Zigbee Technology Security: Examination and Possible Solutions

By Preyas Soni

Engineer, IoT and Cybersecurity


February 13, 2023


Zigbee Technology Security: Examination and Possible Solutions

In recent years, wireless technology has advanced quickly. Its benefits encompass accountability, simplicity, and reasonable cost. There are several wireless tracking applications for commercial and residential settings that demand less complexity, slower data transmission rates, and longer battery life than those from established standards.

The growth in Micro-Electro-Mechanical Systems (MEMS) technology has eased the development of smart sensors. Wireless sensor networking has been one of the most popular and active study fields in the networking and communication sector in the last few years.

Zigbee is a wireless PAN (Personal Area Network) technology that helps provide automation, machine-to-machine communication, remote control, and monitoring of Internet of Things gadgets. ZigBee Alliance has accomplished an amazing job in achieving integrity, confidentiality, and authentication. It did not, however, offer a complete security suite. Here, we examine real-life attacks that could be launched against a ZigBee network as well as ZigBee vulnerabilities.

What is Zigbee Technology?

ZigBee is a low-budget, non-proprietary wireless technology used in embedded devices low-powered to provide effective device-to-device communication (devices range between 10 to 100 meters). ZigBee Pro, ZigBee RF4CE, and ZigBee IP are the three network standards that the ZigBee Alliance offers.

ZigBee is regarded as a safe communication standard as it offers a variety of security features, including secure key creation, safe key transfer, symmetric cryptographic frame protection, and secure device management.

Zigbee Protocol Security Architecture 

As shown in the figure below, the ZigBee protocol stack is composed of four layers: Network layer (NWK), Application layer (APL), Physical layer, and medium access control (MAC) layer. The Physical and MAC layers are regulated by the IEEE 802.15.4, while the ZigBee standard governs the network and application layers.

Physical Layer (PHY)- It operates at 868/915 MHz and 2.4 GHz frequency bands to run. Energy control, creation of packets, and unambiguity of data are handled by the physical layer.

MAC Layer- Two functionalities are provided by this layer: Integrity and Encryption. Security and CCM* enhancements are both provided by the IEEE 802.15.4 standard. It is responsible for communication through beacon frames and radio channel access control via the CSMA-CA method. CCM is an updated counter that encrypts data using the CBC-MAC mode.

Network Layer (NWK)- The MAC layer is operated correctly by the network layer, which also offers a suitable service communion to the application layer. The frame-protection technique of the NWK layer utilizes the CCM and Advanced Encryption Standard (AES) algorithms for authentication and confidentiality. It communicates with the application layer through the control entity and data entity.

Application Layer (APL)- It incorporates ZigBee device objects (ZDOs), Application support sub-layer (APS), and Application Framework.

  • a) Application Support Sublayer (APS) - Services are offered through the APS Control entity and APS data entity (APSDE: delivers services for data transmission between application modules), (APMSE: provides security services, binding of devices and group controls). The APS layer is responsible for managing and securely producing cryptographic keys.
  • b) Application Framework - Application entities are hosted in the application framework. These are typically vendor-defined application objects. It defines application profiles (processing actions according to building interoperable applications and correspondence for messages and their formats) and clusters.
  •  c) ZigBee Device Objects (ZDO) - It offers intercommunication with APS, device profile, and application objects. To establish and carry out device and service discovery, security management (key establishment and transport, key authentication), network management (locating a network, rearrangement of network connection), binding, node, and group management, it compiles configuration data from the end applications.

Security Service Provider: This layer offers device administration, frame protection, key establishment, and key transport services for both NWK and APS.

Four types of logical devices are specified by the ZigBee Device Object. Each plays a certain role.

  • Coordinator: It is the root node in a tree or mesh topology, whereas it is the central node in a star topology. Its primary activity is to allocate addresses, allow nodes to join or leave the network, and transfer application packets. It must not be in sleep mode.
  • Trust Center: In the Zigbee security network, at least one Trust Center must be included. Either regular or high-security mode can be selected for operation. Its basic functionalities are to offer key distribution and device authentication.
  • Router: The task of routing packets among end devices is performed by the router, an intermediate node device. Routers need permission from the Trust Center to join the network if security is allowed on it. Routers must be powered on since they connect different parts of a network.
  • End Device: An end device is a sensor node that monitors and gathers environmental data. When there is no action, they can be put to sleep to preserve energy.

Security Flaws and Concerns with Zigbee Protocol

The ZigBee standard has undergone numerous secure improvements since its initial release in 2004; yet, because of its limited processing capability, it is more vulnerable to network attacks. As a result, it is crucial to identify network and security risks to the ZigBee standard, assess their criticality, and provide appropriate security controls and countermeasures.

By using the Wireless Sensor Networks threat model, Fig depicts potential ZigBee threats and attacks.

  1. Layer Attacks
    1. Network Layer Attacks: Wormholes and Selective forwarding attacks are examples of network layer attacks. The sender node is duped into believing that two malicious nodes are nearby even though they may be out of range by one or two hops.
    2. MAC Layer Attacks: One type of MAC layer attack used to cause DoS is Link Layer Jamming, which prevents messages from being sent between the sending and receiving nodes.
    3. Transport Layer Attacks: Flooding and de-synchronization attacks are two examples of possible attacks. In a flood attack, the targeted node is bombarded with multiple erroneous connection establishment requests.
  2. Target Attacks
    1. Sink Attacks: When a malicious node declares a route to be the shortest path, a sinkhole attack might happen. Because all routing algorithms use such a path, more network traffic will be sent toward it.
    2. Source Attacks: Here, the attacker hacks one legitimate node to function as a "black hole node" where a node selectively discards packets it receives - to cause other nearby nodes to hunt for a different route after the first one fails.
  3. Method Attacks
    1. Active Attacks: The attacker can alter and inject error data frames while intercepting the network. Data integrity and confidentiality are compromised.
    2. Passive Attacks: Without compromising the integrity of the data, the attacker observes the flow.

Restrictions and Defenses for Security

  • Guidelines for avoiding ZigBee Key acquisition

The Standard Security level of the ZigBee protocol, which involves delivering the network key unencrypted over the air, should be discarded. The ZigBee keys must be preloaded out of the band and not communicated over the air to avoid their capture by an attacker. The physical location of ZigBee devices must be protected. Manufacturers should not provide default key settings.

  • Best Practices for preventing Replay Attacks

A ZigBee protocol should be set up so that it can verify that the sequence number of the freshly received packet is at least one number more than the sequence number of the previously received packet to prevent replay attacks.

  • Effective strategies to prevent DoS attacks

Maintaining a list of malicious nodes is another method of mitigation. Distorted security headers along with messages noticed by a Victim Node, Network will have a popup with alert notes, Sender node will be added to the Blacklist. Monitoring the ZigBee devices' energy use since a denial-of-service attack will cause them to lose power much more quickly than usual.


In conclusion, Zigbee’s security is not strong and must be implemented with other security measures. Concentrating on the basics is the best method for protecting IoT (Internet of Things) devices. Creating an extra layer of protection by incorporating security system attributes and integrating tamper detection tools are some of the best ways to thwart attacks.

Merchants should continuously observe best practices and strive for confidentiality, integrity, and availability (the CIA triad) while designing IoT devices. Over time, firmware must be upgraded, just like any other programming that helps secure the network and the IOT’s capacity to perform all operational tasks smoothly.

Users must be aware about the potential IoT device vulnerabilities, which is a key component of awareness training for customers. Most high-end technology companies use secure-by-design methodology to defend IoT technology from baseline. To protect connected device networks at all device-connectivity-application levels, technology companies aid enterprises in developing, deploying, and managing security solutions on a worldwide scale.


Preyas Soni works as an Engineer at eInfochips in the IoT /Cybersecurity Team. A Certified Ethical Hacker with experience in Web Application & Mobile VAPT and database security, he also holds a Master's Degree in Cyber Security.

Preyas Soni works as an Engineer at eInfochips in the IoT /Cybersecurity Team. A Certified Ethical Hacker with experience in Web Application & Mobile VAPT and database security, he also holds a Master's Degree in Cyber Security.

More from Preyas