Looking under the Hood of Z-wave: Volatile Memory Introspection for the ZW0301 Transceiver
Document Type
Article
Publication Date
12-19-2018
Abstract
Z-Wave is a proprietary Internet of Things substrate providing distributed home and office automation services. The proprietary nature of Z-Wave devices makes it difficult to determine their security aptitude. While there are a variety of open source tools for analyzing Z-Wave frames, inspecting non-volatile memory, and disassembling firmware, there are no dynamic analysis tools allowing one to inspect the internal state of a Z-Wave transceiver while it is running. In this work, a memory introspection capability is developed for three Z-Wave devices containing a ZW0301, a Z-Wave transceiver system-on-chip. In all three devices, the firmware image is modified to include the memory introspection capability by hooking an existing data exfiltration mechanism used by the device. The memory introspection capability is applied to determine how nonces are generated by Z-Wave devices to prevent replay attacks. Through a combination of static and dynamic analysis, the nonce generating algorithm is found to be based on a nonce round key that updates every secure frame transaction.
DOI
Source Publication
ACM Transactions on Cyber-Physical Systems (ISSN 2378-962X | eISSN 2378-9638)
Recommended Citation
C. W. Badenhop, S. R. Graham, B. E. Mullins, and L. O. Mailloux. 2018. Looking Under the Hood of Z-Wave: Volatile Memory Introspection for the ZW0301 Transceiver. ACM Trans. Cyber-Phys. Syst. 3, 2, Article 20 (April 2019), 24 pages. https://doi.org/10.1145/3285030
Comments
Copyright © 2018 Public Domain. This paper is authored by an employee(s) of the United States Government and is in the public domain. Non-exclusive copying or redistribution is allowed, provided that the article citation is given and the authors and agency are clearly identified as its source.
The "Link to Full Text" on this page opens the full article hosted at ACM.