ZHA security and support

Josepz · January 1, 2021, 5:29pm

I just started to add some zigbee devices with zigbee2mqtt, and I am not sure if ZHA is a better option than zigbee2mqtt. About security, I can change the pan_id and network_key in Zigbee2mqtt, but I am not sure if I can do it with ZHA. Maybe zigbee2mqtt is more secure? apart of this, I think maybe ZHA, as it is an home assistant integration, it will be better support and compatibility for next HA updates… so, for security and HA future integration, Should I move from zigbee2mqtt to ZHA?

alexwooks · February 28, 2021, 1:56am

Did you ever find out anything here. I have similar questions: I know under z2m you can turn off the feature to automatically add any new devices discovered on a Zigbee network (to make it more secure) but I can’t see how to do that under zha.

Are these networks inherently insecure and, if so, what can you do to tighten them up?

walt · February 28, 2021, 4:07am

Under ZHA adding new devices is off by default unless you explicitly click the “add a new device” button at which point Network is only open for one minute.

As far as comparing security, z2m installs used to have add new devices on all the time, and all z2m installs use the same encryption key so maliciously taking over a network is trivial.

alexwooks · February 28, 2021, 4:18am

Awesome, thanks for that. I wondered why I couldn’t find a setting to toggle it.

So you’re saying Zigbee2mqtt is is very vulnerable and can be easily exploited. What about ZHA, does it have the same issues and, if so, can change the encryption key somewhere?

francisp · February 28, 2021, 5:23am

There is a switch to allow to add new devices or not. And in the Zigbee2MQTT documentation it is strongly recommended to change your network key.

alexwooks · February 28, 2021, 10:19pm

Thanks @francisp but I’m actually talking about ZHA. Is that option available there too? If so, where can I find it? I’ve looked but don’t see the option to do that…

francisp · March 1, 2021, 4:53am

I don’t know if you can change the encryption key in ZHA.

walt · March 1, 2021, 5:59pm

ZHA uses a unique key for each install – You can change it by doing a leave/form network via bellows (if using EZSP).

Wes93 · July 1, 2021, 3:30pm

Hello,
I have read what you have written but i can’t find a way to change the network key.
I have this warning:

Logger: zigpy_znp.zigbee.application
Source: /usr/local/lib/python3.8/site-packages/zigpy_znp/zigbee/application.py:372
First occurred: 17:26:40 (1 occurrences)
Last logged: 17:26:40

Your network is using the insecure Zigbee2MQTT network key!

How can i change the netwrok key?

Wes93 · September 20, 2021, 3:33pm

I have found how we can change the network key.
From what i have seen it’s stored inside the stick so the only way is to reset the stick.
Assuming you are using the Zstack devices here there are some info (!!WHEN REST PAIR MUST BE PROCESSED AGAIN!!)
See TOOLS part

github.com

zigpy/zigpy-znp/blob/b60f7c18bf4faf1de8a97418170838dd4e6bb84f/TOOLS.md

# zigpy-znp command line tools
The command line tools bundled with zigpy-znp do not depend in any way on Home Assistant
and will work with any Texas Instruments radio previously used with ZHA or Zigbee2MQTT.


# Table of Contents
- [Installation](#installation)
  * [In Home Assistant OS](#in-home-assistant-os)
  * [In other environments](#in-other-environments)
    + [Installing Python 3.7 or above](#installing-python-37-or-above)
      - [Linux](#linux)
      - [macOS](#macos)
      - [Windows](#windows)
    + [Creating a virtualenv (recommended)](#creating-a-virtualenv-recommended)
    + [Installing zigpy-znp](#installing-zigpy-znp)
- [Tools](#tools)
  * [Backup and restore](#backup-and-restore)
    + [Network backup (beta)](#network-backup-beta)
    + [NVRAM backup](#nvram-backup)
  * [NVRAM reset](#nvram-reset)

This file has been truncated. show original

Best Regards
Stefano