ZigBee smart-home devices use 'absolute minimum' security

ZigBee devices are not safe enough for critical purposes such as door locks and home-security systems, according to two researchers.


The ZigBee smart-home wireless-networking standard is not safe enough to be used for critical purposes such as door locks and home-security systems, two Austrian researchers told attendees at the Black Hat security conference here this month.

Researchers Tobias Zillner and Sebastian Strobl, both with the IT-security firm Cognosec in Vienna, praised the ZigBee Alliance for developing and promoting tough security standards.

But, they said, ZigBee device makers often "only implement the absolute minimum to be compliant" with Alliance security standards, resulting in devices that are barely protected at all.


ZigBee is one of the oldest and most widely used low-power, short-range wireless networking standards, and there are thousands of ZigBee-connected devices on the market, ranging from "smart" light bulbs to industrial equipment.

The standard is quite secure, Zillner and Strobl said — at least on paper. Communication among all devices on a single ZigBee network is encrypted with a network key, messages between two devices are authenticated with a different key and "replay" attacks that repeat already-verified communications are impossible.

However, there are fundamental weaknesses. Network encryption keys must briefly be transmitted in an unencrypted format when a new device joins a network. Devices can always "fall back" onto default master keys if there's a communication problem, and in fact, some ZigBee devices use nothing else. And any new device on a network can request a master key from another device.

Zillner and Strobl performed an onstage demonstration in which a hacking tool, built from an inexpensive Raspberry Pi mini-computer, captured a ZigBee encryption key from a door lock.

The Raspberry Pi then opened the lock without the action registering on the lock's companion smartphone app. A burglar could use a similar tool to capture the encryption key as a homeowner used the smart lock, then return later when the homeowner was away and get in easily.

With some devices, no legitimate use is necessary to capture the key. Philips Hue smart light bulbs are constantly looking for new devices to pair with, Zillner and Strobl said, and hence can be easily reset to factory defaults. The Hue bulb will transmit an unencrypted encryption key upon reboot.

"But it's not a big deal if my neighbor accidentally turns off my light bulb," Zillner said.

That's not the case with a home-security system. The pair played a video of a demonstration in which they jammed the ZigBee signals used by a wireless security system, forcing a reboot in which the encryption keys were again transmitted in the clear.

In a conversation with Tom's Guide following the presentation, Zillner and Strobl admitted that jamming the signal alone would stop any wireless security system, whether it used ZigBee, Wi-Fi or cellular signals.

But, they added, the components of a good wireless security system would regularly send out "I'm alive" signals to verify network integrity — and many ZigBee-based systems, because of their low-power requirements, can't do so because they need to conserve battery life.
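The two weaknesses the researchers describe, a network key carried in the clear during a join and nodes that go quiet without a keepalive, are both visible to a passive monitor on the same channel. The following is an added example, not code from the article or from Cognosec: it runs over constructed, already-decoded frame summaries (field names and sample addresses are assumptions) and flags cleartext Transport-Key commands and devices that have missed their expected "I'm alive" window.

```python
"""Added example: offline monitor for two ZigBee risk signals.
Input records are constructed frame summaries, not raw 802.15.4 captures."""
from dataclasses import dataclass
from typing import Optional

APS_CMD_TRANSPORT_KEY = 0x05  # APS command identifier for Transport-Key


@dataclass
class Frame:
    ts: float             # capture time in seconds
    src: str              # sender short address (assumed hex string form)
    nwk_secured: bool     # NWK-layer security bit set
    aps_secured: bool     # APS-layer (link-key) security bit set
    aps_cmd: Optional[int]  # APS command id, or None for plain data frames


def cleartext_key_transports(frames):
    """Transport-Key commands protected by neither NWK nor APS security.
    These are the moments a network key is on the air in the clear."""
    return [f for f in frames
            if f.aps_cmd == APS_CMD_TRANSPORT_KEY
            and not (f.nwk_secured or f.aps_secured)]


def keepalive_gaps(frames, expected_interval, now):
    """Addresses whose most recent frame is older than expected_interval.
    A gap on a security sensor is the signature of jamming or a reboot."""
    last_seen = {}
    for f in frames:
        last_seen[f.src] = max(last_seen.get(f.src, 0.0), f.ts)
    return sorted(src for src, ts in last_seen.items()
                  if now - ts > expected_interval)


# Constructed sample: coordinator 0x0000 hands a key to a joining device in
# the clear at t=1s; sensor 0x3c4d then stops reporting while lock 0x1a2b keeps going.
SAMPLE = [
    Frame(0.0, "0x0000", True, False, None),
    Frame(1.0, "0x0000", False, False, APS_CMD_TRANSPORT_KEY),
    Frame(2.0, "0x1a2b", True, False, None),
    Frame(3.0, "0x3c4d", True, False, None),
    Frame(60.0, "0x1a2b", True, False, None),
]

if __name__ == "__main__":
    for f in cleartext_key_transports(SAMPLE):
        print(f"cleartext Transport-Key from {f.src} at t={f.ts}s")
    for src in keepalive_gaps(SAMPLE, expected_interval=30.0, now=61.0):
        print(f"no keepalive from {src} within 30s")
```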

The upshot, Zillner and Strobl said, was that ZigBee is fine for light bulbs, coffee makers and other devices that don't affect physical or financial safety or security.

"You just shouldn't use it for anything important," Zillner told Tom's Guide.

Source: https://www.csmonitor.com/Technology/2015/0819/ZigBee-smart-home-devices-use-absolute-minimum-security