[Diagrams: network layout labelled Ethernet, WiFi, ZigBee (Radio), Attacker and Attacker Controlled; successive diagrams are labelled ZigBee Factory Reset, Malicious OTA Update and ZigBee Exploit]
[Diagram: Levels 5+; ZigBee Cluster Library (ZCL); ZigBee Device Profile (ZDP); Some Application; ZigBee “Modem”; ATSAMR21E18E]
“… (the bridge) is using a single huge process that does everything”
E_ZCL_BOOL (0x10)
E_ZCL_UINT8 (0x20)
E_ZCL_ARRAY (0x48)
E_ZCL_UINT32 (0x23)
Yup, this firmware contains symbols!
github.com/CheckPointSW/Cyber-Research/tree/master/Vulnerability/Smart_Lightbulbs
Goal: Confuse malloc() to “allocate” a buffer at an arbitrary address
@EyalItkin