
Zigbee light link master key - officialjunk
https://mobile.twitter.com/MayaZigBee/status/579723961661022209
======
Animats
This may not be much of an attack. The master key is used only during
"commissioning", when a controller is introduced to a light. Then they
exchange keys, and the random key generated by the controller is sent to the
light, encrypted with the master key. The light then stores the controller
key. The controller and light must be physically close for this to work.[1]

Once you've done that, it's difficult to reset a light to factory defaults.
There's a program called "LampStealer" which does this, but the controller and
lamp have to be brought very close together, and even then it doesn't always
work.

Some devices can be reset by connecting to the Zigbee bridge with Telnet on
port 30000, then typing various simple commands. That's a bigger worry than a
leak of the master key.

[1] https://docs.zigbee.org/zigbee-docs/dcn/12/docs-12-0255-01-0mwg-exploring-new-opportunities-with-zigbee-light-link.pdf

~~~
nathankunicki
It's worth noting that for the port 30000 Telnet interface (at least on the
Philips Hue bridge), it also needs to be physically close for it to work. In
fact, this is how LampStealer works: it sends the command to the bridge over
TCP.

~~~
chrisBob
How does it enforce requiring close proximity?

~~~
baq
by very weak transmission power, probably

------
jph
For more about this, there's an excellent paper about hacking lightbulbs:
http://www.dhanjani.com/docs/Hacking%20Lighbulbs%20Hue%20Dhanjani%202013.pdf

"In order to change the state of the lightbulbs (such as turning all the
associated bulbs off) the bridge uses the ZigBee Light Link (ZLL) wireless
technology and protocol....

"ZLL requires the use of a manufacturer issued master key. This master key is
stored on the bridge as well as the light bulbs. Upon initiation (when the
user presses the button on the bridge), the bridge generates a random network
key and encrypts it using the master key. The lightbulbs unwrap the network
key since they also have the master key and use it to subsequently communicate
with the bridge."
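
The key transport the quoted paper describes, as an added worked example; this is editor-written code, not anything from the paper, the thread, or Philips. The master key is a constructed 16-byte placeholder (the real one is redacted in this thread). The per-transaction step, where the bridge's transaction ID and the light's response ID are expanded under the master key into a one-off transport key that then wraps the network key, is how I understand the ZLL commissioning procedure; the page only says the network key is "encrypted using the master key", so treat that derivation as an assumption of the example. The point it demonstrates is the one the thread argues over: a single AES block with no freshness beyond those two IDs means anyone who holds the master key and can hear the commissioning exchange recovers the network key outright, so the remaining protection is radio range.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// MasterKey is a constructed placeholder for this example; the real ZLL master
// key is redacted in the thread and is NOT reproduced here.
var MasterKey = []byte("ZLL-example-key!") // 16 bytes = AES-128

// aesBlock runs a single AES-128 block operation. ZLL key transport works on
// exactly one 16-byte block, so there is no mode, IV or authentication tag.
func aesBlock(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can cause this
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// TransportKey expands the transaction ID (chosen by the bridge) and the
// response ID (chosen by the light) into the one-off wrapping key. Assumed
// layout for this example: txid || rspid || txid || rspid, big-endian, then
// AES-128 encrypted under the master key.
func TransportKey(master []byte, txid, rspid uint32) []byte {
	var blk [aes.BlockSize]byte
	binary.BigEndian.PutUint32(blk[0:], txid)
	binary.BigEndian.PutUint32(blk[4:], rspid)
	binary.BigEndian.PutUint32(blk[8:], txid)
	binary.BigEndian.PutUint32(blk[12:], rspid)
	return aesBlock(master, blk[:], false)
}

// WrapNetworkKey is the bridge side: the freshly generated network key goes
// out on air encrypted under the transport key.
func WrapNetworkKey(master, nwkKey []byte, txid, rspid uint32) []byte {
	return aesBlock(TransportKey(master, txid, rspid), nwkKey, false)
}

// UnwrapNetworkKey is the light side. It is also exactly what an eavesdropper
// does once the master key is public: txid, rspid and the wrapped key are all
// sent in the clear during commissioning.
func UnwrapNetworkKey(master, wrapped []byte, txid, rspid uint32) []byte {
	return aesBlock(TransportKey(master, txid, rspid), wrapped, true)
}

// Commission simulates one button-press pairing and returns what a sniffer in
// range would capture: the two IDs and the wrapped key (never the plain key).
func Commission(master []byte) (nwkKey, wrapped []byte, txid, rspid uint32) {
	nwkKey = make([]byte, aes.BlockSize)
	if _, err := rand.Read(nwkKey); err != nil {
		panic(err)
	}
	txid, rspid = 0x1A2B3C4D, 0x0BADF00D // constructed IDs for the example
	wrapped = WrapNetworkKey(master, nwkKey, txid, rspid)
	return
}

func main() {
	nwkKey, wrapped, txid, rspid := Commission(MasterKey)
	fmt.Printf("on air: txid=%08x rspid=%08x wrapped=%x\n", txid, rspid, wrapped)

	// The light unwraps with the shared master key.
	fmt.Printf("light recovers network key: %t\n",
		bytes.Equal(UnwrapNetworkKey(MasterKey, wrapped, txid, rspid), nwkKey))

	// So does anyone who sniffed the exchange and has the leaked master key.
	fmt.Printf("eavesdropper with leaked master key recovers it too: %t\n",
		bytes.Equal(UnwrapNetworkKey(MasterKey, wrapped, txid, rspid), nwkKey))

	// Without the master key the wrapped blob is just 16 random-looking bytes.
	wrongMaster := []byte("another-16-bytes")
	fmt.Printf("eavesdropper without master key: %t\n",
		bytes.Equal(UnwrapNetworkKey(wrongMaster, wrapped, txid, rspid), nwkKey))
}
```

Run it with `go run` and the last two lines print `true` and `false`. Note what the transaction and response IDs do and do not buy: they make each wrapped key differ per pairing, so a replayed blob is useless, but they are transmitted in the clear, so they add nothing against someone who has the master key. That is why the thread keeps returning to proximity (low transmit power at commissioning time) as the only real barrier once the key is public.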

------
notum
Philips already ships the absolute best Zigbee light hijacking device with
their Bloom and LivingColors lamps. The remote.

The first thing I did when I got my hue set was try to see if the bulbs worked
with the living colors remote. Not only can you force-pair (steal) the bulb
with it, you can then no longer connect it to the bridge without removing it
to get to the serial number, or bringing it close to the bridge and using the
lightfinder app or telnet.

Quite a hassle, and all you need is the standard remote and proximity.

~~~
13
Presumably you can get around the "proximity" limit by just using a more
powerful transmitter; I can't imagine they have any actual near field
communication or anything.

------
sunilkumarc
Can someone explain to me what this post is about?

~~~
BinaryIdiot
As far as I can tell the master key of ZigBee pairing has been extracted and
posted. This is used when pairing a new device to a ZigBee network which is
used by many home automation devices (such as SmartThings).

Also, and please correct me if I'm wrong, but the attack window is very narrow
in that you have to be close to the source and you have to reset the device
(or use a new device) in order to really do anything. Not sure how much of a
risk this is at the moment.

~~~
johnkeeping
Note that this is only the Zigbee Light Link master key. A lot of devices use
the Zigbee Home Automation specification which has a different well known
master key (in that case it's in the standard which is freely available).

The ZLL key is slightly more interesting because you can factory reset (and
effectively steal) devices in someone else's network, but that does require
physical proximity to the device.

The master key also means that you can make your own device to add to
someone's network. Most ZLL networks have a simple push button adding process,
so you just need to be close to the button for a few seconds in order to add
your own device to the network, after which you can control any other devices
already in the network.

------
w00kie
In case this gets taken down, the tweet said:

#DIY lover #ZLL master key [redacted] #ZigBee #Philips #Hue Please RT
@travisgoodspeed @stevewoz

~~~
dang
Redacted due to DMCA takedown request.

------
Natsu
Suddenly I realize that I had almost forgotten 09 F9 11 02...

~~~
nness
I like to think of that moment as Digg's swan-song.

------
benmcnelly
This is why we can't have nice internet of things...

~~~
pantalaimon
I'd rather have an internet of nice things anyway

