CVE-2020-28952

Athom Homey Security | Static And Well-Known Keys
What is this CVE-2020-28952 about:
CVE stands for Common Vulnerabilities and Exposures (CVE®)

TL;DR: All Homey and Homey Pro devices before version 5.0.0 have a static and well-known ZigBee communications encryption key.

The reporter wrote everything in his blog here:
https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952

As you can read in the blog, Athom fixed it in the version 5.0.0 firmware; from then on, new ZigBee networks are created with a unique ZigBee network key.

I will try to summarize and answer all questions I see and debunk misconceptions: [Work in Progress]

  • Q: I have updated my Homey from a version before v5.0.0, do I have the old Well-Known-Key?
    A: Probably yes. You can check it here: see whether the network key is “01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d”
  • Q: What is the Risk with the Well-Known-Key?
    A: Someone within range of the ZigBee signal with the knowledge and tools can “break in”, listen to and control devices on your network: probably switch lights and sockets or read sensor measurements.
  • Q: Can I Change the Key?
    A: The only way to change the key is by resetting ZigBee and that would remove all ZigBee devices from Homey. You will have to add all devices again and fix all flows.
  • Q: Do I now need to reset my ZigBee network to be secure?
    A: No, even if you reset your network, ZigBee is not fully secure. It is your own choice whether you think someone in your neighborhood will try to play with your ZigBee devices; it is just a little bit easier for them if you use the Well-Known-Key. Decide for yourself if it is worth the hassle.

I wanted to make a central topic about this as I see replies in many other topics around this with links, assumptions, misinformation etc.
To keep other topics clean I moved discussion from other threads on request here.

Still To be updated

2 Likes
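As an added example (my own code, not the thread's or Athom's), a small defender-side check for the question “do I still have the Well-Known-Key?” asked in the opening post and again in the “look up your zigbee network key” reply below. It accepts the key however your tooling displays it (colon-, dash- or space-separated, or bare hex, any case) and compares it with the value quoted in this thread; function names are mine.

```python
import re

# The static ZigBee network key shipped on Homey / Homey Pro before firmware
# 5.0.0 (CVE-2020-28952), exactly as quoted in this thread.
WELL_KNOWN_KEY = bytes.fromhex("01030507090b0d0f00020406080a0c0d")


def normalize_key(text: str) -> bytes:
    """Turn any common display form of a 128-bit ZigBee key into 16 raw bytes.

    Accepts "01:03:...", "01-03-...", "01 03 ...", "0103..." and an optional
    0x prefix, in upper or lower case. Raises ValueError for anything that is
    not exactly 32 hex digits, so a truncated or mistyped key is not silently
    reported as 'safe'.
    """
    digits = re.sub(r"[\s:\-]", "", text.strip()).lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError("a ZigBee network key is 16 bytes (32 hex digits)")
    return bytes.fromhex(digits)


def assess_key(text: str) -> dict:
    """Report whether the given key is the pre-5.0.0 well-known key."""
    well_known = normalize_key(text) == WELL_KNOWN_KEY
    if well_known:
        verdict = ("well-known pre-5.0.0 key: anyone in radio range who knows it "
                   "can decrypt and inject ZigBee traffic; only a ZigBee reset "
                   "(re-pairing every device) installs a new key")
    else:
        verdict = "key is not the well-known default value"
    return {"well_known": well_known, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample input: the well-known key as Homey's developer tools show it.
    print(assess_key("01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d"))
```

Paste the key from your own Homey into the call instead; as the thread says, never post the value itself anywhere.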

Reserved

Right, I’m gonna do this! :+1:

That has nothing to do with devices showing a question mark in the routing table.

1 Like

Here’s when and why to press ALT during recovery

Thank you for the link👍!

Yes, it is quite strange, but as it works I don’t wanna take any risk, as the ‘medicine could be worse than the disease 😉…’

You’re right, I’ll send this to Homey staff.

Ok, I thought so…

Please look up your Zigbee network key here. Never publish it, but if it is
01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d
your issues are very, very odd.
If your key is different, then since v5.0.1 you have a private key, which causes (can cause) you to lose connection to all paired Zigbee devices.
You seem to have a kind of mix of those two issues.
I’m very interested in Athom’s reply to your filed issue.

You only get a new key when you explicitly perform a Zigbee network reset, which would cause Homey to lose all paired Zigbee devices anyway.

1 Like

Also after an update to v5.0.1, if your Homey is “chosen”, according to this guy’s findings. Sounds reasonable; only how not every Homey gets a new key is what I don’t get. Did Athom push different versions of v5.0.1 to specific Homeys? I don’t buy that.

Rather frustratingly, upon performing the upgrade from v4.2.0 to v5.0.1 my ZigBee network simply stopped working. Knowing what I was looking for, this wasn’t that big a surprise. I got out my ZigBee Sniffer Array and added a device back into my ZigBee network. Lo and behold, a completely new network key was found. This is why my previously-connected devices stopped working: they no longer had a valid network key.

Neither do I. Athom has stated on Slack that only a Zigbee reset will trigger a rekeying. Perhaps the writer of the article inadvertently performed a reset after he updated to 5.0.1 and his Zigbee network stopped working, or perhaps Athom inadvertently published a version of 5.0.1, that would automatically do the rekeying, for a short period of time.

This sounds more logical to me. That kind of stuff happens.
So, they decided to enroll a security fix, but it only gets implemented when you reset your zigbee network yourself. So “you wouldn’t notice the fix” as average user. And why is that? Why not proudly tell every user a security fix is available, and if you care, you’ll have to reset your zigbee network. Now complaints spread on the net about frustrated users with a dropped out zigbee, and not knowing why. That is not a very good way to promote your product.

1 Like

My main issue with the whole affair is that Athom never communicated this issue to its users.

4 Likes

I don’t get it either. They could have promoted it as a step forward, ‘better security’. People would understand imho.

How or where did you get this info? It’s indeed interesting why Athom haven’t communicated this with its users. I would do a zigbee reset, if that’s the only way to fix a security vulnerability. But I do want to hear it from an official source.

Edit: just saw this link. So that’s the source.

1 Like

@Dijker is busy with this, and Athom. He also made a survey to get a somewhat global view and insights. I’ll wait for what he and Athom come up with.
And hey, it’s not a very big security risk, only your neighbours or the-script-kid-on-the-block _could_ switch your lights on or the garden sprinklers, right?
Yes it is kinda silly to sell production models with the default well-known key still enabled, which could be the result of the everlasting battle between sales and tech staff.
I was ‘lucky’, I happened to reset my zigbee after v5.0.1 to tune it with my wifi, before I paired zigbee devices, sorry :wink:
Like Robert wrote, it is so strange Athom ‘thought’ this could be silently fixed and not telling the customers.

I did that many times without success 😩…

A solution seems to be to reset and back up Homey while pressing Alt at a specific step (I can’t find that post any more), but as my Zigbee works quite well I won’t play with that, as I’m afraid of having to re-add devices and to fix many flows…
So I think I’ll wait for an update to fix this 🤗

Athom already has come up with a solution: when you reset your Zigbee network, you get a new random key.

1 Like

@Dijker is busy with this, and Athom. He also made a survey to get a somewhat global view and insights.

Where’s that survey?