
As far as I can tell, the master key of ZigBee pairing has been extracted and posted. This is used when pairing a new device to a ZigBee network, which is used by many home automation devices (such as SmartThings).

Also, and please correct me if I'm wrong, but the attack window is very narrow in that you have to be close to the source and you have to reset the device (or use a new device) in order to really do anything. Not sure how much of a risk this is at the moment.



Note that this is only the Zigbee Light Link master key. A lot of devices use the Zigbee Home Automation specification, which has a different well-known master key (in that case it's in the standard, which is freely available).

The ZLL key is slightly more interesting because you can factory reset (and effectively steal) devices in someone else's network, but that does require physical proximity to the device.

The master key also means that you can make your own device to add to someone's network. Most ZLL networks have a simple push button adding process, so you just need to be close to the button for a few seconds in order to add your own device to the network, after which you can control any other devices already in the network.



