ZigBee exposes a serious loophole or cited intelligent lighting security crisis

Zhongguancun online news along with the rapid development of science and technology, the Internet of things (TheInternetofThings, IoT) concept rise again, daily necessities, people around the terminal equipment, home appliances etc. have gradually been given the ability of network connection. However, as one of the important standard which is widely used in wireless Internet connection to the device, ZigBee technology is in the recently held 2015 black hat Conference (BlackHat2015) on exposed serious security vulnerabilities caused widespread concern in the industry.

ZigBee is a low-cost, low-power, short-range wireless communication technology. Because of its name (ZigBee, Zig "buzz", Bee "bees") from the bee's eight character dance, so the protocol is also known as the purple bee protocol. At the theoretical level, it is based on the IEEE802.15.4 standard low power LAN protocol, which is suitable for automatic control and remote control. At present, the ZigBee protocol has been widely used in a variety of emerging networking devices, such as smart bulbs, smart door locks, motion sensors, temperature sensors, etc..

However, in each company will still focus on the equipment of the connectivity and compatibility when, without paying attention to the progress of some commonly used communication protocols in terms of security is lagging behind. This is not, in the just concluded 2015 black hat conference, there are security researchers pointed out that there is a serious flaw in the implementation of ZigBee technology. The flaw involves multiple types of devices, hackers may harm the ZigBee network, and take over the control of all Internet devices in the network".

The researchers said that through the practice of safety analysis of each equipment to assess the results of the show, using ZigBee technology for fast networking equipment while brings convenient, but because of the lack of safe and effective configuration options, resulting in equipment in the matching process vulnerabilities, hackers will exchange key organic will sniff network from outside. The security of the ZigBee network is completely dependent on the confidentiality of the network key, so the impact of this vulnerability will be very serious.

In the analysis of security personnel, they pointed out that the specific problem is that the ZigBee protocol is required to support the initial key unsafe transmission, coupled with the use of the default link key manufacturers - that hackers have a chance to invade the network, by sniffing a device to crack the user profile, and use the default key link to join the network.

However, the use of the default link key brings great risk to the security of the network key. Because the security of ZigBee is largely dependent on the confidentiality of the key, that is, the initialization and the transmission of the encryption key, so the default key mechanism must be regarded as a serious risk.

Security personnel said that if an attacker can sniff a device and use the default key link to join the network, so the network is no longer used in security key, communication confidentiality of the whole network can be determined to be unsafe.

In fact, the ZigBee protocol standard itself is not the cause of the design of the above vulnerabilities. The source of vulnerability is more pointed to as the manufacturer in order to produce convenient and easy to use, and other network equipment seamless collaboration equipment, but also to maximize the lower cost of equipment, without regard to the security considerations necessary in the security level.

Security personnel pointed out that in the smart bulbs, smart door locks, motion sensors, temperature sensors, and so on, the test shows that these devices suppliers only deployed a minimum number of requirements for certification functions. Other options to improve security levels are not deployed, and are not open to end users. In this case, the security risks brought about by the seriousness of the situation will be very high.

In summary, as wireless router security vulnerabilities exposed the default password management, now being deployed in a large number of intelligent devices in the ZigBee protocol has also been abused in household equipment manufacturers, or enterprise Internet device using the protocol exposed to malicious attackers coveted. Thus, in order to ensure a good interoperability and popularity of smart devices at the same time, how can consumers take into account the security level of reliable protection, is the most intelligent device manufacturers should do.

For more information about LED, please click on China LED network or pay attention to WeChat public account (cnledw2013).