[edit] Technical overview

ZigBee is a low-cost, low-power, wireless mesh network standard. The low cost allows the technology to be widely deployed in wireless control and monitoring applications. Low powerusage allows longer life with smaller batteries. Mesh networking provides high reliability and more extensive range. ZigBee chip vendors typically sell integrated radios and microcontrollers with between 60 KB and 256 KB flash memory. ZigBee operates in the industrial, scientific and medical (ISM) radio bands; 868 MHz in Europe, 915 MHz in the USA and Australia, and 2.4 GHz in most jurisdictions worldwide. Data transmission rates vary from 20 to 900 kilobits/second. The ZigBee network layer natively supports both star and tree typical networks, and generic mesh networks. Every network must have one coordinator device, tasked with its creation, the control of its parameters and basic maintenance. Within star networks, the coordinator must be the central node. Both trees and meshes allows the use of ZigBee routers to extend communication at the network level.

ZigBee protocol stack

ZigBee builds upon the physical layer and medium access control defined in IEEE standard 802.15.4 (2003 version) for low-rate WPANs. The specification goes on to complete the standard by adding four main components: network layer, application layer, ZigBee device objects (ZDOs) and manufacturer-defined application objects which allow for customization and favor total integration. Besides adding two high-level network layers to the underlying structure, the most significant improvement is the introduction of ZDOs. These are responsible for a number of tasks, which include keeping of device roles, management of requests to join a network, device discovery and security. ZigBee is not intended to support powerline networking but to interface with it at least for smart metering and smart appliance purposes. Because ZigBee nodes can go from sleep to active mode in 30 ms or less, the latency can be low and devices can be responsive, particularly compared to Bluetooth wake-up delays, which are typically around three seconds. [3] Because ZigBee nodes can sleep most of the time, average power consumption can be low, resulting in long battery life.

[edit] Trademark and alliance

The ZigBee Alliance is a group of companies that maintain and publish the ZigBee standard.[4] The term ZigBee is a registered trademark of this group, not a single technical standard. The Alliance publishes application profiles that allow multiple OEM vendors to create interoperable products. The relationship between IEEE 802.15.4 and ZigBee[5] is similar to that between IEEE 802.11 and the Wi-Fi Alliance.

[edit] License
For non-commercial purposes, the ZigBee specification is available free to the general public.[6] An entry level membership in the ZigBee Alliance, called Adopter, provides access to the as-yet unpublished specifications and permission to create products for market using the specifications. The requirements for membership in the Zigbee Alliance causes problems for open-source developers because the annual fee conflicts with the GNU General Public Licence.[7] The requirement for the developer to join the ZigBee Alliance similarly conflicts with most other free software licenses.[8]

[edit] Application profiles

The current list of application profiles either published, or in the works are:

Released specifications o ZigBee Home Automation o ZigBee Smart Energy 1.0 o ZigBee Telecommunication Services

o o

ZigBee Health Care ZigBee RF4CE - Remote Control

Specifications under development o ZigBee Smart Energy 2.0 o ZigBee Building Automation o ZigBee Retail Services o ZigBee Light Link

The ZigBee Smart Energy V2.0 specifications define an IP-based protocol to monitor, control, inform and automate the delivery and use of energy and water. It is an enhancement of the ZigBee Smart Energy version 1 specifications,[9] adding services for plug-in electric vehicle (PEV) charging, installation, configuration and firmware download, prepay services, user information and messaging, load control, demand response and common information and application profile interfaces for wired and wireless networks. It is being developed by partners including:

HomeGrid Forum responsible for marketing and certifying ITU-T G.hn technology and products HomePlug Powerline Alliance International Society of Automotive Engineers SAE International IPSO Alliance SunSpec Alliance Wi-Fi Alliance.

In 2009 the RF4CE (Radio Frequency for Consumer Electronics) Consortium and ZigBee Alliance agreed to jointly deliver a standard for radio frequency remote controls. ZigBee RF4CE is designed for a wide range of consumer electronics products, such as TVs and set-top boxes. It promises many advantages over existing remote control solutions, including richer communication and increased reliability, enhanced features and flexibility, interoperability, and no line-of-sight barrier.[10] The ZigBee RF4CE specification lifts off some networking weight and does not support all the mesh features, which is traded for smaller memory configurations for lower cost devices, such as remote control of consumer electronics.

[edit] Uses
ZigBee protocols are intended for embedded applications requiring low data rates and low power consumption. The resulting network will use very small amounts of power individual devices must have a battery life of at least two years to pass ZigBee certification.[11] Typical application areas include:[12]

Home Entertainment and Control Home automation, smart lighting, advanced temperature control, safety and security, movies and music Wireless Sensor Networks Starting with individual sensors like Telosb/Tmote and Iris from Memsic

Industrial control Embedded sensing Medical data collection Smoke and intruder warning Building automation

[edit] Device types

There are three different types of ZigBee devices:

ZigBee coordinator (ZC): The most capable device, the coordinator forms the root of the network tree and might bridge to other networks. There is exactly one ZigBee coordinator in each network since it is the device that started the network originally. It is able to store information about the network, including acting as the Trust Center & repository for security keys.[13][14] ZigBee Router (ZR): As well as running an application function, a router can act as an intermediate router, passing on data from other devices. ZigBee End Device (ZED): Contains just enough functionality to talk to the parent node (either the coordinator or a router); it cannot relay data from other devices. This relationship allows the node to be asleep a significant amount of the time thereby giving long battery life. A ZED requires the least amount of memory, and therefore can be less expensive to manufacture than a ZR or ZC.

[edit] Protocols
The protocols build on recent algorithmic research (Ad-hoc On-demand Distance Vector, neuRFon) to automatically construct a low-speed ad-hoc network of nodes. In most large network instances, the network will be a cluster of clusters. It can also form a mesh or a single cluster. The current ZigBee protocols support beacon and non-beacon enabled networks. In non-beacon-enabled networks, an unslotted CSMA/CA channel access mechanism is used. In this type of network, ZigBee Routers typically have their receivers continuously active, requiring a more robust power supply. However, this allows for heterogeneous networks in which some devices receive continuously, while others only transmit when an external stimulus is detected. The typical example of a heterogeneous network is a wireless light switch: The ZigBee node at the lamp may receive constantly, since it is connected to the mains supply, while a batterypowered light switch would remain asleep until the switch is thrown. The switch then wakes up, sends a command to the lamp, receives an acknowledgment, and returns to sleep. In such a network the lamp node will be at least a ZigBee Router, if not the ZigBee Coordinator; the switch node is typically a ZigBee End Device. In beacon-enabled networks, the special network nodes called ZigBee Routers transmit periodic beacons to confirm their presence to other network nodes. Nodes may sleep between beacons, thus lowering their duty cycle and extending their battery life. Beacon intervals depend on data rate; they may range from 15.36 milliseconds to 251.65824 seconds at 250 kbit/s, from 24

milliseconds to 393.216 seconds at 40 kbit/s and from 48 milliseconds to 786.432 seconds at 20 kbit/s. However, low duty cycle operation with long beacon intervals requires precise timing, which can conflict with the need for low product cost. In general, the ZigBee protocols minimize the time the radio is on, so as to reduce power use. In beaconing networks, nodes only need to be active while a beacon is being transmitted. In nonbeacon-enabled networks, power consumption is decidedly asymmetrical: some devices are always active, while others spend most of their time sleeping. Except for the Smart Energy Profile 2.0, ZigBee devices are required to conform to the IEEE 802.15.4-2003 Low-Rate Wireless Personal Area Network (LR-WPAN) standard. The standard specifies the lower protocol layersthe (physical layer) (PHY), and the (media access control) portion of the (data link layer (DLL)). The basic channel access mode is "carrier sense, multiple access/collision avoidance" (CSMA/CA). That is, the nodes talk in the same way that people converse; they briefly check to see that no one is talking before they start. There are three notable exceptions to the use of CSMA. Beacons are sent on a fixed timing schedule, and do not use CSMA. Message acknowledgments also do not use CSMA. Finally, devices in Beacon Oriented networks that have low latency real-time requirements may also use Guaranteed Time Slots (GTS), which by definition do not use CSMA.

[edit] History
ZigBee-style networks began to be conceived around 1998, when many installers realized that both Wi-Fi and Bluetooth were going to be unsuitable for many applications. In particular, many engineers[by whom?] saw a need for self-organizing ad-hoc digital radio networks.[citation needed] The IEEE 802.15.4-2003 standard was completed in May 2003 and has been superseded by the publication of IEEE 802.15.4-2006. [3] In the summer of 2003, Philips Semiconductors, a major mesh network supporter, ceased the investment. Philips Lighting has, however, continued Philips' participation, and Philips remains a promoter member on the ZigBee Alliance Board of Directors.[citation needed] The ZigBee Alliance announced in October 2004 that the membership had more than doubled in the preceding year and had grown to more than 100 member companies, in 22 countries. By April 2005 membership had grown to more than 150 companies, and by December 2005 membership had passed 200 companies.[citation needed] The ZigBee specifications were ratified on 14 December 2004.[citation needed] The ZigBee Alliance announced availability of Specification 1.0 on 13 June 2005, known as ZigBee 2004 Specification. In September 2006, ZigBee 2006 Specification is announced. In 2007, ZigBee PRO, the enhanced ZigBee specification was finalized.[citation needed] The first stack release is now called ZigBee 2004. The second stack release is called ZigBee 2006, and mainly replaces the MSG/KVP structure used in 2004 with a "cluster library". The 2004 stack is now more or less obsolete.[citation needed]

ZigBee 2007, now the current stack release, contains two stack profiles, stack profile 1 (simply called ZigBee), for home and light commercial use, and stack profile 2 (called ZigBee Pro). ZigBee Pro offers more features, such as multi-casting, many-to-one routing and high security with Symmetric-Key Key Exchange (SKKE), while ZigBee (stack profile 1) offers a smaller footprint in RAM and flash. Both offer full mesh networking and work with all ZigBee application profiles.[citation needed] ZigBee 2007 is fully backward compatible with ZigBee 2006 devices: A ZigBee 2007 device may join and operate on a ZigBee 2006 network and vice versa. Due to differences in routing options, ZigBee Pro devices must become non-routing ZigBee End-Devices (ZEDs) on a ZigBee 2006 network, the same as for ZigBee 2006 devices on a ZigBee 2007 network must become ZEDs on a ZigBee Pro network. The applications running on those devices work the same, regardless of the stack profile beneath them. The ZigBee 1.0 specification was ratified on 14 December 2004 and is available to members of the ZigBee Alliance. Most recently, the ZigBee 2007 specification was posted on 30 October 2007. The first ZigBee Application Profile, Home Automation, was announced 2 November 2007.

[edit] Radio hardware

The radio design used by ZigBee has been carefully optimized for low cost in large scale production. It has few analog stages and uses digital circuits wherever possible. Though the radios themselves are inexpensive, the ZigBee Qualification Process involves a full validation of the requirements of the physical layer. All radios derived from the same validated semiconductor mask set would enjoy the same RF characteristics. An uncertified physical layer that malfunctions could cripple the battery lifespan of other devices on a ZigBee network. ZigBee radios have very tight constraints on power and bandwidth. Thus, radios are tested to the ISO 17025 standard with guidance given by Clause 6 of the 802.15.4-2006 Standard. Most vendors plan to integrate the radio and microcontroller onto a single chip[15] getting smaller devices.[16] This standard specifies operation in the unlicensed 2.4 GHz (worldwide), 915 MHz (Americas and Australia) and 868 MHz (Europe) ISM bands. In the 2.4 GHz band there are 16 ZigBee channels, with each channel requiring 5 MHz of bandwidth. The 2.4 GHz band provides up to 250 kbit/s, 915 MHz provides up to 40 kbit/s and 868 MHz provides a data rate up to 20 kbit/s. The actual data throughput will be less than the maximum specified bit rate due to the packet overhead and processing delays. The radios use direct-sequence spread spectrum coding, which is managed by the digital stream into the modulator. Binary phase-shift keying (BPSK) is used in the 868 and 915 MHz bands, and Offset quadrature phase-shift keying (OQPSK) that transmits two bits per symbol is used in the 2.4 GHz band. The raw, over-the-air data rate is 250 kbit/s per channel in the 2.4 GHz band, 40 kbit/s per channel in the 915 MHz band, and 20 kbit/s in the 868 MHz band. Transmission range is between 10 and 75 meters (33 and 246 feet) and up to 1500 meters for zigbee pro,

although it is heavily dependent on the particular environment. The output power of the radios is generally 0 dBm (1 mW).

[edit] Software
The software is designed to be easy to develop on small, inexpensive microprocessors.

[edit] Network layer

The main functions of the network layer are to enable the correct use of the MAC sublayer and provide a suitable interface for use by the next upper layer, namely the application layer. Its capabilities and structure are those typically associated to such network layers, including routing. On the one hand, the data entity creates and manages network layer data units from the payload of the application layer and performs routing according to the current topology. On the other hand, there is the layer control, which is used to handle configuration of new devices and establish new networks: it can determine whether a neighboring device belongs to the network and discovers new neighbors and routers. The control can also detect the presence of a receiver, which allows direct communication and MAC synchronization. The routing protocol used by the Network layer is AODV. In order to find the destination device, it broadcasts out a route request to all of its neighbors. The neighbors then broadcast the request to their neighbors, etc. until the destination is reached. Once the destination is reached, it sends its route reply via unicast transmission following the lowest cost path back to the source. Once the source receives the reply, it will update its routing table for the destination address with the next hop in the path and the path cost.

[edit] Application layer

The application layer is the highest-level layer defined by the specification, and is the effective interface of the ZigBee system to its end users. It comprises the majority of components added by the ZigBee specification: both ZDO and its management procedures, together with application objects defined by the manufacturer, are considered part of this layer.

[edit] Main components

The ZDO is responsible for defining the role of a device as either coordinator or end device, as mentioned above, but also for the discovery of new (one-hop) devices on the network and the identification of their offered services. It may then go on to establish secure links with external devices and reply to binding requests accordingly. The application support sublayer (APS) is the other main standard component of the layer, and as such it offers a well-defined interface and control services. It works as a bridge between the network layer and the other components of the application layer: it keeps up-to-date binding tables in the form of a database, which can be used to find appropriate devices depending on the

services that are needed and those the different devices offer. As the union between both specified layers, it also routes messages across the layers of the protocol stack.

[edit] Communication models

ZigBee high-level communication model An application may consist of communicating objects which cooperate to carry out the desired tasks. The focus of ZigBee is to distribute work among many different devices which reside within individual ZigBee nodes which in turn form a network (said work will typically be largely local to each device, for instance the control of each individual household appliance). The collection of objects that form the network communicate using the facilities provided by APS, supervised by ZDO interfaces. The application layer data service follows a typical requestconfirm/indication-response structure. Within a single device, up to 240 application objects can exist, numbered in the range 1-240. 0 is reserved for the ZDO data interface and 255 for broadcast; the 241-254 range is not currently in use but may be in the future. There are two services available for application objects to use (in ZigBee 1.0):

The key-value pair service (KVP) is meant for configuration purposes. It enables description, request and modification of object attributes through a simple interface based on get/set and event primitives, some allowing a request for response. Configuration uses compressed XML (full XML can be used) to provide an adaptable and elegant solution.

The message service is designed to offer a general approach to information treatment, avoiding the necessity to adapt application protocols and potential overhead incurred on by KVP. It allows arbitrary payloads to be transmitted over APS frames.

Addressing is also part of the application layer. A network node consists of an 802.15.4conformant radio transceiver and one or more device descriptions (basically collections of attributes which can be polled or set, or which can be monitored through events). The transceiver is the base for addressing, and devices within a node are specified by an endpoint identifier in the range 1-240.

[edit] Communication and device discovery

In order for applications to communicate, their comprising devices must use a common application protocol (types of messages, formats and so on); these sets of conventions are grouped in profiles. Furthermore, binding is decided upon by matching input and output cluster identifiers, unique within the context of a given profile and associated to an incoming or outgoing data flow in a device. Binding tables contain source and destination pairs. Depending on the available information, device discovery may follow different methods. When the network address is known, the IEEE address can be requested using unicast communication. When it is not, petitions are broadcast (the IEEE address being part of the response payload). End devices will simply respond with the requested address, while a network coordinator or a router will also send the addresses of all the devices associated with it. This extended discovery protocol permits external devices to find out about devices in a network and the services that they offer, which endpoints can report when queried by the discovering device (which has previously obtained their addresses). Matching services can also be used. The use of cluster identifiers enforces the binding of complementary entities by means of the binding tables, which are maintained by ZigBee coordinators, as the table must be always available within a network and coordinators are most likely to have a permanent power supply. Backups, managed by higher-level layers, may be needed by some applications. Binding requires an established communication link; after it exists, whether to add a new node to the network is decided, according to the application and security policies. Communication can happen right after the association. Direct addressing uses both radio address and endpoint identifier, whereas indirect addressing uses every relevant field (address, endpoint, cluster and attribute) and requires that they be sent to the network coordinator, which maintains associations and translates requests for communication. Indirect addressing is particularly useful to keep some devices very simple and minimize their need for storage. Besides these two methods, broadcast to all endpoints in a device is available, and group addressing is used to communicate with groups of endpoints belonging to a set of devices.

[edit] Security services

As one of its defining features, ZigBee provides facilities for carrying out secure communications, protecting establishment and transport of cryptographic keys, cyphering frames and controlling devices. It builds on the basic security framework defined in IEEE 802.15.4. This part of the architecture relies on the correct management of symmetric keys and the correct implementation of methods and security policies.

[edit] Basic security model

The basic mechanism to ensure confidentiality is the adequate protection of all keying material. Trust must be assumed in the initial installation of the keys, as well as in the processing of security information. In order for an implementation to globally work, its general correctness (e.g., conformance to specified behaviors) is assumed. Keys are the cornerstone of the security architecture; as such their protection is of paramount importance, and keys are never supposed to be transported through an insecure channel. There is a momentary exception to this rule, which occurs during the initial phase of the addition to the network of a previously unconfigured device. The ZigBee network model must take particular care of security considerations, as ad hoc networks may be physically accessible to external devices and the particular working environment cannot be foretold; likewise, different applications running concurrently and using the same transceiver to communicate are supposed to be mutually trustworthy: for cost reasons the model does not assume a firewall exists between application-level entities. Within the protocol stack, different network layers are not cryptographically separated, so access policies are needed and correct design assumed. The open trust model within a device allows for key sharing, which notably decreases potential cost. Nevertheless, the layer which creates a frame is responsible for its security. If malicious devices may exist, every network layer payload must be ciphered, so unauthorized traffic can be immediately cut off. The exception, again, is the transmission of the network key, which confers a unified security layer to the network, to a new connecting device.

[edit] Security architecture

ZigBee uses 128-bit keys to implement its security mechanisms. A key can be associated either to a network, being usable by both ZigBee layers and the MAC sublayer, or to a link, acquired through pre-installation, agreement or transport. Establishment of link keys is based on a master key which controls link key correspondence. Ultimately, at least the initial master key must be obtained through a secure medium (transport or pre-installation), as the security of the whole network depends on it. Link and master keys are only visible to the application layer. Different services use different one-way variations of the link key in order to avoid leaks and security risks. Key distribution is one of the most important security functions of the network. A secure network will designate one special device which other devices trust for the distribution of security keys: the trust center. Ideally, devices will have the trust center address and initial master key preloaded; if a momentary vulnerability is allowed, it will be sent as described above.

Typical applications without special security needs will use a network key provided by the trust center (through the initially insecure channel) to communicate. Thus, the trust center maintains both the network key and provides point-to-point security. Devices will only accept communications originating from a key provided by the trust center, except for the initial master key. The security architecture is distributed among the network layers as follows:

The MAC sublayer is capable of single-hop reliable communications. As a rule, the security level it is to use is specified by the upper layers. The network layer manages routing, processing received messages and being capable of broadcasting requests. Outgoing frames will use the adequate link key according to the routing, if it is available; otherwise, the network key will be used to protect the payload from external devices. The application layer offers key establishment and transport services to both ZDO and applications. It is also responsible for the propagation across the network of changes in devices within it, which may originate in the devices themselves (for instance, a simple status change) or in the trust manager (which may inform the network that a certain device is to be eliminated from it). It also routes requests from devices to the trust center and network key renewals from the trust center to all devices. Besides this, the ZDO maintains the security policies of the device.

The security levels infrastructure is based on CCM*, which adds encryption- and integrity-only features to CCM.

ZigBee applications - Part 7: ZigBee Security & Application Support Sublayer

Drew Gislason

8/17/2010 6:58 PM EDT

ZigBee AES 128-Bit Security

The ZigBee security suite is built on the Advanced Encryption (AES-128 bit) Standard, a wellrespected block cipher algorithm published by the National Institute of Standards and Technology (NIST). To read more about AES, go to http://www.nist.gov. If you read the security section in the ZigBee specification, you might get a headache. The language is pretty thick, and there are a lot of security options, including security levels, a variety of key types, CCM*, and so on. Security encompasses 120 pages of the 534-page ZigBee specification. But from an application standpoint, ZigBee security is simple. It is always there. That's right! There are no code changes or special parameters to set on a data request to include security. It's just there (see Figure 4.28).

Figure 4.28: ZigBee Secure Data Frame

ZigBee both encrypts and authenticates packets. The encrypted portion (the NWK payload), cannot be understood by any nodes sniffing the air. This includes sensitive customer data, such as billing or medical records, or any other application payload, including what clusters, profile, and endpoints are used. ZigBee authenticates the entire frame. Authentication is required in order to prevent replay attacks and to prevent any node from falsely injecting a packet into the network. A replay attack is simple to perform. Set an 802.15.4 device listening on a channel or set of channels. When a packet is heard, replay it byte-for-byte. ZigBee will simply throw away these packets, perhaps after a delay. Denial of service is another type of wireless attack, and is something that's very difficult to prevent. I can write a small bit of code (no, I'm not providing it in the book!) that constantly transmits. Any radios within hearing range will not be able to transmit because all of the bandwidth is used. This is the equivalent to someone cutting the power to a building, or cutting the office broadband connection to the Internet. With ZigBee, using signal strength (LQI) makes it fairly easy to track down the culprit.

ZigBee uses a 128-bit key for the entire network, called a network key. It is assumed that if a node is allowed on a ZigBee network, it is trusted. This is similar to allowing someone in your home. You at least trust them not to steal the silver. Some applications require additional security beyond the network key, for example, if multiple customers will be sharing the same network, but each customer may have his own sensitive data. In order to secure data on shared networks of this type, some vendors use a different AES 128-bit key to secure the APS payload. (This method is available to both ZigBee 2006 and ZigBee 2007 stacks.) Others use a link key, as described in ZigBee 2007 specification. In short, ZigBee provides a very strong, solid, security solution. Here is a challenge. Using only the over-the-air octets below, determine the AES 128-bit key. Just to make it easier, the following command is an HA OnOff Toggle command, that is, a switch is toggling a Home Automation Light