Z-Wave Security Flaw


It seems there is a security flaw in how Z-Wave S2 works allowing researchers to switch the device to S0 and compromise devices.

Good news is that it appears to be limited to device pairing. The only way around the vulnerability is to limit backwards compatibility.


(Steve Jackson) #2

I read the article and it appears that the vulnerability is only present during the pairing process. It shouldn’t be there but the exploit window seems really small.

(Mark) #3

I think I tend to agree with you.

But one thing that seemed somewhat concerning is they mentioned a motivated/knowledgeable bad guy could leave a device in place that will wait around until a nearby z-wave component goes into pairing mode, and then execute this exploit.

(Steve Jackson) #4

I suppose. You could throw up a listening device and cross your fingers you caught someone setting up a lock. I still think it’s a real long shot.

It would be a whole lot easier to just break a window. The only scenario I can think of is if someone is aware of when you might be setting up your locks. Then it could really be a problem.

(Mark) #5

I agree, I’m never really that concerned about these vulnerabilities from the perspective of my house getting robbed. Kicking in a door jamb or smashing a window is generally easier and within the skill set of most criminals.

Seems more likely that someone might try to do this just for the technical challenge/to cause mischief.

But as you said, still not particularly likely to affect most people.

(www.rboyapps.com - Make your home your butler!) #6

It may be more than a long shot because it’s not just about catching someone in the pairing process, it’s about intercepting the pairing process to cause it to fail and then making it fall back to S0 pairing and then capturing the radio waves and decrypting it.

For that to work, that someone needs to be within about 50-100ft of your lock to be able to successfully achieve this exploit.

I wrote up this note yesterday on this article:

From the article:

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device

So it’s ONLY vulnerable during the pairing process. i.e. they would need access to your lock physically and assuming it isn’t already paired to your existing hub. If it’s already paired, sorry guys you’ll have to find a way to hack in to exclude it first, but then it would be easier to just break down the door :wink:

But then again if they have access to the “pairing” of the lock, why go through the process of hacking it? Can’t you just “unlock” it after pairing it using your app?

So the moral of this story:
Don’t leave your lock lying around unpaired - but then again you need the “Master Code” to start the pairing process…
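
One way a hub owner could check for the S2-to-S0 fallback this post describes is to audit the security class each device actually ended up with after inclusion against the classes it offered. The script below is an added example, not code from this thread or from any Z-Wave vendor or hub; the log line format, the node numbers and the exact spelling of the class names are constructed for the example, and the only protocol assumption it makes is the one the thread makes: S2 is the stronger class and S0 the legacy fallback.

```python
"""Flag Z-Wave inclusion events that finished with a weaker security class
than the device offered (the S2 -> S0 downgrade discussed in the thread).

Added example, not the thread's or any vendor's code. The hub log format
below is constructed; real hubs record inclusion results differently.
"""
import re
from dataclasses import dataclass

# Constructed sample log (hypothetical hub format):
# <time> INCLUDE node=<id> type=<device type> offered=<classes> granted=<class>
SAMPLE_LOG = """\
2018-05-24T10:01:02 INCLUDE node=7 type=lock offered=S2_ACCESS_CONTROL,S0 granted=S2_ACCESS_CONTROL
2018-05-24T10:05:17 INCLUDE node=8 type=lock offered=S2_ACCESS_CONTROL,S0 granted=S0
2018-05-24T10:09:40 INCLUDE node=9 type=switch offered=S0 granted=S0
2018-05-24T10:12:03 INCLUDE node=10 type=switch offered=S2_UNAUTHENTICATED,S0 granted=NONE
2018-05-24T10:15:55 INCLUDE node=11 type=lock offered=S0 granted=S0
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) INCLUDE node=(?P<node>\d+) type=(?P<type>\w+) "
    r"offered=(?P<offered>[\w,]+) granted=(?P<granted>\w+)$"
)

# Rank of each security class; higher is stronger. Names are the example's own.
RANK = {
    "NONE": 0,
    "S0": 1,
    "S2_UNAUTHENTICATED": 2,
    "S2_AUTHENTICATED": 3,
    "S2_ACCESS_CONTROL": 4,
}


@dataclass
class Finding:
    node: int
    device_type: str
    offered_best: str
    granted: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed inclusion line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "node": int(m["node"]),
        "type": m["type"],
        "offered": m["offered"].split(","),
        "granted": m["granted"],
    }


def audit_inclusions(log_text, strict_types=("lock",)):
    """Report every inclusion that was downgraded below the best class the
    device offered, plus any device of a strict type (locks by default)
    that was included with anything weaker than S2."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # ignore lines that are not inclusion records
        best = max(ev["offered"], key=lambda c: RANK.get(c, -1))
        granted = ev["granted"]
        if RANK.get(granted, -1) < RANK.get(best, -1):
            reason = "downgrade: offered %s but included with %s" % (best, granted)
            findings.append(Finding(ev["node"], ev["type"], best, granted, reason))
        elif ev["type"] in strict_types and not granted.startswith("S2"):
            reason = "policy: %s devices must be included with S2" % ev["type"]
            findings.append(Finding(ev["node"], ev["type"], best, granted, reason))
    return findings


if __name__ == "__main__":
    for f in audit_inclusions(SAMPLE_LOG):
        print("node %d (%s): %s" % (f.node, f.device_type, f.reason))
```

Run against the constructed log it reports node 8 (a lock that offered S2 but landed on S0, exactly the fallback described in this post), node 10 (included with no security at all) and node 11 (a lock that only ever offered S0, which the strict policy rejects). On a real hub the practical response to a downgrade finding is to exclude the device and re-run inclusion, not to keep using an S0-paired lock.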

(Jimmy) #7

Agree on the limited scope of the vulnerability. But it is a good point that almost no z-wave hubs support S2 yet. It’s been out for how long now? Wonder if SmartThings is even working on it?


A couple points I’m not clear on:

  1. How do we know if a device has S2 level security? I’ve never noticed it on a spec sheet.
  2. prhct92eh2: If network hubs don’t support S2 security, does that mean all the Z-Wave locks with S2 security don’t work with hubs??? Presumably only dedicated Z-Wave controllers have this level of security?
  3. Do less critical devices (switches, say) now have S2 security? Wondering about obnoxious hacker simply wanting to take control of anything.