Critical IoT security flaw leaves connected home devices vulnerable

UPDATED. IoT devices offered by firms ranging from Samsung to Phillips may be vulnerable to exploit and hijacking.
Written by Charlie Osborne, Contributing Writer
Update 10.11: Updated with ZigBee response.

A number of critical vulnerabilities ripe for exploit have been discovered in ZigBee, a popular standard used by IoT devices.

Internet of Things (IoT) devices are picking up pace in the home technology sector. Smart fridges which monitor food freshness, meters which track electricity usage and smart home lighting systems are only a few examples of how networking and the web is changing the nature of home appliances.

While these devices can make homes more efficient and fun, once you connect a device to the Internet you have forged a pathway for software vulnerabilities to potentially be exploited -- and IoT vendors are not known for their attention to security risks.

The standards which allow IoT devices to communicate with each other, the underlying systems which make IoT possible, are also placed at risk -- a concept exploited by researchers from IT security firm Cognosec. Unveiled at Black Hat in Las Vegas, Nevada this week, the team said in a white paper that ZigBee, a popular IoT standard, is riddled with security holes.

ZigBee is an open global wireless standard based on IEEE 802.15.4, and is commonly used by IoT device manufacturers including Samsung, Philips, Motorola and Texas Instruments. The aim of the software protocol is to improve communication and compatibility between different IoT devices, but according to Cognosec, "low per-unit-costs, interoperability and compatibility requirements, as well as the application of legacy security concepts, has led to the persistence of known security risks."

Vienna-based Cognosec found that it is possible to compromise ZigBee networks and take over every IoT device connected to a hub using this protocol. According to the team, easy setup and usage features negatively impact on security as there is a "lack of configuration possibilities" to shore up the defense of IoT products using the ZigBee protocol.

ZigBee allows a variety of device types to exchange control messages to form a wireless home automation application, which then can be used for turning lights and heating on and off, checking home security cameras or opening a door.

However, one serious security flaw can compromise the entire network.

Cognosec discovered one flaw in particular, which the firm describe as a "vulnerable device pairing procedure" which allows third-parties to sniff out exchange network keys. This, in turn, leaves devices open for man-in-the-middle (MITM) attacks and device hijacking.

As a result, the security problem has been deemed critical.

"Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialisation and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk," the team says.

"If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised."

After conducting tests with IoT light bulbs, motion sensors and door locks, the security firm found that vendors often implement the "minimum" amount of security features required to become certified for home use, but customers do not have many options to raise security standards --such as changing passwords and installing additional security software. Default transport keys cannot be changed, and being easily searchable through the web, leaves key transport unencrypted and vulnerable when IoT devices are pairing with a connected home network.

Tobias Zillner from Cognosec commented:

"The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers. Companies want to create the latest and greatest products, which today means they are likely to be Internet-connected.

Simple units such as light switches have to be compatible with a whole host of other devices and, unsurprisingly, little consideration is made to security requirements -- most likely to keep costs down. Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high."

A ZigBee spokesman told ZDNet:

"The ZigBee Alliance and its members take security very seriously. Our members develop standards and protocols to strike the appropriate balance between ease of use and secure interaction of devices to afford the greatest 'smart' functionality with the least exposure.

We are aware of the report promoted from Black Hat, and it appears to deal with a singular point in the initial, out-of-the-box joining (when the homeowner is installing a new device) -- which is a few hundred milliseconds of key exchange. The hack described by Cognosec is an old one that exists for any system that uses an open key exchange during joining to the network. It affects many different technologies -- not just ZigBee-based devices -- and is typically shepherded by the consumer who is installing their device.

Security has to fit the application, and schemes are dictated by the resources at hand. It is very hard to enter a 16-digit passphrase into a light bulb when there is no keyboard or monitor. If a scheme is too expensive, too difficult to install, or too time-consuming -- consumers won't apply it.

The ZigBee Alliance is continually evolving its security options to stay ahead of evolving threats, and we welcome this type of analysis as an open standards community."

10 steps to erase your digital footprint

Read on: Top picks

In pictures:

Editorial standards