【联盟声明】ZigBee联盟关于“采用 ZigBee 协议的智能家居设备存在严重漏洞”的声明

ZigBee联盟关于“采用 ZigBee 协议的智能家居设备存在严重漏洞”的声明

ZigBee联盟及其成员开发标准和协议是建立在一个适当的平衡点之上的，它综合考虑了设备的安全互动以及易用性，并以最小的暴露风险来提供最好的“智能”功能。

我们很清楚黑帽子此次推出的报告。报告描述的是一个在单节点初始化时的小漏洞，发生在用户开箱加网（当用户安装新设备）或者当一个设备跟父节点失去连接重新加网的时候——通常这意味着几毫秒的密钥交换。入侵该小漏洞需要懂得丰富的专业知识和设备，不可能发生在安全团队之外。

安全性必须要与应用保持一致，其方案由手头可利用的资源所决定。当一个灯泡既没有键盘也没有显示器的时候，要给它输入16位密码是非常困难的。而如果一个方案太昂贵，太难安装，或者太耗时，消费者是不会用它的。

ZigBee技术由一些全球最为成功的公司所创建，所有这些公司都会关注最新的安全方案。ZigBee联盟成员的技术工作组一直在积极审查ZigBee安全框架，寻求业界最佳方法，来保持走在不断演变的威胁之前，因此我们欢迎这种开放标准团队的分析。

The ZigBee Alliance and its members take security very seriously. Our members develop standards and protocols to strike the appropriate balance between ease of use and secure interaction of devices to afford the greatest ‘smart’ functionality with the least exposure.

We are aware of the reportpromoted from Black Hat, The risk described is small regarding a singular pointin the initial, out-of-the-box joining (when the homeowner is installing a newdevice) or when a device is re-joining the network after losing contact withits parent – which is a few milliseconds of key exchange. The hack requires substantial knowledge andequipment and is unlikely to occur outside of the security community.

Securityhas to fit the application, and schemes are dictated by the resources at hand.It is very hard to enter a 16-digit passphrase into a light bulb when there isno keyboard or monitor. If a scheme is too expensive, too difficult to install,or too time-consuming – consumers won’t apply it.

ZigBeetechnology is created and implemented by some of the most successful companiesin the world, all of which have access to the latest security schemes. Membersof ZigBee Alliance technical working groups actively review the ZigBee securityframework as well as industry best practices to stay ahead of evolving threats,and therefore welcome this type of analysis as an open standards community.