The SmartThings Hub allows users to mitigate potential misuse of a ZigBee Home Automation feature known as "insecure rejoin" (sometimes written "unsecure rejoin"). Disabling insecure rejoin is optional, and there are advantages and disadvantages both to enabling and to disabling it. Whether you choose to disable insecure rejoin is a trade-off between convenience and security, and the choice is yours.
Can I get more information about ZigBee and "insecure rejoin"?
Your SmartThings Hub has several radio transmitters inside which allow it to act as the universal translator between many different devices that all "speak" different languages. SmartThings doesn't create these languages; rather, we implement industry standards in order to ensure an open ecosystem, easy operation, and a high level of security. One of those radios and languages is called ZigBee Home Automation.
The current ZigBee Home Automation 1.2 standard uses encryption to allow only authorized devices to join a home network. In order to allow some devices (like battery-powered motion sensors that sleep most of the time) to drop off of, and then easily rejoin, the network, the standard includes a feature known as "insecure rejoin": a device may rejoin without proving it still holds the current network key, and the Hub then sends it that key protected only by a default Trust Center link key that is the same for every ZigBee Home Automation device. It has been shown that, in very specific cases, this feature can be used to gain unauthorized access to a ZigBee network: an attacker who imitates the address of a device already on the network can request an insecure rejoin and recover the network key. The upcoming ZigBee 3.0 specification removes this potential vulnerability, but until that new standard is released, SmartThings is giving users the ability to disable the insecure rejoin feature.
For a more technical and detailed explanation, read this post we made on the SmartThings Developer Community forum.
Here are some additional facts:
- A known issue, not specific to SmartThings: This is a known issue with the ZigBee Home Automation standard used by many companies across the industry and is not specific to SmartThings.
- We alerted our community: SmartThings has been aware of the potential misuse of ZigBee's insecure rejoin feature since December 2015. We alerted our community immediately when this was discovered and worked to deliver this firmware update as soon as possible.
- We’re actively participating in improving standards: As a member of the Board of the ZigBee Alliance, Z-Wave Alliance, and Thread Group, SmartThings is working across the industry to ensure that security is a primary focus on new standards development for the connected home.
What are the pros and cons of disabling ZigBee’s insecure rejoin feature?
- Pros: Disabling insecure rejoin closes this attack path. Someone who "spoofs" a known device on your network can no longer use an unsecured rejoin to obtain your ZigBee network key and gain unauthorized access to your wirelessly connected ZigBee devices. Devices that still hold the current network key are unaffected, because their rejoin is secured.
- Cons: ZigBee devices may “drop off” your network and become unresponsive. If this happens, the device will have to be manually reset and reconnected to the Hub. (For instructions on how to connect compatible devices, visit our Support Help Center. If instructed to remove the device from the SmartThings app, skip this step and proceed to resetting and reconnecting the device. See also "I think my device dropped off my ZigBee network..." below for more information.)
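To make the rejoin behaviour described above and the pros and cons concrete, here is a small model of a Hub's rejoin handling. This is an added illustration written for this page, not SmartThings firmware or any ZigBee stack. It simplifies the cryptography so the decision logic stands out: a truncated HMAC stands in for the AES-CCM* message integrity code of a secured rejoin, and a keyed XOR stands in for Transport-Key encryption. The default Trust Center link key value is the real one published for ZigBee Home Automation; the device address, the key rotation used to put a sleeping device out of sync, and the `TrustCenter`/`Device` names are constructed for the example. It runs three rejoin attempts with Secure Mode on and off: a healthy sleeping sensor, an attacker spoofing that sensor's address, and a legitimate sensor that missed a network key change.

```python
import hashlib
import hmac
import secrets

# Well-known default Trust Center link key from the ZigBee Home Automation
# profile. Every HA 1.2 device ships with it, so it is effectively public.
DEFAULT_TC_LINK_KEY = b"ZigBeeAlliance09"


def mic(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 4-byte AES-CCM* MIC: a truncated HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


def transport(key: bytes, nwk_key: bytes) -> bytes:
    """Stand-in for Transport-Key encryption: XOR with a key-derived stream.
    Symmetric, so the same call decrypts; anyone holding `key` can unwrap."""
    stream = hashlib.sha256(key + b"transport-key").digest()[:16]
    return bytes(a ^ b for a, b in zip(nwk_key, stream))


class TrustCenter:
    """Hub-side rejoin policy. secure_mode=True means insecure rejoin is disabled."""

    def __init__(self, secure_mode: bool):
        self.secure_mode = secure_mode
        self.nwk_key = secrets.token_bytes(16)
        self.members = set()

    def commission(self, addr: bytes) -> bytes:
        """Initial, user-authorised join; hands out the current network key."""
        self.members.add(addr)
        return self.nwk_key

    def rotate_key(self) -> None:
        """Switch to a new network key; a sleeping device may miss the update."""
        self.nwk_key = secrets.token_bytes(16)

    def handle_rejoin(self, req: dict) -> dict:
        if req["addr"] not in self.members:
            return {"status": "rejected", "reason": "unknown device"}
        if req["secured"]:
            # Secured rejoin: the MIC proves the device already holds the
            # current network key, so nothing secret has to be sent back.
            expected = mic(self.nwk_key, req["addr"] + b"rejoin")
            if hmac.compare_digest(expected, req["mic"]):
                return {"status": "accepted"}
            return {"status": "rejected", "reason": "bad MIC"}
        # Unsecured (insecure) rejoin: the requester has shown nothing except
        # an address, and addresses travel in cleartext over the air.
        if self.secure_mode:
            return {"status": "rejected", "reason": "insecure rejoin disabled"}
        return {"status": "accepted",
                "transport_key": transport(DEFAULT_TC_LINK_KEY, self.nwk_key)}


class Device:
    """A ZigBee end device (or an attacker pretending to be one)."""

    def __init__(self, addr: bytes, nwk_key=None):
        self.addr = addr
        self.nwk_key = nwk_key

    def rejoin_request(self) -> dict:
        if self.nwk_key is not None:
            return {"addr": self.addr, "secured": True,
                    "mic": mic(self.nwk_key, self.addr + b"rejoin")}
        return {"addr": self.addr, "secured": False}

    def handle_response(self, resp: dict) -> bool:
        if resp["status"] != "accepted":
            return False
        if "transport_key" in resp:
            # Unwrapping needs only the public default key.
            self.nwk_key = transport(DEFAULT_TC_LINK_KEY, resp["transport_key"])
        return True


def run_scenario(secure_mode: bool) -> dict:
    """Three rejoin attempts against one Hub; reports who ends up with the key."""
    hub = TrustCenter(secure_mode)
    sensor_addr = bytes.fromhex("00124b0001020304")  # constructed sample address
    sensor = Device(sensor_addr, hub.commission(sensor_addr))

    # 1. A healthy sleepy sensor wakes up and rejoins with a secured request.
    healthy = sensor.handle_response(hub.handle_rejoin(sensor.rejoin_request()))

    # 2. An attacker spoofs the sensor's address, holding only the default key.
    attacker = Device(sensor_addr)
    attacker.handle_response(hub.handle_rejoin(attacker.rejoin_request()))
    attacker_got_key = attacker.nwk_key == hub.nwk_key

    # 3. The Hub rotates the network key while the sensor sleeps; its secured
    #    rejoin now fails, so it falls back to an unsecured rejoin.
    hub.rotate_key()
    stale = Device(sensor_addr, sensor.nwk_key)
    if not stale.handle_response(hub.handle_rejoin(stale.rejoin_request())):
        stale.nwk_key = None  # drop the stale key and try an unsecured rejoin
        stale.handle_response(hub.handle_rejoin(stale.rejoin_request()))
    stale_recovered = stale.nwk_key == hub.nwk_key

    return {"healthy_rejoin": healthy,
            "attacker_got_key": attacker_got_key,
            "stale_device_recovered": stale_recovered}


if __name__ == "__main__":
    for mode in (True, False):
        print("Secure Mode", "ON " if mode else "OFF", run_scenario(mode))
```

With Secure Mode off, the attacker and the out-of-sync sensor both receive the network key, which is the "most compatible" setting and the weakness in one picture. With Secure Mode on, the healthy secured rejoin still succeeds, the attacker is refused, and the out-of-sync sensor is refused too, which is exactly the device that "drops off" and has to be reset and reconnected at the Hub.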
How do I disable insecure rejoin?
In the SmartThings app, insecure rejoin is controlled by the Secure Mode setting and is disabled by default. To view and edit the Secure Mode status:
- Tap Devices
- Select your SmartThings Hub
- Toggle Secure Mode to your desired setting:
  - Secure Mode ON = ZigBee insecure rejoin disabled (most secure)
  - Secure Mode OFF = ZigBee insecure rejoin enabled (most compatible)
Note: If you have multiple SmartThings Hubs, you will have to perform the above steps for each Hub to disable insecure rejoin.
Once you have disabled insecure rejoin, you can continue to use your SmartThings Hub as normal. Simply keep an eye out for ZigBee devices that may become unresponsive.
You can re-enable insecure rejoin at any time. In the SmartThings app, toggle Secure Mode to the OFF state from the Hub details page.
Does this affect all Hubs?
All SmartThings Hubs use the ZigBee Home Automation standard, and therefore its insecure rejoin feature. Currently, the firmware update that allows users to disable insecure rejoin is available for Hub v2, Samsung Connect Home, ADT Security Hub, and SmartThings Link for NVIDIA® SHIELD™.
Read this guide to determine which version of the Hub you own.
I think my device dropped off my ZigBee network after disabling insecure rejoin—what should I do?
If you believe your ZigBee device failed to rejoin your network and is unresponsive, all you have to do is reconnect it with your Hub. Visit our Support Help Center for information about how to connect compatible devices. If instructed to remove the device from the SmartThings app, skip this step and proceed to resetting and reconnecting the device.
Again, removing the device from the app before performing these steps is not necessary or recommended.
You can also contact support for assistance.
What else is SmartThings doing to ensure my home security?
Protecting our customers’ privacy and data security is fundamental to everything we do and is something we take seriously. We’re providing this information in response to a number of recent articles about wireless security in the home, to illustrate key facts and to clarify where we stand on specific issues being highlighted.
We also regularly perform penetration tests of our system and work with professional third-party security research firms to look for vulnerabilities in the platform so that we may continue to improve its security. We work hard to stay in front of any issues and be transparent with our customers about our efforts.
At the recent Federal Trade Commission’s 2016 Privacy Conference, SmartThings scored highly in security and privacy tests by third-party researchers (Princeton University publication).
Additionally, when reproducible vulnerabilities are reported to SmartThings, we always work to ensure responsible remediation and disclosure of the issue (Gotham Digital Science security disclosure).
For further concerns and questions, please contact us at email@example.com.