Zigbee light link master key (mobile.twitter.com)
110 points by officialjunk on Mar 23, 2015 | 21 comments

This may not be much of an attack. The master key is used only during "commissioning", when a controller is introduced to a light. Then they exchange keys, and the random key generated by the controller is sent to the light, encrypted with the master key. The light then stores the controller key. The controller and light must be physically close for this to work.[1]

Once you've done that, it's difficult to reset a light to factory defaults. There's a program called "LampStealer" which does this, but the controller and lamp have to be brought very close together, and even then it doesn't always work.

Some devices can be reset by connecting to the Zigbee bridge with Telnet on port 30000, then typing various simple commands. That's a bigger worry than a leak of the master key.

[1] https://docs.zigbee.org/zigbee-docs/dcn/12/docs-12-0255-01-0...

It's worth noting that for the port 30000 Telnet interface (at least on the Philips Hue bridge), it also needs to be physically close for it to work. In fact, this is how LampStealer works - it sends the command to the bridge over TCP.

How does it enforce requiring close proximity?

By very weak transmission power, probably.

True, but it does allow snooping of the commissioning process. And now it may allow easier factory resetting of ZLL devices by having a custom user device join the ZLL network. It could also mean some cheap unauthorized lights and remotes/accessories appearing in loosely regulated markets which would be compatible with major systems like Hue.

Thank you - I had just posted questions to all your answers (deleted now) :)

The #DIY hashtag in the tweet implies that this is less about security but about allowing custom base stations to be built.

Some bulbs have a reset function built in, triggered by cycling the power. I believe that for GE bulbs it's 3sec off, 3s on repeated a couple of times.

For more about this, there's an excellent paper about hacking lightbulbs: http://www.dhanjani.com/docs/Hacking%20Lighbulbs%20Hue%20Dha...

"In order to change the state of the lightbulbs (such as turning all the associated bulbs off) the bridge uses the ZigBee Light Link (ZLL) wireless technology and protocol....

"ZLL requires the use of a manufacturer issued master key. This master key is stored on the bridge as well as the light bulbs. Upon initiation (when the user presses the button on the bridge), the bridge generates a random network key and encrypts it using the master key. The lightbulbs unwrap the network key since they also have the master key and use it to subsequently communicate with the bridge."
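The key wrap described in the first comment and in the Dhanjani excerpt above, written out as a small Go program. This is an added example, not code from the thread, from Philips or from the Zigbee Alliance. It assumes the Touchlink key-transport step as I read the ZLL spec: the initiator's 32-bit transaction ID and the target's 32-bit response ID (both sent in the clear) are expanded to TID||TID||RID||RID, that block is AES-128-encrypted once under the master key to give a transport key, and the random network key is then AES-128-encrypted as a single block under that transport key. The byte order of the expansion, the master key value (a placeholder, since the real key is redacted above) and the TID/RID values are all constructed for the example. The point it shows is the one the comments make: anyone holding the master key who captures the exchange recovers the network key, and anyone without it gets 16 unrelated bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Placeholder standing in for the (redacted) ZLL master key. Constructed for
// this example only; it is not the real key. Any 16-byte value runs the demo.
var placeholderMasterKey = []byte("NOT-THE-REAL-KEY")

// transportKey derives the per-commissioning key from the master key and the
// two nonces exchanged in Touchlink. Assumption (my reading of the ZLL spec):
// the 16-byte block TID||TID||RID||RID is encrypted once with AES-128 under
// the master key. The big-endian byte order is an assumption to check against
// a real capture.
func transportKey(masterKey []byte, tid, rid uint32) ([]byte, error) {
	c, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	var in [aes.BlockSize]byte
	binary.BigEndian.PutUint32(in[0:], tid)
	binary.BigEndian.PutUint32(in[4:], tid)
	binary.BigEndian.PutUint32(in[8:], rid)
	binary.BigEndian.PutUint32(in[12:], rid)
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in[:]) // one raw AES block: no mode, no IV
	return out, nil
}

// transportCipher wraps transportKey in an AES block cipher.
func transportCipher(masterKey []byte, tid, rid uint32) (cipher.Block, error) {
	tk, err := transportKey(masterKey, tid, rid)
	if err != nil {
		return nil, err
	}
	return aes.NewCipher(tk)
}

// wrapNetworkKey is the initiator's side (the bridge or remote): encrypt the
// freshly generated 16-byte network key under the transport key before it is
// sent to the light.
func wrapNetworkKey(masterKey, networkKey []byte, tid, rid uint32) ([]byte, error) {
	if len(networkKey) != aes.BlockSize {
		return nil, fmt.Errorf("network key must be %d bytes, got %d", aes.BlockSize, len(networkKey))
	}
	c, err := transportCipher(masterKey, tid, rid)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, networkKey)
	return out, nil
}

// unwrapNetworkKey is the light's side, and equally what a passive listener
// holding the master key does after capturing TID, RID and the wrapped key:
// nothing in the exchange is secret except the master key itself.
func unwrapNetworkKey(masterKey, wrapped []byte, tid, rid uint32) ([]byte, error) {
	if len(wrapped) != aes.BlockSize {
		return nil, fmt.Errorf("wrapped key must be %d bytes, got %d", aes.BlockSize, len(wrapped))
	}
	c, err := transportCipher(masterKey, tid, rid)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, wrapped)
	return out, nil
}

func main() {
	// Constructed sample exchange: one controller commissioning one light.
	networkKey := make([]byte, aes.BlockSize)
	if _, err := rand.Read(networkKey); err != nil {
		panic(err)
	}
	tid, rid := uint32(0x1a2b3c4d), uint32(0x99887766) // both visible on the air

	wrapped, err := wrapNetworkKey(placeholderMasterKey, networkKey, tid, rid)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped network key on the air:", hex.EncodeToString(wrapped))

	// A sniffer that has the master key recovers the network key outright.
	got, _ := unwrapNetworkKey(placeholderMasterKey, wrapped, tid, rid)
	fmt.Println("recovered with master key:   ", bytes.Equal(got, networkKey))

	// One without it gets an unrelated block (wrong-key placeholder, constructed).
	wrong, _ := unwrapNetworkKey([]byte("some-other-16byt"), wrapped, tid, rid)
	fmt.Println("recovered without master key:", bytes.Equal(wrong, networkKey))
}
```

The proximity argument in the thread is about radio range, not about the cryptography: once the three cleartext fields are captured, the unwrap above is a single AES block and needs no further interaction with either device.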

Philips already ships the absolute best zigbee light hijacking device with their bloom and living colors lamps. The remote.

The first thing I did when I got my hue set was try to see if the bulbs worked with the living colors remote. Not only can you force-pair (steal) the bulb with it, you can then no longer connect it to the bridge without removing it to get to the serial number, or bringing it close to the bridge and using the lightfinder app or telnet.

Quite a hassle, and all you need is the standard remote and proximity.

Presumably you can get around the "proximity" limit by just using a more powerful transmitter, I can't imagine they have any actual near field communication or anything.

Can someone explain to me what this post is about?

These are the "secret" keys that are burned into all Zigbee lighting products - Zigbee is a low energy mesh network.

You need this key to develop your own clients for existing lights on the market.

It is only given to paying members of the Zigbee interest group to use in tested devices.

As far as I can tell the master key of ZigBee pairing has been extracted and posted. This is used when pairing a new device to a ZigBee network which is used by many home automation devices (such as SmartThings).

Also, and please correct me if I'm wrong, but the attack window is very narrow in that you have to be close to the source and you have to reset the device (or use a new device) in order to really do anything. Not sure how much of a risk this is at the moment.

Note that this is only the Zigbee Light Link master key. A lot of devices use the Zigbee Home Automation specification which has a different well known master key (in that case it's in the standard which is freely available).

The ZLL key is slightly more interesting because you can factory reset (and effectively steal) devices in someone else's network, but that does require physical proximity to the device.

The master key also means that you can make your own device to add to someone's network. Most ZLL networks have a simple push button adding process, so you just need to be close to the button for a few seconds in order to add your own device to the network, after which you can control any other devices already in the network.

I don't think anyone knows, but we've all upvoted it to the top of HN because last time someone tweeted a key on Twitter it was to do with that really exciting Superfish thing.

In case this gets taken down, the tweet said:

#DIY lover #ZLL master key [redacted] #ZigBee #Philips #Hue Please RT @travisgoodspeed @stevewoz

Redacted due to DMCA takedown request.

Suddenly I realize that I had almost forgotten 09 F9 11 02...

I like to think of that moment as Digg's swan-song.

This is why we can't have nice internet of things...

I'd rather have an internet of nice things anyway
