Oh no ZigBee, as another front opens on home networking insecurity

Black Hat 2015 Security researchers have exposed new flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices.

Implementations of ZigBee in home networks requires that an insecure initial key transport has to be supported, making it possible to compromise ZigBee networks and take control of all connected devices on the network, security firm Cognosec warns.

The ZigBee standard was created to enable secure wireless communication for IoT devices and is most commonly used in so-called smart home networks.

Devices on a home automation network may include security systems such as door locks and motion sensors, as well as HVAC (heating, ventilating, and air conditioning) systems and smart lightbulbs/switches – all use ZigBee to communicate and are therefore potentially vulnerable.

Manufacturers using the ZigBee standard include Samsung, Philips, Motorola, Texas Instruments and many others.

Home networking kits are commonly designed for easy set-up and usage. This commonly leads to a vulnerable device pairing procedure that allows external parties to sniff the exchanged network key. Hackers able to snaffle this key gain the ability to break into vulnerable systems.

The key to communicating between devices on a ZigBee network is the usage of application profiles. A ZigBee home automation profile permits a series of device types to exchange control messages to put together a wireless home automation application.

Devices are designed to exchange well-known messages to effect control, such as turning a lamp on or off, sending a light sensor measurement to a lighting controller or sending an alert message if an occupancy sensor detects movement.

If a manufacturer wants a device to be compatible with other certified devices from other manufacturers, it has to implement the standard interfaces and apply the uniform practices of this profile. However, the commonplace use of a default link key for this compatibility leaves network keys dangerously exposed to attack.

Low per-unit-costs, and interoperability and compatibility requirements, as well as the application of outdated security thinking, means that many elements of home networks are shipping with insecure configurations, according to Cognosec.

The security firm is due to outline the main security risks in ZigBee implementations, the devices affected, and demonstrations of practical exploitations against vulnerable kit during a presentation at Black Hat USA in Las Vegas on Thursday (7 August).