ZHA security and support

I just started to add some Zigbee devices with zigbee2mqtt, and I am not sure if ZHA is a better option than zigbee2mqtt. About security, I can change the pan_id and network_key in Zigbee2mqtt, but I am not sure if I can do it with ZHA. Maybe zigbee2mqtt is more secure? Apart from this, I think maybe ZHA, as it is a Home Assistant integration, will have better support and compatibility for the next HA updates… So, for security and HA future integration, should I move from zigbee2mqtt to ZHA?

Did you ever find out anything here? I have similar questions: I know under z2m you can turn off the feature to automatically add any new devices discovered on a Zigbee network (to make it more secure) but I can’t see how to do that under ZHA.

Are these networks inherently insecure and, if so, what can you do to tighten them up?

Under ZHA, adding new devices is off by default unless you explicitly click the “add a new device” button, at which point the network is only open for one minute.

As far as comparing security, z2m installs used to have add new devices on all the time, and all z2m installs use the same encryption key so maliciously taking over a network is trivial.

Awesome, thanks for that. I wondered why I couldn’t find a setting to toggle it.

So you’re saying Zigbee2mqtt is very vulnerable and can be easily exploited. What about ZHA, does it have the same issues and, if so, can you change the encryption key somewhere?

There is a switch to allow adding new devices or not. And in the Zigbee2MQTT documentation it is strongly recommended to change your network key.

Thanks @francisp but I’m actually talking about ZHA. Is that option available there too? If so, where can I find it? I’ve looked but don’t see the option to do that…

I don’t know if you can change the encryption key in ZHA.

ZHA uses a unique key for each install – You can change it by doing a leave/form network via bellows (if using EZSP).

Hello,
I have read what you have written but I can’t find a way to change the network key.
I have this warning:

Logger: zigpy_znp.zigbee.application
Source: /usr/local/lib/python3.8/site-packages/zigpy_znp/zigbee/application.py:372
First occurred: 17:26:40 (1 occurrences)
Last logged: 17:26:40

Your network is using the insecure Zigbee2MQTT network key!

How can I change the network key?

I have found how we can change the network key.
From what I have seen it’s stored inside the stick, so the only way is to reset the stick.
Assuming you are using the Zstack devices, here is some info (!!WHEN RESET, PAIRING MUST BE PROCESSED AGAIN!!)
See TOOLS part

Best Regards
Stefano

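The settings discussed in this thread can be checked mechanically. The following is an added example, not part of any post above and not Zigbee2MQTT or ZHA code: it audits a Zigbee2MQTT configuration for the documented network key, the documented PAN ID and a permanently enabled `permit_join`. It assumes `configuration.yaml` has already been loaded into a dict by a YAML parser; the function name and sample configurations are hypothetical.

```python
# Added example: audit a Zigbee2MQTT configuration for the settings
# discussed in this thread. Input is configuration.yaml parsed into a dict.

# Network key and PAN ID as published in the Zigbee2MQTT documentation.
Z2M_DOC_KEY = [1, 3, 5, 7, 9, 11, 13, 15, 0, 2, 4, 6, 8, 10, 12, 13]
Z2M_DOC_PAN_ID = 0x1A62


def audit_z2m_config(cfg):
    """Return a list of (severity, message) findings (hypothetical helper)."""
    findings = []
    adv = cfg.get("advanced") or {}

    key = adv.get("network_key")
    if key is None:
        findings.append(("warn", "network_key not set explicitly; "
                         "set it to GENERATE or to your own 16 bytes"))
    elif key == "GENERATE":
        pass  # Zigbee2MQTT replaces this with a random key on next start
    elif not (isinstance(key, list) and len(key) == 16
              and all(isinstance(b, int) and 0 <= b <= 255 for b in key)):
        findings.append(("error", "network_key must be GENERATE or 16 byte values"))
    elif key == Z2M_DOC_KEY:
        findings.append(("high", "network_key is the publicly documented key"))
    elif len(set(key)) == 1:
        findings.append(("high", "network_key is a single repeated byte"))

    if adv.get("pan_id") == Z2M_DOC_PAN_ID:
        findings.append(("info", "pan_id is the documented default 0x1A62"))

    if cfg.get("permit_join") is True:
        findings.append(("high", "permit_join is true: joining is always open"))
    return findings


# Constructed sample configurations (not taken from any real install).
WEAK = {"permit_join": True,
        "advanced": {"network_key": list(Z2M_DOC_KEY), "pan_id": 0x1A62}}
HARDENED = {"permit_join": False,
            "advanced": {"network_key": "GENERATE", "pan_id": "GENERATE"}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_z2m_config(cfg) or "no findings")
```

Changing the network key on an existing network means the devices have to be paired again, as the last post notes.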