Critical security flaws have been uncovered in ZigBee, the popular short-range wireless communication standard used by Internet of Things (IoT) devices.
Speaking at Black Hat 2015 in Las Vegas, Cognosec researchers outlined the main security risks in ZigBee implementations, the devices affected and provided practical exploitations of actual product vulnerabilities.
“Most commonly found in smart homes, the ZigBee standard was created to enable secure wireless communication for IoT devices,” the firm said in its report. “However, low per-unit-costs, interoperability and compatibility requirements, as well as the application of legacy security concepts, has led to the persistence of known security risks.”
The main problem is that ZigBee requires that an unsecure initial key transport to be supported, making it possible to compromise ZigBee networks and take control of all connected devices on the network. Those could include door locks and motion sensors, as well as HVAC systems and smart light bulbs/switches.
“If a manufacturer wants a device to be compatible to other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile,” Cognosec noted. “However, the use of a default link key introduces a high risk to the secrecy of the network key. Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialization and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.”
Manufacturers using the ZigBee standard include Samsung, Philips, Motorola, Texas Instruments and many others.
Researchers performed a vulnerable device-pairing procedure that allows external parties to sniff the exchanged network key. This represents a critical vulnerability, as the security of the solution is solely reliant on the secrecy of this network key.
Tests with light bulbs, motion sensors, temperature sensors and door locks also showed that no other options to raise the level of security were implemented and available to the end-user.
One use case highlighted in the whitepaper and Black Hat presentation was the ability of external parties able to gain control over home automation systems, which have high privacy requirements and are a huge source of personalized data.
“The key to communicating between devices on a ZigBee network is the usage of application profiles,” researchers said. “A ZigBee home automation profile permits a series of device types to exchange control messages to form a wireless home automation application. These devices are designed to exchange well-known messages to effect control, such as turning a lamp on or off, sending a light sensor measurement to a lighting controller, or sending an alert message if an occupancy sensor detects movement.”
The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers, according to Tobias Zillner at Cognosec. “Companies want to create the latest and greatest products, which today means they are likely to be internet connected. Simple units such as light switches have to be compatible with a whole host of other devices and, unsurprisingly, little consideration is made to security requirements – most likely to keep costs down. Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high.”