In this work, we analyze the privacy guarantees of Zigbee protocol, an energy-efficient wireless IoT protocol that is increasingly being deployed in smart home settings. Specifically, we devise two passive inference techniques to demonstrate how a passive eavesdropper, located outside the smart home, can reliably identify in-home devices or events from the encrypted wireless Zigbee traffic by 1) inferring a single application layer (APL) command in the event's traffic burst, and 2) exploiting the device's periodic reporting pattern and interval. This enables an attacker to infer user's habits or determine if the smart home is vulnerable to unauthorized entry. We evaluated our techniques on 19 unique Zigbee devices across several categories and 5 popular smart hubs in three different scenarios: i) controlled shield, ii) living smart-home IoT lab, and iii) third-party Zigbee captures. Our results indicate over 85% accuracy in determining events and devices using the command inference approach, without the need of a-priori device signatures, and 99.8% accuracy in determining known devices using the periodic reporting approach. In addition, we identified APL commands in a third party capture file with 90.6% accuracy. Through this work, we highlight the trade-off between designing a low-power, low-cost wireless network and achieving privacy guarantees.

中文翻译：

---

ZLeaks：对基于 Zigbee 的智能家居的被动推理攻击

在这项工作中，我们分析了 Zigbee 协议的隐私保证，Zigbee 协议是一种越来越多地部署在智能家居环境中的节能无线物联网协议。具体来说，我们设计了两种被动推理技术来演示位于智能家居外部的被动窃听者如何通过 1) 推断单个应用层 (APL) 命令，从加密的无线 Zigbee 流量中可靠地识别家庭设备或事件。事件的流量突发，以及 2) 利用设备的定期报告模式和间隔。这使攻击者能够推断用户的习惯或确定智能家居是否容易受到未经授权的进入。我们在 19 个独特的 Zigbee 设备上评估了我们在三个不同场景中的多个类别和 5 个流行的智能集线器的技术：i）受控屏蔽，ii) 生活智能家居物联网实验室，以及 iii) 第三方 Zigbee 捕获。我们的结果表明，使用命令推理方法确定事件和设备的准确度超过 85%，无需先验设备签名，使用定期报告方法确定已知设备的准确度为 99.8%。此外，我们以 90.6% 的准确率识别了第三方捕获文件中的 APL 命令。通过这项工作，我们强调了设计低功耗、低成本无线网络与实现隐私保证之间的权衡。我们以 90.6% 的准确率识别了第三方捕获文件中的 APL 命令。通过这项工作，我们强调了设计低功耗、低成本无线网络与实现隐私保证之间的权衡。我们以 90.6% 的准确率识别了第三方捕获文件中的 APL 命令。通过这项工作，我们强调了设计低功耗、低成本无线网络与实现隐私保证之间的权衡。