While looking into the ZNCZ03LM US socket, I noticed that it is listed on a CVE for “insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages.” Looks like it was posted Dec 20th, so its still quite new.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15913
Also listed: DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM
So - someone who actually knows zigbee protocols/security - how bad is this? Should we be avoiding use of these Xiaomi products until we have a way to update the firmware (if a firmware fix is released at some point?)