This may not be much of an attack. The master key is used only during "commissioning", when a controller is introduced to a light. Then they exchange keys, and the random key generated by the controller is sent to the light, encrypted with the master key. The light then stores the controller key. The controller and light must be physically close for this to work.[1]
Once you've done that, it's difficult to reset a light to factory defaults. There's a program called "LampStealer" which does this, but the controller and lamp have to be brought very close together, and even then it doesn't always work.
Some devices can be reset by connecting to the Zigbee bridge with Telnet on port 30000, then typing various simple commands. That's a bigger worry than a leak of the master key.
It's worth noting that for the port 30000 Telnet interface (at least on the Philips Hue bridge), it also needs to be physically close for it to work. In fact, this is how LampStealer works - it sends the command to the bridge over TCP.
True, but it does allow snooping of the commissioning process. And now it may allow easier factory resetting of ZLL devices by having a custom user device join the ZLL network. It could also mean some cheap unauthorized lights and remotes/accessories appearing in loosely regulated markets which would be compatible with major systems like Hue.
Some bulbs have a reset function built in, triggered by cycling the power. I believe that for GE bulbs it's 3 s off, 3 s on, repeated a couple of times.
"In order to change the state of the lightbulbs (such as turning all the associated bulbs off) the bridge uses the ZigBee Light Link (ZLL) wireless technology and protocol....
"ZLL requires the use of a manufacturer issued master key. This master key is stored on the bridge as well as the light bulbs. Upon initiation (when the user presses the button on the bridge), the bridge generates a random network key and encrypts it using the master key. The lightbulbs unwrap the network key since they also have the master key and use it to subsequently communicate with the bridge."
Philips already ships the absolute best ZigBee light hijacking device with their Bloom and LivingColors lamps. The remote.
The first thing I did when I got my Hue set was try to see if the bulbs worked with the LivingColors remote.
Not only can you force-pair (steal) the bulb with it, you can then no longer connect it to the bridge without removing it to get to the serial number, or bringing it close to the bridge and using the lightfinder app or telnet.
Quite a hassle, and all you need is the standard remote and proximity.
Presumably you can get around the "proximity" limit by just using a more powerful transmitter; I can't imagine they have any actual near field communication or anything.
As far as I can tell the master key of ZigBee pairing has been extracted and posted. This is used when pairing a new device to a ZigBee network which is used by many home automation devices (such as SmartThings).
Also, and please correct me if I'm wrong, but the attack window is very narrow in that you have to be close to the source and you have to reset the device (or use a new device) in order to really do anything. Not sure how much of a risk this is at the moment.
Note that this is only the Zigbee Light Link master key. A lot of devices use the Zigbee Home Automation specification which has a different well known master key (in that case it's in the standard which is freely available).
The ZLL key is slightly more interesting because you can factory reset (and effectively steal) devices in someone else's network, but that does require physical proximity to the device.
The master key also means that you can make your own device to add to someone's network. Most ZLL networks have a simple push button adding process, so you just need to be close to the button for a few seconds in order to add your own device to the network, after which you can control any other devices already in the network.
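The commissioning flow quoted above from the paper ("the bridge generates a random network key and encrypts it using the master key"), the earlier point that the leaked key "does allow snooping of the commissioning process", and the point just above about adding your own device, played out in code. This is an added example, not code from the thread, from Philips or from the ZLL specification: the one-block AES-128 wrap of the network key, the AES-GCM stand-in for ZigBee's own frame protection, the `demoMaster` value and every function name are assumptions chosen for the demo, and the leaked key itself is not used. A light and an eavesdropper perform the identical unwrap operation, so whoever holds the master key gets the network key the moment it is radioed, and can then forge frames the light accepts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var demoMaster = []byte("demo-master-key!") // constructed 16-byte demo key, not the leaked value

// keyTransport models commissioning (simplified, an assumption): the 16-byte
// network key is wrapped (or, with unwrap=true, unwrapped) by one AES-128 block
// operation under the master key. Real ZLL key transport differs in detail.
func keyTransport(master, in []byte, unwrap bool) ([]byte, error) {
	blk, err := aes.NewCipher(master)
	if err != nil || len(in) != aes.BlockSize {
		return nil, errors.New("master key and network key must both be 16 bytes")
	}
	out := make([]byte, aes.BlockSize)
	if unwrap {
		blk.Decrypt(out, in)
	} else {
		blk.Encrypt(out, in)
	}
	return out, nil
}

// Network frames are protected with the network key. AES-GCM stands in for
// ZigBee's own AEAD mode (an assumption); the nonce is prefixed to the frame.
func newGCM(netKey []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(netKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

func sealCommand(netKey, cmd []byte) ([]byte, error) {
	gcm, err := newGCM(netKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cmd, nil), nil
}

func openCommand(netKey, frame []byte) ([]byte, error) {
	gcm, err := newGCM(netKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(frame) < n {
		return nil, errors.New("frame too short")
	}
	return gcm.Open(nil, frame[:n], frame[n:], nil)
}

// eavesdropAndForge runs one commissioning exchange between a controller and a
// light sharing master while an attacker holding attackerMaster sniffs the
// wrapped key. It reports whether the attacker's forged "off" frame is accepted.
func eavesdropAndForge(master, attackerMaster []byte) (bool, error) {
	netKey := make([]byte, aes.BlockSize) // the controller draws a fresh network key
	if _, err := rand.Read(netKey); err != nil {
		return false, err
	}
	msg, err := keyTransport(master, netKey, false) // radioed to the light
	if err != nil {
		return false, err
	}
	lightKey, err := keyTransport(master, msg, true) // the light joins
	if err != nil {
		return false, err
	}
	attackerKey, err := keyTransport(attackerMaster, msg, true) // from the sniffed msg
	if err != nil {
		return false, err
	}
	frame, err := sealCommand(attackerKey, []byte("off"))
	if err != nil {
		return false, err
	}
	cmd, err := openCommand(lightKey, frame)
	if err != nil {
		return false, nil // the light rejects the frame: no forgery
	}
	return string(cmd) == "off", nil
}

func main() {
	ok, _ := eavesdropAndForge(demoMaster, demoMaster)
	bad, _ := eavesdropAndForge(demoMaster, []byte("wrong-master-key"))
	fmt.Println("forgery succeeds with the master key:", ok, "and without it:", bad)
}
```

Run it with `go run` on the file; the first result is true and the second false. The proximity caveats raised in the thread still apply: the attacker has to capture `msg` during the short commissioning window, and nothing here bypasses that, but once the master key is public the only thing protecting the network key is that window.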
I don't think anyone knows, but we've all upvoted it to the top of HN because last time someone tweeted a key on Twitter it was to do with that really exciting Superfish thing.
[1] https://docs.zigbee.org/zigbee-docs/dcn/12/docs-12-0255-01-0...