Fuzz Testing Zigbee Hardware

Overview

This topic describes how to use beSTORM to attack a Raspberry Pi with a Zigbee module. You can also use this method to attack other Zigbee devices if you know their channel and network ID.

Required hardware

To fuzz Zigbee hardware with beSTORM and a Raspberry Pi, you will need the following:

  • Two XBee modules (preferably XBee S2C)

  • Two XBee USB dongles (this topic uses the Digi XBee Grove Connector Development Board)

  • Raspberry Pi 2 Model B or later (this is the device under test [DUT] for this topic)

    NOTE: If you already have a Zigbee-enabled device to test, you won't need the additional module or dongle for the examples in this topic and instead only need to complete the steps listed in the Configure the XBee modules and Run beSTORM sections below.

Install the Raspberry Pi

  1. Go to https://www.raspberrypi.com/documentation/computers/getting-started.html#install-an-operating-system and complete the steps to install a Linux operating system on the Raspberry Pi.

  2. Boot the Raspberry Pi.

  3. Go to https://www.raspberrypi.com/documentation/computers/getting-started.html#configuration-on-first-boot to perform the initial configuration on the Raspberry Pi and verify it is working correctly.

  4. Use the following command to install the XBee Python files: sudo pip install xbee

Configure the XBee modules

NOTE: You must perform steps 3-12 for each module individually. We recommend configuring the first module for the beSTORM computer, and then configuring the second module for the Raspberry Pi.

  1. Go to https://hub.digi.com/support/products/xctu/.

  2. Download and install the XCTU application for Windows.

  3. Mount one of the XBee modules on the XBee USB dongle. When properly mounted, the hardware should look like this:

  4. Connect the assembled USB dongle to the beSTORM computer.

  5. Open XCTU.

  6. On the menu bar, select XCTU > Discover Radio Modules.

  7. On the Select the ports to scan dialog, select the USB port the USB dongle is connected to, and then select Next. In this example, the dongle is connected to the COM5 port.

  8. On the Set port parameters dialog, select Select all, and then select Finish.

  9. Once your XBee module is found, select its checkbox, and then select Add selected devices.

    NOTE: If you have multiple XBee devices already connected to your computer, you may find more than one device. Select the device that matches the port in step 7.

  10. Back on the main XCTU window, double-click the module to begin configuring it.

  11. Under Networking, do the following:

    1. [ID] PAN ID: The PAN ID is similar to your SSID in Wi-Fi. It is the identifier for your network. Make sure both XBee modules are configured to the same PAN ID. In our example, we use C001BEE.

    2. [CE] Coordinator: Set this value to Disabled [0] for the XBee module connected to the beSTORM computer. For the XBee module that you will connect to the Raspberry Pi, set this value to Enabled [1] because we are creating a new Zigbee network (identified by PAN ID C001BEE) and each Zigbee network needs exactly one coordinator. Otherwise, if you selected the PAN ID of an already existing Zigbee network with its own coordinator, you must set this to Disabled [0].

    3. [CH] Operating Channel: Set both XBee modules to the same channel.

    4. [DH] Destination Address High: This will be the upper bound address of other Zigbee devices that this module will communicate with. To communicate with all other devices on the network, use the value 0xFFFF.

    5. [DL] Destination Address Low: This is the lower bound address of other Zigbee devices that this module will communicate with. To communicate with the lowest address coordinator, set this value to 0.

    6. [MY] 16-bit Network Address: This is the address this XBee module will use. If this device is set as the coordinator, you will be unable to set this value as the coordinator always uses the network address of 0. If this device is not the coordinator, set it to an address that is not already in use on the Zigbee network. You can use any value between 0x0000 - 0xFFFF.

  12. Select Write.

  13. After writing the settings to the first module, repeat steps 3-12 to configure the other module for the Raspberry Pi.

Set up the Raspberry Pi to receive data

  1. Connect the USB dongle with the XBee module you configured for the Raspberry Pi to the Raspberry Pi.

  2. In the root directory of the Raspberry Pi, create a Python file with the name receiveData.py.

  3. Open receiveData.py and enter the following:

    from xbee.thread import XBee
    import serial

    PORT = '/dev/ttyUSB0'
    BAUD_RATE = 9600

    # Open serial port
    ser = serial.Serial(PORT, BAUD_RATE)

    # Create API object (the module must be in API mode for this library)
    xbee = XBee(ser)

    # Continuously read and print packets until Ctrl+C
    while True:
        try:
            response = xbee.wait_read_frame()
            print(response)
        except KeyboardInterrupt:
            break

    ser.close()

  4. Confirm the PORT parameter matches where you have connected the XBee module to the Raspberry Pi and update it if necessary.

  5. Run the following command: sudo python receiveData.py

Run beSTORM

  1. Connect the USB dongle with the XBee module you configured for the beSTORM computer to the beSTORM computer.

  2. Open beSTORM Client.

  3. On the Welcome to beSTORM window, select New Project. The beSTORM New Project Wizard opens.

  4. On the Welcome page, do the following:

    1. In the Project Name box, enter a name.

    2. Optionally, select a different file location for your project in the Location Name box.

    3. Leave Please select the wizard set to Simple.

    4. Leave Perform a port scan, and service detection and assist me in choosing the relevant module unchecked.

  5. Select Next.

  6. On the Basic Configuration page, in the beSTORM's predefined modules list, select ZigBee.

  7. Select Next.

  8. On the Module Environment page, make sure the Serial COM value matches the USB port where the USB dongle is installed. To confirm the USB port assignment, open Device Manager in Windows.

  9. Select Next.

  10. On the Extra Configuration page, leave all options at their default settings.

  11. Select Next.

  12. On the Complete beSTORM wizard page, select Finish to start fuzzing.

Confirm fuzzing data is being received

On the Raspberry Pi, the receiveData.py file should start displaying the fuzzing data it is receiving from beSTORM. If no fuzzing data is being received, check your settings or contact Fortra Support.
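To tell a transport-level problem (a corrupted or cut-off frame on the serial link) from the DUT reacting to a fuzz case, it helps to check the raw XBee API frames that receiveData.py is decoding. The following is an added example, not code from the beSTORM documentation: it parses an unescaped API-mode (AP=1) byte stream, validates the 16-bit length and checksum of each frame, decodes the 16-bit-address RX packet (frame type 0x81) that carries the fuzz payload, and resynchronises after a bad frame. The sample byte stream is constructed inline.

```python
from dataclasses import dataclass
START = 0x7E      # API frame delimiter
RX_16BIT = 0x81   # RX packet addressed by 16-bit [MY] network address

@dataclass
class RxPacket:
    source: int    # 16-bit network address of the sending module
    rssi: int      # received signal strength in dBm (negative)
    options: int
    data: bytes    # RF payload, i.e. the fuzz case beSTORM sent
def checksum(frame_data: bytes) -> int:
    return 0xFF - (sum(frame_data) & 0xFF)   # XBee API checksum rule
def build_frame(frame_data: bytes) -> bytes:
    # delimiter + 16-bit big-endian length + frame data + checksum
    return bytes([START]) + len(frame_data).to_bytes(2, "big") + frame_data + bytes([checksum(frame_data)])
def decode(frame_data: bytes):
    # Only the 16-bit RX packet is decoded; other frames are reported by type byte.
    if len(frame_data) >= 5 and frame_data[0] == RX_16BIT:
        return RxPacket(int.from_bytes(frame_data[1:3], "big"), -frame_data[3],
                        frame_data[4], bytes(frame_data[5:]))
    return frame_data[0] if frame_data else None

def parse_stream(buf: bytes) -> list:
    """Return (status, value) per frame: status is 'ok', 'bad_checksum' or 'truncated'."""
    results, i = [], 0
    while i < len(buf):
        if buf[i] != START:           # noise between frames: skip to next delimiter
            i += 1
            continue
        end = i + 3 + int.from_bytes(buf[i + 1:i + 3], "big")   # index of checksum byte
        if i + 3 > len(buf) or end >= len(buf):
            results.append(("truncated", None))
            break
        frame_data = buf[i + 3:end]
        if (sum(frame_data) + buf[end]) & 0xFF != 0xFF:
            results.append(("bad_checksum", None))
            i += 1                    # resync by scanning for the next delimiter
            continue
        results.append(("ok", decode(frame_data)))
        i = end + 1
    return results

# Constructed sample: good frame, stray byte, corrupted copy (payload byte flipped
# so the checksum fails), then a 40-byte fuzz payload. Source 0x0001, RSSI -40 dBm.
HEADER = bytes([RX_16BIT, 0x00, 0x01, 0x28, 0x00])
GOOD = build_frame(HEADER + b"Hi")
CORRUPT = bytearray(GOOD); CORRUPT[-2] ^= 0xFF
FUZZ = build_frame(HEADER + b"A" * 40)
SAMPLE_STREAM = GOOD + b"\x00" + bytes(CORRUPT) + FUZZ
```

Feed `parse_stream` the bytes read from the serial port (instead of the sample) and count the non-ok statuses over a run; a rising bad_checksum count points at the link or dongle, not at the fuzz target.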