What type of network topology is used by protocols such as zigbee and z-wave?

Pros:
- Ease of planning and deployment: Intelligent nodes mean less site surveying; indoor and outdoor nodes can coexist.
- Reduced backhaul requirements: Several nodes are able to use one wireless/wireline dedicated point-to-point or point-to-multipoint link.
- Resilience: Data packets have multiple paths and can be dynamically rerouted around failed nodes or interference, transparent to the user.
- Expandability: New nodes can easily be added to self-adjusting networks.

Cons:
- Latency: The more nodes there are in the network, the more hops to route traffic, meaning increased latency.
- Security: Point-to-point communications are more predictable. Routing from multiple different nodes means greater vulnerability and exposure to unauthorized access if adequate controls are not established. Rogue access points can be easily set up within the mesh.
- Non-incremental network deployment: Meshes don't lend themselves to incremental approaches; they have to be almost completely built out within a coverage area to be useful.
- Scalability: Single mesh networks are generally not scalable because system capacity is reduced as more mesh APs are added. Dual- or multi-radio meshes, where access and backhaul radios operate on different frequencies, increase scalability.

In this modern era there are several standards available for high-data-rate transfer, but none of them is well suited to communication between sensors and control devices. Such communication does not require high data rates; it requires low latency and low power consumption at low bandwidth. Because ZigBee technology provides all of these properties, it is “a best fit” for many embedded applications, industrial control, home automation (HA), and so on.

This technology is mainly used for sensor and automation control networks and is built on the IEEE 802.15.4 standard for WPANs. That standard defines the MAC-layer access that lets many devices share the medium at low data rates. The technology can operate at 868 MHz, 902–928 MHz, and 2.4 GHz depending on the application; the 250 Kbps data rate is best suited for two-way communication between several sensor nodes and controllers. ZigBee is widely used to control devices within a range of 10–100 m. The communication system is more cost-effective and simpler to use than other short-range wireless technologies such as Bluetooth and Wi-Fi (Fig. 17).

Fig. 17. ZigBee PRO modem.

Reproduced from Agarwal T. ZigBee wireless technology architecture and applications, elprocus.

The system structure of ZigBee technology consists of three main components: the ZigBee coordinator, router, and end device. Every ZigBee network must contain one coordinator, which acts as the root of the network. The coordinator acts as a hub that receives and stores important information while data is being transmitted. A ZigBee router acts as an intermediary between the coordinator and the end devices, allowing traffic or commands to pass through it to the end device, as shown in Fig. 18. End devices have limited ability to communicate with their parent nodes, which saves power and battery life. The pattern in which these three components are connected follows a star, tree, or mesh topology.

Fig. 18. ZigBee architecture.

Reproduced from Agarwal T. ZigBee wireless technology architecture and applications, elprocus.

ZigBee protocol architecture consists of different layers as per the IEEE 802.15.4 standard. Each layer has its own characteristics and function, which are explained in detail below (Table 5).

Table 5. Specification of physical layer of ZigBee

Frequency | Band | Coverage | Data rates | Number of channels
2.4 GHz | Industry, scientific and medical (ISM) | Worldwide | 250 Kbps | 11–26
868 MHz | | Europe | 20 Kbps | 0
915 MHz | ISM | America | 40 Kbps | 1–10

1. Physical layer: this layer performs modulation of transmitted signals and demodulation of received signals. The frequency, data rate, and channels used by this layer depend on the locality.

2. MAC layer: this layer provides reliable data transfer between devices by accessing the shared channel with carrier sense multiple access with collision avoidance (CSMA/CA).

3. Network layer: this layer handles all network-related operations, such as connecting routers and end devices to the network, leaving the network, routing, and device configuration.

4. Application support sublayer (APS): this layer interfaces ZigBee devices with the application objects on the device so that they can communicate through the network layer. It is responsible for matching devices to peripherals on the basis of their services, applications, and needs.

5. Application framework: it provides two types of data services, key-value pair and generic message services. A generic message is a developer-defined structure, whereas the key-value pair service is used to get attributes within the application objects. The ZigBee Device Object (ZDO) provides an interface between application objects and the APS layer in ZigBee devices. It is responsible for discovering, initiating, and binding other devices to the network.

ZigBee data transmission works in two modes: non-beacon mode and beacon mode. In the first mode, i.e., non-beacon mode, coordinators and routers continuously listen for incoming data; therefore more power is consumed. The routers and coordinators cannot sleep in this mode because at any time a node could send a signal to which they must respond. Nonetheless, although the routers require a stronger power supply, the overall power consumption of the network is low because most of the devices are in an inactive state for long stretches of time.

Conversely, in beacon mode the routers and coordinators enter sleep mode when there is no data to transmit. A periodic cycle switches the routers on and off, so they transmit data to the nodes in the network only at scheduled times. These networks operate in time slots, which means that they are active only when communication is needed, resulting in lower duty cycles and longer battery life.


URL: //www.sciencedirect.com/science/article/pii/B9780128095973005241

ZigBee and IEEE 802.15.4 Protocol Layers

Shahin Farahani, in ZigBee Wireless Networks and Transceivers, 2008

3.1 Zigbee and IEEE 802.15.4 Networking Layers

ZigBee wireless networking protocol layers are shown in Figure 3.1. The ZigBee protocol layers are based on the International Standards Organization (ISO) Open System Interconnect (OSI) basic reference model [1]. There are seven layers in the ISO/OSI model, but ZigBee implements only the layers that are essential for low-power, low-data-rate wireless networking. The lower two layers (PHY and MAC) are defined by the IEEE 802.15.4 standard [2]. The NWK and APL layers are defined by the ZigBee standard [3]. The security features are defined in both standards. A network that implements all of the layers in Figure 3.1 is considered a ZigBee wireless network.

Figure 3.1. ZigBee Networking Protocol Layers

Each layer communicates with the adjacent layers through service access points (SAPs). A SAP is a conceptual location at which one protocol layer can request the services of another protocol layer. For example, in Figure 3.1, the PHY Data Service Access Point (PD-SAP) is where the MAC layer requests any data service from the PHY layer.


URL: //www.sciencedirect.com/science/article/pii/B9780750683937000030

ZigBee Gateways

In Zigbee Wireless Networking, 2008

9.3 Bandwidth and the Gateway

Okay, so now there are enough routes to communicate from the gateway to any node in the network and back again. But there is something else to consider besides just routes. Is there enough bandwidth?

2.4 GHz 802.15.4 radios communicate at 250 kbps (kilobits per second). This is considered the maximum bandwidth of any given radio. But all radios in a given vicinity share that same bandwidth, so don't expect applications to communicate at 250 kbps.

For determining average bandwidth available for applications, consider the following:

Interferers

Density of the network

ZigBee protocol overhead

Communication patterns

9.3.1 Interferers

All radios experience some form of interference. In fact, wireless often has a reputation as an unreliable medium, one which ZigBee spends much effort to correct. A basic rule of thumb is to assume that 50% of the bandwidth is taken up by interferers at any given moment in time. Of course, this formula is much too general to apply in all situations, but it provides a starting point for discussion.

One of the most common interferers is WiFi. WiFi is prevalent in many areas where ZigBee is installed, and will only get more so with time. By using CSMA-CA and retries, ZigBee is able to continue to communicate, even if the WiFi traffic is particularly heavy. Take a look at Figure 9.13. There are periods of silence, even when WiFi is communicating continually. ZigBee takes advantage of these silent periods to communicate or to retry packets. Tests conducted by the ZigBee Alliance had a 0% packet error rate, even with the ZigBee radio within one foot of the WiFi router! That's not to say that ZigBee didn't need to use its retry mechanism, but no packets were lost from an application perspective.

Figure 9.13. ZigBee and WiFi interference

It is worth noting, however, that ZigBee did not test 802.11n (only a/b and g). A copy of this white paper will be available on the ZigBee Web site (//www.zigbee.org).

One of the other interesting things about WiFi and ZigBee is that usually WiFi channels 1, 6, or 11 are used, which means that many ZigBee channels will be free, given any single implementation of WiFi. As seen in Figure 9.14, ZigBee (802.15.4) channels 15, 20, 25, and 26 are always free from WiFi interference, regardless of which WiFi channel is used.

Figure 9.14. ZigBee and WiFi Channels
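The channel overlap that Figure 9.14 summarises can be checked numerically, which is useful when choosing a coordinator's channel mask for a site whose Wi-Fi plan is known. This is an added example, not the chapter's code: it uses the standard 802.11 (2412 MHz + 5 MHz per channel) and 802.15.4 (2405 MHz + 5 MHz per channel) centre frequencies and assumes a 22 MHz Wi-Fi channel and a 2 MHz 802.15.4 channel; the function names are this example's own.

```python
"""Find the IEEE 802.15.4 (ZigBee) 2.4 GHz channels that do not overlap the
Wi-Fi channels in use at a site.  Added example; channel plans are the
standard ones, the Wi-Fi channel width is an assumption (22 MHz, 802.11b)."""

WIFI_CH_WIDTH_MHZ = 22.0    # 802.11b DSSS mask; 802.11g/n OFDM is 20 MHz
ZIGBEE_CH_WIDTH_MHZ = 2.0   # 802.15.4 O-QPSK channel bandwidth at 2.4 GHz


def wifi_center_mhz(ch):
    """802.11 channels 1..13 are 5 MHz apart starting at 2412 MHz; 14 is 2484."""
    if ch == 14:
        return 2484.0
    if 1 <= ch <= 13:
        return 2412.0 + 5.0 * (ch - 1)
    raise ValueError(f"not a 2.4 GHz Wi-Fi channel: {ch}")


def zigbee_center_mhz(ch):
    """802.15.4 channels 11..26 are 5 MHz apart starting at 2405 MHz."""
    if 11 <= ch <= 26:
        return 2405.0 + 5.0 * (ch - 11)
    raise ValueError(f"not a 2.4 GHz 802.15.4 channel: {ch}")


def _overlaps(center_a, width_a, center_b, width_b):
    """Two channels overlap when their centres are closer than half their
    combined widths."""
    return abs(center_a - center_b) < (width_a + width_b) / 2.0


def zigbee_channels_clear_of(wifi_channels, wifi_width_mhz=WIFI_CH_WIDTH_MHZ):
    """Sorted list of 802.15.4 channels whose band overlaps none of the given
    Wi-Fi channels.  For the usual Wi-Fi plan {1, 6, 11} this reproduces the
    chapter's free channels 15, 20, 25 and 26."""
    busy = [wifi_center_mhz(c) for c in wifi_channels]
    return [
        z for z in range(11, 27)
        if not any(_overlaps(zigbee_center_mhz(z), ZIGBEE_CH_WIDTH_MHZ,
                             w, wifi_width_mhz) for w in busy)
    ]


def to_channel_mask(channels):
    """802.15.4 ScanChannels bitmap: bit k set means channel k is allowed."""
    mask = 0
    for ch in channels:
        mask |= 1 << ch
    return mask


if __name__ == "__main__":
    free = zigbee_channels_clear_of([1, 6, 11])
    print("free 802.15.4 channels:", free)
    print("channel mask: 0x%08X" % to_channel_mask(free))
```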

Many radio technologies, such as Bluetooth™, also share the 2.4 GHz space. Empirically, ZigBee has shown itself to be very robust in noisy RF environments. At trade shows I routinely see many wireless technology demos break or have trouble in the chaotic environment. Not so with ZigBee. The ZigBee demos just keep working.

Other common interferers are cordless telephones, microwave ovens (yes, microwaves operate in the 2.4 GHz band), and general RF noise. I'm told even sunspots can cause some interference. Modern microwave ovens are built to screen most of their RF interference. In fact, at San Juan Software, we use microwave ovens as a way of isolating ZigBee nodes. (Yes, we are careful not to turn the oven on while a ZigBee board is inside!)

Assume 50% of the available bandwidth is used by interferers.

9.3.2 ZigBee Protocol Overhead

ZigBee consumes bandwidth to enhance reliability, extend network range, and to commission the network.

For example, the 802.15.4 MAC will retry up to three times (for a total of four transmissions) to send a message to the next hop. If ZigBee APS retries are used (one of the TxOptions on an APSDE-DATA.request), then ZigBee will retry up to three times as well, for a total of 16 possible transmissions of a single packet.

ZigBee uses unicasts to send data along a route, but every node in the vicinity of each hop can hear that unicast. It is rejected by all but the intended node, but the transmission still consumes bandwidth.

ZigBee broadcasts may repeat up to two times (a total of three times) and each node in the network or within the radius of that broadcast repeats it. Broadcasts can consume a lot of bandwidth. Most reasonably sized networks (100-plus nodes) can only handle about four to five broadcasts at any given time. Where practical, try to use unicasts, either mesh or along the tree, instead of broadcasts. Unicasts use far fewer resources in terms of bandwidth and RAM. But remember that commands like ZDP-NWK-ADDR.request require a broadcast. So does discovering a route. Likewise, groupcasts are a form of broadcast.

One of the most difficult times for ZigBee functioning is during commissioning. Many nodes are competing for the same resources, and applications tend to be a lot chattier during this period. Ideally, it is best to commission the network one device at a time. This includes joining, as well as determining which of the various nodes any given node needs to speak with.

One thing that consumes bandwidth that is often forgotten is ZigBee End-Device polling. Sleeping (RxOnIdle=FALSE) ZEDs poll their parent to see if their parent is keeping any messages for them while they were asleep. This poll rate by default is often set up to something like two seconds, because that's a useful rate during commissioning. Set this poll rate to as long as possible. The Home Controls Stack Profile (stack profile 0x01) allows this poll rate to be as slow as once per hour. It's really up to what the application can bear. Remember, this does not affect the transmission rate of the device (the light switch can still send the on/off command immediately when switched), only the receiving rate. And most implementations poll for a message shortly after transmitting. Polling once every 6.5 seconds is a good poll rate because it matches well with the MAC purge rate.

Use unicasts, not broadcasts [or groupcasts] where possible.

Commission nodes one at a time.

Reduce poll-rate for ZigBee End-Devices. Once every 6.5 seconds is a good poll rate.

9.3.3 Density of the Network

Too many ZigBee nodes in the same vicinity can interfere with each other. In a typical home, the ZigBee network may contain 50 to 100 nodes, all within hearing range of each other. In a commercial network, such as building automation, this number can be significantly higher. The bandwidth in any given vicinity is limited (only one node may be speaking at any given time) and is shared by all the nodes in that vicinity. Each node uses Carrier-Sense Multiple Access with Collision Avoidance (CSMA-CA) before speaking, so there must be some silence between packets.

Network density is determined by the number of nodes that a given node can hear, based on the transmit power of the other nodes, and the receiving node's ability to hear those transmissions.

802.15.4, including ZigBee, requires 1 to 4 milliseconds of airtime per packet, depending on the size of the packet. Assuming a 50% duty cycle (which allows enough quiet time for CSMA-CA to work), this allows an average of about 250 packets per second. Because ZigBee is an acknowledged protocol, this is really a maximum of 125 application packets per second, shared by all nodes. So if there are 50 nodes in the vicinity, this equates to two packets per second per node.

Remember that some of this bandwidth will be taken up by other portions of the ZigBee protocol. For example, if a node in this or another part of the network is performing a route discovery, the packets are repeated three times by each router in the network. A group or multicast likewise eats up bandwidth. ZigBee end devices poll their parents for information, which also consumes bandwidth.

My rule of thumb is to allow 50% of the bandwidth average for ZigBee protocol overhead. So I don't write applications that send data any more frequently than one packet per second, on average. I also work to minimize over-the-air traffic wherever possible, keeping in mind the density of the network.

Reduce network density, or reduce over-the-air traffic for a healthy network.
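The bandwidth arithmetic of 9.3.2 and 9.3.3 (airtime per packet, duty cycle, acknowledgements, end-device polling, broadcast repeats and the 4 x 4 retry multiplier) as a small planning calculator. This is an added example, not the chapter's code; the default values are the chapter's rules of thumb, and the Vicinity fields and function names are this example's own assumptions.

```python
"""Airtime budget for one ZigBee 'vicinity' (all nodes within hearing range of
each other).  Added example: defaults are the chapter's rules of thumb, the
data model is this example's own."""
from dataclasses import dataclass

MAC_TX_MAX = 4   # 1 attempt + up to 3 802.15.4 MAC retries per hop
APS_TX_MAX = 4   # 1 attempt + up to 3 ZigBee APS retries (if requested)


@dataclass
class Vicinity:
    nodes: int                        # nodes that can all hear each other
    sleeping_end_devices: int = 0     # ZEDs (RxOnIdle=FALSE) polling a parent
    poll_interval_s: float = 6.5      # chapter's recommended poll rate
    avg_packet_airtime_ms: float = 2.0  # packets take 1..4 ms; chapter's 250 pps implies ~2 ms
    duty_cycle: float = 0.5           # leave half the time silent for CSMA-CA
    interferer_share: float = 0.0     # set to 0.5 to apply the 9.3.1 rule of thumb
    protocol_overhead: float = 0.5    # chapter: allow 50% for route discovery etc.


def channel_frames_per_second(v):
    """Frames the shared channel can carry at the configured duty cycle."""
    return (1000.0 / v.avg_packet_airtime_ms) * v.duty_cycle


def poll_frames_per_second(v):
    """Sleeping end devices cost one data-request frame plus its ACK per poll,
    whether or not the parent holds anything for them."""
    if v.sleeping_end_devices == 0:
        return 0.0
    return 2.0 * v.sleeping_end_devices / v.poll_interval_s


def broadcast_frames(routers_in_radius, repeats=3):
    """A broadcast is repeated up to three times by every router it reaches."""
    return routers_in_radius * repeats


def worst_case_unicast_frames(aps_retries=True):
    """MAC and APS retries compound: 4 x 4 = 16 transmissions of one packet."""
    return MAC_TX_MAX * (APS_TX_MAX if aps_retries else 1)


def app_packets_per_second_per_node(v):
    """Application packets each node may send per second, on average, after
    interferers, polling and protocol overhead take their share."""
    frames = channel_frames_per_second(v)
    frames *= 1.0 - v.interferer_share      # 9.3.1: interferers
    frames -= poll_frames_per_second(v)     # 9.3.2: end-device polling
    frames *= 1.0 - v.protocol_overhead     # 9.3.3: route discovery, broadcasts
    if frames <= 0.0:
        return 0.0
    return (frames / 2.0) / v.nodes         # data + ACK per application packet


def min_send_interval_s(v):
    """Shortest average interval between one node's application packets."""
    pps = app_packets_per_second_per_node(v)
    return float("inf") if pps == 0.0 else 1.0 / pps


if __name__ == "__main__":
    home = Vicinity(nodes=50, sleeping_end_devices=40, poll_interval_s=2.0)
    print("polling load: %.1f frames/s" % poll_frames_per_second(home))
    print("per node: %.2f app packets/s" % app_packets_per_second_per_node(home))
```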

9.3.4 Communication Patterns

One of the aspects of bandwidth consumption that is often forgotten is communication pattern. Even if there is a very noisy RF channel (lots of bandwidth consumed by interferers), and a very dense network (hundreds of nodes in the vicinity), ZigBee applications can still continue to communicate reliably. How? They do this by reducing the traffic, and randomizing when the traffic occurs.

Consider this scenario. Perhaps 100 nodes must report their status to a data concentrator or gateway. If all of them attempt to communicate once every minute, once every hour, or even once every day, they can overload the ZigBee network should they try to communicate at the same time.

For the purposes of most applications, it is not necessary to specify the precise moment at which to transmit data; a measurement from anywhere during a specified interval is sufficient. For example, sending in a temperature reading can occur at any time within a given minute, for home or commercial building automation. The temperature won't change that rapidly even if the heating or cooling units come on right away.

Adding a little bit of randomization (called jitter) can go a long way toward helping an application be a team player in larger networks. ZigBee uses randomization in repeating broadcasts or sending unicast retries. The Smart Energy application profile, which monitors and regulates electrical power usage, contains a whole section (E.3.5) on randomization.

The following code shows what a random jitter in a temperature sensor application might look like:

/* Stack timer API used below (tmrTimerID_t, TMR_StartSingleShotTimer,
   GetRandomRange): the declarations here are assumptions so the snippet
   compiles; the real types live in the stack's timer module. */
#include <stdint.h>

typedef uint8_t tmrTimerID_t;
extern tmrTimerID_t gTemperatureTimerId;     /* timer allocated at init */
extern void GetCurrentTemperature(void);
extern void TransmitTemperatureReading(void);
extern uint8_t GetRandomRange(uint8_t low, uint8_t high);
extern void TMR_StartSingleShotTimer(tmrTimerID_t id, uint32_t milliseconds,
                                     void (*callback)(tmrTimerID_t));
void StartRandomTemperatureReadingTimer(void);

void TimerCallback(tmrTimerID_t timerID)
{
    if (timerID == gTemperatureTimerId)
    {
        GetCurrentTemperature();        /* read from temp sensor */
        TransmitTemperatureReading();   /* send reading to gateway */
        StartRandomTemperatureReadingTimer();
    }
}

void StartRandomTemperatureReadingTimer(void)
{
    /* 50..70 seconds expressed in milliseconds; 70000 exceeds uint16_t
       (max 65535), so the value must be 32 bits wide */
    uint32_t randomJitter;
    randomJitter = 1000UL * (50 + GetRandomRange(0, 20));
    /* restart the same timer the callback tests for */
    TMR_StartSingleShotTimer(gTemperatureTimerId, randomJitter, TimerCallback);
}

This procedure tends to spread the messages out over time very well. Just a jitter of a few milliseconds can be enough to make even a large network function better.

Another way to help messages flow more smoothly in a ZigBee network is to combine data when possible. Take that same example of a temperature sensor. The sensor might take 10 or even 100 readings, average them, and then send out a single number at the end of a minute, rather than sending out many readings at shorter intervals. Or perhaps the application might only send a reading when the temperature has changed by five degrees, or after two minutes have passed, whichever comes first.

In another application I was involved with, battery-operated ZigBee nodes were worn by crew members on commercial ships as “man overboard” detectors. These nodes, called “tags,” sent a message to the gateway once every two seconds to indicate that the node (that is, the person) was still on the network. If any node didn't check in, it could mean that the crew member was in the water. Even for very small networks (under 50 nodes) the system would sometimes overload and give false man overboard readings (no check-in) over a 24-hour period. The solution was to collate the incoming information on the receiving routers, and only send one message to the gateway for every 50 nodes. This greatly reduced the traffic, allowing the network to scale much higher (into the hundreds of nodes), while still allowing a very quick transmit rate (in ZigBee terms) from each of the battery-operated nodes.

Reduce over-the-air traffic when possible.

Use jitter to communicate in a more distributed pattern.
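The effect of jitter on the 100-node scenario above can be seen with a slot-level simulation: every node reports once per minute, either exactly at the minute boundary or spread over the 20 s window that the chapter's 50 to 70 second timer produces. This is an added example, not the chapter's code; the slot model (one 4 ms worst-case packet per slot), the seeded random generator and the function names are this example's own assumptions.

```python
"""Simulate 100 sensors reporting once a minute, with and without start-time
jitter, and count the nodes whose transmission lands in a slot another node is
already using.  Added example; slot model and function names are assumptions."""
import random
from collections import Counter

SLOT_MS = 4   # a packet needs 1..4 ms of airtime; one worst-case packet = one slot


def report_slots(n_nodes, jitter_window_ms, seed=1):
    """Slot index in which each node starts its report during one interval.
    jitter_window_ms == 0 models every node firing at the minute boundary."""
    rng = random.Random(seed)   # fixed seed so the result is repeatable
    return [int(rng.uniform(0, jitter_window_ms) // SLOT_MS)
            for _ in range(n_nodes)]


def colliding_nodes(slots):
    """Number of nodes that share a slot with at least one other node.  Each of
    them would have to back off (CSMA-CA) and retry, burning extra airtime."""
    counts = Counter(slots)
    return sum(c for c in counts.values() if c > 1)


def compare(n_nodes=100, jitter_window_ms=20_000, seed=1):
    """Return (colliding nodes without jitter, colliding nodes with jitter)."""
    without = colliding_nodes(report_slots(n_nodes, 0, seed))
    with_jitter = colliding_nodes(report_slots(n_nodes, jitter_window_ms, seed))
    return without, with_jitter


if __name__ == "__main__":
    no_jitter, jittered = compare()
    print("nodes colliding at the minute boundary:", no_jitter)
    print("nodes colliding with 20 s of jitter:   ", jittered)
```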


URL: //www.sciencedirect.com/science/article/pii/B9780750685979000094

Lower-power wireless mesh networks for machine-to-machine communications using the IEEE802.15.4 standard

T. Watteyne, in Machine-to-machine [M2M] Communications, 2015

4.4.2 ZigBee

The ZigBee Alliance was arguably the first to finalize a complete protocol stack for low-power mesh networks. The ZigBee protocol stack is rooted entirely in the legacy IEEE802.15.4-2003 and IEEE802.15.4-2006 MAC protocol. It differentiates between full-function devices (FFD) and reduced-function devices (RFD), where the former are typically used as routing nodes, the latter as nonrouting leaf nodes. A ZigBee network consists of a number of FFDs collecting data from RFDs located around it.

A ZigBee network is not time-synchronized. Routing nodes therefore need to leave their radio on all the time to be ready to receive data packets from an RFD at any time. In a practical setting, this often means having the router nodes be mains-powered. As a result, most ZigBee networks have been used in a “star” topology, where RFDs send data to single collector FFDs a single hop away.

A ZigBee network operates on a single frequency channel. While it is possible to reconfigure the complete network to communicate at a different frequency, the network does not channel hop and is therefore prone to the effects of external interference and multipath fading highlighted above.


URL: //www.sciencedirect.com/science/article/pii/B9781782421023000046

ZigBee/IEEE 802.15.4 Networking Examples

Shahin Farahani, in ZigBee Wireless Networks and Transceivers, 2008

Publisher Summary

ZigBee networking has a diverse range of application scenarios in which ZigBee devices can increase efficiency or reduce cost. Full ZigBee protocol implementation has the advantage of reliable mesh networking capability. However, if the application is simple, it might be possible to implement only IEEE 802.15.4 layers. Home automation is one of the major application areas for ZigBee wireless networking. Home automation uses include security systems, meter reading systems, irrigation systems, light control systems, and multizone heating, ventilation, and air-conditioning (HVAC) systems. In consumer electronics, ZigBee can be used in wireless remote controls, game controllers, a wireless mouse for a personal computer, and many other applications. This chapter reviews the application of ZigBee in wireless remotes. At the industrial level, ZigBee mesh networking can help in areas such as energy management, light control, process control, and asset management. Asset management includes personnel tracking and livestock tracking. Furthermore, ZigBee also finds its application in the sector of healthcare. A ZigBee gateway provides the interface between a ZigBee network and other networks, such as an Internet Protocol (IP) network, thus helping hospitals improve patient care and relieve hospital overcrowding by enabling them to monitor patients at home. Some other applications of ZigBee devices include hotel room guest access and fire extinguishers.


URL: //www.sciencedirect.com/science/article/pii/B9780750683937000029

AI and IoT Capabilities: Standards, Procedures, Applications, and Protocols

Aditya Pratap Singh, Pradeep Tomar, in Artificial Intelligence to Solve Pervasive Internet of Things Issues, 2021

4.2.3.6 ZigBee

ZigBee is an answer for short-range wireless communication requiring low energy consumption, mainly in IoT for low-rate sensors. IEEE 802.15.4 is the base protocol for the ZigBee protocol. IEEE 802.15.4 specifies the low-rate wireless personal area network (LR-WPAN) standard. ZigBee technology is a product of the ZigBee Alliance.

The protocol stack for ZigBee has MAC, network, and application layers [27]. ZigBee supports three types of devices: ZigBee coordinator, router, and end device. The coordinator is a fully functional device with functions for managing the whole network. The ZigBee router is also a fully functional device and is used in tree and mesh networks only. These nodes have routing functions such as finding the best path to forward packets. The ZigBee end device is a reduced-function device that just sends and receives packets. Application objects (APOs) are used at the application layer. An APO is software responsible for controlling hardware units such as transducers or switches on a device. Each APO has a unique id that enables it to communicate with other APOs. The ZigBee Device Object (ZDO) performs tasks such as device discovery, security, and managing requests [28].


URL: //www.sciencedirect.com/science/article/pii/B9780128185766000046

ZigBee Basics

Shahin Farahani, in ZigBee Wireless Networks and Transceivers, 2008

1.4 The Relationship Between ZigBee and IEEE 802.15.4 Standards

One of the common ways to establish a communication network [wired or wireless] is to use the concept of networking layers. Each layer is responsible for certain functions in the network. The layers normally pass data and commands only to the layers directly above and below them.

ZigBee wireless networking protocol layers are shown in Figure 1.3. ZigBee protocol layers are based on the Open System Interconnect (OSI) basic reference model [9]. Dividing a network protocol into layers has a number of advantages. For example, if the protocol changes over time, it is easier to replace or modify the layer that is affected by the change rather than replacing the entire protocol. Also, in developing an application, the lower layers of the protocol are independent of the application and can be obtained from a third party, so all that needs to be done is to make changes in the application layer of the protocol. The software implementation of a protocol is known as protocol stack software.

Figure 1.3. ZigBee Wireless Networking Protocol Layers

As shown in Figure 1.3, the bottom two networking layers are defined by the IEEE 802.15.4 standard [5]. This standard is developed by the IEEE 802 standards committee and was initially released in 2003. IEEE 802.15.4 defines the specifications for PHY and MAC layers of wireless networking, but it does not specify any requirements for higher networking layers.

The ZigBee standard defines only the networking, application, and security layers of the protocol and adopts IEEE 802.15.4 PHY and MAC layers as part of the ZigBee networking protocol. Therefore, any ZigBee-compliant device conforms to IEEE 802.15.4 as well.

IEEE 802.15.4 was developed independently of the ZigBee standard, and it is possible to build short-range wireless networking based solely on IEEE 802.15.4 and not implement ZigBee-specific layers. In this case, the users develop their own networking/application layer protocol on top of IEEE 802.15.4 PHY and MAC (see Figure 1.4). These custom networking/application layers are normally simpler than the ZigBee protocol layers and are targeted for specific applications.

Figure 1.4. A Networking Protocol can be Based on IEEE 802.15.4 and not Conform to the ZigBee Standard

One advantage of custom proprietary networking/application layers is the smaller size memory footprint required to implement the entire protocol, which can result in a reduction in cost. However, implementing the full ZigBee protocol ensures interoperability with other vendors’ wireless solutions and additional reliability due to the mesh networking capability supported in ZigBee. The decision of whether or not to implement the entire ZigBee protocol or just IEEE 802.15.4 PHY and MAC layers depends on the application and the long-term plan for the product.

Physical-level characteristics of the network are determined by the PHY layer specification; therefore, parameters such as frequencies of operation, data rate, receiver sensitivity requirements, and device types are specified in the IEEE 802.15.4 standard.

This book covers the IEEE 802.15.4 standard layers and the ZigBee-specific layers with the same level of detail. The examples given throughout this book are generally referred to as ZigBee wireless networking examples; however, most of the discussions are still applicable even if only IEEE 802.15.4 PHY and MAC layers are implemented.


URL: //www.sciencedirect.com/science/article/pii/B9780750683937000017

Hello ZigBee

In Zigbee Wireless Networking, 2008

Publisher Summary

This chapter provides information on how to apply ZigBee appropriately to achieve wireless control that simply works. The wireless control market has a number of unique needs for which ZigBee is ideally suited, because ZigBee is highly reliable, cost-effective, able to achieve very low power, highly secure, and an open global standard. The low data rate of ZigBee adds a constraint in achieving the low power and low cost criteria. ZigBee is all about wireless monitoring and control and is a standard networking protocol aimed at the wireless control market. The ZigBee protocol fits on 8-bit microcontrollers, with 16- and 32-bit solutions available. It is great at wireless control, where anywhere from two to thousands of nodes are all connected together in a multi-hop mesh network. It enhances reliability through mesh networking, acknowledgments and use of the robust IEEE 802.15.4 standard. Multiple silicon and stack vendors, ZigBee modules, and many available resources all contribute to low development costs for ZigBee devices. It uses AES 128-bit security for encryption and authentication. ZigBee Alliance membership is required in order to ship ZigBee technology in products, and it provides early access to specifications. ZigBee covers many markets, including home, commercial and industrial automation, medical, and location-based services. ZigBee networks can be put together in a very ad hoc (random) fashion, and they simply work. ZigBee can communicate to individual nodes or groups, and these devices remember their settings across resets and power outages.


URL: //www.sciencedirect.com/science/article/pii/B978075068597900001X

How on Earth Could That Happen? An Analytical Study on Selected Mobile Data Breaches

Sherenaz Al-Haj Baddar, in Adaptive Mobile Computing, 2017

4.7 Communication Protocols

Other surfaces of attack that threaten mobile data security are wireless communication protocols. Whether it is WiFi, Zigbee, Bluetooth, radio, or NFC, wireless communication media pose threats to the safety of mobile data. Zigbee exploitations were illustrated in several studies, including the recent findings depicted in Refs. [72,73], which depicted the pitfalls in Zigbee implementations in some smart-home devices. The main issue with the Zigbee protocol pertained to insecure key exchange, which rendered critical data accessible in almost-plain format to eavesdroppers within the communication range of the designated devices. Weakly secured key-exchange processes allowed the researchers to jam wireless signals, identify target devices, and reset them to factory settings. To achieve their goal of breaking the Zigbee protocol in the examined devices, researchers did not even need prior knowledge of any secret keys. Vulnerabilities in Zigbee had been identified years before such recent studies. For example, the work in Ref. [74] depicts a Zigbee exploitation framework that capitalizes on Zigbee's killer vulnerability of plaintext key exchange as well as its susceptibility to replay attacks. The work in Ref. [74] also shows that the Zigbee protocol implementation in which plaintext key exchange was replaced with hard-coding critical keys in devices' memories was no more secure, as breaking into the devices' memories to extract the plain keys was easy, relatively speaking.

Previous studies illustrated the weaknesses in the security of the WEP and WPA2 wireless communication protocols. For example, the study in Ref. [75] illustrated how an attacker can break the WPA and WPA2 protocols via eavesdropping on their initial unencrypted 4-way key-exchange process, which makes it possible to perform a brute-force dictionary attack, hence breaking the encryption used in these protocols. Several studies also recommended ditching the WEP protocol as it is prone to packet replay, forging, and tampering, in addition to the WEP protocol's weak encryption. The same security loopholes were also pointed out in the study depicted in Ref. [73], which also highlighted vulnerabilities in the WiFi Protected Setup (WPS) protocol used by some IoT devices' vendors, including the possibility of performing a brute-force attack on the WPS PIN code.

Bluetooth protocols used in several IoT devices are also vulnerable according to several recent studies. For example, the study in Ref. [73] points out that the Bluetooth Low Energy protocol (marketed as Bluetooth Smart), used in several smart-home devices, has vulnerabilities that allow attackers to take control of door locks and similar devices by compromising the smartphone app that controls them over the Internet. The study in Ref. [73] also emphasizes that the Bluetooth Smart standards themselves are too permissive, leaving room for vendor implementations with major security loopholes. The same study highlights pitfalls in some custom RF protocols used in smart-home devices: for instance, the LightweightRF protocol, which is not immune to replay attacks, and a powerline protocol that leaks its encrypted communication signals, allowing eavesdroppers to spy on them.

An interesting white-hat incident is described in Ref. [76], where a researcher reverse-engineered the Bluetooth protocol of the Nike+ FuelBand smart wristband and thereby gained control over the device. In his analysis of the device and its custom Bluetooth protocol, the researcher found that the wristband's authentication was fragile enough that almost any eavesdropper within communication range could break into the device. He also showed that it was possible to read and write the wristband's memory directly, and that the production firmware retained debugging functions that revealed internal state and should have been removed before release. The implemented protocol also exposed functions with higher privileges than necessary. Moreover, the device's Bluetooth implementation abandoned the protocol's well-established authentication process in favour of hard-wired tokens, which made it even more vulnerable. Error messages generated by the device's software gave him further clues for refining the attack, and the device's critical keys were continuously broadcast in the clear, making it easier still to hack.

Another IoT communication protocol whose implementations have been shown to be susceptible to attack is Z-Wave, as illustrated in the studies in Refs. [73,77]. In Ref. [77], researchers analyzed the Z-Wave protocol stack and built a tool they called Z-Force to intercept Z-Wave messages. This tool let them intercept and break the encrypted traffic of the Z-Wave protocol, as they discovered vulnerabilities in the protocol's AES-based encryption implementation. These vulnerabilities allowed the researchers to remotely take control of door locks that used Z-Wave without knowing the encryption keys; they only needed the devices' IDs, which were not difficult to obtain because the devices included them in the polling messages they sent frequently. The main reason the researchers managed to break the Z-Wave protocol in the devices they tested was that the vendor had omitted from its implementation a critical state check that should have validated whether a new encryption key could be accepted. This, together with weaknesses in the device's memory security, allowed the researchers to overwrite the encryption keys, authenticate successfully, and then hijack the door locks.
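The missing check described above is easiest to see as a state-machine bug. The following is an added model (not the vendor's firmware or the Z-Force tool): a lock that accepts a key-set command authenticated under a publicly known inclusion key, in a vulnerable variant that never checks whether it is actually in inclusion (pairing) mode and a fixed variant that does. Command names, the all-zero inclusion key, the lock-state encoding and the HMAC-SHA256 tag are all assumptions standing in for Z-Wave's own framing and AES-based message authentication.

```python
import hashlib
import hmac

# Constructed model of the missing state check (example code, not vendor
# firmware).  INCLUSION_KEY, the command names, the state encoding and the
# HMAC tag are assumptions standing in for Z-Wave's own mechanisms.
INCLUSION_KEY = bytes(16)  # assumption: a publicly known key valid only while a device is being paired


def tag(key: bytes, cmd: str, arg: bytes) -> bytes:
    """Message authentication tag (stand-in for Z-Wave's AES-based MAC)."""
    return hmac.new(key, cmd.encode() + b"\x00" + arg, hashlib.sha256).digest()[:8]


class DoorLock:
    def __init__(self, check_inclusion_state: bool):
        self.check_inclusion_state = check_inclusion_state  # False models the vulnerable firmware
        self.network_key = None
        self.in_inclusion = False
        self.locked = True

    def start_inclusion(self):
        """Pairing mode entered through a physical action on the lock."""
        self.in_inclusion = True

    def handle(self, cmd: str, arg: bytes, mac: bytes) -> str:
        if cmd == "NETWORK_KEY_SET":
            # Key-set commands are authenticated with the shared inclusion key,
            # so anyone in range can produce a valid one.  Only the state check
            # below stops a stranger from replacing the owner's key.
            if not hmac.compare_digest(mac, tag(INCLUSION_KEY, cmd, arg)):
                return "rejected: bad mac"
            if self.check_inclusion_state and not self.in_inclusion:
                return "rejected: not in inclusion mode"
            self.network_key = arg
            self.in_inclusion = False
            return "key set"
        if self.network_key is None:
            return "rejected: not paired"
        if not hmac.compare_digest(mac, tag(self.network_key, cmd, arg)):
            return "rejected: bad mac"
        if cmd == "DOOR_LOCK_SET":
            self.locked = arg == b"\xff"  # assumed encoding: 0xff locked, 0x00 unlocked
            return "ok"
        return "rejected: unknown command"


def legitimate_pairing(lock: DoorLock, controller_key: bytes) -> str:
    """The owner's controller pairs the lock while it is in inclusion mode."""
    lock.start_inclusion()
    return lock.handle("NETWORK_KEY_SET", controller_key,
                       tag(INCLUSION_KEY, "NETWORK_KEY_SET", controller_key))


def attacker_unlocks(lock: DoorLock) -> bool:
    """Attacker who never learned the owner's key pushes a key of its own and
    then commands an unlock; returns whether the door ended up unlocked."""
    attacker_key = hashlib.sha256(b"attacker-chosen").digest()[:16]
    lock.handle("NETWORK_KEY_SET", attacker_key,
                tag(INCLUSION_KEY, "NETWORK_KEY_SET", attacker_key))
    lock.handle("DOOR_LOCK_SET", b"\x00", tag(attacker_key, "DOOR_LOCK_SET", b"\x00"))
    return not lock.locked


if __name__ == "__main__":
    for vulnerable in (True, False):
        lock = DoorLock(check_inclusion_state=not vulnerable)
        legitimate_pairing(lock, b"\x11" * 16)
        print("vulnerable" if vulnerable else "fixed", "-> unlocked:", attacker_unlocks(lock))
```

The fix is one comparison, but it has to be made before the key is written, and the inclusion flag must be set only by a physical action rather than by any over-the-air command.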


URL: //www.sciencedirect.com/science/article/pii/B9780128046036000085

Smart Grid Communications: Opportunities and Challenges

Hussein T. Mouftah, Melike Erol-Kantarci, in Handbook of Green Information and Communication Systems, 2013

25.3.1.1 IEEE 802.15.4/ZigBee

ZigBee is a short-range, low-data-rate, energy-efficient wireless technology based on the IEEE 802.15.4 standard. ZigBee utilizes 16 channels in the 2.4 GHz ISM band worldwide, 10 channels in the 915 MHz band in North America, and one channel in the 868 MHz band in Europe. It is designed to service low-data-rate transmissions; the supported data rates are 250 kbps, 100 kbps, 40 kbps, and 20 kbps. The range of a ZigBee radio is approximately 30 m indoors. Thus, ZigBee is considered suitable for the HAN domain of the smart grid.

ZigBee is well-known for its energy efficiency, which is due to its duty-cycling mechanism. ZigBee-certified devices can work for several years without the need for battery replacement. The IEEE 802.15.4 standard defines the physical and MAC layers, while the upper layers, including routing and applications, are defined in the ZigBee protocol stack (see Figure 25.5).

Figure 25.5. ZigBee protocol stack.

ZigBee supports two addressing modes, 16-bit short addresses and 64-bit extended addresses, and a single ZigBee network can support up to about 64,000 nodes (devices). These devices are of two types: (i) full function devices (FFDs) and (ii) reduced function devices (RFDs). FFDs can be interconnected in a mesh topology, meaning they communicate with their peers and route traffic for them, whereas RFDs are simpler than FFDs, can talk only to an FFD, and therefore serve as the edge nodes of a star topology. In the star configuration ZigBee employs a personal area network (PAN) coordinator, which operates in either beacon-enabled or beaconless mode. In beacon-enabled mode the PAN coordinator defines the duty cycle through the superframe duration (SD) within the superframe structure shown in Figure 25.6. The superframe synchronizes the nodes in the network: nodes communicate only during its active period. In the contention access period (CAP) of the superframe, nodes compete for access to transmit their data using slotted carrier sense multiple access with collision avoidance (CSMA/CA). The contention free period (CFP) provides guaranteed time slots (GTSs) to nodes that have previously reserved them. One cycle of active and inactive periods occurs within a beacon interval (BI), which starts at the beginning of one beacon frame and ends at the beginning of the next. SD and BI are defined in the IEEE 802.15.4 standard as follows [17]:

Figure 25.6. IEEE 802.15.4/ZigBee superframe format [18].

(25.1) $SD = \mathrm{aBaseSuperframeDuration} \cdot 2^{SO}$ symbols,

(25.2) $BI = \mathrm{aBaseSuperframeDuration} \cdot 2^{BO}$ symbols,

where SO is the superframe order and BO is the beacon order. The standard constrains them to $0 \le SO \le BO \le 14$, and aBaseSuperframeDuration is the constant 960 symbols (aBaseSlotDuration = 60 symbols times aNumSuperframeSlots = 16), so the active period is divided into 16 equal slots of $60 \cdot 2^{SO}$ symbols each and the fraction of the beacon interval a node must stay awake is $SD/BI = 2^{SO-BO}$.
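As an added worked example for Eqs. (25.1) and (25.2) (not from the chapter), the following evaluates SD, BI and the resulting duty cycle for given orders, and performs a simplified guaranteed-time-slot allocation in the CFP. The constants are the standard's (aBaseSlotDuration = 60 symbols, aNumSuperframeSlots = 16, aMinCAPLength = 440 symbols, at most seven GTSs per superframe; symbol periods of 16 µs for the 2.4 GHz O-QPSK PHY and 25 µs and 50 µs for the 915 MHz and 868 MHz BPSK PHYs); treating slot 0 as wholly consumed by the beacon and allocating greedily in request order is a simplification of the standard's GTS procedure.

```python
import math

# Added worked example for Eqs. (25.1)-(25.2); constants are IEEE 802.15.4's,
# the GTS allocation policy is a simplification of the standard's procedure.
A_BASE_SLOT_DURATION = 60        # symbols
A_NUM_SUPERFRAME_SLOTS = 16
A_BASE_SUPERFRAME_DURATION = A_BASE_SLOT_DURATION * A_NUM_SUPERFRAME_SLOTS  # 960 symbols
A_MIN_CAP_LENGTH = 440           # symbols the CAP must keep
MAX_GTS = 7                      # GTSs a PAN coordinator may allocate per superframe
SYMBOL_US = {"2.4GHz": 16.0, "915MHz": 25.0, "868MHz": 50.0}  # symbol period per PHY


def superframe_timing(so: int, bo: int, band: str = "2.4GHz") -> dict:
    """Evaluate SD and BI for the given superframe and beacon orders."""
    if not 0 <= so <= bo <= 14:
        raise ValueError("standard requires 0 <= SO <= BO <= 14")
    sd = A_BASE_SUPERFRAME_DURATION * 2 ** so  # Eq. (25.1), in symbols
    bi = A_BASE_SUPERFRAME_DURATION * 2 ** bo  # Eq. (25.2), in symbols
    us = SYMBOL_US[band]
    return {
        "SD_symbols": sd, "BI_symbols": bi,
        "SD_ms": sd * us / 1000, "BI_ms": bi * us / 1000,
        "slot_symbols": A_BASE_SLOT_DURATION * 2 ** so,
        "duty_cycle": sd / bi,  # = 2**(SO-BO); the radio may sleep for the rest of BI
    }


def allocate_gts(so: int, requests: list) -> list:
    """Allocate GTSs (lengths in slots) from the end of the superframe backwards,
    so the CFP grows toward the CAP.  Returns (first_slot, length) or None per
    request.  Simplification: slot 0 is treated as consumed by the beacon and
    the CAP must retain at least aMinCAPLength symbols."""
    slot = A_BASE_SLOT_DURATION * 2 ** so
    min_cap_slots = math.ceil(A_MIN_CAP_LENGTH / slot)
    first_allowed = 1 + min_cap_slots        # lowest slot index the CFP may reach
    cfp_start = A_NUM_SUPERFRAME_SLOTS       # CFP currently empty
    result, granted = [], 0
    for length in requests:
        if granted >= MAX_GTS or length < 1 or cfp_start - length < first_allowed:
            result.append(None)              # request cannot be honoured
            continue
        cfp_start -= length
        granted += 1
        result.append((cfp_start, length))
    return result


if __name__ == "__main__":
    print(superframe_timing(3, 6))
    print(allocate_gts(0, [2, 3, 4]))
```

With SO = 0 a slot is only 60 symbols, so eight slots must stay in the CAP and at most seven remain for the CFP; from SO = 3 upwards a single slot already exceeds aMinCAPLength, and the ceiling becomes the seven-GTS limit rather than the CAP.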

Presently, there are various ZigBee-certified products for home automation. Several smart meter vendors have already developed ZigBee-enabled smart meters, which allow the meters to communicate with home appliances and home automation tools. For instance, Landis+Gyr, Itron, and Elster offer advanced ZigBee-enabled smart meters, and Landis+Gyr has also produced a home energy monitor that communicates with its smart meters and reports consumption to consumers. The ZigBee Alliance has also developed a Smart Energy Profile (SEP) to support the needs of smart metering and AMI and to provide communication among utilities and household devices.

What is the Z

Z-Wave is a wireless communication protocol used primarily in smart home networks, allowing smart devices to connect and exchange control commands and data with each other.

What is mesh topology in IoT?

A Mesh IoT network is a local network topology where devices are connected directly in a non-hierarchical way to route data across the network. The devices in a mesh network communicate according to a predefined protocol that allows each device to participate in the data transmission on the network.

What automation protocols use the mesh type of network topology?

Zigbee, Thread, Bluetooth mesh, Z-Wave -- each is a mesh networking protocol and each has unique characteristics and benefits, depending on the application and use case.
