ZigBee is a wireless technology standard for connecting Internet of Things (IoT) devices based on the IEEE 802.15.4 specification. Similarly to other IoT protocols, ZigBee faces numerous security issues that threaten the confidentiality, integrity and availability of its networks and services. ZigBee is implemented with a variant of the 128-bit Advanced Encryption Standard with symmetric keys for node authentication and data confidentiality. However, ZigBee’s technology incorporates certain constraints, such as low cost and low power into its design, which has allowed certain security issues to persist across the protocol revisions over the years. These constraints raise concerns because ZigBee is often deployed in data-sensitive applications.

Although previous studies have addressed the main security issues found in the earlier protocol revisions, limited studies have been conducted on the latest ‘ZigBee 3.0’ standard. Therefore, this research contributes to addressing this research gap by investigating the impact of the identified and prevalent security issues against ZigBee 3.0 networks. Three core issues were investigated in this study based on the findings in the related literature: (a) ‘Security of Symmetric Keys’, which relates to how an attacker could obtain ZigBee’s symmetric keys through exploiting known vulnerabilities and whether the implemented security mechanisms are sufficient to protect the keys; (b) ‘Compromised Symmetric Keys’, which concerns the breach against a network’s confidentiality if one or more of its symmetric keys have been exposed by an attacker; and (c) ‘Insufficient Denial of Service Protection Mechanisms’, which enables the protocol to be susceptible to specific denial of service attacks.

The research was conducted as a practical undertaking against real ZigBee 3.0 networks comprising XBee 3 radio modules and ZigBee-compatible hardware. Attacks associated with each issue were performed to determine their impact, and where necessary, both security models provided by ZigBee 3.0 were evaluated separately. In addition, the study outlined the security controls within the device’s configuration, as well as best practices that can be applied to address or mitigate the attacks considered in this study and strengthen the network’s security over symmetric keys. The compiled results revealed that certain attacks under each investigated security issue continue to affect the confidentiality or availability of ZigBee 3.0 networks. However, the enhancements made to the protocol’s security controls combat the elements of each security issue, reducing their overall impact compared with its earlier revisions.