Security flaws in ZigBee networks mean connected solutions could be used to send out data for miles, a watchdog has found.
The watchdog said that ZigBee’s standard requires an unsecure initial key transport to be supported, allowing its networks to be compromised and all connected devices to be taken control of, CBR Online reported.
Security watchdog Cognosec said that the ZigBee standard requires that an unsecure initial key transport has to be supported, making it possible to compromise ZigBee networks and take control of all connected devices on the network.
The ZigBee solutions are said to lack configuration options for security and to have a vulnerable device pairing procedure which allows external parties to determine the exchanged network key. Cognosec added that this is a “critical vulnerability”, as the system’s security is entirely reliant on this network key remaining secret.
The ZigBee IoT standard was created by ZigBee Alliance members including Samsung, Philips, Motorola, AT&T, Bosch and Silicon Labs, and was designed for “personal-area” networks, providing cheap, efficient consumption and a two-way wireless communications standard for short range applications. Its smart solutions can be applied to remote control, input devices, home automation, healthcare, smart energy and retail services.
Researchers from Red Balloon Security, in a joint investigation with Columbia university, also found that IoT devices can act as transmission channels to steal data from compromised networks. The team infected a Pantum laser printer and circumvented its circuits, finding that it could emit electromagnetic radiation by rapidly moving a chip’s energy output back and forth. Devices like printers and washing machines hacked to transmit invisible, inaudible signals for miles.
Tobias Zillner, Senior IS Auditor at Cognosec, said: “The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers.
“Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high.”
Amol Sarwate, Director of Engineering at cloud security group Qualys, explained that there is a range of different devices, connections and software connected to the IoT service: “Each device should be secure by default – by this I mean that it should only perform specific tasks and stop unauthorised activities from being carried out.
“Unfortunately, many IoT developers don’t have this mindset in place from the start. Too often, devices are released and not updated when components or standards are updated. Responsibility for this should be included within each IoT device, and considered as part of wider services as well.”