Athom Homey Security | Static And Well-Known Keys
What is this CVE-2020-28952 about:
CVE stands for Common Vulnerabilities and Exposures (CVE®)
TL;DR: All Homey and Homey Pro devices, before version 5.0.0, have a static and well-known ZigBee communications encryption key.
The reporter wrote everything in his blog here:
As you could read in the blog, Athom fixed it in the version 5.0.0 firmware; from then on, new ZigBee networks are created with a unique ZigBee Network key.
I will try to summarize and answer all questions I see and debunk misconceptions: [Work in Progress]
- Q: I have updated my Homey from a version before v5.0.0, do I have the old Well-Known-Key?
A: Probably yes, you can check here if the Network Key is: “01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d”
- Q: What is the Risk with the Well-Known-Key?
A: Someone within range of the ZigBee signal with the knowledge and tools can “break in”, listen to and control devices on your network. Probably switch lights and sockets or read sensor measurements.
- Q: Can I Change the Key?
A: The only way to change the key is by resetting ZigBee and that would remove all ZigBee devices from Homey. You will have to add all devices again and fix all flows.
- Q: Do I now need to reset my ZigBee network to be secure?
A: No, even if you reset your network, ZigBee is not fully secure. It is your own choice if you think someone in your neighborhood will try to play with your ZigBee devices; it is just a little bit easier for them if you use the Well-Known-Keys. Decide for yourself if it is worth the hassle.
I wanted to make a central topic about this as I see replies in many other topics around this with links, assumptions, misinformation etc.
To keep other topics clean I moved discussion from other threads on request here.
Still To be updated