ZLeaks: Passive Inference Attacks on Zigbee based Smart Homes

TL;DR

ZLeaks demonstrates that passive analysis of encrypted Zigbee traffic can reveal device identities and user habits, exposing privacy vulnerabilities in smart home IoT networks.

Contribution

This work introduces ZLeaks, a novel passive inference tool that uncovers device activities and user behaviors from encrypted Zigbee traffic, highlighting privacy risks in smart home deployments.

Findings

Achieved 83.6% accuracy in identifying unknown events and devices.

99.8% accuracy in recognizing known devices via reporting signatures.

91.2% accuracy in inferring application layer commands from public captures.

Abstract

Zigbee is an energy-efficient wireless IoT protocol that is increasingly being deployed in smart home settings. In this work, we analyze the privacy guarantees of Zigbee protocol. Specifically, we present ZLeaks, a tool that passively identifies in-home devices or events from the encrypted Zigbee traffic by 1) inferring a single application layer (APL) command in the event's traffic, and 2) exploiting the device's periodic reporting pattern and interval. This enables an attacker to infer user's habits or determine if the smart home is vulnerable to unauthorized entry. We evaluated ZLeaks' efficacy on 19 unique Zigbee devices across several categories and 5 popular smart hubs in three different scenarios; controlled RF shield, living smart-home IoT lab, and third-party Zigbee captures. We were able to i) identify unknown events and devices (without a-priori device signatures) using command inference approach with 83.6% accuracy, ii) automatically extract device's reporting signatures, iii) determine known devices using the reporting signatures with 99.8% accuracy, and iv) identify APL commands in a public capture with 91.2% accuracy. In short, we highlight the trade-off between designing a low-power, low-cost wireless network and achieving privacy guarantees. We have also released ZLeaks tool for the benefit of the research community.