Researchers find major security flaw with ZigBee smart home devices

Manufacturers of smart home devices using the ZigBee standard are aiming for convenience at the expense of security, according to researchers from the Austrian security firm Cognosec. By making it easier to have smart home devices talk to each other, many companies also open up a major vulnerability with ZigBee that could allow hackers to control your smart devices. And that could be a problem if you rely on things like smart locks or a connected alarm system for home security. Specifically, Cognosec found that ZigBee's reliance on an insecure key link with smart devices opens the door for hackers to spoof those devices and potentially gain control of your connected home.

"Tests with light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified," Cognosec's Tobias Zillner writes. Even worse, he points out that there's no way for consumers to make their smart devices more secure. In the end, he blames the push for ZigBee to be easy to use as the big reason why companies have been lax with security.

For anyone who's had worries about the vulnerability of the connected home, Cognosec's findings basically present the worst-case scenario for ZigBee. Since it affects a wide variety of devices, it's unclear how quickly manufacturers will be able to come up with a fix.

The ZigBee Alliance, whose members include major companies like Samsung, Sony and ARM, offered up the following statement on the hack:

The ZigBee Alliance and its members take security very seriously. Our members develop standards and protocols to strike the appropriate balance between ease of use and secure interaction of devices to afford the greatest 'smart' functionality with the least exposure.

We are aware of the report promoted from Black Hat, and it appears to deal with a singular point in the initial, out-of-the-box joining (when the homeowner is installing a new device) – which is a few hundred milliseconds of key exchange. The hack described by Cognosec is an old one that exists for any system that uses an open key exchange during joining to the network. It affects many different technologies – not just ZigBee-based devices – and is typically shepherded by the consumer who is installing their device.

Security has to fit the application, and schemes are dictated by the resources at hand. It is very hard to enter a 16-digit passphrase into a light bulb when there is no keyboard or monitor. If a scheme is too expensive, too difficult to install, or too time-consuming – consumers won't apply it.

ZigBee technology is created and implemented by some of the most successful companies in the world, all of which have access to the latest security schemes. The ZigBee Alliance is continually evolving its security options to stay ahead of evolving threats, and we welcome this type of analysis as an open standards community. We encourage groups to bring their findings into the development discussion to improve the consumer experience and confidence during the smart home evolution.

[Photo credit: Tom Raftery/Flickr]

Via: TechCrunch
Source: Cognosec