Vulnerability Details CVE-2020-28952
An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: "01030507090b0d0f00020406080a0c0d" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.7%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://developer.athom.com/firmware
- https://homey.app/en-us/
- https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952
- https://developer.athom.com/firmware
- https://homey.app/en-us/
- https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952
Products affected by CVE-2020-28952
-
cpe:2.3:h:homey:homey:-
-
cpe:2.3:h:homey:homey_pro:-
-
cpe:2.3:o:homey:homey_firmware:2.0
-
cpe:2.3:o:homey:homey_firmware:2.3.0
-
cpe:2.3:o:homey:homey_firmware:2.4.0
-
cpe:2.3:o:homey:homey_firmware:2.4.1
-
cpe:2.3:o:homey:homey_firmware:2.5.0
-
cpe:2.3:o:homey:homey_firmware:2.5.1
-
cpe:2.3:o:homey:homey_firmware:2.5.2
-
cpe:2.3:o:homey:homey_firmware:3.0.0
-
cpe:2.3:o:homey:homey_firmware:3.1.0
-
cpe:2.3:o:homey:homey_firmware:3.1.1
-
cpe:2.3:o:homey:homey_firmware:3.2.0
-
cpe:2.3:o:homey:homey_firmware:3.2.1
-
cpe:2.3:o:homey:homey_firmware:4.0.0
-
cpe:2.3:o:homey:homey_firmware:4.0.1
-
cpe:2.3:o:homey:homey_firmware:4.1.0
-
cpe:2.3:o:homey:homey_firmware:4.2.0
-
cpe:2.3:o:homey:homey_pro_firmware:2.0
-
cpe:2.3:o:homey:homey_pro_firmware:4.2.0