

Vulnerability in Z-Wave Wireless Communications Protocol, Used By Some IoT and Smart Devices, Exposes 100 Million Devices To Attack (bleepingcomputer.com)

An anonymous reader writes: The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. The attack -- codenamed Z-Shave -- relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard.

The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property. While this flaw might prove frivolous for some devices in some scenarios, it is a big issue for others -- such as smart door locks, alarm systems, or any Z-Wave-capable device on the network of a large corporation. The company behind the Z-Wave protocol tried to downplay the attack's significance, but its claims were knocked down by researchers in a video.
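A simplified model of the negotiation the summary describes and of the controller-side mitigation commenters go on to mention (refusing the S0 fallback outright). This is an added example written for this page, not code from the article, the researchers or any Z-Wave stack; the class ranking, the Policy and Node types and the negotiate/audit functions are all constructed for illustration.

```python
"""Toy model of security-class selection at Z-Wave inclusion.

Constructed example: the ranking, policy fields and frames are simplified
stand-ins, not the real Security 0 / Security 2 command classes."""
from dataclasses import dataclass

# Security classes from weakest to strongest (constructed ranking).
RANK = {"none": 0, "S0": 1, "S2": 2}


@dataclass
class Policy:
    min_class: str = "S0"            # weakest class the controller accepts
    allow_s0_fallback: bool = True   # the default behaviour Z-Shave relies on


@dataclass
class Node:
    name: str
    advertised: list          # security classes in the capability frame *as received*
    granted: str = "none"     # class actually used after inclusion


def negotiate(advertised, policy):
    """Pick the strongest class the joining device claims to support, subject
    to policy. Returns the chosen class, or None if inclusion must be refused.

    An attacker who rewrites the capability frame so that only S0 is listed
    gets S0 from a permissive policy; a strict policy refuses instead."""
    best = max(advertised, key=lambda c: RANK[c], default="none")
    if best == "S0" and not policy.allow_s0_fallback:
        return None
    if RANK[best] < RANK[policy.min_class]:
        return None
    return best


def include(node, policy):
    """Run inclusion for one node and record what it was granted."""
    chosen = negotiate(node.advertised, policy)
    node.granted = chosen or "none"
    return chosen


def audit(nodes, sensitive=("lock", "alarm")):
    """Post-inclusion check: names of sensitive nodes that ended up below S2.
    A lock sitting at S0 after inclusion is the symptom a downgrade leaves."""
    return [n.name for n in nodes
            if any(tag in n.name.lower() for tag in sensitive)
            and RANK[n.granted] < RANK["S2"]]


if __name__ == "__main__":
    # Constructed scenario: an S2-capable lock whose frame was altered to "S0 only".
    lock = Node("front door lock", ["S0"])
    print("permissive:", include(lock, Policy()))                    # S0 (downgraded)
    print("strict:", include(Node("front door lock", ["S0"]),
                             Policy(min_class="S2", allow_s0_fallback=False)))  # None
    print("audit flags:", audit([lock, Node("lamp", ["S0"], "S0")]))
```
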

39 of 60 comments

  1. Neat, but you have to know when it's pairing by Bearhouse · · Score: 2

    Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.

    1. Re:Neat, but you have to know when it's pairing by MightyYar · · Score: 2

      I'm worried that the neighborhood kids are going to lie in wait until I pair a new ZWave device, exploit this weakness, and then turn my ceiling fan on remotely.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Neat, but you have to know when it's pairing by Locke2005 · · Score: 1

      I have some bad news for you: your girlfriend has a ZWave-enabled vibrator.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Neat, but you have to know when it's pairing by MightyYar · · Score: 1

      I'm married and that's actually my vibrator.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    4. Re:Neat, but you have to know when it's pairing by QuietLagoon · · Score: 1

      From TFA:

      ..."When we say active attacker – we don’t mean a guy in a hoody sat in a car with a laptop," said Pen Test's Andrew Tierney. "A battery-powered drop-box could be left outside the property for weeks, waiting for a pairing event to occur."...

    5. Re:Neat, but you have to know when it's pairing by msauve · · Score: 2

      Precisely. Which means that the summary's statement that "[Z-Wave's] claims were knocked down by researchers" is simply not true.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Neat, but you have to know when it's pairing by olsmeister · · Score: 1

      Is this somehow preferable to breaking a window and letting yourself in?

    7. Re:Neat, but you have to know when it's pairing by PPH · · Score: 1

      Fake news. Slashdotters don't do women.

      --
      Have gnu, will travel.
    8. Re:Neat, but you have to know when it's pairing by UnknowingFool · · Score: 1

      Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack...so, pretty cool, but I wonder how practical an attack it is in practice.

      The ZWave protocol has a range of 100m. How would it not be practical to park outside a house and launch an attack from the street?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re: Neat, but you have to know when it's pairing by dargosch · · Score: 1

      Anyone worried obviously has not involved themselves in z-wave enough. The point of the whole thing is to have a low power communication, which means that the range is really not meant to be fantastic. I have problems reliably getting transfers through my outer wall when attempting it deliberately. And the attack only works on initial inclusion, and the negotiation of security standards to use is sure to take some time to complete. I would bet that in any real world scenario it will be very difficult to exploit this thing, as you really need very close proximity to the main controller AND the controller being in inclusion mode for some reason.
      I am not saying that it can't be exploited, but really I am more worried about more physical ways of getting into my house. And, what would you be able to do? Turn on a lamp? Turn the AC off? Turn a ceiling fan on?

      Not worried. The threat is really overstated IMHO.

    10. Re:Neat, but you have to know when it's pairing by Scoth · · Score: 1

      It'd probably be a targeted attack - someone you're acquainted with who wants something you own. If you have a Z-Wave enabled house with z-wave locks and security and junk, you could theoretically use this to gain access with limited notice and no obvious breaking and entering. I doubt this is the kind of thing a rando criminal would use on some random person's house. Takes too much setup and work, and assumption that a pairing event happens frequently. Once I got my (limited to lights and AC) setup going, I haven't paired things for months and really have no reason to.

    11. Re:Neat, but you have to know when it's pairing by kaizendojo · · Score: 1

      Upside; they could disable it every few minutes and then she'll *have* to do him.

    12. Re:Neat, but you have to know when it's pairing by LynnwoodRooster · · Score: 2

      Well, for starters, you have to wait until a new device is added to the home so a pairing event is triggered. Second, most Z wave devices will only pair to something within 4-5m or so; the last set of Philips Hue bulbs I added to my Z Wave home had to be paired in the office - where my Z Wave controller is - and then relocated to other parts of the house. But I guess you can park and live 100m from my house for an undetermined amount of time and wait for me to actually pair something new that has a 100m pairing range...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    13. Re: Neat, but you have to know when it's pairing by LynnwoodRooster · · Score: 1

      Z Wave and Zigbee networks co-exist and interoperate. I have devices of both types in my house, it's pretty transparent. And I guess if you want to leave a battery powered device outside my home (right up next to the wall, so it can have a hope of working) for 6+ months or so, and it's not discovered, well...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    14. Re: Neat, but you have to know when it's pairing by MountainLogic · · Score: 2

      To be a bit pedantic, they do not interoperate as they need a bridge device that can receive/translate a message from one protocol to the other and retransmit it. Completely different modulation, etc. Plus most consumer IEEE-802.15.4/ZigBee devices are going to run at 2.45 GHz (ZigBee does have a few channels at 902) and Z-Wave runs at 902MHz.

  2. Interesting question by Locke2005 · · Score: 2

    Which electronic front door locks are using this vulnerable protocol? Asking for a friend, it's not like I go around breaking into houses or anything...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Interesting question by MightyYar · · Score: 1

      I have a Schlage keypad with ZWave capability - though I have that turned off both because it drains the battery very quickly and because I can't fathom a reason to have a ZWave enabled lock...

      The only thing I could come up with is rigging the alarm to send me an alert if the door is currently unlocked when the alarm is armed. But still not worth the roughly 10x battery life loss.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Interesting question by QuietLagoon · · Score: 1

      Let me google that for you... http://lmgtfy.com/?q=zwave+doo...

    3. Re:Interesting question by JaredOfEuropa · · Score: 1

      I use a simple magnetic Z-Wave door sensor to check if the doors are locked. Instead of using the sensor on the door, it triggers on a reed relay inside the deadbolt well, with a small magnet glued to the deadbolt. I use Z-Wave stuff throughout the house, but no automatic door locks except on the shed (which unlocks when I am near). As for this vulnerability, I am not too worried. I expect we'll have the option soon to disable the S0 protocol completely. I'm far more worried about someone getting onto the WiFi and accessing the Z-Wave controlling hub.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Interesting question by Necron69 · · Score: 1

      I had Kwikset Zwave door locks installed with the Vivint SmartHome system in my old house. The two AA batteries tended to last about 4-5 months.

      The system was generally awesome and very convenient. I had timers set to automatically lock the doors in the evening and morning in case we forgot. If I left the garage door open more than 10 minutes, you'd get an alert on your phone. Quite handy, but no clue what version of Z-Wave those locks used.

    5. Re:Interesting question by MightyYar · · Score: 1

      The timer idea is nice, but doesn't really require z-wave. I have door sensors rigged to my alarm panel, but they are all hard-wired. I don't have the garage door sensor alert thing set up - that's a pretty good idea.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    6. Re:Interesting question by Bruce+Perens · · Score: 2

      It's a pairing attack, and most locks by design pair over a short distance - so you have to take them off the door and hold them near the controller. IMO this is not a viable attack for an outsider to mount and you should not panic. If this attack worked at any time other than pairing, there would be more reason to worry.

    7. Re:Interesting question by LynnwoodRooster · · Score: 1

      I do basically the same thing. But the garage door is automated even further, so that when a fob in either the car or motorcycle leaves, the garage door will automatically close in 1 minute. And if the system senses the fob returning it will automatically open up the garage door. Never have to worry about leaving the door open ever again! And never have to fumble with a garage remote whilst on my motorcycle.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    8. Re:Interesting question by Pascoea · · Score: 1

      I have a similar lock, and it always amuses me when people have wildly different results. I kept the z-wave on because I love that I can lock/unlock the door from my smart phone (via a Wink hub), I can see when my door was unlocked and by who, I have a robot/script that automatically locks the door 5 minutes after it was unlocked, and I can add/remove door codes from my phone.

      As far as the battery life, I can't comment on what happens if I disable the z-wave, but I've had the lock installed since Christmas and I've only replaced the batteries once. And according to the wink app, they are at 97% health.

      Security wise, I figure if someone wants into my house they are going to get in. I'm not high enough value of target for someone to spend any amount of time trying to hack my front door, and it would likely be 100x faster just to pick the old-fashioned tumbler lock that's there as a backup.

    9. Re:Interesting question by Pascoea · · Score: 1

      What hub are you using? I have a Wink 2 and the damn thing won't let you automate unlocking the deadbolt or opening the garage. You can automate the closing/locking, but not the unlocking/opening. Dumb.

    10. Re:Interesting question by LynnwoodRooster · · Score: 1

      I'm using SmartThings.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    11. Re:Interesting question by MightyYar · · Score: 1

      but I've had the lock installed since Christmas and I've only replaced the batteries once

      So for comparison, I last changed the battery in November of 2016 - so your experience of two sets in about 6 months with Z Wave enabled roughly jibes with mine. This is our main door, and most of us use the keypad, so it's not like it's just a matter of disuse.

      I agree that the uses you list are interesting - they just aren't very compelling. I've never had the occasion to let someone in to my home where I couldn't just give them one of the existing codes (like the one for the babysitter). Worst case I'll just wipe out that code after the fact. As for the lock after 5 minutes, the lock has a built-in timer that will automatically lock it after a set period of time - no ZWave necessary. I can see the value in knowing who unlocked the door, though there is the whole matter of people just using the keyhole :) In my case, I have an alarm so I have a nice log of who has come and gone and when without needing a smart lock on every door.

      Agreed on security - my house is mostly "protected" by panes of glass. Hacking my ZWave network would be the idiotic way to break in.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. Re:Physical Access by UnknowingFool · · Score: 1

    The vulnerability is not in someone getting a hold of your device in your house. The vulnerability is in someone using a device to get inside your network from outside your home. The Z-Wave protocol has a range of 100m. This attack means that someone could use a device, force pair it with your door locks from a distance and then unlock the doors without you knowing. In the article it shows researchers doing that. And that's just door locks. Any IoT device can be force paired from a distance.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  4. Re:shocked! by PPH · · Score: 1
    --
    Have gnu, will travel.
  5. Options by jythie · · Score: 1

    I can recall after I got my new house I was looking into how I could better control the radiators and was kinda annoyed that my options seem to come down to either consumer-friendly z-wave or 'probably effective but more complicated industrial solutions'. I could not find a nice simple 'do this over PoE instead of wireless' type solution.

  6. Not an effective attack for most locks by Bruce+Perens · · Score: 1

    The locks in question pair over short distances - by design - and generally have to be taken off of the door and held near the controller to pair. Having an outsider cause a downgrade attack at that one critical time would be extremely unlikely. Once paired, there is no path to attack.

    Sure, I would have locks reflashed if the manufacturer offered it inexpensively. But there's no reason to panic.

    1. Re: Not an effective attack for most locks by LynnwoodRooster · · Score: 1

      Did your attack take place at your prompting, or did you have to wait for someone to initiate pairing? If the latter - then it's essentially worthless, because the owner is right there to see you. Sure, you COULD leave a remote bug to automate the process, but how many of those are you going to scatter around the neighborhood, hope never show up in any gardener work, and not have their batteries die before someone decides to add yet another device to their home?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    2. Re:Not an effective attack for most locks by Nkwe · · Score: 1

      The locks in question pair over short distances - by design - and generally have to be taken off of the door and held near the controller to pair. Having an outsider cause a downgrade attack at that one critical time would be extremely unlikely. Once paired, there is no path to attack.

      Sure, I would have locks reflashed if the manufacturer offered it inexpensively. But there's no reason to panic.

      This assumes that the lock controller and the lock are the only things on your z-wave network. Sure that pairing process is secure for the lock, but is the paring process for everything else your controller pairs with secure? Because if it is not, those other devices that were insecurely paired may be able to talk to your lock through the controller (it's a network after all.)

  7. Re:Physical Access by MikeDataLink · · Score: 1

    Not rhetorical. Can you remotely pair? Every system I've ever used that required "pairing", required physical access. I could see someone intercepting the pairing from a distance, but I would hope that a remote attacker could force pairing from a distance.

    This. You have to press a pairing button either on the webpage or on the physical controller. Either way you'd already have access if you could do either of those.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  8. Re:Physical Access by UnknowingFool · · Score: 1

    Considering the range of 100m, yes. Now this vulnerability relies on attacking during a pairing process, so an attacker cannot drive by and take control of all IoT networks, but they can just wait outside a physical home for a pairing. How often does pairing occur? That depends. For unknown reasons my bluetooth devices need to be re-paired every now and then. If the devices do not need to be paired often then the chance of a remote attack is less.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. Re:Physical Access by LynnwoodRooster · · Score: 1

    I've never had to re-pair any Z Wave devices in my home... I guess you'll be waiting a LONG time for that event, which takes place at $RANDOM time and maybe once a year when I add a new device...

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  10. Re:Physical Access by UnknowingFool · · Score: 1

    Only if you will NEVER EVER add a new device or replace a device. I mean I still use all the same electronic devices I purchased in 1977. Now get off my lawn.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  11. Impractical attack: pairing only occurs once. by mveloso · · Score: 1

    During the pairing process you can pair with the older version of the protocol. However, the pairing process only happens when you add the device to your network and it only happens once.

    I'd agree with Sigma, this is a pretty minor issue.

    Sure someone could come in, disassemble your Z-Wave device, exclude the device, then re-pair it. At that point they have physical access to your stuff, so why not just crack open your home automation system?

  12. Re:Physical Access by LynnwoodRooster · · Score: 1

    You know, I still have my Coleco Electronic Quarterback you insensitive clod! :)

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!