Slashdot Mirror


Vulnerability in Z-Wave Wireless Communications Protocol, Used By Some IoT and Smart Devices, Exposes 100 Million Devices To Attack (bleepingcomputer.com)

An anonymous reader writes: The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. The attack -- codenamed Z-Shave -- relies on tricking two smart devices that are pairing into thinking one of them does not support the newer S-Wave S2 security features, forcing both to use the older S0 security standard.

The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property. While this flaw might prove frivolous for some devices in some scenarios, it is a big issue for others -- such as smart door locks, alarm systems, or any Z-Wave-capable device on the network of a large corporation. The company behind the Z-Wave protocol tried to downplay the attack's significance, but its claims were knocked down by researchers in a video.
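The downgrade described above happens during inclusion (pairing), when the joining node announces its capabilities and the controller picks a security scheme. The toy model below is an added example, not code from the story or from Z-Wave or Pen Test Partners; it assumes a controller that refuses the S0 fallback for devices the owner marks as security-critical, and the conflicting-announcement check is a heuristic of my own, not a Z-Wave feature.

```python
# Added example: toy model of the Z-Wave inclusion security negotiation and
# a controller-side policy that removes the S0 fallback. Not Z-Wave stack code.
from dataclasses import dataclass

# Command-class identifiers from the public Z-Wave specification.
COMMAND_CLASS_BASIC = 0x20
COMMAND_CLASS_SECURITY = 0x98    # S0, the older scheme
COMMAND_CLASS_SECURITY_2 = 0x9F  # S2, the newer scheme


@dataclass(frozen=True)
class NodeInfoFrame:
    """Capabilities a joining node announces during inclusion."""
    node_id: int
    command_classes: frozenset


def highest_scheme(nif: NodeInfoFrame) -> str:
    """Strongest scheme the announced command classes allow."""
    if COMMAND_CLASS_SECURITY_2 in nif.command_classes:
        return "S2"
    if COMMAND_CLASS_SECURITY in nif.command_classes:
        return "S0"
    return "none"


def negotiate(frames, security_critical: bool, allow_s0: bool) -> dict:
    """Controller decision for one inclusion attempt.

    frames: every NodeInfoFrame heard for the joining node during the
    inclusion window (constructed input; a real stack sees radio frames).
    security_critical: owner marked the device as a lock or alarm, so it is
    included with S2 or not at all.
    allow_s0: global fallback switch (a 'disable S0' option modelled as a
    plain flag; an assumption, not a documented controller setting).
    """
    schemes = [highest_scheme(f) for f in frames]
    chosen = schemes[-1]  # a naive stack acts on the last announcement heard
    findings = []
    # Heuristic (assumption): contradictory announcements for one node inside
    # one inclusion window are worth an alert on their own.
    if len(set(schemes)) > 1:
        findings.append("conflicting capability announcements")
    if chosen == "S0" and "S2" in schemes:
        findings.append("downgrade from S2 to S0")
    included = not (chosen == "S0" and (security_critical or not allow_s0))
    return {"included": included, "scheme": chosen, "findings": findings}


# Constructed sample frames: a genuine lock announcing S0 and S2, and the
# same node id announcing S0 only (S2 stripped from the list).
LOCK_NIF = NodeInfoFrame(7, frozenset({COMMAND_CLASS_BASIC,
                                       COMMAND_CLASS_SECURITY,
                                       COMMAND_CLASS_SECURITY_2}))
STRIPPED_NIF = NodeInfoFrame(7, frozenset({COMMAND_CLASS_BASIC,
                                           COMMAND_CLASS_SECURITY}))

if __name__ == "__main__":
    print(negotiate([LOCK_NIF], security_critical=True, allow_s0=True))
    print(negotiate([LOCK_NIF, STRIPPED_NIF], security_critical=True, allow_s0=True))
    print(negotiate([LOCK_NIF, STRIPPED_NIF], security_critical=False, allow_s0=True))
```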

60 comments

  1. Neat, but you have to know when it's pairing by Bearhouse · · Score: 2

    Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.

    1. Re:Neat, but you have to know when it's pairing by MightyYar · · Score: 2

      I'm worried that the neighborhood kids are going to lie in wait until I pair a new ZWave device, exploit this weakness, and then turn my ceiling fan on remotely.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Neat, but you have to know when it's pairing by Locke2005 · · Score: 1

      I have some bad news for you: your girlfriend has a ZWave-enabled vibrator.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Neat, but you have to know when it's pairing by MightyYar · · Score: 1

      I'm married and that's actually my vibrator.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    4. Re:Neat, but you have to know when it's pairing by QuietLagoon · · Score: 1

      From TFA:

      ..."When we say active attacker – we don’t mean a guy in a hoody sat in a car with a laptop," said Pen Test's Andrew Tierney. "A battery-powered drop-box could be left outside the property for weeks, waiting for a pairing event to occur."...

    5. Re:Neat, but you have to know when it's pairing by msauve · · Score: 2

      Precisely. Which means that the summary's statement that "[Z-Wave's] claims were knocked down by researchers" is simply not true.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Neat, but you have to know when it's pairing by olsmeister · · Score: 1

      Is this somehow preferable to breaking a window and letting yourself in?

    7. Re:Neat, but you have to know when it's pairing by PPH · · Score: 1

      Fake news. Slashdotters don't do women.

      --
      Have gnu, will travel.
    8. Re:Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      The article references this scenario:

      "When we say active attacker – we don’t mean a guy in a hoody sat in a car with a laptop," said Pen Test's Andrew Tierney. "A battery-powered drop-box could be left outside the property for weeks, waiting for a pairing event to occur." Tierney later added on Twitter that an attacker could also deploy a denial-of-service flaw against a targeted device to force it offline and trick the owner into re-pairing it at the attacker's convenience.

    9. Re:Neat, but you have to know when it's pairing by UnknowingFool · · Score: 1

      Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.

      The ZWave protocol has a range of 100m. How would it not be practical to park outside a house and launch an attack from the street?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    10. Re: Neat, but you have to know when it's pairing by dargosch · · Score: 1

      Anyone worried obviously has not involved themselves in z-wave enough. The point of the whole thing is to have a low power communication, which means that the range is really not meant to be fantastic. I have problems reliably getting transfers through my outer wall when attempting it deliberately. And the attack only works on initial inclusion, and the negotiation of security standards to use is sure to take some time to complete. I would bet that in any real world scenario it will be very difficult to exploit this thing, as you really need very close proximity to the main controller AND the controller being in inclusion mode for some reason.
      I am not saying that it can't be exploited, but really I am more worried about more physical ways of getting into my house. And, what would you be able to do? Turn on a lamp? Turn the AC off? Turn a ceiling fan on?

      Not worried. The threat is really overstated IMHO.

    11. Re:Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      From TFA / Z-Wave's claim (archived just in case they try to change it)

      "We want to be clear: all installed Z-Wave-based smart locks are secure and are not vulnerable to threat."

      From the video

      click

      (you just have to watch it to see what I mean)

      What is really scary is that the people responsible for the protocol and for the security systems based on it are clearly either willing to lie about whether it's secure or, even worse, are unable to replicate security results properly and too stupid to ask the security researchers for help.

      What is really really scary is that no matter how obviously wrong the claim is from some figure of authority there are always a bunch of people like msauve who will treat every word they say as golden without any interest in the facts.

    12. Re:Neat, but you have to know when it's pairing by Scoth · · Score: 1

      It'd probably be a targeted attack - someone you're acquainted with who wants something you own. If you have a Z-Wave enabled house with z-wave locks and security and junk, you could theoretically use this to gain access with limited notice and no obvious breaking and entering. I doubt this is the kind of thing a rando criminal would use on some random person's house. Takes too much setup and work, and assumption that a pairing event happens frequently. Once I got my (limited to lights and AC) setup going, I haven't paired things for months and really have no reason to.

    13. Re: Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      No, there is no connection to the device. We carried the attack out over range today.

    14. Re:Neat, but you have to know when it's pairing by kaizendojo · · Score: 1

      Upside; they could disable it every few minutes and then she'll *have* to do him.

    15. Re: Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      So in my house you would be able to unlock the front door. But like you said, you would have a hard time exploiting this. When I paired the lock to the controller I did it with them 2 feet apart. This was actually REQUIRED. It would not work if they were more than 5 feet apart by design according to the documentation (even though Z-wave works over about 300 feet or so). But since there was nobody around and no suspicious devices there in that 2 feet, nobody was able to exploit this.

    16. Re:Neat, but you have to know when it's pairing by LynnwoodRooster · · Score: 2

      Well, for starters, you have to wait until a new device is added to the home so a pairing event is triggered. Second, most Z wave devices will only pair to something within 4-5m or so; the last set of Philips Hue bulbs I added to my Z Wave home had to be paired in the office - where my Z Wave controller is - and then relocated to other parts of the house. But I guess you can park and live 100m from my house for an undetermined amount of time and wait for me to actually pair something new that has a 100m pairing range...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    17. Re: Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      Not me, my walls are covered in aluminum foil for just this reason.

    18. Re: Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      Aren't Hue bulbs ZigBee?

      There doesn't need to be someone in a car , a small battery powered device can do it.

    19. Re: Neat, but you have to know when it's pairing by LynnwoodRooster · · Score: 1

      Z Wave and Zigbee networks co-exist and interoperate. I have devices of both types in my house, it's pretty transparent. And I guess if you want to leave a battery powered device outside my home (right up next to the wall, so it can have a hope of working) for 6+ months or so, and it's not discovered, well...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    20. Re: Neat, but you have to know when it's pairing by MountainLogic · · Score: 2

      To be a bit pedantic, they do not interoperate as they need a bridge device that can receive/translate a message from one protocol to the other and retransmit it. Completely different modulation, etc. Plus most consumer IEEE-802.15.4/ZigBee devices are going to run at 2.45 GHz (ZigBee does have a few channels at 902) and Z-Wave runs at 902MHz.

    21. Re: Neat, but you have to know when it's pairing by Anonymous Coward · · Score: 0

      No, they are totally different protocols. I think you have just made a mistake calling Hue Z-Wave.

  2. Interesting question by Locke2005 · · Score: 2

    Which electronic front door locks are using this vulnerable protocol? Asking for a friend, it's not like I go around breaking into houses or anything...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Interesting question by MightyYar · · Score: 1

      I have a Schlage keypad with ZWave capability - though I have that turned off both because it drains the battery very quickly and because I can't fathom a reason to have a ZWave enabled lock...

      The only thing I could come up with is rigging the alarm to send me an alert if the door is currently unlocked when the alarm is armed. But still not worth the roughly 10x battery life loss.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Interesting question by QuietLagoon · · Score: 1

      Let me google that for you... http://lmgtfy.com/?q=zwave+doo...

    3. Re:Interesting question by JaredOfEuropa · · Score: 1

      I use a simple magnetic Z-Wave door sensor to check if the doors are locked. Instead of using the sensor on the door, it triggers on a reed relay inside the deadbolt well, with a small magnet glued to the deadbolt. I use Z-wave stuff throughout the house, but no automatic door locks except on the shed (which unlocks when I am near). As for this vulnerability, I am not too worried. I expect we'll have the option soon to disable the S0 protocol completely. I'm far more worried about someone getting onto the WiFi and accessing the Z_Wave controlling hub.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Interesting question by Necron69 · · Score: 1

      I had Kwikset Zwave door locks installed with the Vivint SmartHome system in my old house. The two AA batteries tended to last about 4-5 months.

      The system was generally awesome and very convenient. I had timers set to automatically lock the doors in the evening and morning in case we forgot. If I left the garage door open more than 10 minutes, you'd get an alert on your phone. Quite handy, but no clue what version of Z-Wave those locks used.

    5. Re:Interesting question by MightyYar · · Score: 1

      The timer idea is nice, but doesn't really require z-wave. I have door sensors rigged to my alarm panel, but they are all hard-wired. I don't have the garage door sensor alert thing set up - that's a pretty good idea.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    6. Re:Interesting question by Bruce+Perens · · Score: 2

      It's a pairing attack, and most locks by design pair over a short distance - so you have to take them off the door and hold them near the controller. IMO this is not a viable attack for an outsider to mount and you should not panic. If this attack worked at any time other than pairing, there would be more reason to worry.

    7. Re:Interesting question by LynnwoodRooster · · Score: 1

      I do basically the same thing. But the garage door is automated even further, so that when a fob in either the car or motorcycle leaves, the garage door will automatically close in 1 minute. And if the system senses the fob returning it will automatically open up the garage door. Never have to worry about leaving the door open ever again! And never have to fumble with a garage remote whilst on my motorcycle.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    8. Re:Interesting question by Anonymous Coward · · Score: 0

      To do this break-in you will need to tamper with the pairing (installation) process. This means deploying your tools close enough to the house and waiting for the owner to install a new lock. It is kind of feasible if you know the owner is waiting for a door lock delivery or he ordered a new security system that comes with such a lock. Without such inside info there is not enough to work with here.

    9. Re:Interesting question by Pascoea · · Score: 1

      I have a similar lock, and it always amuses me when people have wildly different results. I kept the z-wave on because I love that I can lock/unlock the door from my smart phone (via a Wink hub), I can see when my door was unlocked and by who, I have a robot/script that automatically locks the door 5 minutes after it was unlocked, and I can add/remove door codes from my phone.

      As far as the battery life, I can't comment on what happens if I disable the z-wave, but I've had the lock installed since Christmas and I've only replaced the batteries once. And according to the wink app, they are at 97% health.

      Security wise, I figure if someone wants into my house they are going to get in. I'm not high enough value of target for someone to spend any amount of time trying to hack my front door, and it would likely be 100x faster just to pick the old-fashioned tumbler lock that's there as a backup.

    10. Re:Interesting question by Pascoea · · Score: 1

      What hub are you using? I have a Wink 2 and the damn thing won't let you automate unlocking the deadbolt or opening the garage. You can automate the closing/locking, but not the unlocking/opening. Dumb.

    11. Re:Interesting question by LynnwoodRooster · · Score: 1

      I'm using SmartThings.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    12. Re:Interesting question by MightyYar · · Score: 1

      but I've had the lock installed since Christmas and I've only replaced the batteries once

      So for comparison, I last changed the battery in November of 2016 - so your experience of two sets in about 6 months with Z Wave enabled roughly jibes with mine. This is our main door, and most of us use the keypad, so it's not like it's just a matter of disuse.

      I agree that the uses you list are interesting - they just aren't very compelling. I've never had the occasion to let someone in to my home where I couldn't just give them one of the existing codes (like the one for the babysitter). Worst case I'll just wipe out that code after the fact. As for the lock after 5 minutes, the lock has a built-in timer that will automatically lock it after a set period of time - no ZWave necessary. I can see the value in knowing who unlocked the door, though there is the whole matter of people just using the keyhole :) In my case, I have an alarm so I have a nice log of who has come and gone and when without needing a smart lock on every door.

      Agreed on security - my house is mostly "protected" by panes of glass. Hacking my ZWave network would be the idiotic way to break in.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. Physical Access by Anonymous Coward · · Score: 0

    If I can get inside the house to present the pair button? Why does it matter?

    1. Re:Physical Access by UnknowingFool · · Score: 1

      The vulnerability is not in someone getting a hold of your device in your house. The vulnerability is in someone using a device to get inside your network from outside your home. The Z-Wave protocol has a range of 100m. This attack means that someone could use a device, force pair it with your door locks from a distance and then unlock the doors without you knowing. In the article it shows researchers doing that. And that's just door locks. Any IoT device can be force paired from a distance.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Physical Access by Anonymous Coward · · Score: 0

      Not rhetorical. Can you remotely pair? Every system I've ever used that required "pairing", required physical access. I could see someone intercepting the pairing from a distance, but I would hope that a remote attacker could force pairing from a distance.

    3. Re:Physical Access by MikeDataLink · · Score: 1

      Not rhetorical. Can you remotely pair? Every system I've ever used that required "pairing", required physical access. I could see someone intercepting the pairing from a distance, but I would hope that a remote attacker could force pairing from a distance.

      This. You have to press a pairing button either on the webpage or on the physical controller. Either way you'd already have access if you could do either of those.

      --
      Mike @ The Geek Pub. Let's Make Stuff!
    4. Re: Physical Access by Anonymous Coward · · Score: 0

      Controllers can generally be put into pairing mode remotely (as you're usually accessing them over a network anyway), but I've never seen any end-device that can be. Most can't even be paired without removing covers or panels (eg light switches have the pairing button behind the fascia). It's possible that some exist, but if they do they're not common.

    5. Re: Physical Access by Anonymous Coward · · Score: 0

      You've missed the point. The user will carry out the pairing, which is when the attack occurs.

    6. Re:Physical Access by UnknowingFool · · Score: 1

      Considering the range of 100m, yes. Now this vulnerability relies on attacking during a pairing process so an attacker cannot drive by and take control of all IoT networks but they can just wait outside a physical home for a pairing. How often does pairing occur? That depends. For unknown reasons my bluetooth devices have needed to be re-paired every now and then. If the devices do not need to be paired often then the chance of a remote attack is less.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    7. Re:Physical Access by LynnwoodRooster · · Score: 1

      I've never had to re-pair any Z Wave devices in my home... I guess you'll be waiting a LONG time for that event, which takes place at $RANDOM time and maybe once a year when I add a new device...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    8. Re:Physical Access by UnknowingFool · · Score: 1

      Only if you will NEVER EVER add a new device or replace a device. I mean I still use all the same electronic devices I purchased in 1977. Now get off my lawn.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re:Physical Access by LynnwoodRooster · · Score: 1

      You know, I still have my Coleco Electronic Quarterback you insensitive clod! :)

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  4. Told you so ... by Anonymous Coward · · Score: 0

    So, companies rushed to get products out the door, using a new protocol which hasn't been field tested by people who will break into it .. and now it's turning into a gaping security hole.

    The problem with this IoT stuff is people have been rushing it out the door, and treating security as an afterthought.

    I'm afraid this was pretty much inevitable, and many of us have been saying so for some time.

    Oh well, that is what you get for being on the bleeding edge of technology, and this is truly a case of marketing driving the bus.

  5. shocked! by Anonymous Coward · · Score: 0

    I mean, connecting your door locks to the internet. What could go wrong?

    When/Will there ever be a backlash to all this "smart" shit.

    I mean don't get me wrong, it's cool to tell a voice assistant to add shit to lists and turn lights on and off. But no way in hell am I going to install smart locks or any other critical component of home security and safety, just don't need it.

    1. Re:shocked! by PPH · · Score: 1
      --
      Have gnu, will travel.
  6. Insecure IOT devices, who would have guessed?? by Anonymous Coward · · Score: 0

    Who would have thought that IOT devices would be insecure..

    Oh that's right, everyone with at least at high school education or better!

    This was only a matter of time.

  7. Options by jythie · · Score: 1

    I can recall after I got my new house I was looking into how I could better control the radiators and was kinda annoyed that my options seem to come down to either consumer-friendly z-wave or 'probably effective but more complicated industrial solutions'. I could not find a nice simple 'do this over PoE instead of wireless' type solution.

  8. Not an effective attack for most locks by Bruce+Perens · · Score: 1

    The locks in question pair over short distances - by design - and generally have to be taken off of the door and held near the controller to pair. Having an outsider cause a downgrade attack at that one critical time would be extremely unlikely. Once paired, there is no path to attack.

    Sure, I would have locks reflashed if the manufacturer offered it inexpensively. But there's no reason to panic.

    1. Re: Not an effective attack for most locks by Anonymous Coward · · Score: 0

      We have carried the attack over a distance of 15m, and this is without optimization.

      The Z-Wave inclusion process allows for the power to be reduced, but does not mandate it.

      The single device I have seen reduce power only does so for the key exchange, not the node info, so I don't think the mitigation you mention is effective.

    2. Re: Not an effective attack for most locks by LynnwoodRooster · · Score: 1

      Did your attack take place at your prompting, or did you have to wait for someone to initiate pairing? If the latter - then it's essentially worthless, because the owner is right there to see you. Sure, you COULD leave a remote bug to automate the process, but how many of those are you going to scatter around the neighborhood, hope never show up in any gardener work, and not have their batteries die before someone decides to add yet another device to their home?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    3. Re:Not an effective attack for most locks by Nkwe · · Score: 1

      The locks in question pair over short distances - by design - and generally have to be taken off of the door and held near the controller to pair. Having an outsider cause a downgrade attack at that one critical time would be extremely unlikely. Once paired, there is no path to attack.

      Sure, I would have locks reflashed if the manufacturer offered it inexpensively. But there's no reason to panic.

      This assumes that the lock controller and the lock are the only things on your z-wave network. Sure that pairing process is secure for the lock, but is the pairing process for everything else your controller pairs with secure? Because if it is not, those other devices that were insecurely paired may be able to talk to your lock through the controller (it's a network after all.)

    4. Re: Not an effective attack for most locks by Anonymous Coward · · Score: 0

      It's all clearly documented here:

      https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/

      A pairing (any pairing) needs to happen.

      The range for the attack is likely to be significantly further than 15m, so there really isn't a need to place many devices. There are several ways in which a user can be coerced into repairing a device.

      I don't agree the attack is worthless. Z-Wave is used in alarm systems and access control in commercial property.

  9. Meh...doors by Anonymous Coward · · Score: 0

    *Looks at your fancy door lock* ... *throws rock through window*

  10. Another safely ignored bit of hype by Anonymous Coward · · Score: 0

    Or, you know, you could post a link to the original research.

  11. Impractical attack: pairing only occurs once. by mveloso · · Score: 1

    During the pairing process you can pair with the older version of the protocol. However, the pairing process only happens when you add the device to your network and it only happens once.

    I'd agree with Sigma, this is a pretty minor issue.

    Sure someone could come in, disassemble your Z-Wave device, exclude the device, then re-pair it. At that point they have physical access to your stuff, so why not just crack open your home automation system?

    1. Re: Impractical attack: pairing only occurs once. by Anonymous Coward · · Score: 0

      How many people only pair a single device though?

  12. Difficulty & Cost by Anonymous Coward · · Score: 0

    Compare the difficulty and cost of this attack versus a brick through a window.

    Which attack is quicker, easier, cheaper, and requires no planning?

    Yes, I can imagine the HIGHLY unlikely scenario where the FBI targets you, drops a "bug" in your flowerbed, then leverages the attack to compromise your entire Z-Wave network, to disarm your high-tech alarm system, enter your home, do dirty deeds, and then depart without you ever being aware that they were there. I know you think they want snaps of your gentleman's sausage. But take my word, nobody wants to see that. NOBODY.

    I can much more likely see the neighbor's drug-addicted kid busting the window and making off with your valuables while everyone tries to ignore your "annoying alarm siren" and the police arriving 20 minutes later, to the theme of yakety sax, only to confirm that you've indeed been burgled.

    It is the XKCD encryption scenario all over. https://xkcd.com/538/