cyberneticlibrary

Test IoT Mesh Network Security

offensive-zigbee-thread-matterskillsetup L32,144
SnailSploit/Claude-Red
What it does

Sniff, decode, and attack Zigbee / Thread / Matter smart home mesh networks to intercept or replay commands

Best for

Zigbee mesh network assessment on unencrypted networks or with recovered keys; Thread/Matter networks mainly for architecture testing.

Inputs
  • Zigbee 2.4 GHz USB sniffer (CC2531, nRF52840) or SDR capable of 2.4 GHz capture
  • Thread / Matter border router access point
  • Target device node ID or IEEE address
Outputs
  • Captured Zigbee/Thread mesh packets in pcap format
  • Decoded NWK/APS/ZCL command payloads
  • Replayed or injected commands (device lock, light, sensor override)
Requires
  • Zigbee sniffer hardware (CC2531 ~$20, nRF52840 Dongle ~$100)
  • Wireshark with Zigbee/Thread dissectors
  • Scapy or similar packet manipulation library
  • Thread Topology Map tools (Thread Group API analysis)
Preconditions
  • Zigbee network unencrypted or security key recovered (factory-default keys common)
  • 2.4 GHz RF line-of-sight or proximity to mesh network
  • Sniffer captured with correct channel (11-26 for Zigbee, per CPAN)
Failure modes
  • Modern Zigbee 3.0 networks use AES-128 encryption by default — passive sniffing yields no plaintext
  • Thread networks roam across channels (Thread Group provides channel agility) — passive capture incomplete
  • Matter protocol (Thread IP layer) uses TLS 1.3 — end-to-end encryption prevents plaintext command interception
  • Device trust anchors (manufacturer-provided commissioning keys) not in sniffer scope
  • Replay detection on some devices (incremental frame counters or timestamp validation)
Trust signals
  • Covers Zigbee 2.4 GHz mesh, Thread 802.15.4 mesh, and Matter IP-based variants
  • Sniffer hardware options with cost and range tradeoffs documented
  • Encryption status (unencrypted vs. AES-128 vs. TLS 1.3) clearly separated