What starting position does this attack require?

The first step is Trigger device re-join (WIFI-DEAUTH) — a impact primitive. Assumed environment: target uses Zigbee 3.

What is the final impact of this kill-chain?

The final step lands on Decrypt traffic in Wireshark (T1040), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Zigbee network key sniff → smart-home control

Sniff a fresh device-join with an Atmel RZRAVEN — Zigbee broadcasts the network key in plaintext during pairing. Decrypt all subsequent traffic + send commands.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Impact

Trigger device re-join

WIFI-DEAUTH · Deauthentication DoS

Credential Access

Capture Zigbee traffic with RZRAVEN / nRF52840

IOT-BLE-EAVESDROP · BLE Eavesdropping

Credential Access

Extract network key from broadcast

IOT-ZIGBEE-KEY · Zigbee Network Key Extraction

Impact

Inject commands to locks / thermostats / lights

OT-MODBUS-WRITE · Modbus TCP Write to PLC

Credential Access

Decrypt traffic in Wireshark

T1040 · Network Sniffing

§ Context

Assumed environment: target uses Zigbee 3.0 with the Insecure Rejoin / 'TC Link Key' default network. A device pairing event happens during the window or can be induced (factory reset).

§ Steps

01
Trigger device re-joinImpact
WIFI-DEAUTH— Deauthentication DoS
02
Capture Zigbee traffic with RZRAVEN / nRF52840Credential Access
IOT-BLE-EAVESDROP— BLE Eavesdropping
03
Extract network key from broadcastCredential Access
IOT-ZIGBEE-KEY— Zigbee Network Key Extraction
04
Inject commands to locks / thermostats / lightsImpact
OT-MODBUS-WRITE— Modbus TCP Write to PLC
05
Decrypt traffic in WiresharkCredential Access
T1040— Network Sniffing

§ References

T1040Network Sniffing

§ Frequently asked

What is the "Zigbee network key sniff → smart-home control" attack path?: Sniff a fresh device-join with an Atmel RZRAVEN — Zigbee broadcasts the network key in plaintext during pairing. Decrypt all subsequent traffic + send commands. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Trigger device re-join (WIFI-DEAUTH) — a impact primitive. Assumed environment: target uses Zigbee 3.
What is the final impact of this kill-chain?: The final step lands on Decrypt traffic in Wireshark (T1040), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
Reachable Modbus PLC → direct register override
Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Reachable Modbus PLC → direct register override