The Alliance Statement on Security: Recent Light-Bulb Hack Report
The Zigbee Alliance is in continuous communication with its member companies to develop and maintain its suite of market-relevant standards for the IoT. The Alliance is aware of the issues raised in the Weizmann Institute / Dalhousie University report referenced in multiple press articles this week.
The weakness described in this report is not in any of the Zigbee standards.
In this instance, there was a software bug in the implementation from one silicon provider. It is not a Zigbee protocol issue “ but rather an internal implementation issue. Like many technology platforms, such as smartphones and our daily computing devices, there's a constant need to keep the software current and check for updates to ensure the security of devices and system solutions. The attack here leveraged an internal interface vulnerability, and as such is not applicable in an entire ecosystem or product suite.
The problem in this specific smart bulb scenario has since been resolved and rolled out to all customers of that stack supplier. We also understand that Philips Hue, which uses third-party software components from this particular stack supplier for part of their portfolio, has implemented the patch and already rolled out the firmware to all devices in the field. No changes to the Zigbee standard are warranted.
The Zigbee Alliance and its members take security very seriously. Our members develop standards and protocols to strike the appropriate balance between ease of use and secure interaction of devices to afford the greatest smart functionality with essential security measures in place. There are many layers in a software implementation that work behind the scenes to drive the behavior of products and solutions. Members earn the Zigbee Certified designation, which verifies that their platform and product meets Alliance requirements and performs over-the-air transfers as expected. From there, manufacturers have many implementation choices before bringing their products to market.
Zigbee technology is created and implemented by many of the most successful companies in the world, all of which have access to the latest security schemes. Members of Zigbee Alliance technical working groups actively review the Zigbee security framework as well as industry best practices, and therefore welcome this type of analysis as an open standards community.
We'll continue to work closely with our members to ensure all the functionality available to them in our existing set of standards and security measures is used to its full effect to deliver a secure and encouraging IoT experience. We'll also continue to help the market understand the many moving parts, requirements and criticalities of wireless networking in the emerging world of the Internet of Things.