HKCert
Security Guideline

IoT Device (ZigBee) Security Study

Release Date: 08 / 05 / 2020
Last Update: 08 / 05 / 2020

Industries all over the world are keeping up with the Internet of Things (IoT) trend by developing and applying products with built-in IoT-related functions. ZigBee, a wireless technology with low power consumption and a simple set-up, has been widely adopted in the development and market application of IoT devices.

ZigBee is designed to transfer simple network request and response packets that perform a simple data reading or command action on a ZigBee device. As a result, ZigBee-enabled IoT devices are mostly used in the following five use case categories:

  1. Sensors for Data Analysis
  2. Sensors for Automated Decision and Control
  3. Electricity Relay and Switching Control
  4. Direct Mechanical Control
  5. Critical Infrastructure

Given the growing application of IoT devices, especially those supporting ZigBee in a smart home environment, HKCERT has recently completed a study on the security of ZigBee devices to illustrate relevant security issues with the test results, and to raise security awareness of ZigBee devices among product developers and general users.

Starting with an introduction to ZigBee technology, the report elaborates on the security features that protect ZigBee wireless communication. In addition to identifying the types of attacks that such devices are subject to and the corresponding defense methods, the study conducted a security analysis of their pairing and encryption, and of their data protection, by testing some of the devices.

The study also introduces tips on strengthening the security of ZigBee devices. Here, HKCERT recommends five noteworthy security configuration areas in deploying ZigBee devices:

  1. Trust Centre Link Key
  2. Network Key
  3. Smart Hub Security Control
  4. Device Pairing Control
  5. Device Connection Management

HKCERT has provided a table mapping the use cases to the considerations within product designs and the corresponding security configurations. It hopes to give developers an easy reference for applying the security configurations best suited to different design requirements.

Please click “IoT Device (ZigBee) Security Study” to download. Should users or developers have any comments or enquiries about the study, they are most welcome to contact HKCERT via email: [email protected] or its 24-hour telephone hotline: 8105 6060.