Security researchers have identified a critical vulnerability in devices using ZigBee, a wireless standard used for connectivity in multiple Internet of Things and smart home devices, raising the specter of hackers breaking into your smart home and doing what they like with your connected locks, alarm system and even your lightbulbs.
Cognosec presented a paper at the Black Hat confab in Vegas today outlining a flaw in ZigBee implementations it said affects multiple device types, and asserting it’s possible for hackers to compromise ZigBee networks and “take over control of all connected devices on a network.”
“The practical security analysis of every device assessed showed that the solutions are designed for easy setup and usage but lack configuration possibilities for security and perform a vulnerable device pairing procedure that allows external parties to sniff the exchanged network key,” the researchers write.
“This represents a critical vulnerability, as the security of the solution is solely reliant on the secrecy of this network key.”
“Tests with light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified [emphasis mine]. No other options to raise the level of security were implemented and available to the end-user,” they add.
The specific problem is that the ZigBee standard requires support for an insecure initial key transport. Coupled with manufacturers’ use of a default link key, this makes it possible to compromise networks and breach user-profile confidentiality by sniffing out a device and using the default link key to join the network.
If a manufacturer wants a device to be compatible with other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile. However, the use of a default link key introduces a high risk to the secrecy of the network key. Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialisation and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.
Manufacturing pressures to make consumer-friendly devices that interoperate slickly with other connected devices while also keeping their costs down are being fingered as the source of the vulnerability, more than the design of the ZigBee standard itself.
“The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers,” argues Cognosec’s Tobias Zillner in a statement. “Companies want to create the latest and greatest products, which today means they are likely to be internet connected. Simple units such as light switches have to be compatible with a whole host of other devices and, unsurprisingly, little consideration is made to security requirements – most likely to keep costs down. Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high.”
ZigBee is used by manufacturers including Samsung, Philips, Motorola and Texas Instruments, to name a few.
You can view Cognosec’s whitepaper detailing the ZigBee vulnerability here.