With an Eye on Security, CSA Releases the Latest Zigbee Specification
The Connectivity Standards Alliance (CSA) has announced the release of Zigbee PRO 2023, the next version of the Zigbee PRO standard, which brings new security features that reflect the importance of device security and interoperability in IoT development. This release introduces the latest security best practices and addresses the constantly evolving threats that come with being one of the most widely used wireless protocols.
One of these new features is dynamic link key negotiation, a key mechanism that uses Simple Password Exponential Key Exchange (SPEKE) to establish a secure link between a trust center and other nodes on the network. SPEKE is used with a robust, industry-recognized elliptic curve (curve25519) to establish a shared secret key over an insecure communication channel. It can be used with low-entropy passwords or install codes to provide authentication, which makes the Zigbee commissioning process highly secure and resistant to common attacks.
Zigbee PRO 2023 also introduces device interview, which allows a device joining the network to be interrogated before it's commissioned and before it's given the credentials to the network. A new device can also interrogate the trust center to determine whether or not it's joining the right network. The trust center is responsible for managing digital certificates and cryptographic keys, which are used to authenticate the identities of individuals, devices, and organizations involved in digital transactions.
Some of the security benefits of device interview include:
- Identification of unauthorized devices: unauthorized devices pose a security risk because they may not have the necessary security controls in place to protect against threats.
- Identification of outdated devices: outdated devices can be vulnerable to threats or may not receive the necessary security updates or patches.
- Identification of vulnerabilities: administrators can identify vulnerabilities in devices that could be exploited and take action to mitigate risks.
- Identification of misconfigured devices: misconfigured devices can be a significant security risk by allowing unauthorized access to the network.
These security improvements are particularly useful in smart energy applications, where Zigbee networks will now be able to adequately interrogate new devices and determine the level of authentication each device has from the trust center. The new specification also brings in a formal method of trust center swap-out. If the trust center becomes inoperable and needs to be replaced, the new specification formally addresses this without the need to disrupt and recommission the entire network.
Another enhancement is Zigbee’s Works with all Hubs feature, an initiative started by global IoT leaders with the goal of pulling together the industry’s best practices for working with hub-based networks. The hub is responsible for authorizing and onboarding new devices and for checking for appropriate security levels; managing the network from the hub makes it possible to get devices onboarded accurately and reliably and reduces the load on low-power devices. Zigbee PRO 2023 provides the necessary foundation for the Zigbee Direct feature.
Silicon Labs has a long and proven track record of leading the way in Zigbee development, and we’re one of the vendors designated as “golden units” for Zigbee Protocol Specification 2023. As one of the few vendors with a full portfolio of Zigbee reference devices that support all of these new features, we’ll continue to set the standard for providing Zigbee development tools and solutions.
Zigbee PRO 2023 is backward compatible, so users will be able to use the latest stack in Zigbee 3.0 product certification. Learn more about Zigbee PRO 2023 here, and learn more about Silicon Labs support for Zigbee at silabs.com/zigbee.