Zigbee is not a silver bullet for IoT security, warns MWR InfoSecurity chief
January 12, 2016
Zigbee is not a silver bullet for IoT security, warned Rob Miller, head of smart energy at UK firm MWR InfoSecurity, after news broke last week of vulnerabilities being found in Comcast's Xfinity home security system.
“There is a belief in the IoT community that using a wireless protocol such as Zigbee means that the device is secure,” he said. “Zigbee has a number of very effective security features such as encryption of communications, but it is not a silver bullet. Developers of IoT need to consider the unique security risks of their products rather than assuming that they have already been solved for them. Many attacks such as denial of service, capture and replay of messages and side channel attacks could undermine an otherwise secure product.”
According to a blog post last week by cybersecurity firm Rapid7, creating a failure condition in the 2.4GHz radio frequency band causes the Xfinity home security system to fail open: the base station fails to recognise or alert on a communications failure with the component sensors. In addition, sensors take an inordinate amount of time to re-establish communications with the base station, even if their state is switched from closed to open during the failure event.
What this means in practice is that while an attack is underway, the system could continue to report that all sensors were intact and all doors were closed, with no motion detected. Rapid7 said it was helping Comcast investigate the issue.
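The fail-open behaviour described above, contrasted with a fail-safe alternative, as an added example that is not code from Comcast, Rapid7 or MWR: a hypothetical base station that keeps the last reported state of each sensor, and a supervised variant that reports sensors as unknown and raises an alarm when their periodic check-ins stop arriving. The sensor names, frame timestamps and the 60-second supervision timeout are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed value: seconds without a check-in before a sensor is treated as lost.
SUPERVISION_TIMEOUT = 60


@dataclass
class SensorRecord:
    state: str        # last reported state, "closed" or "open"
    last_seen: float  # timestamp of the last frame received from this sensor


@dataclass
class BaseStation:
    sensors: dict = field(default_factory=dict)

    def receive(self, sensor_id, state, ts):
        """Record a sensor frame; a frame that never arrives leaves the old record in place."""
        self.sensors[sensor_id] = SensorRecord(state, ts)

    def naive_status(self):
        """Fail-open: report the last known state no matter how old it is."""
        return {sid: rec.state for sid, rec in self.sensors.items()}

    def supervised_status(self, now):
        """Fail-safe: a sensor silent past the timeout is 'unknown' and raises a supervision alarm."""
        status, alarms = {}, []
        for sid, rec in self.sensors.items():
            silent_for = now - rec.last_seen
            if silent_for > SUPERVISION_TIMEOUT:
                status[sid] = "unknown"
                alarms.append(f"supervision failure: {sid} silent for {silent_for:.0f}s")
            else:
                status[sid] = rec.state
        return status, alarms


# Constructed scenario: (timestamp, sensor_id, state). Sensors check in every 30s
# until an RF failure begins at t=61; the front door physically opens at t=120,
# but that frame, like every later one, never reaches the base station.
FRAMES = [
    (0, "front_door", "closed"), (0, "window_1", "closed"),
    (30, "front_door", "closed"), (30, "window_1", "closed"),
    (60, "front_door", "closed"), (60, "window_1", "closed"),
]


def run_scenario(now=180.0):
    """Feed the constructed frames and query both status views at time `now`."""
    bs = BaseStation()
    for ts, sid, state in FRAMES:
        bs.receive(sid, state, ts)
    supervised, alarms = bs.supervised_status(now)
    return bs.naive_status(), supervised, alarms


if __name__ == "__main__":
    naive, supervised, alarms = run_scenario()
    print("naive:", naive)            # still reports every sensor closed
    print("supervised:", supervised)  # reports unknown and alarms
    print("\n".join(alarms))
```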
Miller said that the IoT was a rapidly growing area as could be seen at last week’s Consumer Electronics Show in Las Vegas.
“Making a device smart is seen as a way of gaining a competitive edge in a range of products, from fitness to home security,” he said. “This advantage is strongest when your product is first to market whilst also being efficient and practical. Building a competitive device requires short development times, reduction of component cost and reduction in power usage.”
This, he said, often meant that security was marginalised in an attempt to get the product out of the door at a reasonable price. The consequences for a simple smart device may be minimal, but when these devices start controlling burglar alarms or car doors, he said, the priorities must be adjusted.
“There are two races happening at the moment that are leading to security failures in IoT,” he said. “The first is over which wireless protocol will become the de-facto standard in IoT. Developers and manufacturers of wireless protocols and hardware need to be clear not only what security features their solutions have, but also how to use them safely and where their limits are. The second race is which IoT products will become the must haves for 2016. IoT vendors should consider not only the impact of being first to market, but the impact to their brand when the security of their products is exposed to the world.”