John J. Strauchs, MA, CPP, is Senior Principal of Strauchs LLC in Ashburn, Va.
This article originally appeared in the July 2012 issue of SD&I magazine
After several false starts over the past three decades, building automation system (BAS) technology is accelerating again. It finally seems to be ready for prime time. It is showing up in office buildings, in factories in industrial automation, and in our homes—usually upscale homes. The potential of BAS is revolutionary. Many building automation systems are beginning to interconnect devices with short-range, low-power, digital radio links to significantly minimize wire and conduit costs and reduce installation time. That part of the system architecture is generically called ZigBee mesh networks or ZigBee chips, or more specifically, wireless personal area networks (WPANs). What most people don’t know and very few insiders are willing to talk about is that this technology has an Achilles Heel. Some ZigBee networks can be hacked—often easily. In as much as there is a mounting trend toward incorporating security systems into these networks, it is essential for security dealers and integrators to fully understand this emerging vulnerability.
ZigBee technology emerged in the late 1990s. The term “ZigBee” is reputed to be based on the zigzag dance of honey bees reporting the location of flowers. As is the case for most of the older technologies, it was developed at a time when cyber-security wasn’t perceived as being especially important. The term “ZigBee” refers to a specific set of communications protocols based on Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standards. Although these protocols have similarities with Bluetooth and Wi-Fi, they are not the same. The ZigBee specifications are maintained by the ZigBee Alliance which is composed of a number of companies. ZigBee is a registered trademark maintained by the Alliance. In the U.S., the chips operate at 915 MHz with data transmission rates ranging from 20 to 900 kilobits per second, but more often 250 kbps. The devices typically have from 60 to 256 KB of flash memory.
Watch out for sniffers
The vulnerability is that it is a radio signal emanating device. Hackers can drive around and “sniff” unprotected wireless systems and devices using modified smartphones, PDAs or other receivers. The range can be up to 100 meters. They call this “wardriving”—albeit the terms initially applied to searching for Wi-Fi signals (the term “wardriving” is said to be derived from “wardialing,” a term popularized by the 1983 motion picture, WarGames). A number of “White Hat” hackers, such as Travis Goodspeed, Joshua Wright and a few others demonstrated at various hacker conferences (viz. Blackhat) that once a ZigBee network is detected, certain technical vulnerabilities in the protocol and/or the specific device can often be exploited to gain control of the WPAN. If security systems are a part of the network, they could be turned off or settings changed.
ZigBee-based technology is continually expanding into new applications. When President Obama promised to reduce the cost of medical services by automating healthcare records, the ZigBee Alliance developed an application for healthcare automation. Other new applications for ZigBee devices include industrial controls, smart electrical meters, embedded sensors, the Smart Grid, HVAC, lighting, electronic locks—and now, security systems. Yes…it is possible to remotely unlock some electronic locks. ZigBee is especially prevalent in many home automation and home entertainment systems. In that these are usually “upscale” homes, they frequently include security systems, which often don’t have the security network safeguards found in some industrial applications.
The discovery of vulnerabilities in industrial control devices is a relatively recent development, but it is hardly surprising. That technology was developed up to 40 years ago at a time when virus only meant catching a cold. For example, in August 2011, a research team composed of myself, Tiffany Rad and Teague Newman demonstrated at a DefCon Conference in Las Vegas that they could surreptitiously take control of programmable logic controllers (PLCs) in a correctional facility to open or close any door, while blocking the annunciation of any status changes at central control. This research was validated by Idaho National Laboratories. The detection of weaknesses in some ZigBee devices is one link in this long chain integrators should be aware of.
John J. Strauchs, MA, CPP, is Senior Principal of Strauchs LLC in Ashburn, Va., and formerly CEO of Systech Group Inc., a professional security and fire protection engineering firm. Earlier in his career, he was an operations officer with the U.S. Central Intelligence Agency (CIA).