By Brad Ree
Zigbee Alliance Security Advisory Group Chair
VP of IoT Security | Verimatrix
IoT security is nothing new to the Zigbee Alliance. We continue to evolve the protocol as it is applied to new markets and as new threats are identified. Zigbee 3.0 provides the tools to form, operate, and update a network in a secure manner. The use of install codes during network formation has been a requirement for the Smart Energy protocol for years, and has now been added to the Zigbee 3.0 protocol. The install code provides a unique joining key between the device and the coordinator, such that the network key can only be received by the joining node.
The network is protected with an AES 128-bit network key. Further, network operators may enable device-to-device application-layer security. Zigbee provides tools to monitor the network for interference, whether intentional or not. Based on the interference, the network can be reformed on a clear channel. The interference may also be reported to the network operator if further action is required. The network key can and should be rotated periodically, which greatly reduces an attacker’s ability to gain access to the network and also refreshes the replay attack protection.
Recently, the United States Federal Trade Commission has recommended that device manufacturers provide a means to update devices in the field, and inform customers about the capability. Zigbee provides a robust, secure update process, which supports both sleepy and non-sleepy nodes. All updates are signed to guarantee their authenticity, and then delivered over a secure link. Many platform providers also support encryption of the image when stored in external memory.
The Security Advisory group works with each of the technical working groups as they add new features to the protocol. The group is also active in reviewing and responding to security papers as they apply to any of the Zigbee protocols. Further, we are re-engaging outside researchers to perform an updated audit of Zigbee 3.0 and the underlying protocol stack. I highly recommend that any member who is interested in the latest security updates join the group.
Please contact the Zigbee Alliance staff at firstname.lastname@example.org if you are interested in being added to the roster.