CCS2025

ZVDetector: State-Guided Vulnerability Detection System for Zigbee Devices

Hai Lin, Chenglong Li, Jiahai Yang, Zhiliang Wang, Jiaqi Bai

Abstract

Nowadays, Zigbee devices are widely used in smart home, smart agriculture and other industries. However, there are many vulnerabilities in Zigbee devices that could compromise their normal functionality. Existing research either analyzes firmware or fuzzes devices through Zigbee networks to discover potential vulnerabilities. However, it overlooks the impact of device state and protocol state on firmware, or explores only a limited state space. Thus, it fails to identify many vulnerabilities caused by hidden states within each of these two state spaces, and especially vulnerabilities triggered by the combination of the two. In this paper, we design a state-guided fuzzing system, named ZVDetector, aimed at uncovering firmware vulnerabilities caused by hidden and combined states. Specifically, we design two state-aware modules that explore richer unknown protocol state transitions based on message relationships and gain a more complete understanding of the intrinsic device state attributes. We develop a fuzzing algorithm that incorporates message semantics awareness and correlation state analysis. By integrating the perceived state information, it can explore the combined state space more efficiently. We validate the performance of ZVDetector on 10 Zigbee devices and find 25 vulnerabilities (19 zero-day). Our experiments also demonstrate its ability to explore more device state attributes and discover more message relationships related to unknown protocol states.