ZigBee Penetration Testing is rising, ZigBee Attacks can be disruptive to your entire network, learn how to secure your IoT network from malicious Hackers.

Zigbee is an open wireless technology that supports low-cost, and low-power devices to communicate effectively through a Wireless mesh network.

Hacking ZigBee
Hacking ZigBee

WWWW – All devices connected

Typical application areas include:

  • Home automation
  • Wireless sensor networks
  • Industrial control systems
  • Embedded sensing
  • Medical data collection
  • Smoke and intruder warning
  • Building automation
  • Remote wireless microphone configuration
Zigbee Devices
Zigbee Devices

ZigBee Stack

ZigBee is a low-power, low-data-rate wireless communication technology. It is frequently used in smart lighting, home automation, and other Internet of Things (IoT) applications.

The ZigBee protocol specifies a set of layers that work together to provide devices with reliable communication.

ZigBee Penetration Testing

ZigBee Physical Layer (PHY) – Layer 1

ZigBee networks are dedicated to sensor networks with low power consumption, they operate on 2.4 GHz ISM Frequency and have the standard IEEE 802.15.4 specification dedicated to radio signals.

It is responsible for transmitting and receiving data over the wireless channel. It handles tasks such as frequency selection, modulation, and signal encoding.

Some extra frequencies:

  • 878Mhz – Europe
  • 915 Mhz – America
  • 745 Mhz – China


There are 16 channels available with 2 MHZ wide and 5 MHz between channels, a channel after is defined and used until the end of the communication.

ZigBee MAC Layer- Layer 2

This layer provides the interface between the network layer and the physical layer. It handles the transmission and reception of data and provides services such as security, acknowledgment, and error detection.

Frame Types:

  • Data –
  • Beacon –
  • ACK –
  • MAC –
  • CRC –

ZigBee Network Layer (ZNL) – Layer 3

Provides the functionality to create and manage a ZigBee network. It handles the routing of messages between devices in the network and supports both mesh and star network topologies.

Physical Device types

Coordinator, Router, End Device

Network Device Types



Network Addresses

ZigBee Topologies

Star, Mesh, and Cluster tree

ZigBee Device Object (ZDO) Layer

This layer provides the interface between the application layer and the rest of the ZigBee stack. It handles device discovery, management, and network formation.

Application Layer

This is the topmost layer in the ZigBee stack. It defines the application-specific functionality and data structures that are exchanged between devices. It is responsible for handling device-specific operations such as sensor readings, device status updates, and control commands.

ZigBee Penetration Testing

  • Physical
  • Key
  • Replay / Injection

Physical Attacks

PirateBUS and GoodFet help us find the encryption key by sniffing the transmission protocols or impersonation a device.

  • 1-Wire
  • JTAG
  • SPI
  • Async Serial

Key Based Attacks

ZigBee has two types of keys hardcoded (pre-shared-key) or updated by OTA.

Replay / Injection Attacks

ZigBee sniffer can be used to collect data

ZigBee Security Frameworks


Zigbee Protocol Analyzer

ZigBee Hacking Hardware

  • ApiMote
  • ELK
  • RZ Raven

Learn more about IoT Hacking – IoT Hacking 101

ZigBee Penetration Testing