Looks like during the annual BlackHat security conference in Las Vegas, some news was released about Zigbee devices:
Tests with light bulbs and even door locks have shown that the vendors of the tested devices implemented the minimum of the features required to be certified, including the default TC fallback key. No other options were implemented and available to the end user.
I don’t have any zigbee gear, so can’t really test. The Qolsys does support zigbee…hoping it has no issues but I might have to experiment when I have some time in a few weeks.
Full paper is at https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly-wp.pdf