As promised in a post 2 weeks ago, the latest firmware update for V2 Hubs has added a new feature associated with ZigBee insecure rejoin that we’ve talked about before. Specifically, we added the option for you to turn on and off the ability for devices to use the insecure rejoin method.
What does this mean?
There’s a more detailed technical description available, but in short, the ZigBee HA 1.2 specification was designed with a convenience feature known as insecure rejoin. Meant to ensure usability, it lets devices that are unable to reconnect to the network securely, due to a change in the network, request that the network key be resent using the well-known Trust Center Link Key. It came to our attention that a security researcher was able to misuse this feature to cause unauthorized devices to join the ZigBee network.
While the likelihood that this misuse would be exploited in an average smarthome is very low, we wanted to give users the option to disable it entirely.
There may, however, be some negative effects of disabling the insecure rejoin feature. By taking away the ability of end-devices to rejoin the ZigBee network in this manner, some legitimate devices may disconnect from the network and become unresponsive. In order to reconnect stranded devices, the hub and each disconnected device need to be put back into join mode.
With insecure rejoin disabled, you can ensure that the feature cannot be misused to gain unauthorized access to your ZigBee network, but you may find that some devices lose their connection to the network and need to be reset. By leaving insecure rejoin enabled, it may be possible for unauthorized devices to join your network, but your ZigBee devices will always be able to rejoin the network.
How do I disable insecure rejoin?
You can disable insecure rejoin yourself through the “Utilities” page for your hub in the IDE, or by contacting email@example.com for assistance. Detailed instructions are available in the ZigBee “Insecure Rejoin” FAQ on the SmartThings Support Site.
What about my V1 Hub?
We are currently exploring the potential for including this feature in V1 Hubs and will update you here on our progress on the community site.