Researchers find major security flaw with ZigBee smart home devices

Manufacturers of smart home devices using the ZigBee standard are aiming for convenience at the expense of security, according to researchers from the Austrian security firm Cognosec. By making it easier for smart home devices to talk to each other, many companies also open up a major vulnerability in ZigBee that could allow hackers to control your smart devices. That is a problem if you rely on things like smart locks or a connected alarm system for home security. Specifically, Cognosec found that ZigBee's reliance on an insecure link key when a new device joins the network opens the door for hackers who capture that exchange to spoof those devices and potentially gain control of your connected home.

"Tests with light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified," Cognosec's Tobias Zillner writes. Even worse, he points out that there's no way for consumers to make their smart devices more secure. In the end, he blames the push for ZigBee to be easy to use as the big reason why companies have been lax with security.

For anyone who's had worries about the vulnerability of the connected home, Cognosec's findings present close to a worst-case scenario for ZigBee. Because the issue affects a wide variety of devices, it's unclear how quickly manufacturers will be able to come up with a fix.

The ZigBee Alliance, whose members include major companies like Samsung, Sony and ARM, offered up the following statement on the hack:

The ZigBee Alliance and its members take security very seriously. Our members develop standards and protocols to strike the appropriate balance between ease of use and secure interaction of devices to afford the greatest 'smart' functionality with the least exposure.

We are aware of the report promoted from Black Hat, and it appears to deal with a singular point in the initial, out-of-the-box joining (when the homeowner is installing a new device) – which is a few hundred milliseconds of key exchange. The hack described by Cognosec is an old one that exists for any system that uses an open key exchange during joining to the network. It affects many different technologies – not just ZigBee-based devices – and is typically shepherded by the consumer who is installing their device.

Security has to fit the application, and schemes are dictated by the resources at hand. It is very hard to enter a 16-digit passphrase into a light bulb when there is no keyboard or monitor. If a scheme is too expensive, too difficult to install, or too time-consuming – consumers won't apply it.

ZigBee technology is created and implemented by some of the most successful companies in the world, all of which have access to the latest security schemes. The ZigBee Alliance is continually evolving its security options to stay ahead of evolving threats, and we welcome this type of analysis as an open standards community. We encourage groups to bring their findings into the development discussion to improve the consumer experience and confidence during the smart home evolution.
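Both Cognosec's finding, as summarized above, and the Alliance's statement point at the same moment: the network key is handed to a joining device protected only by a link key. Where that link key is a profile-wide default that every certified device ships with, it is effectively public, and a passive listener during the join window recovers the network key and can then inject frames the devices accept. The following is an added example written for this page, not code from the article, Cognosec or the ZigBee Alliance. It models the join-time key transport and the sniffer's recovery of the network key, then shows how a per-device key derived from an install code defeats the same listener. Real ZigBee uses AES-128 CCM*; this model substitutes a SHA-256 counter-mode cipher with an HMAC tag so it runs on the Python standard library alone. The default-key value, install code and command frame are constructed placeholders, and the install-code derivation is a stand-in, not ZigBee's hash.

```python
"""Model of ZigBee-style network-key transport at join time.

Added example, not code from the original article, Cognosec or the
ZigBee Alliance. Real ZigBee protects frames with AES-128 CCM*; this
model uses a SHA-256 counter-mode keystream plus an HMAC tag so it runs
with the Python standard library only. All key and frame values below
are constructed placeholders.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a profile-wide default link key that every certified device of
# the profile ships with, and which is therefore public knowledge.
# Placeholder value, not the real constant.
DEFAULT_LINK_KEY = b"PublicDefaultKey"  # 16 bytes
NONCE_LEN = 13  # CCM*-sized nonce, for shape only


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || 16-byte tag."""
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag under `key`; return the plaintext or None on failure."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_install_code_key(install_code: bytes) -> bytes:
    """Per-device link key from a code printed on the device (assumption:
    SHA-256 stands in for the hash ZigBee actually specifies)."""
    return hashlib.sha256(b"install-code" + install_code).digest()[:16]


def trust_center_transport_key(link_key: bytes, network_key: bytes) -> bytes:
    """Trust Center -> joiner: the network key, protected by the link key."""
    return seal(link_key, os.urandom(NONCE_LEN), network_key)


def sniffer_recover_network_key(transport_frame: bytes) -> Optional[bytes]:
    """Passive attacker who knows only the public default link key."""
    return open_(DEFAULT_LINK_KEY, transport_frame)


def run_scenario(use_install_code: bool) -> dict:
    """Join a device either with the default key or an install-code key,
    then let a sniffer try to recover the network key and forge a command."""
    network_key = os.urandom(16)
    if use_install_code:
        link_key = derive_install_code_key(b"1234-5678-ABCD-EF01")  # constructed
    else:
        link_key = DEFAULT_LINK_KEY
    transport = trust_center_transport_key(link_key, network_key)
    recovered = sniffer_recover_network_key(transport)
    forged_accepted = False
    if recovered is not None:
        # With the network key in hand the attacker speaks as a peer node.
        forged = seal(recovered, os.urandom(NONCE_LEN), b"UNLOCK")  # constructed command
        forged_accepted = open_(network_key, forged) == b"UNLOCK"
    return {
        "network_key_recovered": recovered == network_key,
        "forged_command_accepted": forged_accepted,
    }


if __name__ == "__main__":
    print("default link key:     ", run_scenario(use_install_code=False))
    print("install-code link key:", run_scenario(use_install_code=True))
```

The point the model makes is the Alliance's own: the cipher is not the weak part, the key is. Under the shared default the sniffer's `open_` succeeds and the forged frame passes the device's tag check; under a per-device key the same capture yields nothing, at the cost of the consumer typing or scanning a code at install time, which is exactly the usability trade-off the statement describes.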

[Photo credit: Tom Raftery/Flickr]