As you could read in the Blog Athom fixed it in the version 5.0.0 Firmware, from then new ZigBee networks are created with a unique Zigbee Network key.
I will try to summarize and answer all questions I see and debunk misconceptions: [Work in Progres]
Q: I have updated my Homey from a version before v5.0.0, do I have the old Well-Known-Key?
A: Probably yes, you can Check it here if the Network Key is: “01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d”
Q: What is the Risk with the Well-Known-Key?
A: Someone within range of the ZigBee Signal with the knowledge and tools can “break in”, Listen and Control devices on your network. Probably switch Lights and Sockets or read sensor measurements.
Q: Can I Change the Key?
A: The only way to change the key is by resetting ZigBee and that would remove all ZigBee devices from Homey. You will have to add all devices again and fix all flows.
Q: Do I now need to reset my ZigBee network to be secure?
A: No, even if you reset your network ZigBee is not fully secure. It is your own choice if you think some your neighborhood will try to play with your ZigBee devices, it is just a little bit easier for them if you use the Well-Known-Keys. Decide for yourself if it is worth the hassle.
I wanted to make an central topic about this as I see reply’s in many other Topics around this with links, assumptions, misinformation etc.
To keep other topics clean I moved discussion from other threads on request here.
Pls look up your zigbee network key here. Never publish it, but if it is 01:03:05:07:09:0b:0d:0f:00:02:04:06:08:0a:0c:0d
your issues are very very odd.
If your key is different, then since v5.0.1 you have a private key, which causes (can cause) to lose connection to all paired zigbee devices.
You seem to have kind of mix of those two issues.
I’m very interested about Athoms reply to your filed issue.
Also after an update to v5.0.1, if your Homey is “chosen”, according to this guy’s findings. Sounds reasonable, only how not every Homey gets a new key is what I don’t get. Did Athom push different versions v5.0.1 to specific Homey’s? I don’t buy that.
Rather frustratingly, upon performing the upgrade from v4.2.0 to v5.0.1 my ZigBee network simply stopped working. Knowing what I was looking for this wasn’t that big a surprise. I got out my ZigBee Sniffer Array and had added a device back into my ZigBee network. Low-and-behold, a completely new network key was found. This is why my previously-connected devices stopped working: they no longer had a valid network key.
Neither do I. Athom has stated on Slack that only a Zigbee reset will trigger a rekeying. Perhaps the writer of the article inadvertently performed a reset after he updated to 5.0.1 and his Zigbee network stopped working, or perhaps Athom inadvertently published a version of 5.0.1, that would automatically do the rekeying, for a short period of time.
This sounds more logical to me. That kind of stuff happens.
So, they decided to enroll a security fix, but it only gets implemented when you reset your zigbee network yourself. So “you wouldn’t notice the fix” as average user. And why is that? Why not proudly tell every user a security fix is available, and if you care, you’ll have to reset your zigbee network. Now complaints spread on the net about frustrated users with a dropped out zigbee, and not knowing why. That is not a very good way to promote your product.
How or where did you get this info? It’s indeed interesting why Athom haven’t communicated this with its users. I would do a zigbee reset, if that’s the only way to fix a security vulnerability. But I do want to hear it from an official source.
@Dijker is busy with this, and Athom. He also made a survey to get a somewhat global view and insights. I’ll wait for what he and Athom come up with.
And hey, it’s not a very big security risk, only your neighbours or the-script-kid-on-the-block _could- switch your lights on or the garden sprinklers right?
Yes it is kinda silly to sell production models with the default well-known key still enabled, which could be the result of the everlasting battle between sales and tech staff.
I was ‘lucky’, I happened to reset my zigbee after v5.0.1 to tune it with my wifi, before I paired zigbee devices, sorry
Like Robert wrote, it is so strange Athom ‘thought’ this could be silently fixed and not telling the customers.
A solution seem to reset and back un Homey While pressing Alt at a spécific step, ( i can’t fond nom more that post) but As my zigbee works quite well i won’t play with that, as i m afraid of having to re add devics and to have to fix many flows…
So i think i’ll wait for an update to fix this🤗
