The low-power, low-bandwidth wireless protocol ZigBee has found widespread adoption in IoT and M2M smart devices that need to be inexpensive, rugged and often separated by distances greater than can be covered by conventional WiFi signals. Backed by Samsung, Motorola, TI and others, it represents one of the few successful standards adopted by Internet of Things companies to date. Unfortunately, according to research conducted by security firm Cognosec, it's also insecure, and maybe incurably so -- but not for the usual technical reasons.
If you choose to read the entire report, you might find yourself waiting for the punchline. After all, the protocol in question is completely open, well-pedigreed, widely adopted, and has been audited and reviewed by some of the best research firms over the seven or eight years that it has existed. The researchers go into some detail about its scalability and built-in security features, pointing out their overall robustness.
So what's the problem, then?
Basically, people. Or money. Or both.
It seems that to gain certification, devices only need to implement some minimum number of features, and the security model of the protocol is such that if one part of the software stack is trusted, all parts are trusted. Consequently, a poor or incomplete implementation of the protocol on one node of a deployment could potentially open up an attack vector for all of the other connected devices in the deployment. Short of figuring out the weakest link(s) in a deployment and weeding them out, this makes securing an IoT network next to impossible. And keep in mind that many of the "deployments" in this use case are inside people's homes, where devices from a variety of different vendors might be networked together to provide smart home functionality, from controlling the lights and A/C to locking and unlocking doors.