
Introduction
ZigBee is considered a secure communication protocol. Its security architecture complements the security services provided by the IEEE 802.15.4 standard. The security services provided by ZigBee include secure key establishment, secure key transfer, frame protection through symmetric encryption, and secure device management.
However, its security features are based on certain inherent assumptions:
• ZigBee adopts an “open trust” model; that is, layers within the protocol stack trust each other, and the layer that generates frames is responsible for protecting the frames produced.
• Security services only protect the interfaces between different devices in an encrypted manner.
• Interfaces between different stack layers on the same device are unencrypted.
• Keys will not unintentionally leak during transmission (the exception is during the pre-configuration of new devices, where a single key may be sent unprotected).
• The availability of a nearly perfect random number generator.
• The availability of tamper-proof hardware.
Considering these assumptions, this article will explore the security model provided by the ZigBee standard, the various keys for secure communication, the recommended key management methods by ZigBee, and other inherent security mechanisms such as authentication, replay attack protection, etc.
ZigBee Security Model
The ZigBee standard supports two types of security models, as shown in Figure 1 below, with the primary distinction being how they allow new devices to join the network and how they protect messages on the network:

Figure 1: ZigBee Security Models
Centralized Security Model: A complex but presumably the most secure model, involving a third logical device and a trust center (network coordinator). The trust center is responsible for:
• Configuring and validating routers and end devices joining the network;
• Generating network keys for encrypted communication across the network;
• Regularly or as needed switching to new network keys. Therefore, if an attacker gains access to the network key, it will have a limited lifecycle before expiration;
• Establishing a unique trust center link key for each device joining the network to ensure secure communication with the trust center and maintain the overall security of the network.
Distributed Security Model: Simple but with lower security. This model only supports routers and end devices. Routers form a distributed network responsible for registering other routers and end devices. Routers publish the network key (used for encrypting messages) to newly joined routers and end devices. All nodes in the network use the same network key to encrypt messages. Additionally, all nodes are pre-configured with a link key (used for encrypting the network key) before registering to the network.
ZigBee Security Keys
Three types of symmetric keys (each 128 bits in length) are used in the ZigBee standard.
Network Key: Used for broadcasting communication, applied by NWK and ZigBee’s APL. Each node requires the network key to securely communicate with other devices on the network. The trust center generates the network key and distributes it to all devices on the network. Devices on the network obtain the network key either through key transfer (to protect the transmitted network key) or pre-installation. There are two different types of network keys: standard (the network key is sent openly) and high security (the network key is encrypted). The type of network key controls how the network key is distributed; it can also control how the network frame counter is initialized. However, this type does not affect the security of the messages.
Link Key: Used for unicast communication, applied by the APS application of the ZigBee protocol stack. Devices obtain the link key through key transfer (the key loading key protects the transmission of the link key), key establishment (based on the “master” key and other network parameters), or pre-installation (e.g., factory-installed). Typically, out-of-band methods (e.g., QR code in product packaging) are used to pre-configure link keys related to the trust center, while link keys between nodes are generated by the trust center and encrypted with the network key before being sent to the nodes.
ZigBee defines two types of link keys: global and unique (which can be two types in succession – the first being the trust center link key; the key is established between the trust center and the device, and the second is the application link key established between two devices outside the trust center). The type of link key determines how devices handle various trust center messages (APS commands), including whether to apply APS encryption.
Additionally, each node can also have the following pre-configured link keys, which will be used to export the trust center link key (export is done via a certificate-based key establishment protocol (if SE security is enabled), APS request key method), Touchlink debugging, or using the Matyas-Meyer-Oseas hash function):
• The default global trust center link key is defined by the ZigBee Alliance. If the application does not specify another link key upon joining, the default is 5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39 (ZigBeeAlliance09) and is used or supported by the device.
• The distributed secure global link key is a manufacturer-specific key used for interaction between devices from the same manufacturer.
• The installation code is a pre-configured link key. All ZigBee devices can contain a unique installation code, a 128-bit random number protected by a 16-bit cyclic redundancy check (CRC). The trust center may require each new device to use a unique installation code to join the centralized security network, and the installation code must match the previously input code (i.e., QR code) at the out-of-band trust center. Upon verifying the installation code, the joining device and the trust center derive a unique 128-bit trust center link key from the installation code using the Matyas-Meyer-Oseas (MMO) hash function.
• Touchlink pre-configured link key.
Master Key: Forms the basis of long-term security between two devices and is used solely by APS. Its function is to maintain the secrecy of the link key exchange between two nodes in the symmetric key establishment protocol (SKKE). Devices obtain the master key through key transfer (the key loading key protects the transmission of the master key), pre-installation, or user input data (such as PIN or password).
Key Management
As mentioned above, one feature of ZigBee is that it has multiple key management mechanisms:
• Pre-installation: Manufacturers install keys into the devices themselves. Users can select a pre-installed key using a series of jumpers in devices that have multiple pre-installed keys.
• Key establishment: This is a local method of generating link keys based on the master key. Different security services of the ZigBee network use keys derived from a one-way function (using the link key as input) to avoid security vulnerabilities caused by unwanted interactions between services. Using unrelated keys ensures logical separation in the execution of different security protocols. This key establishment is based on the SKKE (symmetric key establishment) protocol. The devices involved in the communication must possess the master key, which may be obtained through pre-installation, key transfer, or user input.
• Key transfer: Network devices issue requests to the trust center to send keys to them. This method is suitable for requesting any of the three types of keys in a commercial model, while in a residential model, the trust center retains only the network key. The trust center uses the key loading key to protect the transmission of the master key.
Additionally, in the centralized model, a certificate-based key establishment protocol (CBKE) can be used to distribute keys. CBKE provides a mechanism to negotiate symmetric keys with the trust center based on certificates stored in both devices at manufacturing time, signed by a certificate authority (CA).
ZigBee Protocol Stack Security Measures
IEEE 802.15.4 provides robustness against interference from other networks and uses AES (Advanced Encryption Standard) with a key length of 128 bits (16 bytes) to achieve:
• Data security – by encrypting data payloads and executing
• Data integrity – using message integrity codes (MIC) or message authentication codes (MAC) that are appended to the messages to be sent. This code ensures the integrity of the added MAC header and payload data. (It is created by encrypting part of the IEEE MAC frame using a 128-bit key)
In the IEEE 802.15.4 MAC frame, the auxiliary security header is enabled only when the security enable subfield of the frame control field is turned on. This special header has three fields:
• Security control specifies the type of protection provided by the network. It is where the global security policy is set. The choice of security level determines the key length and what content is to be encrypted. That is, each security level provides a certain degree of frame encryption and integrity checking. ZigBee defines eight different security levels for the NWK and APS layers, as shown in Figure 2 below.

Figure 2: ZigBee Security Levels
• Frame counter is a counter given by the source of the current frame, protecting messages from replay attacks.
• Key identifier specifies the key type required for communication with nodes that need to know.
IEEE 802.15.4 security materials (such as keys, frame counters, and security levels) are stored in access control lists (ACLs). ACLs are used to prevent unauthorized devices from joining the network. ACLs are stored in the MAC PAN information base (PIB) and are accessed and modified similarly to other MAC attributes. Each access control list (ACL) stores the addresses of nodes to communicate with, Security Suite (AEC-CTR, AES-CCM-64, AES-CCM-128, etc.), key: the 128b key used in the AES algorithm, the previous initial vector (IV), and the replay counter (the last IV is used as a message ID by the source and destination’s replay counters to avoid replay attacks). While IEEE 802.15.4 provides security measures, it does not specify how to manage keys or the types of authentication policies applied. These issues are managed by ZigBee. The ZigBee standard supports the following optional security services:
• Encryption/Decryption – ZigBee frames can optionally be protected using the AES-CCM* security suite to provide data confidentiality, data authentication, and data integrity. AES-CCM* is a slight variant of AES (Advanced Encryption Standard) that uses a modified CCM mode (with CBC-MAC).
The following Figure 3 illustrates the role of AES-CCM* in data authentication and confidentiality. At the sender’s end, plaintext in the form of a 128-bit data block enters AES-CCM*. The job of AES-CCM* is to encrypt the data and generate the associated MIC, which is sent along with the frame to the receiver. The receiver uses AES-CCM* to decrypt the data and generates its own MIC from the received frame to compare with the received MIC (data integrity). Compared to CRC, MIC provides a stronger authenticity guarantee. The MIC generated by CCM* is used to detect intentional and unauthorized data modifications as well as accidental errors.
CCM* is known as a universal operation mode that combines data encryption, data authentication, and data integrity. CCM* provides only encryption and integrity functions, as shown in Figure 2 above. The random number used in this process is a 13-byte string constructed using the security control, frame counter, and source address field of the auxiliary header. The size of the MIC can be 32 bits, 64 bits, or 128 bits.

Figure 3: The Role of AES-CCM* in Data Authentication and Confidentiality
• Replay attack protection: Each node in the ZigBee network contains a 32-bit frame counter that increments with each packet transmission. Each node also tracks the last 32-bit frame counter of each connected device (node). If a node receives a packet from an adjacent node with the same or smaller frame counter value as the last received frame counter, the packet is discarded. This mechanism enables replay attack protection by tracking packets and discarding them when the node has already received them. The maximum value of the frame counter can be 0XFFFFFFFF, but once the maximum is reached, no further transmissions can occur. The frame counter is reset to 0 only when the network key is updated.
• Device authentication: The ZigBee standard supports device authentication and data authentication. Device authentication is the act of confirming that a new device joining the network is legitimate. The new device must be able to receive the network key and set appropriate attributes within a given timeframe for authentication. Device authentication is performed by the trust center. The authentication procedures differ between residential and commercial modes.
In residential mode, if a new device joining the network does not have the network key, the trust center sends the network key over an unprotected link, leading to a security vulnerability. If the new device already has the network key, it must wait to receive a virtual (all zeros) network key from the trust center as part of the authentication process. The new device does not know the address of the trust center and uses the source address of the received message to set the trust center address. The joining device is then considered authenticated for residential mode.
In contrast, in commercial mode, the trust center never sends the network key to the new device over an unprotected link. However, if the new device does not have a shared master key with the trust center, an unsecured master key can be sent in commercial mode. Once the new device receives the master key, the trust center and the new device initiate the key establishment protocol (SKKE). The new device has a limited time to establish a link key with the trust center. If the new device cannot complete the key establishment before the timeout period ends, it must leave the network and retry the association and authentication process again. Once the new link key is confirmed, the trust center sends the network key to the new device over a secure connection. The joining device is now considered authenticated in commercial mode.
Additionally, ZigBee supports unique device authentication upon joining, such as Touchlink debugging – an easy-to-use proximity mechanism for commissioning devices into the network. This method works by determining the proximity of the target device (to be commissioned) through the Touchlink ‘initiator’ and negotiating/transmitting network parameters.
Secure Wireless (OTA) Firmware Upgrade: OTA updates allow manufacturers to add new features, fix defects in their products, and apply security patches when new threats are identified. However, if the protocol does not provide adequate protection, or if the device manufacturer does not use all available security measures, OTA updates can also represent potential security vulnerabilities. ZigBee devices and the associated silicon platforms provide multi-layered security for updating field devices and ensure that unupdated maliciously modified code images:
• First, the ZigBee standard provides a method for wirelessly transmitting all images encrypted using unique keys.
• Second, the standard provides a method to sign OTA images with another unique key.
• Third, images can be encrypted during manufacturing so that only the final product contains the key for decrypting it.
• Finally, images can be stored in chip memory configured to disable debugging readback functionality, preventing reverse engineering using standard debugging tools, which is a common vulnerability in other solutions.
During OTA upgrades, once the device receives the encrypted image, its secure bootloader will decrypt the image, verify the signature, and then update the device. Additionally, each time the device boots, the bootloader checks the validity of the active image. If the image is invalid, the bootloader will prevent it from being updated and revert to using a previously known good image. Thus, image corruption will be quickly detected, and system operators can take action.
Logical Link-Based Encryption: Another key security tool is the ability to create application-level secure links between pairs of devices in the network. This is managed by establishing a set of unique AES-128 encryption keys between pairs of devices. This allows for logical secure links between any two devices in the network, thereby supporting “virtual private links” between a pair of devices in the network and many other devices. This measure limits the ability of an attacker who obtains the network key to intercept or inject messages that other devices will act upon.
Runtime Key Update: Periodically or as needed, the trust center actively changes the network key. The trust center generates a new network key and distributes it throughout the network by encrypting it with the old network key. After the update, all devices will retain the old network key for a short time until every device on the network switches to the new network key. Additionally, devices will initialize their frame counters to zero upon receiving the new network key.
Network Interference Protection: In low-cost ZigBee nodes, using selective filters may be one option to protect the network from interference due to cost or node size limitations. However, the fundamental characteristics of the ieee802.15.4 and ZigBee networks, such as low RF transmission power, low duty cycle, and CSMA/CA channel access mechanisms, help reduce the impact of ZigBee wireless networks on nearby other systems and vice versa. There are two ways to improve the coexistence performance of ZigBee networks: cooperative and non-cooperative.
In the cooperative approach, certain operations of ZigBee networks and other networks (e.g., IEEE 802.11b/g networks) are managed together. Whenever one network is active, the other network remains inactive to avoid packet collisions. In this approach, there must be a communication link between the ZigBee network and other networks to achieve and manage cooperation.
The non-cooperative approach is a procedure that any ZigBee network can follow to improve its coexistence performance without knowing the operational mechanisms of nearby interfering wireless devices. This approach is based on detecting and assessing interference and avoiding it whenever possible. Some non-cooperative methods that can be utilized in ZigBee wireless networks include:
• Carrier Sense Multiple Access (CSMA/CA) with collision avoidance
• Spread spectrum techniques similar to DSSS that allow the desired signal to have the advantage of processing gain against any interference residing in the same band. Thus, signal spreading generally improves the network’s robustness against interference sources.
• Dynamic RF output power control – adjusting the transmitter’s RF output power based on channel conditions and distance between nodes. Reducing the transmitter’s output power can decrease interference with nearby other wireless devices, but the signal receiver is more susceptible to interference.
• Mesh networks and location-aware routing – if a router node in the network is consistently subject to strong interference, leading to frequent failures in packet delivery to the next hop, the mesh network can choose alternative paths to carry messages to their final destination, avoiding routers close to the main interference source. This is sometimes referred to as path diversity. In location-aware routing, information about potentially high interference areas can be considered when calculating link cost functions (if known). In this way, packet traffic can be guided away from high interference areas whenever possible. However, interference sources still affect transmissions initiated or intended to be sent by nodes within high interference areas.
• Frequency channel selection – when the energy of interference signals in the desired channel is unacceptable, changing frequency channels can be a simple solution to interference issues. ZigBee provides frequency hopping capabilities that allow the entire network to change channels during interference. If the operational frequency and bandwidth of interference signals in nearby networks are known, the frequency channel of the ZigBee network can be selected accordingly to minimize the impact of interference signals. This is referred to as channel alignment.
• Adaptive packet length selection – based on channel conditions. Reducing packet size is often considered a way to improve PER in the presence of interference. Generally, smaller packets have a better chance of reaching the intended destination before interference sources appear on the same frequency channel. However, some experiments indicate that reducing packet lengths does not always yield better PER performance.
Conclusion
Although ZigBee was designed with security in mind, trade-offs are still required to maintain low cost, low power consumption, and high compatibility of devices. It allows the same key to be reused between different layers on the same device and enables end-to-end security on a device-to-device basis, rather than between specific layer pairs on two communicating devices (or even application pairs). Additionally, for device interoperability, ZigBee uses the same security level across all devices and all layers on a given network. Nevertheless, these measures inevitably lead to security risks. Therefore, the burden falls on developers to address these issues and include strategies for detecting and handling errors, lost key synchronization, regular key updates, etc.
While this article has explored the basic security features provided by ZigBee, the next article, ZigBee Security: Penetration Testing Part 1, will explore various attacks that can be performed on ZigBee-supporting devices and the tools available for performing assessments.
References
[1] ZigBee Specification Document 053474r20. Provided by the ZigBee Alliance.
[2] http://www.libelium.com/security-802-15-4-zigbee/
[3] http://www.embedded-computing.com/embedded-computing-design/zigbee-evolution-continues-with-wireless-iot-security-updates
[4] ZigBee Wireless Networks and Transceivers – Shahin Farahani
[5] Maximizing ZigBee Network Security – NXP

