CVE-2020-28952 - OpenCVE

An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: "01030507090b0d0f00020406080a0c0d" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Homey	Homey Homey Firmware Homey Pro Homey Pro Firmware

Configuration 1 [-]

AND

cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://developer.athom.com/firmware
https://homey.app/en-us/
https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-09T19:31:33

Updated: 2024-08-04T16:48:01.456Z

Reserved: 2020-11-19T00:00:00

Link: CVE-2020-28952

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-09T20:15:12.680

Modified: 2021-03-17T18:28:55.453

Link: CVE-2020-28952

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: \"01030507090b0d0f00020406080a0c0d\" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-09T19:31:33", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://developer.athom.com/firmware"}, {"tags": ["x_refsource_MISC"], "url": "https://homey.app/en-us/"}, {"tags": ["x_refsource_MISC"], "url": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28952", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: \"01030507090b0d0f00020406080a0c0d\" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://developer.athom.com/firmware", "refsource": "MISC", "url": "https://developer.athom.com/firmware"}, {"name": "https://homey.app/en-us/", "refsource": "MISC", "url": "https://homey.app/en-us/"}, {"name": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952", "refsource": "MISC", "url": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:48:01.456Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developer.athom.com/firmware"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://homey.app/en-us/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28952", "datePublished": "2021-03-09T19:31:33", "dateReserved": "2020-11-19T00:00:00", "dateUpdated": "2024-08-04T16:48:01.456Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F91DB805-377E-44FE-8D5C-99E61F6493EF", "versionEndExcluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey:-:*:*:*:*:*:*:*", "matchCriteriaId": "53273CFA-B260-401D-9DD6-B90E3DA09D7D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:homey:homey_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA1184C0-AC54-4DE6-9667-78A6645FDF33", "versionEndExcluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:homey:homey_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "C01177C9-CED9-4D65-BEBB-C44C13C8A0A6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: \"01030507090b0d0f00020406080a0c0d\" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos Athom Homey y Homey Pro anteriores a la 5.0.0. Los dispositivos concentradores ZigBee deben generar una clave de red est\u00e1ndar \u00fanica que luego se intercambia con todos los dispositivos inscritos para que toda la comunicaci\u00f3n entre dispositivos est\u00e9 cifrada. Sin embargo, los productos Athom citados usan otra clave ampliamente conocida que est\u00e1 dise\u00f1ada con fines de prueba: \"01030507090b0d0f00020406080a0c0d\" (el equivalente decimal de 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), que es generada por humanos y est\u00e1tica en todos los dispositivos emitidos"}], "id": "CVE-2020-28952", "lastModified": "2021-03-17T18:28:55.453", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-09T20:15:12.680", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://developer.athom.com/firmware"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://homey.app/en-us/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}