[ANSWERED]: Hacking Z-Wave

Posted on
Sun Apr 17, 2016 5:14 am
Turribeach offline
Posts: 429
Joined: Feb 06, 2015
Location: London, UK

[ANSWERED]: Hacking Z-Wave

I think the Hacking board name is meant as "Tinkering" but since we don't seem to have another relevant board I am posting here (Jay/Matt maybe we need a "Security" board for posts like the one I am making?).

On Jan 2016 at the ShmooCon hacker convention a paper was released showing how to "hack" Z-Wave:

http://www.networkworld.com/article/302 ... vices.html

I got lots of questions about that paper and the implications for Indigo, I will try to summarise them:

1) Is Indigo impacted by what's shown on the paper and if so in what level?

2) The paper authors tested 33 different Z-Wave devices with only 9 of them supported encryption. Does Indigo support showing which devices are encrypting communications and if so how? If not can this be added ASAP please?

3) The paper also talks about four devices that required a user to ‘opt-in’ for encryption. What's the process to enable encryption in a device in Indigo if such option is support?

4) It would appear to me that if a Z-Wave device is not encrypting communication is open to be attacked more easily and that these guys found ways to "break" through the device security rather than Z-Wave protocol security. If that's the case it seems there is little we can do to protect ourselves from this. Perhaps Indigo could add some "detection" of suspicions activity? For instance devices being turned on/off constantly (as described on the paper) or perhaps any device which a user could set as only controllable from Indigo as a honeypot detection for intrusion?

5) At the bottom of the article Z-Wave Alliance Executive Director Mitchell Klein mentions the launch of the Z-Wave Security 2 (S2) framework which combines the existing ES 128 encryption with Elliptic Curve Diffie-Hellman key exchange. Is this framework supported by Indigo? (probably not as it was only launched on Dec 2015). Are there any plans to add support to this? What are the hardware requirements for S2? Do existing Z-Wave devices support S2? Where can I find more information about this? I couldn't find any more info on the Web other than articles reporting the press release.

Thanks,
Christian

Posted on
Fri Apr 22, 2016 8:46 am
matt (support) offline
Site Admin
User avatar
Posts: 21411
Joined: Jan 27, 2003
Location: Texas

Re: Hacking Z-Wave

Indigo 6.x does not use the encrypted Z-Wave command classes. We haven't announced yet when/if future versions will support it, but it is definitely on our radar. Modules use encryption based on how they are included. Some modules have a manual process by which encryption is enabled during inclusion (tapping a button twice versus once). If they support encryption then their manuals should detail the different steps. The host application can also enable encryption during inclusion via NWI. Again, Indigo doesn't do that yet though.

Regarding S2, it can take a while for the hardware vendors to adopt firmware changes. Using such a new framework would require new firmware versions of all the modules involved (including Z-Stick). I don't know what those manufacturers plans are in regards to new firmware releases. Historically, it can take a long time for new modules to come out with the latest stacks.

My 2 cents: security for HA will improve a lot over the next few years, but given there are dozens/hundreds of vendors with not-so-easy-to-upgrade firmware it isn't going to be fast and in a lot of cases will require new hardware. IoT security patching is going to be significantly slower than desktop or mobile device OS updates.

Image

Posted on
Fri Apr 22, 2016 9:04 am
RogueProeliator offline
User avatar
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: [ANSWERED]: Hacking Z-Wave

A slightly less technical comment - sometimes these types of presentations at DefCon, ShmooCon, etc. are focusing on some pretty esoteric attacks. Not saying that they aren't worth a consideration and valid points, and security should ALWAYS be improving... BUT, the odds of someone attacking a Z-Wave network are pretty astronomical -- think about the scale of things:

I am a bad guy looking to score or cause mischief... I can attempt to find a single house with Z-Wave, spend some time attacking that house and causing a bit of havoc to a person. This requires me to be physically near said network (possibly for extended amounts of time). OR, I can go after a cloud provider from behind my computer at a coffee shop... and perhaps score literally millions of username/password combinations and cause total mayhem on a ton of users.

I think a target attack on a house is FAR more likely to come from the network -- most notably cloud providers, though a script looking and finding web servers may find individual houses and servers. This is why I don't recommend directly opening up ports on a router to Indigo. If a script can hit you, said script may find a vulnerability even if you think you are secure and have done everything right. Not saying it can't be opened safely, but most users lack the skills to both setup AND monitor the configuration.

Adam

Posted on
Mon Jun 13, 2016 10:17 am
Umtauscher offline
User avatar
Posts: 566
Joined: Oct 03, 2014
Location: Cologne, Germany

Re: [ANSWERED]: Hacking Z-Wave

Hi Adam,

forgive me, but that is a rather naive point of view. Maybe you are living on a huge property, where none of your neighbours are even able to reach your z-wave network from outside and mybe your front door is open anyways?
In big cities, its a matter of seconds to find a zwave network if one is there, because you can just pass by it without beeing noticed.

This sort of attitude is the main problem nowadays concerning any security in computer systems. It reminds me when years ago people said "who needs a firewall - nobody will be interested in my personal data". "Who need mail encrytion, I have nothing to hide". Today endpoint to endpoint encryption is mostly standard even on chat platforms. (apart from Google naturally)

In my opinion Indigo should learn encryption a.s.a.p .
I know, z-wave encytion is not very secure and can be hacked, but transmitting everthing in the open is still much, much worse.
Just my 2 Cts.
Cheers
Wilhelm

Posted on
Mon Jun 13, 2016 1:07 pm
RogueProeliator offline
User avatar
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: [ANSWERED]: Hacking Z-Wave

This sort of attitude is the main problem nowadays concerning any security in computer systems. It reminds me when years ago people said "who needs a firewall - nobody will be interested in my personal data". "Who need mail encrytion, I have nothing to hide". Today endpoint to endpoint encryption is mostly standard even on chat platforms. (apart from Google naturally)

Perhaps you misconstrued my comments - if you'll re-read them you'll see that it isn't that they aren't valid points and that we DO need to keep improving, but that it shouldn't be as big of a concern as some of the other vulnerabilities out there. The companies involved indeed should always be increasing security - but this isn't where the individual user should focus attention.

Again, asking the questions and encouraging Z-Wave secure implementations is NOT a bad thing, but choosing, say, a controller platform that does support Z-Wave encryption yet stores everything in the cloud is a false sense of security.

It is similar to this example:
You have an secured Z-Wave network and a WiFi connection that you have secured with WAP2, so you feel good. I can see both from my house next door in a crowded urban environment. Even WAP2-TKIP (still the default on many routers) is super easy to break, not to mention that some routers still inexplicably still enable WEP. If I am sophisticated enough to break either the Z-Wave (unsecured) or the WiFi, the WiFi is still a better target - go after bank accounts, passwords, etc. going over the network.

Posted on
Mon Jun 13, 2016 2:50 pm
johnpolasek offline
Posts: 911
Joined: Aug 05, 2011
Location: Aggieland, Texas

Re: [ANSWERED]: Hacking Z-Wave

RogueProeliator wrote:
Again, asking the questions and encouraging Z-Wave secure implementations is NOT a bad thing, but choosing, say, a controller platform that does support Z-Wave encryption yet stores everything in the cloud is a false sense of security.

It is similar to this example:
You have an secured Z-Wave network and a WiFi connection that you have secured with WAP2, so you feel good. I can see both from my house next door in a crowded urban environment. Even WAP2-TKIP (still the default on many routers) is super easy to break, not to mention that some routers still inexplicably still enable WEP. If I am sophisticated enough to break either the Z-Wave (unsecured) or the WiFi, the WiFi is still a better target - go after bank accounts, passwords, etc. going over the network.


+100 on that... I hate the way that so much stuff is "out there" where I have no idea how much (or little) security that Kwikset for example has on their server farms; and the more data they keep for the more users, the higher the likelyhood that an "authorized' user or employee will be a hacker breaking into his neighbor's data vault. And once Joe figures out how to send an electronic key to Bills Kevo, (or a disgruntaled underpaid staffer sells the whole database to to the Russian mob since all their data is stored somewhere in Xyzistahn, even 1024 bit encryption over the net does you no good at all.

Posted on
Mon Jun 13, 2016 2:58 pm
Umtauscher offline
User avatar
Posts: 566
Joined: Oct 03, 2014
Location: Cologne, Germany

Re: [ANSWERED]: Hacking Z-Wave

Hi Adam,

thanks for taking the time to explain what you meant.
Anyway I think every hole to patch is one hole less.

BTW I chose indogo because it doesn't store anything in a cloud and I. refuse to do so with any app on my iphone. I immediately return any gadgets that insist on creating an online account (e.g Danalock) and try to keep everything under my control.
Certainly one cannot be sure something isn't messed up, but we can at least try to make everything as secure as possible.

Cheers
Wilhelm

Posted on
Mon Jun 13, 2016 8:00 pm
RogueProeliator offline
User avatar
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: [ANSWERED]: Hacking Z-Wave

BTW I chose indogo because it doesn't store anything in a cloud and I. refuse to do so with any app on my iphone. I immediately return any gadgets that insist on creating an online account (e.g Danalock) and try to keep everything under my control.
Certainly one cannot be sure something isn't messed up, but we can at least try to make everything as secure as possible.

Well, you are indeed the type of user then that I think SHOULD question things as you seem to have your security "priorities" in order. My comments were not, of course, directed at any user, but rather just your average user that follows the latest security headlines... because frankly the news is AWFUL at actually reporting relevant information and instead goes after the sensational headline... which is what kind of prompted my first post.

I don't think the cloud has to necessarily be a bad thing overall, btw, just as long as one is aware of the risks. For instance, I believe a few people here use a cloud service to graph some energy data -- doesn't really matter all that much if that is compromised in the end. I have never heard of a targeted Z-Wave attack, so I am aware but not concerned about that; would I prefer a secured network? Of course! But then again, if someone did attack me they could learn we use the A/C too much or the humidity of the crawlspace. They aren't unlocking doors!

Page 1 of 1

Who is online

Users browsing this forum: No registered users and 3 guests