Zigbee Security

Zigbee is a low-power, low-data-rate wireless mesh networking protocol based on IEEE 802.15.4. It is widely deployed in smart home automation (lights, locks, thermostats), industrial monitoring, and healthcare devices. Zigbee networks operate in the 2.4 GHz band and use a mesh topology where devices can relay messages to extend range.

The Zigbee protocol includes built-in security features such as AES-128 encryption for network-layer and application-layer communications. However, significant vulnerabilities exist in how these security features are implemented in practice. The most critical weakness involves the network key distribution process — when a new device joins the network, the encryption key may be transmitted in the clear during the initial pairing, creating a brief window where an attacker with a software-defined radio can intercept it.

Known attacks against Zigbee include key sniffing during device pairing, replay attacks where captured packets are retransmitted to trigger actions, and the exploitation of the Zigbee Light Link (ZLL) commissioning process which uses a well-known master key. Tools such as KillerBee, Attify Zigbee Framework, and RZUSBstick make Zigbee security testing accessible to researchers.

To harden Zigbee deployments, organisations should use Zigbee 3.0 with Install Code-based key exchange, monitor for unauthorised device joins, implement application-layer encryption in addition to network-layer encryption, and regularly audit which devices are connected to the network. Physical security of the Zigbee coordinator is also critical, as compromising it provides access to all network keys.