Improved tools for indoor ZigBee warwalking

Secure ZigBee wireless sensor and control networks use 128-bit AES encryption to defend against message sniffing and unauthorized access. However, the low cost and low complexity of ZigBee devices makes them vulnerable to physical attacks such as tampering and network key extraction. Network administrators and penetration testers require tools such as Zbfind to accurately locate ZigBee hardware and evaluate physical security. The open source Zbfind tool estimates distance to ZigBee devices in real time using received signal strength and a distance prediction model. We collect 4500 signal strength measurements along nine walking paths toward ZigBee transmitters in three office buildings. We find that the log-distance path loss model used by Zbfind predicts transmitter distance with 92.5% mean absolute percentage error. We construct an alternative linear model that reduces error to 21%.