Although security mechanisms for IoT devices have been enhanced, security experts continue to find flaws. According to a research report by Friedrich-Alexander University Erlangen-Nürnberg (FAU) and IT Security Infrastructures, the connectivity protocol ZigBee 3.0 contains security flaws that may allow unauthorized intruders to control connected devices.
The research team sent a single radio command from more than 100 meters away and was able to modify smart light bulbs and wrest control from their users.
They indicated in the report that an active attacker may even trigger the identify action, reset a device to factory-new, change the wireless channel, and join a device to another or a non-existing network. All of these actions could be carried out from a distance of between 15 and 190 meters, depending on the product.
The weakness showed up in the TouchLink commissioning procedure of ZigBee 3.0, which was released in December 2016. The TouchLink commissioning procedure was introduced for adding new devices to an existing smart home network or setting up a new network. But the team found inadequate security in the procedure, making it vulnerable to attacks coming from outside.
Smart lighting products from GE, IKEA, Philips and Osram were examined and found to be attackable due to the security flaw. After the report was released, some of the companies responded by disabling the TouchLink commissioning procedure in order to protect users’ home privacy.
“This knowledge and experience was taken into account during the development of ZigBee 3.0, in which TouchLink is an optional feature. Although the TouchLink procedures themselves are not changed, more attention is paid to the enabling/disabling of the TouchLink feature under application control. For example, a ZigBee 3.0 light may only accept TouchLink commands within a certain amount of time (e.g., a few minutes) after power-up. This approach significantly shortens the window of vulnerability in our opinion,” the ZigBee Alliance replied regarding the finding.