ZigBee protocol is widely used for home automation and remote control operations. However, the protocol design and common implementations suffer from several vulnerabilities. We will talk about ZigBee (based on IEEE 802.15.4 standard) and ZigBee RF4CE security designs (the latest being popular in the USA) and review the security implementation of a well-known set-top box, using different commercial and home-made tools. We will focus in particular on various security mechanisms like key exchange, authentication and encryption. We will see that ZigBee main practical vulnerability is the lack of a secure key echange scheme and assess how easy it is to intercept and use the key for an attacker. We will talk about the associated risks and best practices in this field. The goal of the talk will be to sketch the minimal security basics for IoT devices and recommendations for future protocols.

- Keywords: IoT, ZigBEE, IEEE 802.15.4, RF4CE, home automation, set-top box, security