The popular wireless mesh networking protocol used in many connected home devices including the Philips Hue light bulbs has been shown to be vulnerable to intrusion. Researchers from Cognosec, presented a paper at the Black Hat security conference showing that the way the ZigBee wireless protocol authenticates devices in its mesh network leaves it open to attack, despite the protocol’s use of high quality security.
To be clear, this is not a weakness in ZigBee or the Hue light bulbs, but a weakness in the way that ZigBee is commonly implemented that can be exploited. The main area of vulnerability is around how the ZigBee protocol handles the keys it uses to authenticate the devices it adds to its mesh network. There are a few ways people can take advantage of it, but most boil down to not adding costs to the end product or not inconveniencing the end user or the manufacturer.
For example, the primary issue is that if manufactures of ZigBee devices use the default settings to exchange secure keys among other devices in the ZigBee network, it introduces a weakness. It’s the equivalent of manufacturers using “password” as their password for exchanging these keys. Another manufacturing problem is using low-end radios that aren’t tamper proof for the “dumb” devices in the network such as sensors.
If someone steals one of these nodes they can mess with the radio and then steal the keys to get onto your ZigBee network. One way to avoid this is to put a high-end radio on the device that shuts down if it detects that it is being tampered with.
Other weaknesses Cognosec noticed included a tendency for manufacturers to reply on the same key authentication for devices once they are on the network, which is actually a huge kindness to users since retyping in a key on a device or re-authenticating on a network would be a huge pain post-installation of a new connected light bulb or door lock. Believe me, once you put these types of things in your home, you don’t want them asking you for more interactions.
And that’s one huge challenge of securing the internet of things. The end user is not interested or necessarily capable of handling the demands that connected devices will require in the form of security. So while it’s nice to tell people to change their password and keep devices updated, many will not. And that gets into the second problem with securing the internet of things—most manufacturers still aren’t willing to take responsibility for security.
Many of the new connected products are designed by startups, some of which are taking steps such as hiring security firms to test their products, or thinking about security from the initial design. However, others are ignoring even common sense measures such as not storing everyone’s passwords in the same database behind a single password or trusting the physical security of a home security hub to the contract manufacturing firm that is making it. Slowly, the larger companies supplying those startups such as the chip firms and wireless radio standard consortia are trying to help make security better by creating products and standardized tools that startups can use easily to make their products more secure.
But not everyone is ready to talk about the role of the larger companies yet. I asked Mike McNamara, the CEO of Flextronics, the company that helps make many of these connected devices from the FitBits to the Wink home hub (which has had several security SNAFUs) about the role bigger firms such as his had to play in helping the connected device industry become more secure at our Brainstorm Tech event in July. He dodged the question utterly. That’s a shame, because he’s in a unique role to influence security and even enforce standards that could really push connected devices forward.
The industry needs to start working on ways to connect these devices securely and easily. And when things go wrong, as they often do, it needs to be able to alert users that their security has been compromised quickly and document what happened. Even today companies have a hard time with this, often noticing that something has happened in their networks, but they are unable to tell which users were affected or what hackers have done. As we attach medical devices, cars, manufacturing infrastructure and other sensitive assets to the Internet, having an understanding of an intrusion and then documentation of what the intruder did and if they still have access will be essential.
Consumers aren’t going to be able to do that. That’s something that needs to be designed in and managed on an ongoing basis. And yes, that will add costs, but it’s just the price we’re going to have to pay to live in a connected world. If that adds a few dollars to my ZigBee locks, that’s worth it.