ZigBee Chain Reaction

In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a critical mass. site

In this paper we described an attack which has the potential to cause large scale effects. Moreover, fixing the malicious software update will require the physical replacement of every affected lightbulb with a new one, and a waiting period for a software patch to be available before restoring light. pdf

This scenario might be alarming enough by itself, but this is only a small example of the large scale problems that can be caused by the poor security offered in many IoT devices.

Our attacks exploit a specific implementation bug of the Touchlink commission protocol and a specific design for the OTA update process, but they are just an example of the way security in IoT is designed today. The Atmel code we reviewed was very well written and documented, but it is extremely difficult to implement complex state machines of such protocols without any bugs. The main problem is in the insecure design of the ZLL standard itself.

We believe this will not be the last bug or attack found against ZLL commissioning. While the vendor’s main design goal of ease of use is understandable, a better trade-off between usability and security must be made, and the security community and academia should be allowed to take part in the process. The sharp contrast between the open and inclusive manner in which TLS 1.3 standard was designed and the secretive work on the ZigBee 3.0 specification that is still not open to the public, is a big part of the problem.


Eyal Ronen. I am a PHD student of Prof. Adi Shamir at the Department of Computer Science and Applied Mathematics of the Weizmann Institute of Science. My research interests are security and cryptography. site

My name is Colin O’Flynn. I’m trained as an electrical engineer, based in Nova Scotia, Canada. I’ve previously worked around the world for a variety of companies performing such diverse tasks as software programming, PCB design, prototype construction, installing devices on helicopters, RF layout, FPGA design, and a few others. Previously I was fairly active in some of the open-source AVR toolchain development, which is what powers the Arduino platform. This ultimately led to working as a consultant with Atmel for several years. blog