IOT Protocols: Zigbee, LoRa, Z-Wave & BLE

29 Apr 2026

A look at the evolution of Radio merging with Cyber wouldn’t be complete without taking a look at some of the numerous IOT protocols that have been developed through the years. 

These protocols help to power everything from advertising campaigns and device tracking through to low-powered, license-free communications nodes, and understanding the basics behind some of their modulation schemes will help you to unlock new skills and interpret hardware on a different level. 

There’s also plenty of good, open-source code to help kick off your experimentation journey, which means it’s super easy to get started. While we won’t be building anything today, we will be looking at what’s on offer. 

Let’s see what the Internet of Things can help add to your cyber toolkit.

Background

IOT is a broad field, with plenty of different acronyms and communication modes that at a beginner level can seem quite confusing. However, when we explore this a little more deeply, we start to see common modes that are often used for particular purposes. 

For instance, Bluetooth Low Energy is commonly seen in commercial advertising, while Zigbee and Z-Wave are extensively used for home automation purposes. LoRa is extremely flexible, often used to provide stable, long-range communication links that work particularly well in rural areas. 

It’s worth pointing out that the roles these systems fill often differ dramatically from typical development priorities. Designs will usually favour low power over high speed, and all of these protocols use the license-free ISM bands that we’ve looked at before in this publication. 

This means that for the most part, the systems are easy to implement and (usually) legal to operate, right out of the box, while coming with extensive notes and good community support. 

All of this matters; for learning purposes, however, the notes are particularly useful, as they let us look at the protocols in depth rather than relying on a signal capture and analysis alone. 


Zigbee

Zigbee is a low-power wireless communication protocol based on the IEEE 802.15.4 standard. Designed primarily for Internet of Things applications such as smart homes, industrial automation and sensor networks, Zigbee typically operates in the 2.4GHz band, although some systems are also capable of sub-GHz operation.

It’s energy efficient, which means it works great on battery-operated devices and is capable of data rates from 20–250kbps, while the protocol stack is pre-configured to provide secure operation for large, networked operations. 

Zigbee can be configured to operate in multi-hop mode and provides surprisingly strong resilience when properly configured. While it provides a broad range of use cases, it’s a firm favourite in the home automation scene thanks to its ability to leverage data easily from thermostats, lights and other smart home systems. 

If you’re looking to explore Zigbee in more detail, you’ll find it active in plenty of off-the-shelf smart home products, meaning that it’s ready for exploration and, if you’re good enough, exploitation. 


Long Range (LoRa)

LoRa is a proprietary modulation technique whose usage has grown rapidly over the past few years as interest in off-grid communications has grown. While it’s also suitable for home automation systems, LoRa’s different design has seen it used extensively in commercial systems focused on agriculture, asset tracking and urban monitoring. 

A key feature of LoRa is the implementation of multi-band capabilities that help to vastly extend its functionality. While most systems will operate in the 2.4GHz band, LoRa is specifically designed to operate well in the lower frequencies as well. The propagation characteristics of these lower frequencies mean that they’ll often work very differently from microwave-based systems, especially when paired with an appropriate antenna.

Low-powered LoRa systems are capable of transmitting more than 10km in range at data rates that vary between 0.3–50kbps, while the chirp spread spectrum modulation scheme gives it some additional resiliency. 

Later variants of the LoRa protocol are often capable of controlling IP access, giving developers the ability to scale and evolve the protocol rapidly as the design calls for it. 

If you’re interested in exploring LoRa, Meshtastic is a great place to start. Buy a pre-configured device or build your own using the ESP32.


Bluetooth Low Energy (BLE)

Originally called Bluetooth Smart, BLE was developed from the protocols introduced in the Bluetooth 4.0 specification. It was designed specifically for Internet of Things applications and has been used extensively since smart devices and wearables started to take off in the late 2010s.

Thanks to its link to the Bluetooth protocol, BLE uses a channelised format and modulation schema that is standardised globally. This means that plenty of data is available for review, while the channel designations mean that we also know where to look to find specific signals of interest. 

With 40 designated channels spaced 2MHz apart, channels 0–36 are used for general data traffic, while channels 37–39 are allocated to advertising, including connectionless beacons and connection requests. 
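Knowing the channel plan is what turns "a carrier near 2.4GHz" on a waterfall into "BLE advertising channel 38" or "Zigbee channel 15". The added example below (our own code, not from the original post or from any stack vendor) encodes the BLE channel plan from this paragraph and the IEEE 802.15.4 2.4GHz plan that Zigbee uses from the earlier section, then labels a frequency with every channel that sits on it. One detail the paragraph glosses over: BLE channel indices are not in frequency order. The three advertising channels are deliberately spread to 2402, 2426 and 2480MHz (the gaps between Wi-Fi channels 1, 6 and 11), so the mapping from channel index to RF channel is piecewise. Function and class names are our own.

```python
"""Channel plans for BLE and Zigbee (IEEE 802.15.4) in the 2.4 GHz ISM band.

Added example, not from the original post. Centre frequencies follow the
public Bluetooth Core and IEEE 802.15.4 specifications.
"""
from __future__ import annotations
from dataclasses import dataclass

# BLE channel index -> RF channel number for the three advertising channels.
# RF channels 0..39 are in frequency order: f = 2402 + 2 * rf MHz.
BLE_ADVERTISING_RF = {37: 0, 38: 12, 39: 39}


@dataclass(frozen=True)
class Channel:
    protocol: str
    index: int
    freq_mhz: int
    role: str


def ble_rf_channel(index: int) -> int:
    """Map a BLE channel index (0..39) to its RF channel (0..39).

    Data channels 0..10 sit below advertising channel 38 and 11..36 above it,
    so two RF slots (0 and 12) are skipped by the data numbering.
    """
    if index in BLE_ADVERTISING_RF:
        return BLE_ADVERTISING_RF[index]
    if 0 <= index <= 10:
        return index + 1
    if 11 <= index <= 36:
        return index + 2
    raise ValueError(f"invalid BLE channel index {index}")


def ble_channel(index: int) -> Channel:
    rf = ble_rf_channel(index)
    role = "advertising" if index in BLE_ADVERTISING_RF else "data"
    return Channel("BLE", index, 2402 + 2 * rf, role)


def zigbee_channel(number: int) -> Channel:
    """IEEE 802.15.4 2.4 GHz channels 11..26: 5 MHz spacing starting at 2405 MHz."""
    if not 11 <= number <= 26:
        raise ValueError(f"invalid 802.15.4 2.4 GHz channel {number}")
    return Channel("Zigbee", number, 2405 + 5 * (number - 11), "data")


def ble_channels() -> list[Channel]:
    return [ble_channel(i) for i in range(40)]


def zigbee_channels() -> list[Channel]:
    return [zigbee_channel(n) for n in range(11, 27)]


def channels_at(freq_mhz: int) -> list[Channel]:
    """Label a centre frequency seen on a waterfall.

    BLE channels are 1 MHz wide on a 2 MHz grid, so an exact match is required;
    an 802.15.4 channel is 2 MHz wide, so any BLE grid point within +/-1 MHz of
    its centre overlaps it.
    """
    hits = [c for c in ble_channels() if c.freq_mhz == freq_mhz]
    hits += [c for c in zigbee_channels() if abs(c.freq_mhz - freq_mhz) <= 1]
    return hits


if __name__ == "__main__":
    for idx in (37, 38, 39):
        print(ble_channel(idx))
    for f in (2402, 2426, 2480):
        print(f, [f"{c.protocol}/{c.index}" for c in channels_at(f)])
```

Running it shows the three advertising channels at 2402, 2426 and 2480MHz, which is exactly where a passive BLE scanner such as Kismet needs to listen to collect beacons, and that 2480MHz is shared with Zigbee channel 26, a common source of confusion when identifying an unknown carrier at the top of the band.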

BLE employs Gaussian Frequency-Shift Keying (GFSK) modulation and adaptive frequency hopping to mitigate interference, achieving data rates from 125 kbps (long-range mode) to 2 Mbps while supporting ranges of 10–100 meters depending on the system in use. 

Thanks to its usage in nearly every modern smart device, the Bluetooth stack is well-understood at this point, and there’s also been plenty of Bluetooth exploits published through the years. There is also a broad range of tools to help identify and track Bluetooth devices within your area. 

If you’re interested in exploring Bluetooth tracking in greater detail, running Kismet will help you identify targets of interest and advertising beacons within your vicinity. 


Z-Wave

Z-Wave is a low-power, wireless communication protocol developed specifically for home automation and IoT applications, originating from Zensys in 2001 and now managed by the Z-Wave Alliance.

Z-Wave stands out for the sheer volume of products available: more than 4000 smart products leverage the protocol to make home automation systems quick and easy to implement. 

Z-Wave is particularly useful as it focuses much of its product range on the sub-GHz spectrum, giving it much more favourable propagation characteristics than its 2.4GHz counterparts. 

Like Bluetooth, it also uses Gaussian Frequency-Shift Keying (GFSK) modulation with data rates ranging from 9.6 kbps to 100 kbps, giving it indoor ranges of 30–100 meters. 

Z-Wave is unique in that it can extend its range further through mesh hopping (up to four hops) in networks supporting up to 232 nodes in total. It also places a specific focus on backwards compatibility, helping to alleviate problems during integration.
 
From the security perspective, it’s quite robust with the S2 framework featuring AES-128 encryption, elliptic curve Diffie-Hellman key exchange, and protection against jamming or replay attacks.

You can explore Z-Wave by examining any number of commercial, off-the-shelf home automation systems by GE, Schlage or Yale.

Over To You

While many of these protocols maintain a reasonable security posture, the concept of radio hacking is a broad description that provides a wide range of possible exploit paths to the savvy researcher. And, like traditional cybersecurity approaches, there is more than one way to bake a cake, as the saying goes. 

Wireless signals have the potential to be geolocated, reverse-engineered, rebroadcast, jammed or even brute-forced, depending on the methods used and the encryption methods in play. 

Like traditional cyber, recon plays an important role here, and time spent understanding the protocols you might encounter during your research is, more often than not, time well spent.
 
Some signals you encounter might have laughably bad security where a simple replay attack will often do the job. Others, you might have to break out some software to “dig into” the signal in-depth, breaking it down to the bit level to gain a correct understanding. 

While some of this work is more demanding than other parts, part of it is also the magic of radio. There’s no denying that capturing a signal from the air, analysing it in depth and learning how to exploit it is a slightly nerdy thing to do, but… it’s also damn good fun. 

Give it a try sometime and see what you think. 

Investigator515 explores the RF spectrum, cybersecurity, and the hidden tech behind modern espionage.
