Force Disassociate Zigbee Router/End Device

Hi Everybody!

I’m looking to implement a security feature in my application that when a coordinator powers up (configured as trust centre) and routers/end devices with the correct link key associate with the coordinator I then scan a device whitelist and validate the 64bit addresses present using the network discovery code available through the API.

If a 64bit address is present on the network but is not in the whitelist I wish to send a command to dissociate that device so that I can update the key on all permitable devices.

The function forceDisassociate() as per the API is “Only valid for End Devices.” and therefore will not work with Router devices.

Additionally the removeRemoteDevice() function under the Network class doesn’t actually disconnect the device from the network.

I could implement a function on the remote devices that the new key could be individually sent using APS to the permitable devices rather than using the inbuilt trust centre key update command - but I’m looking to reduce the amount of coding I need to do.

Any ideas?


I don’t have an answer for your question - but will need to handle this in a month or two myself.

If I understand, once the ‘rogue’ router links, you want to kick it out & change the Link Key by a broadcast push? Seems to me you’d not have any concrete way to confirm the ‘rogue router’ actually left … plus you always have the problem of what happens if 1 or 2 valid nodes are offline during the key change? They then become orphaned. That will be fine on a school or science project, but in the field you may need to find another answer.

Could you just try to tell the ‘rouge router’ by unicast to change its own link key to some other value? Won’t help if it is being malicious, but if the roguiness was innocent, it would then go off and be orphaned itself, without any network.