Security flaws exposed in a the ZigBee standard reveal that hackers can compromise ZigBee networks and take control of all connected devices on a network.
A security watchdog said that the ZigBee standard requires that an unsecure initial key transport has to be supported, making it possible to compromise ZigBee networks and take control of all connected devices on the network.
Speaking at Black Hat 2015 in Las Vegas, NV, Cognosec said that solutions designed with ZigBee lack configuration possibilities for security and perform a vulnerable device pairing procedure that allows external parties to sniff the exchanged network key.
The firm added that this represents a critical vulnerability, as the security of the solution is solely reliant on the secrecy of this network key.
ZigBee is an IoT standard created by ZigBee Alliance’s members including companies like Samsung, Philips, Motorola, AT&T, Bosch and Silicon Labs.
The solution was designed for personal-area networks with the aim of providing low-cost, low-power consumption, two-way, reliable, wireless communications standard for short range applications, according to the organisation.
The standard is used in different smart solutions, including remote control, input devices, home automation, healthcare, smart energy and retail services, for example.
Tobias Zillner, Senior IS Auditor at Cognosec, said: "The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers.
"Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high."
Also at the Back Hat event, researchers from Red Ballon Security, in a joint investigation with Columbia University, found that IoT devices can be used as transmission channels to steal data from compromised networks.
Researcher Ang Cui said that devices like printers and washing machines, have the ability to transmit invisible inaudible signals for miles.
The research team infected a Pantum laser printer and worked around its circuits, founding that the device could emit electromagnetic radiation by quickly switching a chip’s energy output back and forth. The research team dubbed the security flaw as "funtenna".
Speaking about security and standards to CBR, Amol Sarwate, director of engineering at Qualys explained that there is a range of different devices, connections and software that goes to make up an IoT service.
He said: "Each device should be secure by default – by this I mean that it should only perform specific tasks and stop unauthorised activities from being carried out.
"Unfortunately, many IoT developers don’t have this mindset in place from the start. Too often, devices are released and not updated when components or standards are updated. Responsibility for this should be included within each IoT device, and considered as part of wider services as well."
This article is from the CBROnline archive: some formatting and images may not be present.