CVE-2020-28952 Information

Description

An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However the cited Athom products use another widely known key that is designed for testing purposes: C0507090b0d0f00020406080a0c0d\ (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13) which is human generated and static across all issued devices.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://homey.app/en-us/ https://developer.athom.com/firmware https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5