Security of zwave & zigbee devices

an39511 · 2015-05-09 00:39:01 UTC

I am reaching out to anyone knowledgeable with the security of zwave & zigbee devices. Is it possible to control these devices from outside the network they are joined too? I was under the impression that these devices were encrypted but I am starting to think this may not be the case. Over the course of the last year I have had multiple switches activate by themselves. I have worked with support on many occasions and they can offer no explanations. I have an LFM20 to control a garage door, a GE in wall dimmer, the new version of the CentralLite appliance module and a Aeon lab appliance switch all randomly turning on by themselves. The problem seems to come in waves over time. I can go months with no problem, but then all of a sudden I will get some of these devices activating. Today my garage door activated twice. Yesterday a dimmer switch turned on. Three days ago an appliance switch connected to an air conditioner turned on. This problem is driving me nuts! Support replaced all my first generation appliance modules with the newer ones. I have replaced the dimmer switch. I have replaced the garage door switch but the problem keeps happening. How can this happen when these devices are claimed as secure?

NONE of these devices are controlled by apps

tgauchat · 2015-05-09 00:50:46 UTC

As far as I know, they are encrypted, but there are known exploits / security holes. It does require deliberate snooping and hacking though… It wouldn’t be something like random neighbors or RF interference triggering devices (unlike X10 which has no security at all).

That doesn’t explain what you’re experiencing. I wouldn’t know how to definitively trace these anomalies.

an39511 · 2015-05-09 01:38:37 UTC

Support claims that whatever is causing the issue, it is not coming from the SmartThings hub. I figured if the network was encrypted there would be some type of error correction that would make the devices immune from being activated outside of the network. I can understand RF interference preventing a switch being turned on/off but not actually causing it to activate. If it is indeed Radio Interference then that suggests to me that anyone that floods the frequency band can possibly cause critical devices to fail. In a world becoming more conscience of security that does not go well for home automation and the new Smart homes. I guess I am glad I haven’t installed door locks.

pstuart · 2015-05-09 01:54:19 UTC

In theory it would be possible. But would require significant access. Rf interference can’t cause the device to turn on or off.

Packets are sent with encryption at least with ZigBee. Some zwave devices can be peer to peer without a hub but that is hard to initiate.

What is more likely is a weak password or another user in the system somewhere.

Also, since it sounds like a lot of your devices are hard wired do you have power spikes or brown outs? How stable is your power? Dropping power on the device could reset it and cause the symptoms you are describing. How is static?

keithcroshaw · 2015-05-09 01:56:17 UTC

I recently experienced random door unlocking which caused me to totally loose trust in the platform as far as security goes. It’s been degraded to fun stuff only…

tgauchat · 2015-05-09 02:23:29 UTC

Perhaps you misunderstood what I wrote…

I’m not an expert in this area, but the ZigBee and Z-Wave protocols use encryption and specific messages to control devices. They may be subject to sophisticated attacks (like capture and rebroadcast of packets), but random or flooding of the RF bands are… Well, to the best of my knowledge, impossible to cause device activation.

tgauchat · 2015-05-09 02:26:25 UTC

I agree … But power fluctuations are much different than random ambient or intentional, but random RF flooding.

The devices would have to have a really serious hardware level bug.

tgauchat · 2015-05-09 02:31:33 UTC

Unless caused by an intentional hacker, this must be due to software bugs or defective hardware.

Random RF causing random unlocking… doubt it.

The lock reading the packet meant for a lightswitch… Slightly possible?

What brand lock? I highly suspect a defective unit.

tgauchat · 2015-05-09 02:49:30 UTC

The “playback” attacks and similar holes in ZigBee and Z-Wave are being addressed in newer versions (new Z-Wave devices from Aeotec, etc. on the market already, I think).

As mentioned in another thread, though, “most” home door locks can be defeated with picks or widely available “bump keys”, or breaking a window.

So the incremental risk due to wireless access is rather small.

Ironically, concerns over wireless locks may hold folks back from the security benefits (lock tamper detection, and, the various contact and motion sensors and cameras that are enabled by wireless technology).

keithcroshaw · 2015-05-09 02:59:38 UTC

Well mobile presence was the culprit, but I don’t know how else to trust that… ever…

tgauchat · 2015-05-09 03:14:46 UTC

Assuming an authorized person is home because a presence sensor is in the house is like assuming they are home because they left their keys on the nightstand or coat hook.

The default could be to assume that the authorized person is not home, unless confirmed with a PIN (2 factor authentication, of course… Something you have… Aeon Minimote or Key Fob, and something you know… PIN… Or Amazon Echo challenge / response questions!).

Use Buttons As PIN Input ("Security Keypad") e.g., Aeon Aeotec Minimote, ZWN-SC7 Enerwave 7 Button; trigger to Routines, lock/unlock, arm/disarm, mode, lights SmartApps

This is a pre-release BETA: Testing and feedback is highly encouraged. [image] [image] Description Use Buttons As PIN Input Assign a multi-button controller (e.g., Aeon Labs Minimote) to be a security 'PIN code' input pad, which triggers a switch, lock, mode, or Hello Home action. App Name: Use Buttons As PIN Input Category: Safety & Security File Name: ButtonsAsPIN.app.groovy License: See repository and/or source code header comments. Version: v0.1.4-beta (non-production pre-release) as of latest update. Published/Submitted to SmartThings Marketplace: no Published to "Browse SmartApps" in IDE: yes Releases URL: https://github.com/CosmicPuppy/SmartThings-ButtonsAsPIN/releases/latest Master URL: https://github.com/CosmicPuppy/SmartThings-ButtonsAsPIN SmartApp Code Snippet (Copy cod…

surfous · 2015-05-09 05:15:43 UTC

You don’t. Not by itself at least. That’s not due to SmartThings per se, but because it’s not a secure practice for applications like access control.

Add a ‘signal of intent’ into the mix so that unlocking criteria are never just “I’m here,” but rather, “I’m here, and I want the door to unlock”

Examples are the Kevo lock - proximity of an authorized device outside the door (presence) plus touching the face of the lock (signal). Lockitron, if I recall, is similar - bluetooth proximity of a trusted device (presence) plus knocking on the door (signal). Finally, I use Knock to Unlock to unlock my Mac - my phone’s proximity provides presence, but I have to knock twice on the phone to signal that I want my computer to unlock.

I don’t know what you might combine with presence for signal. Maybe a zwave or zigbee button like Aeotec’s forthcoming doorbell? Of course, I wouldn’t want my mere presence ‘around home’ + a press of the doorbell button to unlock my door! I’d probably try to mix in a bluetooth beacon with IFTTT/Launch Center Pro somehow to limit my valid presence for the door unlock signal to my front steps.

Or since I’m blue-skying here, combinatorial presence: Geofence (I’m nearby) + being on my Wi-Fi network (I’m really nearby) + bluetooth beacon in a low power mode to limit radius to a few feet (I’m right in front of my door). It may be overkill to have all three, but this is an instance where I feel belt & suspenders is fashionable.

I guess my preference with locks is to err on the side of security. If the more convenient prox+signal or triple prox methods fail, then I fall back to using the app (less convenient, but secure) or the keypad (about the same convenience as pulling out my phone).

Sigh, I have just not yet mastered the ‘quick’ reply…

JDRoberts · 2015-05-09 05:25:55 UTC

I’m using zigbee presence plus physical indicator (contact or motion sensor) for the “I’m really here” case. It’s gotten rid of all the false arrival triggers for me. Not 100% perfect, but good enough for my purposes.

JDRoberts:

Okay the last couple days it's been working very well, and it is really nice to have when it is working. So as long as I treat it as a convenience, meaning I always have to have a Plan B available, I like it. Here's how I have it set up. Everything is done with hello home actions. There is no custom code except for the creation of one virtual switch. And I'm using that switch for some other things in IFTTT, not for the actual arrival events in smartthings. You could leave the virtual switch out, and still get the improvements regarding network drop offs. 1) I usually wear my hat when I go out, so I leave my hat In the cupboard with a motion sensor under it. When I'm ready to go I pick up the hat which triggers the motion sensor. This sets the mode to "JD Leaving." This motion sensor is…

an39511 · 2015-05-09 11:26:40 UTC

The password to the router is 64 characters long and the password to the smarthings interface is 14 characters, all random characters. As far as power, I have a TED5000 which does a pretty good job of monitoring line voltage. There are no detected spikes or sags and the most the voltage fluctuates is 5 volts.

Looking at the smartthings log I can see the the switches reporting they have turned on but there is no log entry of any command coming from the hub turning them on. This supports their claim the problem is not with smartthings.

The only out of the ordinary is that I have a few of devices that are use the same frequency spectrum, such as the TED5000 however that was installed sometime after I started experiencing problems. I also have a wireless weather station and a smart water meter that both use the 900MHz band.

an39511 · 2015-05-09 11:39:26 UTC

I would think you are correct but I am at a loss to understand how or why switches turn on by themselves. Smartthings support has claimed commands are not coming from the hub. I don’t have the knowledge or the equipment to diagnose the problem but I am not the only one reporting this type of issue.

pstuart · 2015-05-09 12:18:12 UTC

The switches are zwave, right? Pull the breaker and turn back on, what is the state now?

I still think it is either power or hardware related.

Security is a myth, why would someone hack your zwave mesh just to occasionally turn on or off a switch.

Password length is irrelevant if a rootkit or keylogger is installed or the password is sent in plaintext and a packet sniffer sees it.

I would get a voltage line logger before the load to the switch and watch for spikes or drops if or when the event occurs.

an39511 · 2015-05-09 17:36:06 UTC

I have both zwave and zigbee switches spontaneously turn themselves on. However the first generation zigbee switches were replaced about a year ago because support claimed they had problems.

I am not suggesting that anyone has hacked into my system I was just responding to “weak passwords” suggestion. The only reason I am talking about security is because smartthings support claims they are not the cause of the switches turning on and if they aren’t the source, then what is?

I don’t buy the suggestions from support that I have defective switches as I have replace every one that ever self activated and even the new ones still will activate by themselves.

I have gone through the motions of removing power cycling every device. When you ask what is the “state now?” I don’t know what you mean. If you are asking if it solves the problem, the answer is no.

I have a TED5000 installed for over a year now and it has only reported voltage spikes and sags during a lightning storm last summer. Other than that power is very clean. I realize that device does not compare to a commercial line logger but if it really comes down to minor power fluctuations causing switches to spontaneously activate then I really can’t justify keeping the system installed anymore. I am just tired of having my garage door opening a 3AM or bedroom lights coming on in the middle of the day/night, air conditioners turning on in the winter or space heaters in the summer. Two weeks ago I was working in my shop and the air conditioner activated. This is the same room I was heating with a space heater. No lights flickering, no reports of voltage fluctuations. Nothing in the logs showing commands turning the device on.

pstuart · 2015-05-09 17:49:47 UTC

Then remove the hub from the equation and see if the problems still exist. Try another hub or solution.

Nothing points to Smartthings, everything points to local issues beyond your ability to diagnose.

If a switch, not paired with a hub turns itself on/off then it is the device and nothing more.

I think its time you take an HA vacation, clearly your circumstances aren’t typical and I would suggest simplifying the solution or removing it all together until you find the cause.

tgauchat · 2015-05-09 18:00:30 UTC

Poltergeist!

Support@SmartThings.com might be able to recommend a Ghost Buster in your area.