CVE-2020-28952

7.5 HIGH

📋 TL;DR

Athom Homey and Homey Pro devices running firmware before 5.0.0 use a static, well-known ZigBee network key instead of generating a unique key per network. Because the key is public by definition, anyone within radio range can decrypt all ZigBee network traffic on the hub's network and potentially inject commands to paired devices. Firmware 5.0.0 generates a unique key.

💻 Affected Systems

Products:
  • Athom Homey
  • Athom Homey Pro
Versions: All versions before 5.0.0
Operating Systems: Athom Homey OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices ship with the vulnerable static key by default. No special configuration required for exploitation.

📦 What is this software?

Homey and Homey Pro are Athom's smart home hubs. Alongside other radios such as Z-Wave, the hub acts as the ZigBee coordinator for the sensors, lights, locks and switches paired to it, so the ZigBee network key it hands out protects all of that device traffic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers within ZigBee radio range can decrypt all ZigBee communications, inject commands to paired smart devices (lights, switches, locks, sensors), and potentially take control of the entire smart home ecosystem attached to the hub.

🟠 Likely Case

Local attackers passively eavesdrop on ZigBee traffic between the hub and its devices, learning device states and activity patterns (presence, door and window sensors, lock state) or disrupting device operations. Passive decryption leaves no trace on the network.

🟢 If Mitigated

Exposure is inherently limited to attackers within radio range of the ZigBee network. Note that IP network segmentation does not change this: the weakness is in the ZigBee radio layer, so only the physical placement of the hub and its devices and the RF environment around them limit who can reach the traffic.

🌐 Internet-Facing: LOW - This is a local radio vulnerability; the ZigBee network is not reachable over the Internet and exploitation requires proximity to it.
🏢 Internal Only: HIGH - Attackers within ZigBee range (typically 10-100 meters, more with a directional antenna) can exploit this without any authentication or pairing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires an IEEE 802.15.4/ZigBee radio capable of capture (and, for injection, transmission) plus the network key, which in this case is public by definition. Open-source tooling for ZigBee packet capture, decryption with a supplied key and injection is publicly available, so no custom exploit development is needed.
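As an added example, not code from this page, from Athom, or from any ZigBee stack, the following Go program implements the ZigBee NWK-layer CCM* transform (AES-128, security level 5 with a 4-byte MIC) on Go's standard-library AES and shows what the vulnerability buys an attacker: a frame protected with a key that every device shares and everyone knows is an open book, while the same frame under a per-network random key, which is what a fixed coordinator generates, fails MIC verification under the attacker's key. The key bytes, nonce fields, header bytes and payload are constructed for the example; StaticKey is a placeholder, not the key Homey used. A real capture would need the exact NWK header and auxiliary security header bytes as transmitted, and on the air the security level bits of the security control byte are zeroed and restored by the receiver before the nonce is built, which the example skips by passing the full byte directly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const micLen = 4 // NWK security level 5 (ENC-MIC-32): AES-128 CCM* with a 4-byte MIC, L = 2
// StaticKey is a constructed stand-in for a key shared by every device and publicly
// known; it is not the key any Homey firmware shipped.
var StaticKey = []byte("ConstructedKey!!")

// nwkNonce: extended source address || frame counter || security control byte, little-endian.
func nwkNonce(srcExt uint64, frameCounter uint32, secCtrl byte) [13]byte {
	var n [13]byte
	binary.LittleEndian.PutUint64(n[0:8], srcExt)
	binary.LittleEndian.PutUint32(n[8:12], frameCounter)
	n[12] = secCtrl
	return n
}

// cbcMAC is the CCM* tag T: B0 = flags || nonce || len(m), then L(a) || a, then m, each
// zero-padded to 16 bytes and chained through AES. adata (NWK + aux header) is never empty.
func cbcMAC(b cipher.Block, nonce [13]byte, adata, m []byte) []byte {
	aLen, mLen := (2+len(adata)+15)/16*16, (len(m)+15)/16*16 // padded block lengths
	buf := make([]byte, 16+aLen+mLen)
	buf[0] = 0x40 | byte((micLen-2)/2)<<3 | 0x01 // Adata present, M' = (M-2)/2, L-1 = 1
	copy(buf[1:14], nonce[:])
	binary.BigEndian.PutUint16(buf[14:16], uint16(len(m)))
	binary.BigEndian.PutUint16(buf[16:18], uint16(len(adata))) // 2-byte L(a): len(adata) < 0xFF00
	copy(buf[18:], adata)
	copy(buf[16+aLen:], m)
	var x [16]byte
	for i := 0; i < len(buf); i += 16 {
		for j := range x {
			x[j] ^= buf[i+j]
		}
		b.Encrypt(x[:], x[:])
	}
	return x[:micLen]
}

// ctr runs CCM* counter mode in one pass over [tag || data]: block 0 (S_0) masks the tag,
// blocks 1.. cover the payload. Go's CTR increments the block big-endian, so A_0 + i == A_i.
func ctr(b cipher.Block, nonce [13]byte, tag, data []byte) (maskedTag, out []byte) {
	a0 := [16]byte{0x01} // counter-block flags byte: only L-1
	copy(a0[1:14], nonce[:])
	buf := make([]byte, 16+len(data))
	copy(buf, tag)
	copy(buf[16:], data)
	cipher.NewCTR(b, a0[:]).XORKeyStream(buf, buf)
	return buf[:micLen], buf[16:]
}

// NwkEncrypt returns ciphertext || U (U = T XOR S_0), the secured part of a NWK frame.
func NwkEncrypt(key []byte, nonce [13]byte, header, plaintext []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	u, c := ctr(b, nonce, cbcMAC(b, nonce, header, plaintext), plaintext)
	return append(c, u...), nil
}
// NwkDecrypt strips the keystream, unmasks U and checks the recomputed tag in constant time.
func NwkDecrypt(key []byte, nonce [13]byte, header, frame []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(frame) < micLen {
		return nil, errors.New("bad key length or frame shorter than MIC")
	}
	t, m := ctr(b, nonce, frame[len(frame)-micLen:], frame[:len(frame)-micLen])
	if subtle.ConstantTimeCompare(t, cbcMAC(b, nonce, header, m)) != 1 {
		return nil, errors.New("MIC mismatch: wrong network key or tampered frame")
	}
	return m, nil
}
// Eavesdrop builds one constructed NWK frame under networkKey, as a paired device would,
// then decrypts it as an attacker who knows only StaticKey.
func Eavesdrop(networkKey []byte) (string, error) {
	nonce := nwkNonce(0x00124B0001020304, 16, 0x2D)            // sec ctrl 0x2D: level 5, NWK key, ext nonce
	header := []byte{0x48, 0x02, 0x34, 0x12, 0x00, 0x00, 0x1e} // stand-in NWK + aux header bytes
	frame, err := NwkEncrypt(networkKey, nonce, header, []byte("constructed APS payload: toggle"))
	if err == nil {
		frame, err = NwkDecrypt(StaticKey, nonce, header, frame)
	}
	return string(frame), err
}
func main() {
	fmt.Println(Eavesdrop(StaticKey)) // every device shares the public key: plaintext recovered
	fresh := make([]byte, 16)         // per-network random key, as a fixed coordinator generates
	if _, err := rand.Read(fresh); err != nil {
		panic(err)
	}
	fmt.Println(Eavesdrop(fresh)) // MIC mismatch: knowing the static key no longer helps
}
```

Wireshark applies this same transform when a key is entered under its ZigBee NWK protocol preferences, which is the quickest way to confirm on a real capture whether a given key decrypts a network's traffic. Note that the MIC is what makes the check decisive: with the wrong key the keystream still produces bytes, but the recomputed tag will not match.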

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.0 and later

Vendor Advisory: https://developer.athom.com/firmware

Restart Required: Yes

Instructions:

1. Open the Homey app
2. Go to Settings > System > Update
3. Install firmware update 5.0.0 or later
4. The device restarts automatically

🔧 Temporary Workarounds

Physical Security Enhancement (all versions)

Keep the hub and its ZigBee devices away from areas an outsider can approach within radio range, and monitor for unknown ZigBee devices. This only raises the bar; it does not remove the shared key.

Network Segmentation (all versions)

Isolate the Homey hub on a separate VLAN from critical systems. This limits what an attacker who gains control of the hub can reach over IP; it does nothing to protect the ZigBee radio traffic itself, which is the channel this vulnerability affects.

🧯 If You Can't Patch

  • Physically secure the device location so that the ZigBee network is not reachable from outside the premises (note that a sniffer outside an exterior wall may still be within range)
  • Treat ZigBee devices on the hub as untrusted until patched: do not rely on them for security-relevant functions such as locks or alarm sensors
  • Consider replacing vulnerable devices with patched versions or alternative products

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Homey app: Settings > System > About. If version is below 5.0.0, device is vulnerable.

Check Version:

Not applicable - check via Homey mobile app interface

Verify Fix Applied:

Verify that the firmware version is 5.0.0 or higher in the Homey app settings. The update generates a unique ZigBee network key. Confirm in the vendor's release notes whether an existing ZigBee network is re-keyed in place or must be reset and its devices re-paired; a network formed before the update may otherwise still be running on the old key.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ZigBee device enrollments
  • Devices reporting commands or state changes that no user or automation issued

Network Indicators:

  • Unexpected ZigBee traffic patterns, such as frames from unknown source addresses or frame counters that jump or repeat
  • ZigBee devices responding to commands the hub did not send

Note: passive decryption with the shared key produces no traffic and cannot be detected; an attacker holding the key also does not need to pair, so failed pairing attempts are not a reliable indicator. Only active injection can be observed, and only with a dedicated 802.15.4 sniffer since the hub itself does not log raw radio traffic.

SIEM Query:

Not applicable - this is a local hardware vulnerability

🔗 References