Zigbee security considerations (is Zigbee insecure by design?)

Dear all,

I am not worried about security as this is home use, but I wonder how secure Zigbee 3.0 is.

After searching the Internet, I found that:

Maybe it would be valuable to add a security section in Home Assistant and give more precise information on the wiki. I myself purchased an additional key to survey my Zigbee network and I am aware that a lot of information is outdated. Any information about Zigbee 3.0 security as of 2023-08 is welcome.

Is there a way to achieve strong security and does it make sense, or is Zigbee insecure by design?

Kind regards,
French Fries

That is why you enable pairing only when you actually want to pair something.

Yes, it is important to disable pairing. But on other wireless systems, the security key is derived from the main key and is only valid for a certain amount of time.

My request would be to open a dedicated section on the forum and provide accurate information about security. I find it relatively vague to rely on Docker's strong security and in the end discover that the Zigbee framework is relatively insecure.

It could also be interesting to provide a security audit tool in Home Assistant to discover default security keys and warn about bad firmware and bad configurations.

These are just thoughts, as I have not implemented any audit myself yet.