A recent firmware update to SmartThings Hubs now allows users to mitigate potential misuse of the ZigBee Home Automation feature known as "insecure rejoin" (or sometimes “unsecure rejoin”). Disabling insecure rejoin is optional, and there are advantages and disadvantages to both enabling and disabling this feature. Whether you opt to manually disable insecure rejoin entirely depends on your convenience and security preferences.
Can I get more information about ZigBee and "insecure rejoin"?
Your SmartThings Hub has several radio transmitters inside which allow it to be the universal translator between many different devices that all “speak” different languages. SmartThings doesn’t create these languages, rather we implement industry standards in order to ensure an open ecosystem, easy operation, and a high level of security. One of those radios and languages is called ZigBee Home Automation.
The current ZigBee Home Automation 1.2 standard uses encryption to allow only authorized devices to join a home network. In order to allow some devices (like motion sensors) to drop off the network and then easily rejoin it (to preserve battery power), there is a feature known as “insecure rejoin” built into the standard. It has been shown, however, that in very specific cases this feature could potentially be used to gain unauthorized access to a ZigBee network. The upcoming ZigBee 3.0 specification removes this potential vulnerability, but until that new standard is released, SmartThings is giving users the ability to disable the insecure rejoin feature.
For a more technical and detailed explanation, read this post we made on the SmartThings Developer Community forum.
Here are some additional facts:
- A known issue, not specific to SmartThings: This is a known issue with the ZigBee Home Automation standard used by many companies across the industry and is not specific to SmartThings.
- We alerted our community: SmartThings has been aware of the potential misuse of ZigBee’s insecure rejoin feature since December 2015. We alerted our community immediately when this was discovered and worked to deliver this firmware update as soon as possible.
- We’re actively participating in improving standards: As a member of the Board of the ZigBee Alliance, Z-Wave Alliance, and Thread Group, SmartThings is working across the industry to ensure that security is a primary focus in new standards development for the Connected Home.
What are the pros and cons of disabling ZigBee’s insecure rejoin feature?
- Pros: Disabling insecure rejoin will effectively protect your ZigBee network from certain vulnerabilities. You can prevent someone from “spoofing” a known device on your network to obtain your ZigBee network key and gain unauthorized access to your wirelessly connected ZigBee devices.
- Cons: ZigBee devices may “drop off” your network and become unresponsive. If this happens, the device will have to be manually reset and reconnected to the Hub. (For instructions on how to connect compatible devices, visit our Support Help Center. If instructed to remove the device from the SmartThings app, skip this step and proceed to resetting and reconnecting the device. See also "I think my device dropped off my ZigBee network..." below for more information.)
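As an added illustration (not SmartThings code) of the insecure rejoin mechanism explained above and the pros and cons just listed, the following Python models a hub's Trust Center deciding a rejoin request under each setting; the device address and the simplified policy are assumptions, and the point it shows is that the hub cannot tell a sensor that genuinely lost its key from a device merely presenting that sensor's address.

```python
# Added example, not SmartThings code: simplified ZigBee HA 1.2 Trust Center rejoin policy.
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    REJOINED = "secure rejoin accepted"
    KEY_SENT = "network key transported (unsecure rejoin)"
    REJECTED = "rejected: device must be factory reset and re-paired"

@dataclass
class TrustCenter:
    allow_unsecure_rejoin: bool
    members: set = field(default_factory=set)  # IEEE addresses admitted at join time

    def handle_rejoin(self, ieee: str, nwk_secured: bool) -> Outcome:
        """Decide a rejoin request. nwk_secured=True means the request was
        encrypted with the current network key, proving the sender still has it."""
        if ieee not in self.members:
            return Outcome.REJECTED   # unknown address: never a rejoin, needs a full join
        if nwk_secured:
            return Outcome.REJOINED   # secure rejoin: nothing to transport
        if self.allow_unsecure_rejoin:
            # Unsecure rejoin: the hub re-sends the network key to whoever presented a
            # member's address. Convenient for a sensor that lost its key; a spoofed address gets it too.
            return Outcome.KEY_SENT
        return Outcome.REJECTED       # disabled: no key without a fresh join (device "drops off")

def simulate(allow_unsecure_rejoin: bool) -> dict:
    """Run the cases the FAQ contrasts under one policy setting."""
    tc = TrustCenter(allow_unsecure_rejoin, members={"00:0d:6f:00:01:23:45:67"})
    sensor = "00:0d:6f:00:01:23:45:67"  # constructed member address
    return {
        # sensor woke up still holding the key: secure rejoin under either setting
        "sensor_with_key": tc.handle_rejoin(sensor, nwk_secured=True),
        # sensor lost the key (e.g. battery pulled): needs the key transported
        "sensor_lost_key": tc.handle_rejoin(sensor, nwk_secured=False),
        # third party presenting the sensor's address without the key: identical request
        "spoofed_sensor": tc.handle_rejoin(sensor, nwk_secured=False),
        # never-paired device: always needs a full join
        "unknown_device": tc.handle_rejoin("00:0d:6f:00:ff:ff:ff:ff", nwk_secured=False),
    }

if __name__ == "__main__":
    for allow in (True, False):
        print(f"allow_unsecure_rejoin={allow}")
        for case, outcome in simulate(allow).items():
            print(f"  {case:16} -> {outcome.value}")
```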
How do I disable insecure rejoin?
From your browser:
- Go to ide.smartthings.com
- Click Log in
- Enter your SmartThings account credentials (email and password)
- Click Log in
- Click My Hubs
- Scroll down to Utilities and click View Utilities
- Under ZigBee Utilities > Network Security, click Disable Unsecure Rejoin (Most Secure)
- Click OK to confirm
Note: If you have multiple Hubs, you will have to perform the above steps for each Hub to disable insecure rejoin.
Once the Hub is rebooted, you can continue to use your SmartThings system as normal. Simply keep an eye out for ZigBee devices that may become unresponsive.
You can re-enable insecure rejoin at any time by selecting Allow Unsecure Rejoin (Most Compatible) from the ZigBee Utilities menu.
Does this affect all Hubs?
Both first-generation Hubs and Samsung SmartThings Hubs (Hub v2) use the ZigBee Home Automation standard and its insecure rejoin feature. Currently, the firmware update that allows users to disable insecure rejoin is only available for Hub v2.
Read this guide to determine which version of the Hub you own.
I can’t disable the feature—can you help me?
If you encounter problems with changing your ZigBee network settings, contact support for assistance.
I think my device dropped off my ZigBee network after disabling insecure rejoin—what should I do?
If you believe your ZigBee device failed to rejoin your network and is unresponsive, all you have to do is reconnect it with your Hub. Visit our Support Help Center for information about how to connect compatible devices. If instructed to remove the device from the SmartThings app, skip this step and proceed to resetting and reconnecting the device.
Tip: Put the Hub in join mode by selecting Connect New Device, and then power cycle the device (by removing and replacing the battery or by unplugging and replacing the device). Though the app may say that no devices were discovered, it’s possible that the device actually rejoined the ZigBee network behind the scenes. Navigate to the Things page and send a command to the device to see whether it is responsive.
Tip: If the above methods do not work, put the Hub in join mode by selecting Connect New Device. While the Hub is searching, perform the device-specific instructions to factory reset the device and then to connect the device.
Again, removing the device from the app before performing these steps is not necessary or recommended.
You can also contact support for assistance.
What else is SmartThings doing to ensure my home security?
Protecting our customers’ privacy and data security is fundamental to everything we do and is something we take seriously. We’re providing this information in response to a number of recent articles about wireless security in the home, to illustrate key facts and to clarify where we stand on specific issues being highlighted.
We also regularly perform penetration tests of our system and work with professional third-party security research firms to look for vulnerabilities in the platform so that we may continue to improve its security. We work hard to stay in front of any issues and be transparent with our customers about our efforts.
At the recent Federal Trade Commission’s 2016 Privacy Conference, SmartThings scored highly in security and privacy tests by third-party researchers (Princeton University publication).
Additionally, when reproducible vulnerabilities are reported to SmartThings, we always work to ensure responsible remediation and disclosure of the issue (Gotham Digital Science security disclosure).
For further concerns and questions, please contact us at firstname.lastname@example.org.