Thanks! And it seems to be limited to certain devices that poorly implement security. It’s always good to be aware of potential threats.
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
The flaw seems “difficult” enough to exploit that the targets would have to be of high value. I doubt the typical home is realistically at risk while other easier vulnerabilities exist (e.g., physical lock picking / key bumping )
As stated above, the ZigBee Security is based on
the assumption that keys are securely stored, and
devices are pre-loaded with symmetric keys so
they have never to be transmitted unencrypted.
But there are exceptions to this policy. If a non-
preconfigured device joins a network, a single key
may be sent unprotected and enable encrypted
communication. This one-time transmission of the
unprotected key results in a short timeframe of
exploitability in which the key could be sniffed by
an attacker. Since the security is dependent on
the safekeeping of the encryption keys such a key
interception would lead to a critical security
compromise and puts the security of the whole
network at risk. Even thought the timeframe
seems to be narrow, an attacker could use
jamming techniques to trick the user to initiate a
factory reset or another way of re-joining, re-
establishing that attack time-frame.
Well i’d have to agree, that is a pretty serious security flaw. Luckily it really requires developing a perfect storm to exploit it. IDK what anyone else’s zigbee range looks like… except @JDRoberts but in my case i pretty much have a 5-10ft zigbee bubble around my house and you would have to be in the bubble to pull off the attack and be very patient. Now if your zigbee range extends to the street or your neighbors house and you have things or knowledge in your home worth enough to wait days or months to steal and you have a zigbee door lock/HVAC then you should take action to @ least shrink your zigbee bubble. If thats not the case its still WAY easier to break in through a door, window or wall.
I’m waiting for the day someone gets in my house and has to deal with…
Not really, but it would be funny to see it on video. We did have a rather inebriated individual from a party a few houses away get ‘lost’ in the middle of the night and walk in the front door, right after I closed it (I opened it to greet him, closed it, and in his drunken stupor, thought he was at the right house again). He got sober rather quick. It was rather funny to see a very large, very drunk fellow run sideways and crooked through the yard to get away from a rather crabby dog.
I can think of a few (maybe fun) social engineering attacks to get someone to put a hub into pair mode. It is certainly more directed (very much active, not passive), however. Not quite as easy as the garage door attacks of yesteryear.
Here is a pretty good article that breaks down the vulnerabilities.
The hub will pass the encryption keys on boot. If you can force the controller to reboot, you can steal the keys. ZLL bulbs send get the keys in pairing mode. If you can get the hub into pair mode you can get the keys. The Zigbee standard has good security built in, but it’s up to device makers to enforce good security practices.
Since SmartThings is based primarily on compatibility with Zigbee and Z-Wave home automation standards, how do the two standards compare with regard to known security flaws? Is Zigbee being unfairly criticized for a minor security flaw that is also an issue with Z-wave devices?
What about security measures in newer standards like Home Kit?
HomeKit has very tight security, so much so that reportedly the challenges in getting it right are one of the reasons very few HomeKit devices have come to market yet. It will be awhile before we can really evaluate it.
Zwave, just like zigbee btw, offers different levels of security options. Quite a few complaints about the newest zwave generation, that pairing in high security mode is very difficult, and fails a lot. (You can see these concerns expressed in these forums with regard to the newest aeotec lightbulb and Aeotec multi-sensor.) sometimes very secure becomes too secure for normal use.
It’s always tough to get the balance between usability and security right.
Where is this stated? I never noticed the hub passes encryption keys on boot, only on pair / join requests. ZLL is totally insecure by default, since it is designed that way.
The two issues are these: private key exchange at pair / join can be intercepted, either sniff out packets or as an endpoint device. Also, some hubs (ST has not confirmed this vulnerability publicly, not sure if it is an issue or not) use a fallback default key vs using a secured custom key.
If the fallback default key is used, then any device, including rogue devices can be paired, potentially without a join command, but most likely will still need to be in join mode.
However, if the fallback key is used, then all sniffed packets could be decrypted easily.
If all hubs use the same hard coded key, which a lot of manufacturers do, once that key is discovered, then any sniffed packets that use that hard coded key could also be decrypted.
Again, decrypting packets only gets you status of devices. Not a high risk vulnerability.
However, forcing join mode and having the ability to send encrypted packets to other zigbee devices could cause problems.
In theory, the main vector of attack is to inject an encrypted packet to the hub to force it into join mode, spoofed from another joined endpoint, could gain access to the mesh and hub.
It is possible, but I would be much more worried about someone just logging into my ST account and pushing the “+” button that puts the hub into join mode anyway. Much easier.
'#1 Zigbee security flaw is the end user access to the hub and that access can be hacked. Doesn’t matter the hub.
If that isn’t a reason for optional 2 stage authentication, I don’t know what is. I truly wish ST would reconsider their stance on mobile device authentication.
Don’t know if this is ST behavior or not. But was one of the exploits they demoed.
From the article
That’s not the case with a home-security system. The pair played a video of a demonstration in which they jammed the ZigBee signals used by a wireless security system, forcing a reboot in which the encryption keys were again transmitted in the clear.