What is ZigBee in a smart home and how does it work?

ZigBee is a wireless communication protocol for low power smart home devices operating in the 2.4 GHz band. It uses a mesh network in which devices relay messages for each other, so sensors, switches and hubs can maintain a stable connection with limited transmit power. This makes ZigBee popular for home automation, sensor networks and small scale IoT deployments.

How secure is a ZigBee smart home network against hacking?

ZigBee is reasonably secure by design, but real world security strongly depends on implementation, configuration and key management. In practice weak default passwords, reused network keys, insecure pairing flows and poorly protected hubs are common issues. As a result a poorly configured ZigBee network may still be vulnerable to sniffing, key abuse and denial of service attacks.

In what ways can a ZigBee network be attacked or hacked?

At a high level a ZigBee network can be attacked through sniffing of radio traffic, abuse of weak or leaked network keys, spoofing of devices and RF jamming of active channels. Attackers often focus on the pairing process and broadcast frames because these may expose network keys or useful metadata. Even when encryption is correct, targeted interference can still impact the availability of the ZigBee network.

Which tools are used to test ZigBee security during a legal pentest?

Legal ZigBee pentests typically use a ZigBee sniffer based on a dedicated USB dongle, a software-defined radio (SDR) such as HackRF and analysis software like Wireshark plus specialized ZigBee frameworks. These tools help testers inspect radio frames, understand the network topology and verify whether encryption, key management and segmentation are properly configured. The goal is to identify weaknesses in a controlled way, not to cause damage.

What is ZigBee jamming and what does it say about my smart home security?

ZigBee jamming is the deliberate disruption of ZigBee communication by injecting RF noise or interference into the same frequency band. Experiments show that even relatively low transmit power can be enough to temporarily break communication between a hub and its sensors at short range. This highlights that the availability of wireless smart home systems is heavily dependent on the radio environment and may require additional protection in critical use cases.

How can I protect my ZigBee network against hacking and jamming?

You can protect a ZigBee network by using strong and unique network keys, enforcing secure pairing, placing the hub in a good RF location and keeping device firmware up to date. Additional measures include selecting less congested channels, applying RF shielding where possible and using monitoring to detect abnormal noise or traffic patterns. For critical environments it is wise to combine ZigBee with wired or redundant communication protocols.

Is it legal to hack or jam ZigBee for research purposes in the EU?

Hacking or jamming ZigBee is only legal in a strictly controlled environment with explicit permission from the owner and in full compliance with local radio regulations. Without consent intercepting or disrupting wireless communication can be illegal, especially when other users of the 2.4 GHz band are affected. Legitimate security research therefore relies on contracts, clearly scoped test setups and adherence to telecom and privacy laws.

Research on ZigBee Security, Interference and SDR-Based Attacks

Abstract

This research post presents the outcomes of an experimental research focused on deliberately jamming a ZigBee-based wireless smart home network by leveraging the capabilities of a software-defined radio (SDR) platform - HackRF - in conjunction with GNU Radio. The research object was a commercial Aqara smart home system operating within the 2.4 GHz ZigBee spectrum. All tests were conducted under controlled conditions in the EU, adhering strictly to safety and regulatory guidelines. The results confirm the high efficacy of SDR-based tools in exploiting wireless protocol weaknesses and inform potential defense mechanisms against deliberate interference.

Zigbee

ZigBee (IEEE 802.15.4) remains a dominant protocol in consumer and prosumer smart homes due to its low power profile, mesh topology, and wide device ecosystem. Like any unlicensed-band technology, its reliability depends on an uncontested slice of spectrum. While over-the-air confidentiality and integrity are handled at higher layers, a determined adversary - or careless interference source- can still deny service by saturating the medium. Prior work has explored the theory and tooling of RF interference against low-power PANs; our contribution is a focused, practice-driven evaluation in a home-like environment using off-the-shelf devices and a reproducible (but ethically constrained) methodology.

The primary goal of this research is to evaluate - from a real-world, empirical standpoint - how resistant an Aqara-based ZigBee ecosystem is to deliberate RF interference introduced via HackRF and open-source software (GNU Radio). By doing so, we aim to expose systemic vulnerabilities and suggest concrete countermeasures for future deployments.

A little bit theory

ZigBee Protocol - ZigBee operates in the globally available 2.4 GHz ISM band 2400–2483.5 MHz) utilizing 16 channels, each 5 MHz wide. It relies on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) as its channel access mechanism, which - on paper - should offer a degree of robustness against random noise and interference. However, targeted RF aggression is another matter entirely.

HackRF Software-Defined Radio - HackRF is an open-hardware SDR capable of operating across a vast frequency range (1 MHz to 6 GHz). With a sample rate of up to 20 MSPS and support for 8-bit quadrature I/Q data, HackRF allows for both signal capture and injection. Its maximum transmit power of ~30 mW makes it safe for indoor experiments while still potent enough to cause meaningful disruptions at close range. From a hacker's perspective, HackRF is a versatile and dangerous weapon inthe `RF domain arsenal.

GNU Radio - GNU Radio is a modular, open-source signal processing toolkit equipped with a GUI flowgraph builder (GNU Radio Companion) and a vast library of DSP components. In this context, it was used to construct a ZigBee-band jammer - targeting specific channels with controlled noise patterns.

Ok, but how ZigBee talks (and why that matters)?

ZigBee rides atop IEEE 802.15.4 in the 2.4 GHz ISM band. The physical layer is designed for low data rates and long battery life: short frames, narrow channels, and modest transmit power. Medium access is CSMA/CA: a device listens, and if the channel sounds busy it waits; if it’s clear, it transmits and expects an ACK. When the air is noisy, two things happen:

Clear-channel assessment fails more often, so devices back off repeatedly.
ACKs don’t arrive (because frames were corrupted), so devices retry until they give up.

Neither case implies compromise. It’s just congestion at the most fundamental layer.

Jamming at a glance (conceptual)

Think of jamming as artificial, sustained “bad weather” on the frequency ZigBee uses. There are two broad flavors:

Broad/continuous interference: a constant hiss that keeps the channel busy and prevents new transmissions from starting.
Reactive/targeted interference: short bursts that collide with in-flight frames, making them unreadable and starving devices of ACKs.

There’s also unintentional "jamming": microwave ovens, leaky power supplies, or dense Wi-Fi traffic can swamp `2.4 GHz`. In practice, defenders must consider both malicious and accidental interference; the symptom pattern can look similar.

Hacking arsenal

For implementation, we will provide the following:

- HackRF One software-defined radio:

- Computer with GNU Radio installed:

- Aqara Hub Hub:

- Aqara Temperature and Humidity Sensor Temperature and Humidity Sensor:

- Aqara TVOC Air Quality Sensor Air Quality Monitor:

Software-defined radio HackRF One can be purchased in various online stores such as AliExpress, TaoBao, etc.

Link to the official website: https://greatscottgadgets.com/hackrf/one/

GNU Radio Jammer Design
A custom jamming flowgraph was engineered using GNU Radio Companion. Key modules included:

Signal Source - A noise-like waveform generator, with tunable amplitude and frequency.

Spectrum Shaping Filter - Tailored the signal to match the 5 MHz ZigBee channel width.

Frequency Controller - Sequentially swept through ZigBee channels 11 through 26.

osmocom Sink - Routed the synthesized waveform to HackRF for RF emission.

The system was calibrated to dwell long enough on each channel to cause observable interference while maintaining full coverage of the ZigBee spectrum.

FIrst of all, all experiments took place indoors under repeatable, controlled conditions:

The Aqara system was configured and verified under normal operating parameters.
Communication metrics were logged for a baseline.
Jamming was initiated on each ZigBee channel in sequence.
Connection drop times and system response behaviors were recorded.
Tests were repeated in environments with and without obstacles.

For full functionality, we need to install GNU Radio.
GNU Radio is a free and open source software platform for developing software-defined radio systems (SDR - Software Defined Radio).

The following is an instruction for installing GNU Radio on the Ubuntu operating system.

First of all, we install the packages we need:

sudo apt install gnuradio gr-osmosdr git cmake g++ libboost-all-dev libgmp-dev swig doxygen libfftw3-dev python3-numpy python3-mako python3-sphinx python3-lxml

In order to successfully work with IEEE 802.15.4 in GNU Radio, we need to install the add-on from https://github.com/bastibl/gr-ieee802-15-4.git:

clone:

git clone https://github.com/bastibl/gr-ieee802-15-4.git

Now, we need to collect everything and install it by running the following commands:

cd gr-ieee802-15.4
mkdir build
cd build
cmake ..
make

Install:

sudo make install

Next we see the launch window, in which we need to put the blocks we need.

gnuradio-companion

The scheme we need:

Now let's find out what each block means:

Options

Purpose: General flow settings.

Title: Scheme name - "IEEE 802...Transceiver"
Author: Project author
Description: Brief description - simulated receiver
Output Language: Python (code generation)
Generate Options: QT GUI (QT interface is used)
Realtime Scheduling: On (request for priority in the OS)

2. Variables

Variable "freq" = 2.42G. 
Variable "samp_rate" = 4M: Sampling frequency - 4 MHz.

QT GUI Label

These blocks display the parameter values on the GUI:

page_label: Shows "Channel Page"
freq_label: Shows the current frequency in GHz - 2.42
Used only for visualization and debugging.

QT GUI Chooser

Allows you to select a channel from the list (e.g. 11, 12, 13, ..., 14).

Used to change the frequency associated with the ZigBee channel.

osmocom Source

This is the main block that connects to the SDR receiver.

Parameters:

Sample Rate: 4 MHz
Frequency: 2.42 GHz
Gain: Different gain values
BB Gain: 16
Sync: "Don’t Sync" - do not synchronize the clock generators.
Works with SDR equipment via Osmocom.

IEEE802.15.4 OQPSK PHY

This is the physical layer of the IEEE 802.15.4 standard:

Receives a signal from the osmocom Source block and decodes it into packets.    
Uses OQPSK (Offset Quadrature Phase Shift Keying) modulation.

Null Sink

Inactive output.

Purpose: Disable data transmission on this port (debugging,

blocking).

Note: "Not using tx, disabled." - transmission is not used.

Wireshark Connector

Allows you to capture and transfer packets to Wireshark for analysis.

Technology: ZigBee

Debug: Disabled

File Sink

Writes output packets to a PCAP (Wireshark-compatible) file.

Path: /tmp/ieee802154-c.pcap
Unbuffered: Enabled (write immediately)
Append file: Overwrite on each run10. Message Debug
Prints packets and messages for debugging.
print_pdu: Prints each PDU (Protocol Data Unit)
store: Stores PDU for further analysis

The general setup for the attack is as follows:

In this case, the attack allows to disrupt the correctness of the connections between Aqara Hub and Aqara TVOC Air and Aqata Temper.

Hacking example: attack stages

Step 1: ZigBee channel reconnaissance

ZigBee uses 16 channels in the 2.4 GHz range:

from 2405 MHz (channel 11) to 2480 MHz (channel 26), in 5 MHz increments

Goal:

To determine which channel the target device is operating on (or to jam all 16).

Step 2: SDR setup

We use the HackRF One in transmit TX) mode to generate a jamming signal.

Step 3: creating a GNU Radio flowchart

Signal Source - White noise or modulated signal generator

Spectrum Shaping - Limits signal to 5 MHz ZigBee channel width)

Frequency Sweep - Cycles through channels from 2405 to 2480 MHz

HackRF Sink - Transmits signal through HackRF One

Step 4: Performing the attack

Launch a stream of interference on one or all channels

Result:

The Aqara system loses connection!

Interface updates disappear

Unable to add devices

The system tries to reconnect

Step 5: Measuring effectiveness

Time before connection loss ~ 10–20 seconds

Jamming range (open) - up to 3 m

With an obstacle (20 cm wall) ~up to 1 m

Results

Jamming Effectiveness

`HackRF`, paired with GNU Radio, proved highly effective in disrupting communication:

Connection Loss Delay: Between 10 and 20 seconds after jamming began.

Effective Jamming Range:

Open space: Up to 3 meters
With 20 cm wall obstruction: ~1 meter

Environmental Impact

Obstacles significantly reduced the interference radius.
Despite low transmit power, HackRF effectively disabled communication over short distances.
Channel-sweeping ensured that whichever ZigBee channel was active, it was jammed.

System Response

Observable effects included:

Complete loss of link between hub and peripherals
UI showed stale sensor data
Hub attempted to re-establish communication after jamming ceased

Limitations and Future Work

Our study targets the 2.4 GHz band; sub-GHz ZigBee profiles and Thread/Matter dynamics were out of scope. We did not test mixed-vendor roaming or high-density apartment scenarios with heavy neighbor interference—likely a harsher environment than a detached home. Future work should quantify recovery time distributions, compare channel agility across ecosystems, and evaluate whether multi-PAN segmentation limits blast radius during localized denial.

Summary

This research highlights critical vulnerabilities in ZigBee networks when exposed to deliberate, targeted RF jamming - even at low power levels. While ZigBee employs DSSS (Direct Sequence Spread Spectrum) to enhance robustness, real-world implementations often operate at just 1-3 mW, making them easy prey for a focused jammer.

Physical barriers offer a partial defense, consistent with theoretical RF propagation loss models at 2.4 GHz. This underscores the importance of equipment placement and the potential for security-by-design at the infrastructure level.

The findings confirm that SDR-based jamming - using accessible tools like HackRF and GNU Radio — can reliably incapacitate ZigBee communications in a smart home setup. This implies an urgent need for hardened architectures and failsafe mechanisms in future wireless systems.

Suggested countermeasures include:

Dynamic channel hopping
Hardware shielding and RF isolation
Anomaly detection algorithms in RF space
Fallback communications over redundant protocols

This research contributes to the growing body of knowledge on SDR-based attacks and reinforces the need for proactive defense strategies in consumer-grade wireless systems.