
Homeassistant ZHA (ZigBee) vulnerability

No, this is not really a vulnerability, just really bad documentation. [here it is][on wayback]



The Homeassistant documentation is missing a very important part: setting the ZigBee network key. There is no mention of the ZigBee key anywhere in the docs, shame on you HA. By default, the program behind ZHA, called Zigpy, will fall back to the default key set by the ZigBee Alliance and defined in the Zigpy source file zigpy_znp/const.py. In hex format the key is

01:03:05:07:09:0B:0D:0F:00:02:04:06:08:0A:0C:0D


You cannot see your network key from the Homeassistant panel/dashboard. You must go to the command line of the Homeassistant installation, find out which TTY your ZigBee radio is on, and read the info:

zigpy radio znp /dev/ttyACM0 info

PAN ID:                0x1A42
Extended PAN ID:       2b:8c:2d:09:40:52:a4:0e
Channel:               11
Channel mask:          [11]
NWK update ID:         0
Device IEEE:           88:02:4b:11:18:d2:f0:a1
Device NWK:            0x0000
Network key:           01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d
Network key sequence:  0

Network key counter:   5397745


IF YOU DO NOT CHANGE YOUR ZIGBEE NETWORK KEY, YOU ARE VULNERABLE TO ATTACKS!


see https://www.zigbee2mqtt.io/advanced/zigbee/04_sniff_zigbee_traffic.html#_3-sniffing-traffic

The Zigpy and ZHA install process seems to be missing a network key generator. It is common practice to generate a key when installing any software that uses a key for something. You can use the JavaScript ZigBee Network Key Generator below.


configuration.yaml should have the ZigBee network key set BEFORE you create your network.
Otherwise, the insecure, well-known default key will be used!

zha:
  zigpy_config:
    network:
      key: [...]
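As an added example (not code from the page or from the zigpy project), the following Python script does the two things this page asks of you: it checks whether the key printed by `zigpy radio znp ... info` is the known default, and it generates a fresh random 16-byte network key in the list form used by the `zigpy_config` snippet above. It assumes the `key:` value is a list of 16 integers, and the sample `info` output embedded in it is constructed from the lines shown on this page.

```python
import secrets
from typing import Optional

# The default Z-Stack / zigpy_znp network key quoted on this page, in the
# colon-separated hex form that `zigpy radio znp <tty> info` prints.
DEFAULT_NETWORK_KEY = "01:03:05:07:09:0B:0D:0F:00:02:04:06:08:0A:0C:0D"

# Constructed sample of `info` output, copied from the page for illustration.
SAMPLE_INFO_OUTPUT = """\
PAN ID:                0x1A42
Channel:               11
Network key:           01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d
Network key sequence:  0
"""


def parse_key(text: str) -> bytes:
    """Parse a 16-byte key written as colon-separated hex (case-insensitive)."""
    parts = text.strip().split(":")
    if len(parts) != 16:
        raise ValueError(f"expected 16 bytes, got {len(parts)}")
    return bytes(int(p, 16) for p in parts)


def key_from_info_output(output: str) -> Optional[str]:
    """Pull the 'Network key:' value out of `zigpy radio znp ... info` output."""
    for line in output.splitlines():
        if line.startswith("Network key:"):
            return line.split(":", 1)[1].strip()
    return None


def is_default_key(text: str) -> bool:
    """True when the key equals the well-known default this page warns about."""
    return parse_key(text) == parse_key(DEFAULT_NETWORK_KEY)


def is_weak_key(key: bytes) -> bool:
    """Reject the default key and degenerate keys (all bytes identical)."""
    return key == parse_key(DEFAULT_NETWORK_KEY) or len(set(key)) == 1


def generate_network_key() -> bytes:
    """Generate a 16-byte key from the OS CSPRNG, retrying on a weak result."""
    while True:
        key = secrets.token_bytes(16)
        if not is_weak_key(key):
            return key


def to_info_format(key: bytes) -> str:
    """Format as the info command shows it: lowercase, colon-separated."""
    return ":".join(f"{b:02x}" for b in key)


def to_yaml_list(key: bytes) -> str:
    """Format as the list of 16 integers assumed for zigpy_config network.key."""
    return "[" + ", ".join(f"0x{b:02X}" for b in key) + "]"


def main() -> None:
    current = key_from_info_output(SAMPLE_INFO_OUTPUT)
    if current and is_default_key(current):
        print("WARNING: your network is using the well-known default key")
    new_key = generate_network_key()
    print("New network key:", to_info_format(new_key))
    print("zha:\n  zigpy_config:\n    network:\n      key:", to_yaml_list(new_key))


if __name__ == "__main__":
    main()
```

Run it once, paste the printed `key:` line into configuration.yaml, and only then form the network; the key is drawn from `secrets`, so rerunning the script gives a different key each time.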


If you installed HA directly on the computer, you probably need to install zigpy-cli first. Log in to your HA computer, then switch to the homeassistant user using sudo:

sudo -u homeassistant -H -s
cd /srv/homeassistant
python3 -m venv .
source bin/activate
pip install zigpy-cli
# find your USB ZigBee TTY
dmesg
# then try to read your network info
zigpy radio znp /dev/ttyACM0 info


You may have several USB radios (Bluetooth, Z-Wave etc.), so try to find the right one: /dev/ttyACM0, /dev/ttyACM1, /dev/ttyACM2


Re-create your network with a new key

After adding your newly generated key to the configuration.yaml file, you can reset the ZigBee network from the command line. I tried removing the ZHA Integration from the HA Dashboard and then adding it again, but it failed.



After I reset the network from the command line, adding the ZHA Integration worked.


zigpy radio znp /dev/ttyACM1 reset
zigpy radio znp /dev/ttyACM1 form
zigpy radio znp /dev/ttyACM1 info


The info command now showed the newly generated network key, and none of my lights or devices worked anymore. Good!


After this I tried to click Reconfigure device in the Dashboard, but it did not work, so I ended up removing all my ZigBee devices and then adding them again by putting them into pairing mode and adding them via the Dashboard by clicking Add device.


I now have a randomly generated network key and secure ZigBee network!