This may not be much of an attack. The master key is used only during "commissioning", when a controller is introduced to a light. Then they exchange keys, and the random key generated by the controller is sent to the light, encrypted with the master key. The light then stores the controller key. The controller and light must be physically close for this to work.[1]
Once you've done that, it's difficult to reset a light to factory defaults. There's a program called "LampStealer" which does this, but the controller and lamp have to be brought very close together, and even then it doesn't always work.
Some devices can be reset by connecting to the Zigbee bridge with Telnet on port 30000, then typing various simple commands. That's a bigger worry than a leak of the master key.
It's worth noting that for the port 30000 Telnet interface (at least on the Philips Hue bridge), it also needs to be physically close for it to work. In fact, this is how LampStealer works - it sends the command to the bridge over TCP.
True, but it does allow snooping of the commissioning process. And now it may allow easier factory resetting of ZLL devices by having a custom user device join the ZLL network. It could also mean some cheap unauthorized lights and remotes/accessories appearing in loosely regulated markets which would be compatible with major systems like Hue.
Some bulbs have a reset function built in, triggered by cycling the power. I believe that for GE bulbs it's 3 sec off, 3 sec on, repeated a couple of times.
[1] https://docs.zigbee.org/zigbee-docs/dcn/12/docs-12-0255-01-0...