Vulnerability in Z-Wave Wireless Communications Protocol, Used By Some IoT and Smart Devices, Exposes 100 Million Devices To Attack (bleepingcomputer.com) 60
An anonymous reader writes: The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. The attack -- codenamed Z-Shave -- relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard.
The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property. While this flaw might prove frivolous for some devices in some scenarios, it is a big issue for others -- such as smart door locks, alarm systems, or any Z-Wave-capable device on the network of a large corporation. The company behind the Z-Wave protocol tried to downplay the attack's significance, but its claims were knocked down by researchers in a video.
Neat, but you have to know when it's pairing (Score:3)
Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.
Re: (Score:3)
I'm worried that the neighborhood kids are going to lie in wait until I pair a new ZWave device, exploit this weakness, and then turn my ceiling fan on remotely.
Re: (Score:2)
I'm married and that's actually my vibrator.
Re: (Score:2)
Fake news. Slashdotters don't do women.
Re: (Score:2)
.
..."When we say active attacker – we don’t mean a guy in a hoody sat in a car with a laptop," said Pen Test's Andrew Tierney. "A battery-powered drop-box could be left outside the property for weeks, waiting for a pairing event to occur."...
Re: (Score:2)
It'd probably be a targeted attack - someone you're acquainted with who wants something you own. If you have a Z-Wave enabled house with z-wave locks and security and junk, you could theoretically use this to gain access with limited notice and no obvious breaking and entering. I doubt this is the kind of thing a rando criminal would use on some random person's house. Takes too much setup and work, and assumption that a pairing event happens frequently. Once I got my (limited to lights and AC) setup going,
Re: (Score:2)
Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.
The ZWave protocol has a range of 100m. How would it not be practical to park outside a house and launch an attack from the street?
Re: Neat, but you have to know when it's pairing (Score:1)
Anyone worried obviously has not involved themselves in z-wave enough. The point of the whole thing is to have a low power communication, which means that the range is really not meant to be fantastic. I have problems reliably getting transfers through my outer wall when attempting it deliberately. And the attack only works on initial inclusion, and the negotiation of security standards to use is sure to take some time to complete. I would bet that in any real world scenario it will be very difficult to exp
Interesting question (Score:3)
Re: (Score:2)
I have a Schlage keypad with ZWave capability - though I have that turned off both because it drains the battery very quickly and because I can't fathom a reason to have a ZWave enabled lock...
The only thing I could come up with is rigging the alarm to send me an alert if the door is currently unlocked when the alarm is armed. But still not worth the roughly 10x battery life loss.
Re: (Score:2)
I had Kwikset Zwave door locks installed with the Vivint SmartHome system in my old house. The two AA batteries tended to last about 4-5 months.
The system was generally awesome and very convenient. I had timers set to automatically lock the doors in the evening and morning in case we forgot. If I left the garage door open more than 10 minutes, you'd get an alert on your phone. Quite handy, but no clue what version of Z-Wave those locks used.
Re: (Score:2)
The timer idea is nice, but doesn't really require z-wave. I have door sensors rigged to my alarm panel, but they are all hard-wired. I don't have the garage door sensor alert thing set up - that's a pretty good idea.
Re: (Score:2)
As far as the battery life, I can't comment on what happens if I disable the z-wave, but I've had the lock installed since Chri
Re: (Score:2)
but I've had the lock installed since Christmas and I've only replaced the batteries once
So for comparison, I last changed the battery in November of 2016 - so your experience of two sets in about 6 months with Z Wave enabled roughly jibes with mine. This is our main door, and most of us use the keypad, so it's not like it's just a matter of disuse.
I agree that the uses you list are interesting - they just aren't very compelling. I've never had the occasion to let someone in to my home where I couldn't just give them one of the existing codes (like the one for the babysitter). Worst case I'll j
Re: (Score:2)
Not rhetorical. Can you remotely pair? Every system I've ever used that required "pairing", required physical access. I could see someone intercepting the pairing from a distance, but I would hope that a remote attacker could force pairing from a distance.
This. You have to press a pairing button either on the webpage or on the physical controller. Either way you'd already have access if you could do either of those.
Re: (Score:2)
What could go wrong?
https://www.youtube.com/watch?v=_CQA3X-qNgA [youtube.com]
Options (Score:2)
Not an effective attack for most locks (Score:2)
The locks in question pair over short distances - by design - and generally have to be taken off of the door and held near the controller to pair. Having an outsider cause a downgrade attack at that one critical time would be extremely unlikely. Once paired, there is no path to attack.
Sure, I would have locks reflashed if the manufacturer offered it inexpensively. But there's no reason to panic.
Re: (Score:2)
The locks in question pair over short distances - by design - and generally have to be taken off of the door and held near the controller to pair. Having an outsider cause a downgrade attack at that one critical time would be extremely unlikely. Once paired, there is no path to attack.
Sure, I would have locks reflashed if the manufacturer offered it inexpensively. But there's no reason to panic.
This assumes that the lock controller and the lock are the only things on your z-wave network. Sure, that pairing process is secure for the lock, but is the pairing process for everything else your controller pairs with secure? Because if it is not, those other devices that were insecurely paired may be able to talk to your lock through the controller (it's a network after all.)
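Added example, not part of the thread or of any Z-Wave vendor's code: a defender's audit for the two conditions raised above, namely a device that ends up on S0 although it supports S2 (the story summary) and a securely paired lock sharing a controller with weakly paired nodes (the comment above). The `Node` record, its field names and the inventory are constructed for illustration; `documented_s2` is assumed to come from the product's data sheet, because a downgraded controller will itself have recorded the device as lacking S2.

```python
from dataclasses import dataclass

RANK = {"none": 0, "S0": 1, "S2": 2}  # security granted at inclusion, weakest first
ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}

@dataclass
class Node:  # hypothetical record layout, not a real controller export
    node_id: int
    name: str
    granted: str              # level the controller recorded at pairing
    documented_s2: bool       # from the product data sheet, not the controller
    high_value: bool = False  # locks, alarm panels

def audit(nodes):
    """Return (node_id, finding) pairs, most serious first."""
    weak = [n for n in nodes if RANK[n.granted] < RANK["S2"]]
    findings = []
    for n in weak:
        if n.documented_s2:
            # S2-capable hardware paired lower: the state a pairing-time
            # downgrade leaves behind, so it needs a fresh S2 inclusion.
            sev = "CRITICAL" if n.high_value else "HIGH"
            findings.append((n.node_id, f"{sev}: S2-capable, included as {n.granted}"))
        else:
            findings.append((n.node_id, f"INFO: no documented S2, included as {n.granted}"))
    weak_ids = ", ".join(str(n.node_id) for n in weak)
    for n in nodes:
        # A correctly paired lock still shares its controller with weak nodes.
        if weak and n.high_value and n.granted == "S2":
            findings.append((n.node_id, f"MEDIUM: shares controller with nodes {weak_ids}"))
    return sorted(findings, key=lambda f: ORDER[f[1].split(":")[0]])

INVENTORY = [  # constructed sample data
    Node(2, "front door lock", "S0", True, high_value=True),
    Node(3, "garage door sensor", "S2", True),
    Node(4, "ceiling fan switch", "none", False),
    Node(5, "alarm panel", "S2", True, high_value=True),
    Node(6, "light dimmer", "S0", True),
]

if __name__ == "__main__":
    for node_id, finding in audit(INVENTORY):
        print(f"node {node_id}: {finding}")
```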
Impractical attack: pairing only occurs once. (Score:2)
During the pairing process you can pair with the older version of the protocol. However, the pairing process only happens when you add the device to your network and it only happens once.
I'd agree with Sigma, this is a pretty minor issue.
Sure someone could come in, disassemble your Z-Wave device, exclude the device, then re-pair it. At that point they have physical access to your stuff, so why not just crack open your home automation system?