No, this is not really a vulnerability, just really bad documentation. [here it is][on wayback]
Home Assistant documentation is missing a very important part: setting the ZigBee network key. There is no mention of the ZigBee key anywhere in the docs, shame on you HA. By default, the program behind ZHA, called Zigpy, falls back to the default key set by the ZigBee Alliance and defined in the Zigpy source file zigpy_znp/const.py; in hex format the key is
01:03:05:07:09:0B:0D:0F:00:02:04:06:08:0A:0C:0D
You cannot see your network key from the Home Assistant panel/dashboard; you must go to the command line of the Home Assistant installation, find out which TTY your ZigBee radio is on, and read the info:
zigpy radio znp /dev/ttyACM0 info
PAN ID: 0x1A42
Extended PAN ID: 2b:8c:2d:09:40:52:a4:0e
Channel: 11
Channel mask: [11]
NWK update ID: 0
Device IEEE: 88:02:4b:11:18:d2:f0:a1
Device NWK: 0x0000
Network key: 01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d
Network key sequence: 0
Network key counter: 5397745
IF YOU DO NOT CHANGE YOUR ZIGBEE NETWORK KEY, YOU ARE VULNERABLE TO ATTACKS!
see https://www.zigbee2mqtt.io/advanced/zigbee/04_sniff_zigbee_traffic.html#_3-sniffing-traffic
The Zigpy and ZHA install process seems to be missing a network key generator. It is common practice to generate a fresh key when installing any software that uses a key for something. You can use the JavaScript ZigBee Network Key Generator below.
configuration.yaml should have the ZigBee network key set BEFORE you create your network.
Otherwise, the insecure, known default key will be used!
zha:
  zigpy_config:
    network:
      key: [...]
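The two checks above (is my coordinator still on the well-known default key, and what goes into configuration.yaml) can be automated. The following is an added example written for this post, not code from Home Assistant, ZHA or Zigpy: it parses the `Network key:` line out of `zigpy radio znp ... info` output (the sample below is copied from the output shown earlier in this post), flags the default key, generates a 128-bit key from the OS CSPRNG, and renders it in the `key: [0x.., ...]` list form. The exact list syntax ZHA expects is an assumption here, since the post only shows `key: [...]`; check it against the ZHA docs for your version.

```python
import re
import secrets

# The well-known default key quoted in this post (from zigpy_znp/const.py), as 16 bytes.
DEFAULT_NETWORK_KEY = bytes.fromhex("01030507090B0D0F00020406080A0C0D")

# Matches only the "Network key:" line, not "Network key sequence:" or "Network key counter:".
INFO_LINE_RE = re.compile(
    r"^Network key:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){15})\s*$", re.MULTILINE
)


def parse_key(text: str) -> bytes:
    """Parse a colon-separated hex key such as '01:03:...:0d' into 16 bytes."""
    parts = text.strip().split(":")
    if len(parts) != 16:
        raise ValueError(f"expected 16 key bytes, got {len(parts)}")
    return bytes(int(p, 16) for p in parts)


def network_key_from_info(info_output: str) -> bytes:
    """Extract the network key from the text printed by `zigpy radio znp <tty> info`."""
    match = INFO_LINE_RE.search(info_output)
    if not match:
        raise ValueError("no 'Network key:' line found in info output")
    return parse_key(match.group(1))


def uses_default_key(key: bytes) -> bool:
    """True when the coordinator is still running on the default key."""
    return key == DEFAULT_NETWORK_KEY


def generate_network_key() -> bytes:
    """128-bit key from the OS CSPRNG; the default key is rejected as a belt-and-braces check."""
    while True:
        key = secrets.token_bytes(16)
        if key != DEFAULT_NETWORK_KEY:
            return key


def to_yaml_list(key: bytes) -> str:
    """Render 16 bytes as a YAML flow list of hex literals, e.g. [0x01, 0x03, ...]."""
    return "[" + ", ".join(f"0x{b:02X}" for b in key) + "]"


def zha_config_snippet(key: bytes) -> str:
    """The zha: block for configuration.yaml (list syntax assumed, see lead-in)."""
    return (
        "zha:\n"
        "  zigpy_config:\n"
        "    network:\n"
        f"      key: {to_yaml_list(key)}\n"
    )


# Sample input copied from the `zigpy radio znp /dev/ttyACM0 info` output shown in this post.
SAMPLE_INFO = """\
PAN ID: 0x1A42
Extended PAN ID: 2b:8c:2d:09:40:52:a4:0e
Channel: 11
Channel mask: [11]
NWK update ID: 0
Device IEEE: 88:02:4b:11:18:d2:f0:a1
Device NWK: 0x0000
Network key: 01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d
Network key sequence: 0
Network key counter: 5397745
"""

if __name__ == "__main__":
    current = network_key_from_info(SAMPLE_INFO)
    print("current key:       ", current.hex(":"))
    print("default key in use:", uses_default_key(current))
    print("suggested configuration.yaml block:")
    print(zha_config_snippet(generate_network_key()))
```

Pipe your real `info` output into `network_key_from_info` instead of `SAMPLE_INFO` to check a live coordinator; the snippet it prints is the block that has to be in configuration.yaml before the network is formed.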
If you installed HA directly on the computer, you probably need to install zigpy-cli first. Log in to your HA computer, then switch to the homeassistant user using sudo:
sudo -u homeassistant -H -s
cd /srv/homeassistant
python3 -m venv .
source bin/activate
pip install zigpy-cli
# find your USB ZigBee TTY..
dmesg
# then try to read your network info
zigpy radio znp /dev/ttyACM0 info
You may have several USB radios (Bluetooth, Z-Wave etc.), so try to find the right one: /dev/ttyACM0, /dev/ttyACM1, /dev/ttyACM2
Re-create your network with a new key
After adding your newly generated key to the configuration.yaml file, you can reset the ZigBee network from the command line. I tried removing the ZHA Integration from the HA Dashboard and then adding it again, but it failed.
After I reset the network from command line, adding the ZHA Integration worked.
zigpy radio znp /dev/ttyACM1 reset
zigpy radio znp /dev/ttyACM1 form
zigpy radio znp /dev/ttyACM1 info
The info command now showed the newly generated network key, and none of my lights or devices worked anymore. Good!
After this I tried to click Reconfigure device from the Dashboard, but it did not work, so I ended up removing all my ZigBee devices and then adding them again by putting them into pairing mode and adding them via the Dashboard by clicking Add device.
I now have a randomly generated network key and secure ZigBee network!