While this attack may not be based on a weakness of the ZigBee standards, it does highlight a key weakness in the way most IoT deployments are architected today: integrating a number of disjoint technology components and services from different suppliers, and then facing the challenge of maintaining the security of the combined result for years to come.
This approach has a high risk of mistakes, resulting in unproven designs, integration gaps, or weak links, and makes it very difficult to rapidly address security vulnerabilities because fixes need to percolate through the entire integration chain before becoming effective. By that time, the damage is often done.
The diagram below illustrates the topic:
We at Electric Imp believe the problem needs to be addressed with a very different approach: by offering a fully integrated and tested silicon-to-cloud security architecture with ongoing platform and security maintenance. Security not only at deployment, but over the lifetime of the solution.
Defense-in-Depth and Defense-over-Time. It’s how IoT Security needs to be done.
Update Nov 18, 2016:
Yesterday, the Z-Wave Alliance also announced plans to beef up security. This highlights the challenge of retrofitting existing deployed devices and the moving target that security presents.