Hue has already released an update. What other Zigbee devices does this affect? SmartThings does not yet support over the air updates which could leave us vulnerable.

That was answered in the first few sentences of the piece you’re posting about…

“…a wireless technology often used in smart home devices, including Philips Hue smart light bulbs.”

“The new risk stems from radio protocol ZigBee…”

I think I heard about this earlier and it pertains to ZigBee Light Link (ZLL), not ZigBee Home Automation (ZigBee HA)

http://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/

I think it is a Zigbee problem rather than anything to do with Smartthings.

I don’t know the details but Osram released an update to cover some of this when their hub was said to be insecure and they commented that some of it they could do nothing about because there is a flaw in the Zigbee protocol.

A quick check shows this was on the radar last year or earlier even!

This was the report about Osram Lighitfy

https://threatpost.com/unpatched-smart-lighting-flaws-pose-iot-risk-to-businesses/119479/

This was discussed in the forums a few days ago.

Short answer: it was likely it was likely a zigbee light link problem, not just zigbee, and not the zigbee home automation profile that SmartThings uses.

ZLL is the only profile that doesn’t require a coordinator, and doesn’t require physical manipulation of the end device when it is going to a new network.

Put those two things together and it is massively less secure than other zigbee profiles, which is why ZLL devices are limited to lights.

Note that the effort required that the hacker be within about 100 m of the target device.

And, yes, Phillips put out an update on October for which removed the vulnerability from their bridge.

Some of the Chinese copycat devices probably still have the vulnerability.

BTW…ZLL security sucks.

Multiple issues have been known since 2012. The bottom line is it’s just lightbulbs, and it hasn’t been seen as a high enough priority to address at the present time. It may be addressed in zigbee 3.0, we just don’t know yet.

If you’re interested in the details, here’s a paper from earlier this year that went over multiple known successful attacks. Note that most of them were denial of service, basically removing bulbs from the control of the owner. They all required being close enough to send a one hop signal to either the bulb or the bridge, which means within about 100 m.

The ZigBee Alliance has released a statement on this vulnerability.

http://www.zigbee.org/zigbee-alliance-statement-on-security/

TLDR; They state this is a manufacturing issue and not with the ZigBee HA protocol.

Interesting, thanks. I’d still bet it’s something you could only do with ZLL.

Just as an FYI Philips is working on a firmware update for their hub/bulbs. We are also working with them to get a firmware update to bulbs connected directly to a SmartThings hub.

Would this be over the air?

Yes it would