Once you've done that, it's difficult to reset a light to factory defaults. There's a program called "LampStealer" which does this, but the controller and lamp have to be brought very close together, and even then it doesn't always work.
Some devices can be reset by connecting to the Zigbee bridge with Telnet on port 30000, then typing various simple commands. That's a bigger worry than a leak of the master key.
The #DIY hashtag in the tweet implies that this is less about security than about allowing custom base stations to be built.
"In order to change the state of the lightbulbs (such as turning all the associated bulbs off) the bridge uses the ZigBee Light Link (ZLL) wireless technology and protocol....
"ZLL requires the use of a manufacturer issued master key. This master key is stored on the bridge as well as the light bulbs. Upon initiation (when the user presses the button on the bridge), the bridge generates a random network key and encrypts it using the master key. The lightbulbs unwrap the network key since they also have the master key and use it to subsequently communicate with the
The first thing I did when I got my hue set was try to see if the bulbs worked with the living colors remote.
Not only can you force-pair (steal) the bulb with it, you can then no longer connect it to the bridge without removing it to get to the serial number, or bringing it close to the bridge and using the lightfinder app or telnet.
Quite a hassle, and all you need is the standard remote and proximity.
You need this key to develop your own clients for existing lights on the market.
It is only given to paying members of the Zigbee interest group to use in tested devices.
Also, and please correct me if I'm wrong, but the attack window is very narrow in that you have to be close to the source and you have to reset the device (or use a new device) in order to really do anything. Not sure how much of a risk this is at the moment.
The ZLL key is slightly more interesting because you can factory reset (and effectively steal) devices in someone else's network, but that does require physical proximity to the device.
The master key also means that you can make your own device to add to someone's network. Most ZLL networks have a simple push button adding process, so you just need to be close to the button for a few seconds in order to add your own device to the network, after which you can control any other devices already in the network.
#DIY lover #ZLL master key [redacted] #ZigBee #Philips #Hue Please RT @travisgoodspeed @stevewoz