Zigbee's wireless security flaws threatens IoT devices

10 August 2015
By James Hayes
Mobile version
Share |
Cognosec's Tobias Zillner [R] and Sebastian Strobl [L], whose research uncovered the ZigBee vulnerability

Cognosec's Tobias Zillner [R] and Sebastian Strobl [L], whose research uncovered the ZigBee vulnerability

The ZigBee wireless communications specification used by many Internet of Things (IoT) devices contains critical security flaws, IT firm Cognosec has claimed.

Speaking at the Black Hat USA conference in Las Vegas recently, Cognosec senior IS auditor Tobias Zillner named the principle security risks in ZigBee implementations, revealed which devices are affected by them and demonstrated practical exploitations of actual product vulnerabilities.

Conducting real-world assessments on identified vulnerabilities, Cognosec found that it is possible to compromise ZigBee networks and thereby take control of connected devices on a network. Smart home devices such as lights, motion sensors, temperature sensors and even door locks, for example, could be compromised via such vulnerabilities, Zillner warned.

First standardised in 2003, the ZigBee specification was developed to enable secure wireless communication for a range of IoT devices; however, low per-unit-costs, interoperability and compatibility requirements, along with the application of legacy security concepts, has resulted in persistent known security risks, said Zillner.

"The key to communicating between devices on a ZigBee network is the usage of 'application profiles'. ZigBee home automation profiles permit a series of device types to exchange
control messages to form a wireless home automation application," Zillner explained in his Black Hat presentation. "These devices are designed to exchange well-known messages to effect control, such as turning a lamp on or off, sending a light sensor measurement to a lighting controller, or sending an alert message if an occupancy sensor detects movement."

Vendors wanting a device to be compatible to other certified devices from other manufacturers have to implement the standard interfaces and practices of this profile, Zillner added: "However, the use of a default link key introduces a high risk to the secrecy of the network key. As the security of ZigBee is reliant on the secrecy of the key material - and therefore on the secure initialisation and transport of the encryption keys - this default fallback mechanism has to be considered as a critical risk."

As a result the ZigBee specification "requires that an insecure initial key transport has to be supported, making it possible to compromise ZigBee networks, and take control of all connected devices on the network,” Zillner argued. The practical security analysis of devices Cognosec assessed indicated that the solutions are designed for easy set-up and usage, "but lack configuration possibilities for security, and [also] perform a vulnerable device pairing procedure that allows external parties to 'sniff' the exchanged network key... This represents a critical vulnerability, as the security of the solution is reliant on the secrecy of this network key”.

One use case Zillner highlighted was of external parties able to gain control over home automation systems, which have high privacy requirements, and as such can be a source of personalised data. Cognosec tests with light bulbs, motion and temperature sensors and door locks also showed that the vendors of the tested devices implemented the minimum of the features required to be certified; no other options to raise the level of security were implemented and available to the end-user, the company asserted.

“The shortcomings and limitations we have discovered in ZigBee have been created by [vendors wanting] to create the latest and greatest products – which these days means they are likely to be Internet-connected,” according to Cognosec's Zillner. “Simple units such as light switches have to be compatible with a host of other devices and [therefore] little consideration is made to security requirements – most likely to keep costs down.”

Cognosec has published its findings in a Zigbee security white paper.

Further information



Latest Issue

E&T cover image 1607

"As the dust settles after the referendum result, we consider what happens next. We also look forward to an international summer of sport."

E&T jobs

  • Design Delivery Leader, Palace of Westminster Restoration & Renewal (R&R) - Engineering Lead

    House of Commons
    • City of Westminster, London (Greater)
    • Circa £65,000 (There may be more for an exceptional candidate)

    You will lead on a number of engineering infrastructure and associated workstreams under direction from the Deputy Director

    • Recruiter: House of Commons

    Apply for this job

  • Senior Engineer, Network Equipment

    Energy Networks Association
    • Westminster
    • £49-58k per annum, dependent on experience

    Manage issues and working groups relating to all types of equipment and assets used on the UK Transmission and Distribution Networks.

    • Recruiter: Energy Networks Association

    Apply for this job

  • Programme Manager, Network Resilience

    Energy Networks Association
    • Westminster
    • Competitive salary, dependent on experience

    Co-ordinate the network resilience, emergency planning and the Single Electricity Number (SEN) work in the ENA Engineering team.

    • Recruiter: Energy Networks Association

    Apply for this job

  • Assistant Professor (Tenure Track) of Smart Building Solutions

    Premium job

    ETH Zurich
    • Zurich, Canton of Zürich (CH)

    The successful candidate is expected to develop a strong and visible research programme in the area of control and diagnostics of building systems

    • Recruiter: ETH Zurich

    Apply for this job

  • Process Controls Leader

    Premium job

    Phillips 66
    • Humber Refinery, South Killingholme, North Lincolnshire DN40 3DW
    • £60k - 75k plus extensive Compensation and benefits package, dependent upon experience

    Experienced Process Control Leader providing leadership and technical support for Oil Refinery. Extensive Compensation and benefits package.

    • Recruiter: Phillips 66

    Apply for this job

  • Regional Technical Support Manager

    Premium job

    • Warwick, Warwickshire

    You will be required to lead the regional Customer Services strategy and resources to maximise Customer satisfaction.

    • Recruiter: Siemens

    Apply for this job

  • Communications Engineer

    BAE Systems
    • England, Hampshire, Portsmouth
    • Negotiable

    Communications Engineer Would you like to play a key role supporting the UK's Maritime Communications Infrastructure? We currently have a vacancy for a Communications Engineer at our site in Portsmouth. As a Communications Engineer, you will be carrying o

    • Recruiter: BAE Systems

    Apply for this job

  • MetOp-SG Receiver Project Manager

    Science and Technology Facilities Council (STFC)
    • STFC Rutherford Appleton Laboratory, Harwell, Oxfordshire
    • £37,213 - £50,926 (depending on experience)

    Project Manager to oversee the development, production and test of spaceflight components and integrated receiver systems

    • Recruiter: Science and Technology Facilities Council (STFC)

    Apply for this job

  • Financial Controller

    • Stevenage
    • Competitive Salary & Benefits

    An opportunity has arisen to manage a diverse range of financial controlling activities within the Equipment Team (ET) and newly Centres of Excellence (CofEx) function...

    • Recruiter: MBDA

    Apply for this job

  • Weapon System Product Support Manager

    • Stevenage
    • Competitive Salary & Benefits

    The Opportunity An opportunity has arisen within MBDA?s Customer Support & Services organisation for a strong competent leader to deliver a key Weapon capability primarily...

    • Recruiter: MBDA

    Apply for this job

More jobs ▶


Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T