How to easily query Z-Wave lock for current codes

I’m looking to simple query the lock’s Z-Wave codes in a smart app using the typical default z-wave device handler. This is for V2 hubs.

This is simply to verify that the code sent was set, it’s impossible to do so easily from what I’ve found so far. I’ve tried using requestCode, getallCodes, and some other methods but none seem to do this and return it in a variable or in the log.

Thanks for any pointers!

Do t know a way to do it. And quite honestly I don’t want a third party smartapp to have the capability to do this. I want them locked up in the lock (pun intended) with only the ability to verify that yes there is a code or no there isn’t. Anything else is a security risk.

2 Likes

Correct - I always assumed and hoped that the lock firmware does not have any way of revealing codes!

Depending on the zwave lock you may or may not be able to issue a command to GET the codes

4.113.3 User Code Get Command
This command is used to request the User Code of a specific User Identifier.
The User Code Report Command MUST be returned in response to this command.
This command MUST NOT be issued via multicast addressing.
A receiving node MUST NOT return a response if this command is received via multicast addressing. The
Z-Wave Multicast frame, the broadcast NodeID and the Multi Channel multi-End Point destination are
all considered multicast addressing methods.

Hey all thanks for all of your responses!

And quite honestly I don’t want a third party smartapp to have the capability to do this.

This is for an app that’s internal use only, not for use by the public.

I always assumed and hoped that the lock firmware does not have any way of revealing codes!

I don’t think this is true, I’ve gone down a level to hass.io and issues commands to getCodes just fine.

If this isn’t popular/possible, can anyone suggest a way to be 100% sure a lock code made it or did not make it to the lock? Currently using lock.updateCodes() command, it works 95% of the time or so, but I would love to know when it doesn’t - can’t find a clear way to do that yet sorry if I’m missing the obvious.

1 Like

As per earlier posts in this thread, it seems some lock brands offer a way to stored request codes.

Frankly, the only acceptable way (to me) is if there was a function to test a code for validity (and prevent excessive, brute force, testing of too many codes)… ie, isCodeValid("1234")

Many people these days want to do lock management by app. That requires a way to query the codes. The security of that process is a separate issue.

Why?

Codes are stored per slot. So if you have a different guest, say every day in a week, you can push a unique code to each slot, and at the end of each day delete the expired slot.

Or something even more secure and organized by that, depending on how many codes you need concurrently valid (e.g. for multiple guests, housekeeping etc.).

Locks report what slot was used, instead of the PIN code, so the codes are never compromised by the lock or SmartThings.

There’s never a reason for any system to tell you what its passwords are!

Offices, hotels, Airbnb, dorms…

You misunderstood my question.

Of course we need to be able to set codes and query which code slot has been used - because each user should be given a unique code which is inserted to a specific slot.

But there is never a reason to report any of the actual PIN Code (ie, the PASSWORDS!) themselves. Never. Completely unacceptable for any password or PIN storage system to offer this ability. All codes should be one-way hashed and never accessible in plain text.

That to me sounds the same as Samsung saying users should not be able to arm their security system based on Geopresence. So they won’t offer the feature.

I would respectfully disagree and say that the choice should be left up to the owner of the lock. You can give them whatever warnings you want, but if someone wants to be able to see the passcode in an app for a lock that they own, that choice should be up to them.

There are times when someone may have the legal and moral authorization to go into a unit where someone else has set the passcode. it’s a legitimate use case. They may also want to review the passcode to make sure that it meets their own security protocols. (This is done in some dorms, for example.)

The protocol should allow for the option, which Z wave does in this case, as mentioned upthread. :sunglasses:

Then tell that to the current developers of Windows, Unix, Android, etc…

No modern operating system allows inspection of passwords / passcodes in plain text. None. It’s completely non-essential nonsense.

There are plenty of ways to check passcode strength (against hash tables) without pulling the codes in clear text.

There are plenty of ways to implement secure administrative codes for emergency or other legitimate administrative access.

Some functionality is far too risky to leave in the hands of consumers.

1 Like

Good point: they don’t have to be passed in plain text. But of course they aren’t in zwave: the lock commands are all encrypted. That’s why they have their own device class: access control. :wink: but the codes can still be queried and decrypted on the other side if desired.

Ummm… That’s what I mean by “plain text” - it’s a big no-no.

A user may choose to use their ATM PIN as their lock code. Nobody (not even administrators) should ever be able to retrieve a passcode.

The fact that the Z-Wave spec contains such an option is just evidence they developed that function before the implementation of best practices for passcode storage.

Oh well. If we don’t agree by now, this discussion is hopeless. But you’re not the only one missing the serious point of this.

1 Like

Storing in plain text is very different than allowing authorized access.

And management of specific lock codes for physical locks is very different from General best practices for digital data passwords.

Just as one example, my local 911 services have a file on me (as a medically fragile person) which includes the lock code to my house. That is considered 2019 best practices for people in similar circumstances, when seconds might count in saving a life.

For people who don’t have a smart lock, the analogous practice is the code to a key safe.

Is it an edge case? Certainly. But a real one. :sunglasses:

1 Like

I totally agree that distributing and/or storing keys externally for various use cases is justified. Emergency services, check. AirBnB automated check-in emails or text messages, check!

In fact, I’m sure that “Lock Code Manager” SmartApps do exactly this: i.e., store the codes so they can be distributed.

I’m just concluding by emphasizing that I think that using the lock itself as s “key safe” doesn’t make sense. It is insufficiently protected, and, best I can tell, inconsistently implemented - i.e., some locks allow querying of the list of valid codes, others do not. Hence the initial point and title of this Topic.

If the OP (@Zach_Feldman) really believes that getting a list of codes back from the lock is essential for reliability, then the question remains: What brands/models of Z-Wave locks actually have that function implemented.

Thanks for the discussion, JD.

3 Likes

Haha wow this has really spiralled.

Codes are stored per slot . So if you have a different guest, say every day in a week, you can push a unique code to each slot, and at the end of each day delete the expired slot.

What if we need to use the majority of the slots for other important access codes for our use case? A different number of slots depending on the day? It gets pretty complicated to verify by slot filled or not only right?

If the OP (@Zach_Feldman) really believes that getting a list of codes back from the lock is essential for reliability, then the question remains: What brands/models of Z-Wave locks actually have that function implemented.

Appreciate you bringing that up! I don’t even really believe that in itself is essential. I would be really happy with just a true or false return (is this code on the lock?) Rather than a straight list.

My question does remain though which is: how do we verify a code is on the lock if the slots are filled or close to it every time the code is written to? Is it to first delete all codes to start, then write, then check slots filled or not? What function is called to check if a slot is filled?

@Zach_Feldman

OK what Is your use case? Maybe there’s a better way or something that already answers your need. Also if you mention what lock you are using I missed it. As @JDRoberts always says, in home automation model numbers matter.

Nathan

1 Like

It’s a Kwikset 910.

Best option is to use a highly rated Lock Manager SmartApp which handles all the details for you.

Specifically, @RBoy

1 Like

© 2019 SmartThings, Inc. All Rights Reserved. Terms of Use | Privacy Policy

SmartThings; SmartApps®; Physical Graph; Hello, Home; and Hello, Smart Home are all trademarks of the SmartThings, Inc.