An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: "01030507090b0d0f00020406080a0c0d" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices.
References
Link | Resource |
---|---|
https://homey.app/en-us/ | Product Vendor Advisory |
https://developer.athom.com/firmware | Release Notes Vendor Advisory |
https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952 | Third Party Advisory |
Information
Published : 2021-03-09 12:15
Updated : 2021-03-17 11:28
NVD link : CVE-2020-28952
Mitre link : CVE-2020-28952
JSON object : View
CWE
CWE-798
Use of Hard-coded Credentials
Products Affected
homey
- homey_firmware
- homey
- homey_pro_firmware
- homey_pro