Possible Z-Wave S2 vulnerability

Posted on
Thu May 24, 2018 11:41 am
sarahcat offline
Posts: 145
Joined: Apr 16, 2011

Possible Z-Wave S2 vulnerability

The article mentions that S2 added Diffie-Hellman key exchange and hardened this version of Z-Wave. However, I thought this might be a good topic to discuss, as at least U.S. users approach the start of holiday travel season. I use Z-Wave protocol for my Kwikset front door lock, but the remainder of my control system is Insteon.

https://www.forbes.com/sites/thomasbrew ... fadb894517

Posted on
Thu May 24, 2018 1:12 pm
matt (support) offline
Site Admin
Posts: 21417
Joined: Jan 27, 2003
Location: Texas

Re: Possible Z-Wave S2 vulnerability

We have on our development schedule a couple of items to improve Indigo to support S2 protocol pairing. Currently, Indigo always does S0 for compatibility – a lot of security modules being used with Indigo unfortunately don't support S2. We are also going to improve Indigo so that whenever a potentially insecure pairing process is about to occur (the only time at which there is a known vulnerability) the user is first prompted for approval. Not supporting S0 style pairing would prevent a lot of modules from being able to work at all. Therefore, the best approach will be to get informed consent from the user.
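The consent gate described in this post, sketched as an added example (not Indigo's code and not part of the original post). It assumes the device's Node Information Frame (NIF) is available as a plain list of supported command-class IDs; the function names and sample NIFs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Command class IDs from the Z-Wave specification.
COMMAND_CLASS_SECURITY = 0x98    # S0
COMMAND_CLASS_SECURITY_2 = 0x9F  # S2

# Constructed sample NIF command-class lists (not captured from real devices).
S2_LOCK_NIF = bytes([0x5E, 0x98, 0x9F, 0x62])  # Z-Wave Plus, S0, S2, Door Lock
S0_LOCK_NIF = bytes([0x98, 0x62])              # S0, Door Lock
SWITCH_NIF = bytes([0x5E, 0x25])               # Z-Wave Plus, Binary Switch


@dataclass(frozen=True)
class Decision:
    mode: str            # "S2", "S0" or "none"
    needs_consent: bool  # user must approve before inclusion starts
    reason: str


def plan_inclusion(nif_classes: bytes, controller_s2: bool) -> Decision:
    """Pick the strongest mode both sides support; flag S0 key exchange."""
    dev_s0 = COMMAND_CLASS_SECURITY in nif_classes
    dev_s2 = COMMAND_CLASS_SECURITY_2 in nif_classes
    if dev_s2 and controller_s2:
        return Decision("S2", False, "both sides support S2")
    if dev_s0:
        why = ("downgrade: device supports S2, controller pairs with S0"
               if dev_s2 else "device supports S0 only")
        return Decision("S0", True, why)
    if dev_s2:
        return Decision("none", True, "device is S2-only, controller is not")
    return Decision("none", False, "device has no security command class")


def include(nif_classes: bytes, controller_s2: bool, ask_user) -> str:
    """Return the mode used, or "aborted" if the user declines the prompt."""
    decision = plan_inclusion(nif_classes, controller_s2)
    if decision.needs_consent and not ask_user(decision):
        return "aborted"
    return decision.mode


if __name__ == "__main__":
    for nif in (S2_LOCK_NIF, S0_LOCK_NIF, SWITCH_NIF):
        print(plan_inclusion(nif, controller_s2=False))
```

The `reason` string is what a prompt would show the user, so a downgrade on an S2-capable lock is distinguishable from a device that only ever spoke S0.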


Posted on
Tue May 29, 2018 12:55 pm
sarahcat offline
Posts: 145
Joined: Apr 16, 2011

Re: Possible Z-Wave S2 vulnerability

Thanks, Matt. I wasn't aware of the compatibility problems with other modules. It's regrettable that Z-Wave is the common protocol for the major lock companies (other than Zigbee or proprietary ones like Lowe's Iris), and we don't have a good way to fix vulnerabilities. Is the encryption vulnerability of Z-Wave locks mitigated in any way by using them with Indigo, since it's a bit of a closed loop system, i.e., not using Z-Wave hubs?

I'm glad I only use Z-Wave for the one device (the lock) and if the vulnerability exists, even using them with Indigo, I'm not going to use a Z-Wave device to access my garage door, either. At the very least, it's worth having this discussion.

Posted on
Tue May 29, 2018 3:58 pm
matt (support) offline
Site Admin
Posts: 21417
Joined: Jan 27, 2003
Location: Texas

Re: Possible Z-Wave S2 vulnerability

sarahcat wrote:
Is the encryption vulnerability of Z-Wave locks mitigated in any way by using them with Indigo, since it's a bit of a closed loop system, i.e., not using Z-Wave hubs?

Unfortunately, no. In this case Indigo + Z-Stick is a hub. The problem only occurs during module inclusion, and then only when including a module with encryption. So limiting how often you do that (and check outside for shady characters or vans with antennas :mrgreen:) is the best we can do for now.


Posted on
Tue May 29, 2018 8:03 pm
DaveL17 offline
Posts: 6759
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Possible Z-Wave S2 vulnerability

Z-Wave ‘Hack’ is Old News; ‘Vulnerability’ is Deliberate

"What some media outlets are calling an IoT security "flaw" is a "conscious choice" by Z-Wave Alliance members to make new super-secure S2 home-automation devices backward compatible with 100 million existing Z-Wave products."

I came here to drink milk and kick ass....and I've just finished my milk.


Posted on
Wed May 30, 2018 9:34 am
jay (support) offline
Site Admin
Posts: 18224
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Possible Z-Wave S2 vulnerability

LOL - CEPro is such a fanboy (some might even say toady) of Z-Wave (they claimed back in 2009 that a totally unknown, new and anemic Z-Wave product for the Mac would take over the Mac home automation market - it barely made it to market before being discontinued). Despite the fantastical headline, the vulnerability itself was not really intentional, but propagating the vulnerability to the S2 security model was intentional in order to enable backwards compatibility.

To be clear, the window for the vulnerability is quite small and requires a very Z-Wave tech-savvy person to be within range and be attempting the hack at *exactly* the same time you're including an encrypted device.

Jay (Indigo Support)

Posted on
Wed May 30, 2018 4:03 pm
DaveL17 offline
Posts: 6759
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Possible Z-Wave S2 vulnerability

I don't disagree at all, but I will give CEPRO credit for trying to get dealers to quit considering HA enthusiasts as the enemy.


Posted on
Thu May 31, 2018 1:55 am
sarahcat offline
Posts: 145
Joined: Apr 16, 2011

Re: Possible Z-Wave S2 vulnerability

matt (support) wrote:
The problem only occurs during module inclusion, and then only when including a module with encryption.


OK, so in my case, the 'vulnerability' is pretty remote, since I don't think anyone can approach my house closely enough to hack my Z-Wave device without my noticing and the last time I did an inclusion was when I replaced my door lock with a warranty replacement. I did notice some shady characters, but both were my cats and they drive a Tesla.

Posted on
Thu May 31, 2018 3:57 am
DaveL17 offline
Posts: 6759
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Possible Z-Wave S2 vulnerability

sarahcat wrote:
I did notice some shady characters, but both were my cats and they drive a Tesla.

So they're bent on world domination, then.


Posted on
Thu May 31, 2018 8:39 am
jay (support) offline
Site Admin
Posts: 18224
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Possible Z-Wave S2 vulnerability

sarahcat wrote:
OK, so in my case, the 'vulnerability' is pretty remote, since I don't think anyone can approach my house closely enough to hack my Z-Wave device without my noticing and the last time I did an inclusion was when I replaced my door lock with a warranty replacement.


Correct.

sarahcat wrote:
I did notice some shady characters, but both were my cats and they drive a Tesla.


8)

Jay (Indigo Support)
