Z-Wave Plus with S2 NOT SECURE

Just received brand new V3 ST hub for Christmas. I installed 4 new GE(Jasco) Z-Wave Plus switches. Everything I find says these are compatible and secure. The switches are S2+Smart Start compatible.

To start with, I am in touch with Samsung and Jasco support on this issue. I have a fairly high/broad tech level and am getting nowhere with Samsung tech support so far. I hate the time it takes to climb the tech tree. I do not need the “turn it on and off or restart the device and make sure it is plugged in” tech support. I need someone who knows what protocols/security are implemented. If this is V3 hub it should be up to date.

Every time I add the switches I am getting the following errors

Then I press exit and get this message “Your device has been connected, but the device may not work properly because you didn’t finish secure setup. If you have any problems using the device, exclude it and add it again.”

When I close the message the switches operate properly. They are working normally in SmartThings App and Google Home.

I have tried factory resets, exclusion/inclusion, secure mode on/off combos, adding the switches in different orders. Nothing resolves this problem.

I started digging deeper to verify my switches are indeed NOT secure at the moment.

All of my switches show “ZWAVE_S2_FAILED” in smartthings API management

Shouldn’t at least some level of security have been enabled? Why are these devices sold as compatible and they advertise security and then they do not work as they should?

With today’s onslaught of ransomware and IoT hacking I take my home network security very seriously. I don’t need something as dumb as a light switch to worry about.

Here is a screenshot from online API

S2 has not been implemented at this point. ST is in the process of getting it certified so it will become available in the future. No timeline.

To add to what @jkp said, your switches should fall back to the previous Z wave security profile, the one that the hub is using, and they will work just fine as light switches. You’ll be able to use them in automations. And, to be honest, they will be secure enough for light switches. Not, however, secure enough for UL listed perimeter protection devices like a security system sensor, which is what the S2 protocol was designed for.

But if you want that level of security, you probably wouldn’t have selected smartthings anyway. :wink: It lacks multiple features, such as cellular communications, which most purpose built security systems will have even in the low-cost tier.

So if you just wanted a low-cost security system which could run some light switches as well, look at Ring (which I believe was the first Z wave controller to fully implement S2).

But if you were looking for a home automation platform which can work with many different device protocols, which has support for very complex rules, and which can provide convenience level notifications as long as the Internet is available, then certainly smartthings is a popular choice. Just be aware that you will continue to see that S2 security message for any end devices that support S2 until it has been fully implemented with a hub firmware update. And they haven’t given us a timeline for that.

And for those interested in the technical details of S2:

https://www.electronicdesign.com/technologies/embedded-revolution/article/21805285/qa-the-lowdown-on-zwaves-s2-security-support

But honestly, it would be overkill for just a light switch. They have it so they can be included in UL listed security systems, but they don’t really need it.

I am still new to smartthings and Z-Wave. I did some Zigbee stuff years ago before the advent of PIs and Arduinos and such. So anything I can learn quickly is beneficial.

So the S2 protocol was made mandatory April 2017. So now, nearly 3 years later this is still not functional?

If Z-wave plus and S2 enabled devices are supposed to be backwards compatible, shouldn’t my switches at least enable an earlier security protocol that is supported on the ST hub?

One thing I may have just figured out is that before S2 was made mandatory, secure AES-128 Bit has been available for a long time but only mandated for access-control devices (i.e., door locks and such). So, could it be that Jasco implemented S2 as mandated, but completely left out legacy support for secure connections? That just seems lazy.

Does anyone have an example of what message I should get for a legacy device with secure connection instead of
ZWAVE_S2_FAILED

They do. It’s just a confusing error message (which is coming from smartthings, the Z wave protocol does not mandate the format of error messages).

Backwards compatibility is part of the zwave protocol.

So the S2 protocol was made mandatory April 2017. So now, nearly 3 years later this is still not functional?

I can’t recall any devices actually coming to market with S2 support until late 2018.

The smartthings 2018 hub specifically was given a waiver on S2 compatibility with the understanding that they would get there eventually.

ADT certified their first S2 z wave hub less than a year ago and brought it to market about 6 months ago.

https://products.z-wavealliance.org/regions/2/categories/25/products

The security systems are bringing it on first, which you would expect. The home automation systems are moving in that direction, but it may still be another year or two before it’s really common.

It used to look like this (this is from a comment by a smartthings customer support staff member)

It sounds like the device didn’t securely include. ZWAVE_S2_FAILED indicates the device supports S2 but did not securely include. Because S2 is not currently supported, you will see ZWAVE_S0_DOWNGRADE for devices that securely include and support S2.

Meaning if a device that supports S2 security attempts to pair securely, the ST hub will tell it that this particular network doesn’t support S2 and it should fall back to the S0 security framework and pair securely using that.

But I don’t know if that message is still what they’re using.

Tagging @Kianoosh_Karami @Brad_ST

Also, thanks for your quick responses and insight JDRoberts!

I went with Smartthings to get started. I still have a standalone ADT security system that is prewired into the home and have not decided to take things that far with door sensors and such. My ADT hub has z-wave controller, but they want extra money to access features to control lights and stuff. At the additional monthly ADT price I basically paid for the ST hub in 2 months.

What really drove me to Smartthings was seeing the Konnected device to integrate existing alarm systems into my smart network… and hopefully ditching ADT :stuck_out_tongue_winking_eye:

So, for now light switch security is not a big deal. Trying to understand this issue and get the basics down. Without knowing how this system works I can’t feel confident. I would hate to take this to the next level with the alarm system and find out there is zero security.

I know that more nefarious people will lack the knowledge and tools, but smart devices are prevailing and criminals use tools to steal credit card info all the time. So, I do not just play ignorant that nobody is trolling the streets with the tools to do these things. Much easier to just pay some money black market to get a tool that sniffs around and unlocks doors or disarms security panels. Doesn’t mean they have to know how it works as long as it is easier than breaking down a door.

Thanks JDRoberts! I had seen mention of “ZWAVE_S0_DOWNGRADE”. That’s why I’m so confused now. Since mine shows the “Failed” message I have no assurance if any security is implemented or not. Maybe it’s a bug. But, all I know is the message it displays can only lead me to assume there is absolutely no secure connection, which I feel is unacceptable. The weirdest part of this is that I cannot find mention of this specific error message anywhere online.

Maybe I’m the first? :man_shrugging:

Hmmmm…

You know that Konnected doesn’t change SmartThings’ cloud dependency, right? Whether you have Konnected or not, notifications will come via the Internet from the smartthings cloud. So that’s two points of vulnerability right there.

Also, smartthings can and does take your hub offline fairly often, historically at least once a month, just for maintenance updates. You can neither refuse nor defer these. We usually get a couple of days notice, but not always. And it’s only supposed to be off-line for a few minutes, but it’s been known to go down for longer than that, in one case more than a day.

Again, all of which is acceptable for a cheap home automation system, but typically not acceptable for even a cheap security system.

That’s not just my opinion. The company says so themselves in the official product usage guidelines (Emphasis added)

  • Data accuracy and consistency from SmartThings sensors, including those provided by SmartThings directly, resold by SmartThings, or supported by SmartThings, is not guaranteed. Therefore, you should not rely on that data for any use that impacts health, safety, security, property or financial interests. For example, because temperature readings may vary significantly from reading to reading on an individual device, between devices, or over time, those readings should not be used to control heating and cooling in environments where food spoilage, health risks, or damage to physical goods could occur. Alternately, presence data from SmartThings devices or mobile/Smartphones can vary in accuracy, and therefore should not be used to control access to secure locations without secondary authentication.

Konnected is a great product, but people mostly use it who have an existing security system and want to also trigger some of their home automation features, like having lights come on. Or who buy a house which has existing wired sensors with no controller and they want to use those sensors for home automation purposes like changing the thermostat if a window is open. It’s not in any way a substitute for a real security system.

If your primary goal is to replace an ADT system, I would look at Ring, simplisafe, abode, or Lifeshield. All of which have battery back up, cellular communications, optional professional monitoring, non-mesh security sensors, and some home automation features. Features do vary from system to system, so you would still have research to do. But I just wouldn’t consider smartthings a candidate for that particular use case.

First rule of smartthings: it’s never just you. :wink:

But that’s a smartthings message, you’ll only find discussion of it in this forum. Where there are several threads. I just didn’t previously point you to any of them because it’s an area where there have been a number of platform changes over the last year so a lot of the posts would be out of date and probably confusing. Particularly some of the ones referring to bugs which have since been fixed.

I also am having problems with Aeotec devices:

I have added an Aeotec Nano Shutter (ZW141-C) which displays the following error:

  • networkSecurityLevel: ZWAVE_S0_DOWNGRADE

and an Aeotec Dual Nano Switch (ZW140-C) which displays the following error:

  • networkSecurityLevel: ZWAVE_LEGACY_NON_SECURE

I am also concerned that the Dual Nano switch has completely disabled all security protocols with the error code displayed. The Nano Shutter is definitely S2 but I am unsure for the Dual Nano Switch as the box does not say S2, only Z Wave Plus and G5.

I am unsure what firmware version either Aeotec device is running. Is there a way to interrogate the firmware version from smartthings? Is the firmware upgradable via SmartThings?

On a further note I am also having problems with the Nano shutter device handler, it appears to work fine with the “Aeotec Nano Shutter V2.0” with the SmartThings Classic App however appears garbled and is non-operational with SmartThings Modern.

Prior to loading the “Aeotec Nano Shutter V2.0” Device Handler the Modern SmartThings app appeared to work fine with the “Z-Wave Basic Window Shade” Device Handler but I was unable to set up the Nano Shutter’s parameters.

On Aeotec’s website they state “Note: This device handler is not designed for firmware V3.0.” however I have not been able to find out the module’s firmware version so far.

SmartThings doesn’t yet fully support S2 security, so your S2 device was set up using the previous security standard (S0). This doesn’t mean all security protocols were disabled, it just means that it’s using an older security standard rather than the newest one. This is an issue on the SmartThings side, not the device side.

Looks like your switch doesn’t support S2, which is why you got the message that it’s using a legacy security standard rather than the most current.

You can check the firmware version in the IDE by logging into your account here:
https://account.smartthings.com/login
Then navigate to devices, select the device, and view details.

SmartThings has OTA updates for zigbee devices if you choose to allow them, but I don’t believe they have OTA updates for z-wave devices yet.

Lots of custom device handlers either don’t work at all in the new app, or have very limited functionality in the new app. To access the full functionality of custom device handlers you need to use the classic app. In some cases you can use the classic app and custom device handler to configure the device the way you want it, then switch the device handler to the stock one that works with the new app.

Well I have an update this morning. I added a new GE/Jasco switch to my home. It is the same as the other switches and dimmers I already had. When I went to add the switch in smart things it actually required the QR/security DSK from the switch. I scanned the QR code and voila, the switch connected with S2 security enabled. I began to exclude and add my other switches and they are now being added with S2 security as well. Looks like Samsung finally put out the S2 protocol.

Had the same issues with Fibaro Roller Shutter 3 FGR-223, “couldn’t connect securely”. The device was undiscovered even if I pressed skip, and excluding was also not working. Reset the device several times, same issue.
Fixed the problem by removing the device, connecting a cable to L and N, and plugging it into the power socket; it was then very easy to add to the network. Installed it again with the switch and calibrated the roller, no problems.

I have a v2 hub and recently excluded/re-included the Ring Range Extender, which is now showing up as
“ZWAVE_S2_AUTHENTICATED”
I also have a Zooz Zen27 (v1) switch downstream from the Ring extender, which I’ve reset/excluded & re-added but it is still showing ZWAVE_S2_FAILED.
Should the Zooz also connect as S2?

Tagging @TheSmartestHouse

Per https://www.thesmartesthouse.com/products/zooz-z-wave-plus-s2-dimmer-switch-zen27-with-simple-direct-3-way-4-way: “S2 security for a smarter and safer connection”.

@Speeder when you added the device did you scan a barcode or manually enter the DSK/Pin for the device?

It did not prompt for a PIN for the device. I simply did the “scan nearby” in the new app and it found the device after I tapped up paddle 3 times.