HiveGuard: A Network Security Monitoring Architecture for Zigbee Networks

Zigbee networks can be found in a wide range of smart environments that incorporate low-power devices to report sensed events and accept actuation commands wirelessly. However, there is a lack of open-source software tools that consumers can use to monitor their Zigbee networks and ensure that they remain secure. There are several attacks that malicious users can launch against Zigbee networks that would go unnoticed by their network administrators if they are not making use of an appropriate network security monitoring system, which is especially concerning in cases where the Zigbee devices have critical capabilities such as unlocking doors. In this work we introduce the architecture of a distributed system for monitoring the security of Zigbee networks, called HiveGuard. Additionally, we present an energy depletion attack against battery-powered Zigbee devices that we use to test the monitoring capabilities of our prototype implementation. We show that it is possible for an outside attacker to completely deplete the energy of commercial Zigbee devices that are powered by one 3-volt CR2450 lithium battery in less than 16 hours. Our prototype implementation of HiveGuard successfully generated an alert for each attack that we launched and provided additional information about the operation of the Zigbee network for further inspection. We are publicly releasing the source code that we wrote and the packets that we captured during our experiments in order to enable researchers to closely examine our prototype implementation and study novel intrusion detection techniques for Zigbee networks.