臺灣博碩士論文加值系統

隨著科技領域及物聯網的成長，智慧家庭的概念已經可以實現，因此其相關的設備也逐漸普及於市場，伴隨的資訊安全問題也逐漸被披露，而且新型態的攻擊方式也逐漸增加，因此我們相信關於智慧家庭環境的資訊安全問題會是重要的議題之一。

本論文分析目前ZigBee網路中已存在的資安弱點，進而針對市售的智慧家庭設備提出四種攻擊方式，其中一種可以造成竄改資訊的效果、而另外三種則可以造成阻斷式服務攻擊。我們也實施了攻擊演示，證明了目前市售的智慧家庭設備存在著資安問題，並且可以有效的對其造成影響。我們也針對這些攻擊方式提出建議實施的緩解方法，來降低這些資安弱點在智慧家庭環境中的ZigBee網路所造成的安全風險。

The concept of smart home has become achievable with the development of technology and the Internet of Things, and its related devices are becoming more popular in the market. The corresponding security issues are being disclosed, and the new attack patterns are increasing. Therefore, we believe that security issues in smart home environment will be one of the important topics.

In this thesis, we analyze the attack methods of the existing security vulnerability in the ZigBee network, and we propose four attack methods based on the smart home devices currently on the market. One of these attack methods can cause the effect of tampering with messages, and the other three can cause denial of service attack. We also conduct demonstrations of such attacks to prove that the security vulnerability exist and how effectively to affect these smart home devices. Finally, we propose corresponding mitigation methods to reduce the security risks of the ZigBee network in the smart home environments.

摘 要 i
ABSTRACT ii
致謝 iii
表目錄 vii
圖目錄 viii
一、 緒論 1
1.1 前言 1
1.2 智慧家庭環境 2
1.3 研究動機與論文架構 3
1.3.1 研究動機 3
1.3.2 論文架構 4
二、 ZigBee通信協定概述 5
2.1 協定堆疊 5
2.2 設備類型 7
2.3 網路拓樸 8
2.3.1 星型拓樸（Star Topology） 8
2.3.2 樹狀拓樸（Tree Topology） 9
2.3.3 網狀拓樸（Mesh Topology） 10
2.4 位址和網路識別 11
2.4.1 位址 11
2.4.2 網路識別 12
2.5 安全機制 12
2.5.1 信任中心 12
2.5.2 安全金鑰 13
2.5.3 資料保護 14
2.5.4 AES-CCM* 16
三、 ZigBee網路資安弱點與攻擊方式 20
3.1 金鑰嗅探（Key sniffing）20
3.1.1 被動式金鑰嗅探 21
3.1.2 主動式金鑰嗅探 22
3.2 資訊竄改 24
3.3 阻斷式服務攻擊（denial-of-service attack） 26
3.3.1 私人區域網路識別碼衝突 26
3.3.2 媒體存取控制位址衝突 27
3.3.3 最大訊框計數器 27
3.3.4 不安全的離開網路機制 28
3.4 攻擊方式應用於真實場景的威脅分析 29
3.4.1 金鑰嗅探應用於真實場景的威脅分析 29
3.4.2 資訊竄改應用於真實場景的威脅分析 29
3.4.3 阻斷式服務攻擊應用於真實場景的威脅分析 30
四、 智慧家庭環境中ZigBee網路攻擊演示 31
4.1 智慧家庭環境中ZigBee網路攻擊演示架構 31
4.1.1 系統架構 31
4.1.2 攻擊端環境 32
4.1.3 受害端環境 33
4.2 金鑰嗅探演示 34
4.2.1 被動式金鑰嗅探演示 34
4.2.2 主動式金鑰嗅探演示 35
4.3 資訊竄改演示 36
4.4 阻斷式服務攻擊演示 38
4.4.1 私人區域網路識別碼衝突演示 38
4.4.2 媒體存取控制位址衝突演示 40
4.4.3 最大訊框計數器演示 42
4.4.4 不安全的離開網路機制演示 44
4.5 攻擊緩解 45
4.5.1 金鑰嗅探緩解 45
4.5.2 資訊竄改緩解 45
4.5.3 阻斷式服務攻擊緩解 46
五、 結論與未來工作 47
參考文獻 48

[1] Dr. Cédric LÉVY-BENCHETON (ENISA), M.E.D.E., Mr. Guillaume TÉTU (Trusted
labs), Dr. Guillaume DUFAY (Trusted Labs), Dr. Mouhannad ALATTAR (Trusted
Labs), Security and Resilience of Smart Home Environments.
[2] Kolias, C., Kambourakis, G., Stavrou, A., Voas, J., DDoS in the IoT: Mirai
and Other Botnets. Computer, 2017. 50(7): p. 80-84.
[3] Ronen, E., Shamir, A., Weingarten, A., O’Flynn , C., IoT Goes Nuclear:
Creating a ZigBee Chain Reaction. in 2017 IEEE Symposium on Security and
Privacy (SP). 2017.
[4] Morgner, P., Mattejat S., Benenson Z., Muller C., Armknecht F., Insecure
to the Touch: Attacking ZigBee 3.0 via Touchlink Commissioning. 2017. 230-
240.
[5] Yüksel, E., H. Riis Nielson, and F. Nielson, ZigBee-2007 Security
Essentials. 2008.
[6] Aju, O.G. and A. Ajasin. A Survey of ZigBee Wireless Sensor Network
Technology: Topology, Applications and Challenges. 2015.
[7] Olawumi, O., Haataja, K., Asikainen, M., Vidgren, N., Toivanen P., Three
practical attacks against ZigBee security: Attack scenario definitions,
practical experiments, countermeasures, and lessons learned. in 2014 14th
International Conference on Hybrid Intelligent Systems. 2014.
[8] ZigBee Specification, in ZigBee Document – 05-3474-21. 2015, ZigBee
Alliance.
[9] ZigBee Home Automation Public Application Porfile, in ZigBee Document 05-
3520-29. 2013, ZigBee Alliance.
[10] InfoSecurity, M. An Overview of ZigBee Networks. Available from:
https://www.mwrinfosecurity.com/our-thinking/an-overview-of-zigbee-
networks/.
[11] Dragomir, D., Gheorghe, L., Costea, S., Radovici, A., A Survey on Secure
Communication Protocols for IoT Systems. in 2016 International Workshop
on Secure Internet of Things (SIoT). 2016.
[12] FIPS Pub 197, Advanced Encryption Standard (AES), Federal Information
Processing Standards Publication 197, US Department of Commerce/N.I.S.T,
Springfield, Virginia, November 26, 2001.; Available from:
http://csrc.nist.gov/.
[13] Fan, X., Susan, F., Long, W., Li, S. “Security Analysis of Zigbee”,
MIT.edu, 2017
[14] Fox., B. ZigDiggity ZigBee hacking toolkit. 2018; Available from:
https://github.com/BishopFox/zigdiggity.
[15] Farha, F. and H. Chen, Mitigating replay attacks with ZigBee solutions.
Network Security, 2018. 2018(1): p. 13-19.
[16] Farahani, S., ZigBee Wireless Networks and Transceivers. 2008: Newnes.
360.