"ZigBee was the first wireless standard designed from the ground up for the sensor network constraint: a mesh of 250 kbps nodes on the same coin cell for years."
Lecture (90 min)
7.1 IEEE 802.15.4: The Physical and MAC Foundation
ZigBee, Thread, WirelessHART, ISA100, and Z-Wave all build on (or borrow concepts from) IEEE 802.15.4. Understanding the base layer is prerequisite to reading protocol-RE captures.
802.15.4 physical layer:
| Band | Frequency | Channels | Data rate | Modulation |
|---|---|---|---|---|
| 2.4 GHz (global) | 2.405-2.480 GHz | 11-26 (16 channels, 5 MHz spacing) | 250 kbps | O-QPSK with DSSS |
| 868 MHz (EU) | 868.3 MHz | 0 (1 channel) | 20 kbps | BPSK with DSSS |
| 915 MHz (US) | 902-928 MHz | 1-10 (10 channels) | 40 kbps | BPSK with DSSS |
At 2.4 GHz the modulation is Offset-QPSK (O-QPSK) with direct-sequence spreading. O-QPSK delays the Q branch by half a symbol period so the carrier never makes a 180° phase transition (which would cause amplitude dips and widen the spectrum). Spreading maps each 4-bit symbol to a 32-chip sequence (Hadamard codes), giving a chip rate of 2 Mchip/s for the 250 kbps data rate.
PPDU (Physical Protocol Data Unit):
| Sync header (SHR) | PHR | PSDU |
|---|---|---|
| 4B preamble + 1B SFD | 1B (frame length) | payload up to 127B |
SFD = 0xA7 (Start Frame Delimiter). The preamble is 4 bytes of 0x00 before the SFD. Your 802.15.4 sniffer locks on the SFD, then reads the PHR to learn how many PSDU bytes follow.
CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance): Before transmitting, a device performs a Clear Channel Assessment (CCA) using energy detection or carrier sense. If the channel is idle for a backoff period, it transmits. The MAC includes ACK frames for confirmed delivery.
Frame types:
| Type | Purpose |
|---|---|
| Beacon | Sent by coordinator on a schedule; defines superframe structure |
| Data | Carries application payload; source/destination addresses |
| Acknowledgement | Confirms receipt of data/command frames |
| Command (MAC command) | Association request, beacon request, disassociation, data request |
Addressing: 802.15.4 supports both 16-bit short addresses (assigned by the PAN coordinator after association) and 64-bit IEEE EUI-64 addresses. The PAN ID identifies the network. The addressing fields carry the PAN ID; the addressing-mode and PAN ID compression bits in the Frame Control Field (FCF) tell a parser which address and PAN ID fields are present.
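To make the FCF and addressing rules concrete, here is an added example (not part of the lecture notes) that parses the MAC header of a constructed ZigBee-style 802.15.4 data frame and verifies its FCS; the frame bytes are invented for illustration, not a real capture.

```python
import struct

# 802.15.4 FCF bit layout (2006 revision); names follow the lecture's frame-type table.
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}   # addressing mode -> address length in bytes (1 is reserved)

def crc16_itu(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 with x^16+x^12+x^5+1, LSB-first, init 0, no final XOR."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_mac_frame(psdu: bytes) -> dict:
    """Parse the MAC header of a PSDU (PHR already stripped) and check its FCS."""
    fcf = struct.unpack_from("<H", psdu, 0)[0]
    hdr = {
        "type": FRAME_TYPES[fcf & 0x7],
        "security": bool(fcf & 0x08),       # MAC-layer security; ZigBee normally secures at NWK instead
        "ack_request": bool(fcf & 0x20),
        "pan_compression": bool(fcf & 0x40),  # set: source PAN ID omitted (same PAN as destination)
        "frame_version": (fcf >> 12) & 0x3,
        "seq": psdu[2],
    }
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    pos = 3
    if dst_mode:
        hdr["dst_pan"] = struct.unpack_from("<H", psdu, pos)[0]
        pos += 2
        hdr["dst"] = int.from_bytes(psdu[pos:pos + ADDR_LEN[dst_mode]], "little")
        pos += ADDR_LEN[dst_mode]
    if src_mode:
        if not hdr["pan_compression"]:
            hdr["src_pan"] = struct.unpack_from("<H", psdu, pos)[0]
            pos += 2
        hdr["src"] = int.from_bytes(psdu[pos:pos + ADDR_LEN[src_mode]], "little")
        pos += ADDR_LEN[src_mode]
    hdr["payload"] = psdu[pos:-2]           # NWK frame starts here for a ZigBee data frame
    hdr["fcs_ok"] = crc16_itu(psdu[:-2]) == struct.unpack_from("<H", psdu, len(psdu) - 2)[0]
    return hdr

def build_frame(header_and_payload: bytes) -> bytes:
    """Append the FCS so a constructed frame parses with fcs_ok == True."""
    return header_and_payload + struct.pack("<H", crc16_itu(header_and_payload))

# Constructed sample: FCF 0x8841 (data, PAN ID compression, short addresses), seq 0x3A,
# PAN 0x1234, dst 0x0000 (coordinator), src 0x1D7C, then 8 bytes of opaque NWK payload.
SAMPLE = build_frame(bytes.fromhex("4188" "3a" "3412" "0000" "7c1d") + bytes.fromhex("480200007c1d1e5b"))

if __name__ == "__main__":
    print(parse_mac_frame(SAMPLE))
```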
7.2 ZigBee: Network, Security, and Application Layers
ZigBee (Zigbee Alliance, now Connectivity Standards Alliance) adds three layers above 802.15.4:
Application (ZCL — ZigBee Cluster Library; profiles: HA, SE, ZLL, etc.)
↑
Application Support Sublayer (APS)
↑
Network Layer (NWK — routing, addressing, security keys)
↑
IEEE 802.15.4 MAC + PHY
ZigBee device roles:
| Role | Description | 802.15.4 analog |
|---|---|---|
| Coordinator | Forms the network; holds the trust centre; issues network keys | Full-function device |
| Router | Routes frames; extends coverage; always-on | Full-function device |
| End Device | Leaf node; may sleep between data polls; cannot route | Reduced-function device |
ZigBee security model:
ZigBee uses AES-128 in CCM* mode at the network layer (NWK) and optionally at the application support sublayer (APS).
Network key: A 128-bit key shared across all devices in the network. Encrypts NWK-layer frames. Distributed by the trust centre (typically the coordinator) during joining.
Link key: A 128-bit per-pair key between two devices. Encrypts APS-layer traffic between those two devices.
The trust-centre join procedure:
- New device scans for beacons, selects a PAN, sends Association Request
- Coordinator sends Association Response with short address
- Trust centre sends the Network Key to the new device
- The key transport frame is encrypted with a pre-configured or well-known transport key
The well-known transport key vulnerability: ZigBee 2004/2006 profiles used a default transport key of 0xD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDF. This is published in the specification. If the coordinator sends the network key encrypted with this default transport key, a passive observer who captures the join procedure can decrypt the network key and then decrypt all subsequent NWK-layer traffic.
ZigBee 3.0 (2016) requires Install Codes (unique per-device keys derived from an 8-byte install code + CRC) instead of the well-known default. But many deployed ZigBee 2006 devices remain in the field.
ZigBee cluster library (ZCL): The application-layer data model. Clusters define:
- Commands: actions (e.g., On/Off cluster command 0x01 = "On")
- Attributes: data points (e.g., OnOff attribute = current state)
Common security-relevant clusters: On/Off (0x0006), Level Control (0x0008), Door Lock (0x0101), Occupancy Sensing (0x0406).
7.3 Sniffing and Capturing ZigBee
Hardware options for 802.15.4 sniffing:
| Tool | Cost | Notes |
|---|---|---|
| nRF52840 USB dongle (Nordic) | ~$10 | Wireshark plugin; 2.4 GHz only; per-channel |
| CC2531 USB sniffer (TI) | ~$10 | Wireshark plugin via whsniff; legacy; still widely used |
| ANTSDR E200 + gr-ieee802-15-4 | ~$400 | Full TX/RX; software demodulation via GNU Radio block |
| RTL-SDR | ~$40 | Receive-only; limited for 802.15.4 because demodulation requires a full O-QPSK software demodulator |
Wireshark ZigBee dissection:
Wireshark includes built-in ZigBee dissectors. To decrypt encrypted ZigBee frames, add the network key (and optionally link keys) to Wireshark's ZigBee key database:
Edit → Preferences → Protocols → ZigBee → ZigBee Keys → Add
Key: d0:d1:d2:d3:d4:d5:d6:d7:d8:d9:da:db:dc:dd:de:df
If the default transport key was used during joining, add that transport key first so Wireshark can decrypt the key transport frame; then add the network key it reveals, and every subsequent NWK-layer frame in the capture is shown in plaintext.
Practical capture with nRF52840 sniffer:
```bash
# Flash nRF Sniffer firmware (see SETUP.md)
# Launch Wireshark with nRF Sniffer extcap plugin
wireshark -i /dev/ttyACM0 # nRF52840 serial port
# Or: use nrf-sniffer-for-802-15-4 (for 802.15.4 captures)
# Nordic Infocenter: nRF Sniffer for 802.15.4
```
7.4 ZigBee vs. Z-Wave vs. Thread vs. Matter
The Architecture Comparison Sidebar for Layer-2 protocols (full version in handouts/cross-chapter-rf-201-architecture-sidebars.md) includes mesh protocols:
| Protocol | PHY | Band | Mesh | Security | Primary use |
|---|---|---|---|---|---|
| ZigBee | 802.15.4 O-QPSK | 2.4 GHz / 868 / 915 MHz | Yes (self-healing mesh) | AES-128 CCM*; trust-centre model | HA, smart lighting, industrial sensors |
| Z-Wave | DSSS FSK | 868/908/916 MHz (region-specific) | Yes (source-routed mesh) | AES-128 CCM; S2 frame; per-pair keys | HA smart switches, locks, sensors |
| Thread | 802.15.4 + IPv6 | 2.4 GHz | Yes (border router to IP) | DTLS for commissioning; ECDH; per-device certs | Google Home, Apple HomePod; Matter transport |
| Matter | Thread / Wi-Fi / Ethernet | Varies | Via transport layer | CASE (Certificate Authenticated Session Establishment) | Cross-ecosystem smart home (Apple/Google/Amazon) |
Z-Wave security: Z-Wave S2 (2017) uses Elliptic Curve DH for key establishment, CMAC for authentication, and AES-128-OFB for encryption. Pre-S2 devices (Z-Wave S0 or unsecured) are vulnerable to eavesdropping and command replay.
Homework
Reading (1.5 hr):
- ZigBee specification §5 (NWK layer) and §6 (APS layer) — publicly available from csa-iot.org (selected sections)
- Wireshark wiki: ZigBee protocol analysis
- "Hacking ZigBee Networks" (DEFCON 22 talk by Travis Goodspeed) — freely available slides/paper
Hands-on (1.5 hr): If you have any ZigBee devices (Philips Hue, IKEA Tradfri, smart plug, smart lock), scan for their PAN ID and device addresses using the nRF52840 sniffer or a ZigBee sniffer app. Without the network key:
- Can you see unencrypted frames (e.g., beacon frames, MAC commands)?
- Can you identify device roles (coordinator, router, end device) from the MAC-layer addresses?
- What does the key distribution (if you observe a join) tell you about the security mode in use?
If no ZigBee hardware: use Lab 6's pre-captured PCAP. Apply the default ZigBee transport key in Wireshark and attempt to decrypt the network key from the join procedure frames.
Key Terms
- IEEE 802.15.4: the physical and MAC layer standard underlying ZigBee, Thread, WirelessHART, and ISA100
- O-QPSK: Offset-QPSK; 802.15.4's modulation at 2.4 GHz; offsets Q by half a symbol to prevent 180° phase transitions
- Trust centre: ZigBee coordinator role that holds master keys and distributes the network key to joining devices
- Network key: ZigBee AES-128 symmetric key shared by all network members; encrypts NWK-layer frames
- Install code: ZigBee 3.0 per-device unique key for secure key distribution; replaces the well-known default transport key
- ZCL (ZigBee Cluster Library): application-layer data model; clusters define commands and attributes for device functionality
- SFD (Start Frame Delimiter): 0xA7 byte marking the start of an 802.15.4 PPDU after the preamble; sniffers synchronise on this
- CCM* (Counter with CBC-MAC, extended): AES mode used in 802.15.4 and ZigBee for authenticated encryption