Is "Insecure Rejoin" for Zigbee still a risk?

I have a few Zigbee devices that go offline periodically, and I read that enabling the “Insecure Rejoin” is one method to allow these devices to reconnect again without my intervention. However, I also read about the security risk this could cause, but they often reference that Zigbee 3.0 will fix this. If I have a SmartThings Hub v3 that I believe supports Zigbee 3.0, do I still need to worry about this security vulnerability or no?

I honestly didn’t believe it was something to be concerned about with previous hub versions, but my environment and scenario may not reflect yours.

I believe unless if you live in a densely populated environment, or perhaps have other Zigbee hubs that are in an “auto-join state constantly looking for new devices mode”, or have a crazy neighbor constantly joining devices, or there’s a hacker parked in your driveway waiting to access your mesh, I’d enable insecure rejoin. Remember, someone would have to be in close proximity and in range of your Zigbee mesh.

TLDR:

The current ZigBee Home Automation 1.2 standard uses encryption to allow only authorized devices to join a home network. In order to allow some devices (like motion sensors) to drop off of, and then easily re-join the network (to preserve battery power), there is a feature known as “insecure rejoin” built into the standard. It has been shown, however, that in very specific cases this feature could potentially be used to gain unauthorized access to a ZigBee network. The upcoming ZigBee 3.0 specification removes this potential vulnerability, but until that new standard is released, SmartThings is giving users the ability to disable the insecure rejoin feature.

3 Likes