back to article Oh no ZigBee, as another front opens on home networking insecurity

Security researchers have exposed new flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices. Implementations of ZigBee in home networks requires that an insecure initial key transport has to be supported, making it possible to compromise ZigBee networks and take …

  1. Mark 85 Silver badge

    "...so-called smart home networks."

    Not so smart after all. I'm thinking a marketing droid's wetdream in buzzphrases to grab the masses.

    So is anyone surprised by this insecurity? Show of hands.... Didn't think so.

  2. Steve Crook

    Security, heard of it, somewhere...

    ZigBee. Stretched to do things it was never designed for. Could it be the IoT equivalent of Flash?

    There's every chance it could, single handedly, poison the well for years to come. Most of today's flawed devices are never going to receive firmware updates and will be an open door into peoples home networks.

    1. Lysenko

      Re: Security, heard of it, somewhere...

      To be fair to the vendors, they are damned either way as things stand. They either maximise interoperability and therefore have lowest common denominator security or else they fix the security problem and get vilified for "vendor lock in" and refusal to adopt "open standards". The ZigBee arguments apply equally go ZWave.

      WiFi simply isn't an option for many of these devices due to power issues and Bluetooth LE doesn't currently have the routing sophistication to solve range problems. That only leaves the EnOcean, Insteon, Lutron approach of proprietary protocols - which may well actually be security through (relative) obscurity in terms of the black hat target list.

      The real nasty in the IoT\HA space in my view is the creeping acceptance of "cloud" BS (I'm looking at you: NEST, SmartThings, HoneyWell, GE\Wink), potentially exposing these control systems to hackery from anywhere on the planet.

  3. Anonymous Coward
    Anonymous Coward

    The vendors involved say the flaws identified only affect older versions of their software.

    On older devices which we won't update.

    From a security perspective should it not be two way authentication? i.e. I push button on device to be connected and on the hub (potentially via a web interface/app) otherwise it won't connect?

    1. Charles Manning

      re: two way authentication

      Surely the selling point of IoT is convenience. Having to rummage around your house pushing buttons to pair your phone with your numerous devices sounds rather bothersome. Sounds like we're putting IoT in the too much hassle basket.

      Expect most of the IoT features in most devices to be unused. They're be like the VCR clocks that flash 00:00 for their whole life.

      Unfortunately, most devices will likely come with unsecured IoT access to allow you to get going quicker.

    2. Vic

      From a security perspective should it not be two way authentication? i.e. I push button on device to be connected and on the hub (potentially via a web interface/app) otherwise it won't connect?

      That's still insufficient; given the flawed implementations detailed in the article, a deliberate, legitimate pairing could still be sniffed, leading to the leaking of the security key. This allows a (prepared) attacker to join the PAN and attack its members.

      Vic.

  4. batfastad

    Smart Ahem Meters?

    Don't smart meters also use this?

    1. Androgynous Cowherd

      Re: Smart Ahem Meters?

      They most certainly do in the HAN

  5. Anonymous Coward
    Anonymous Coward

    Smart People

    I guess smart people will just stick with Battlestar Galactica 'dumb tech' standards for the forseeable future.

  6. david 12 Bronze badge

    Would be interested to read actual article about actual flaws

    So I start reading, and I see "new flaws in ZigBee" and "insecure key transport".

    But when I read further, I see "older versions" and "default link key"

    That doesn't sound lik a "new flaw" or "insecure trasnport".

    Which leaves me feeling just pissed off and unimpressed.

  7. Infernoz Bronze badge
    Holmes

    I think what is needed is easy inital security setup and /not/ by wireless!

    Say a specific physical security connector which /all/ wireless devices needing security must support and a security device to carry one or more security data containers to upload to the devices, rather than stupid button press security binding over wireless.

  8. Warm Braw Silver badge

    Smart light bulbs, motion sensors, temperature sensors and even door locks

    The one thing these devices would appear to have in common is a need for power. And you don't really want your heating, alarm or door locks to fail when batteries run out. I can just about believe that a Zigbee temperature sensor could eke out its battery for a year or two, but the rest are going to need real juice. So aren't all practical deployments of these things going to have wired connections anyway?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019