zigpy-cc

Security issue, default key

Open jmgurney opened this issue 3 years ago • 0 comments

Per the code at: https://github.com/zigpy/zigpy-cc/blob/e75d1fccfcd225abf6ac93a1e215ea16b2018897/zigpy_cc/types.py#L110

If a key is not provided, an insecure key is used. Many applications do not provide a key, such as Home Assistant (at least at one point it did, they may have fixed it), which means that networks deployed w/ this default key are easy to hijack and control.

Please make it an error to not provide a secure key, or generate a secure key by default. A warning in the latter case is likely useful as a restart will cause problems.

jmgurney May 05 '22 00:05
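A sketch of both behaviours the issue asks for, added here as an example and not taken from zigpy-cc: reject a missing or known-default key, or generate a random key once and persist it so a restart reuses it. All names (`validate_key`, `load_or_create_key`, `PLACEHOLDER_DEFAULT_KEY`, the key file path) are hypothetical, and the placeholder bytes stand in for the library default, which is not reproduced here.

```python
import logging
import os
import secrets
from pathlib import Path

LOG = logging.getLogger("network_key_example")

KEY_LEN = 16  # Zigbee network keys are 128-bit AES keys

# Constructed stand-in for a library's built-in default key; the real value
# lives in the types.py line linked in the issue and is not reproduced here.
PLACEHOLDER_DEFAULT_KEY = bytes(range(KEY_LEN))


class InsecureNetworkKey(ValueError):
    """Raised when no key is configured or the configured key is unusable."""


def validate_key(key):
    """Return key as bytes, or raise if it is missing, malformed or a known default."""
    if key is None:
        raise InsecureNetworkKey("no network key configured")
    key = bytes(key)
    if len(key) != KEY_LEN:
        raise InsecureNetworkKey(f"network key must be {KEY_LEN} bytes, got {len(key)}")
    if key == PLACEHOLDER_DEFAULT_KEY or len(set(key)) == 1:
        raise InsecureNetworkKey("network key is a known default or constant pattern")
    return key


def load_or_create_key(configured, key_file):
    """Prefer the configured key; otherwise reuse or create a persisted random key."""
    if configured is not None:
        return validate_key(configured)
    path = Path(key_file)
    if path.exists():
        return validate_key(path.read_bytes())
    key = secrets.token_bytes(KEY_LEN)
    # O_EXCL: never overwrite an existing key; 0o600: owner-only access.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    LOG.warning("no network key configured; generated one and stored it in %s. "
                "Back this file up: losing it changes the key on restart.", path)
    return key
```

Calling `validate_key` alone gives the "make it an error" behaviour; `load_or_create_key` gives the "generate by default, with a warning" behaviour.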