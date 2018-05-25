Vulnerability in Z-Wave Wireless Communications Protocol, Used By Some IoT and Smart Devices, Exposes 100 Million Devices To Attack (bleepingcomputer.com) 21
An anonymous reader writes: The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. The attack -- codenamed Z-Shave -- relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard.
The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property. While this flaw might prove frivolous for some devices in some scenarios, it is a big issue for others -- such as smart door locks, alarm systems, or any Z-Wave-capable device on the network of a large corporation. The company behind the Z-Wave protocol tried to downplay the attack's significance, but its claims were knocked down by researchers in a video.
Neat, but you have to know when it's pairing (Score:2)
Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.
Re: (Score:2)
I'm worried that the neighborhood kids are going to lie in wait until I pair a new ZWave device, exploit this weakness, and then turn my ceiling fan on remotely.
Re: (Score:2)
I'm married and that's actually my vibrator.
Re: (Score:2)
Fake news. Slashdotters don't do women.
Re: (Score:2)
..."When we say active attacker – we don’t mean a guy in a hoody sat in a car with a laptop," said Pen Test's Andrew Tierney. "A battery-powered drop-box could be left outside the property for weeks, waiting for a pairing event to occur."...
Interesting question (Score:3)
Re: (Score:2)
I have a Schlage keypad with ZWave capability - though I have that turned off both because it drains the battery very quickly and because I can't fathom a reason to have a ZWave enabled lock...
The only thing I could come up with is rigging the alarm to send me an alert if the door is currently unlocked when the alarm is armed. But still not worth the roughly 10x battery life loss.
Re: (Score:2)
I had Kwikset Zwave door locks installed with the Vivint SmartHome system in my old house. The two AA batteries tended to last about 4-5 months.
The system was generally awesome and very convenient. I had timers set to automatically lock the doors in the evening and morning in case we forgot. If I left the garage door open more than 10 minutes, you'd get an alert on your phone. Quite handy, but no clue what version of Z-Wave those locks used.
Re: (Score:2)
The timer idea is nice, but doesn't really require z-wave. I have door sensors rigged to my alarm panel, but they are all hard-wired. I don't have the garage door sensor alert thing set up - that's a pretty good idea.
Re: (Score:2)
What could go wrong?
https://www.youtube.com/watch?v=_CQA3X-qNgA [youtube.com]
