Oh no ZigBee, as another front opens on home networking insecurity

Secrecy of keys

Cognosec discovered that it is possible to compromise ZigBee networks and take over control of all connected devices on a network after uncovering vulnerabilities during various real-world assessments.

Tests by Cognosec with smart light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified. No other options to raise the level of security were implemented and available to the end-user.

The security of ZigBee is reliant on preserving the secrecy of keys. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality network communications is toast.

“The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers,” said Tobias Zillner at Cognosec.

“Companies want to create the latest and greatest products, which today means they are likely to be internet connected. Simple units such as light switches have to be compatible with a whole host of other devices and, unsurprisingly, little consideration is made to security requirements – most likely to keep costs down. Unfortunately, the security risk in this last-tier wireless communication standard can therefore be considered as very high,” he added.

The publication of the research by Cognosec comes less than a month after Tripwire revealed various security shortcomings in home hubs.

Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – are potentially vulnerable to to web security flaws that leave them susceptible to hacking, according to Tripwire.

The vendors involved say the flaws identified only affect older versions of their software. ®