Slashdot Mirror


Vulnerability in Z-Wave Wireless Communications Protocol, Used By Some IoT and Smart Devices, Exposes 100 Million Devices To Attack (bleepingcomputer.com)

An anonymous reader writes: The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. The attack -- codenamed Z-Shave -- relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard.

The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property. While this flaw might prove frivolous for some devices in some scenarios, it is a big issue for others -- such as smart door locks, alarm systems, or any Z-Wave-capable device on the network of a large corporation. The company behind the Z-Wave protocol tried to downplay the attack's significance, but its claims were knocked down by researchers in a video.


  1. Neat, but you have to know when it's pairing by Bearhouse · · Score: 2

    Neat trick, but if you watch the video, they have to be able to connect to the device while it's pairing to inject the attack... so, pretty cool, but I wonder how practical an attack it is in practice.

    1. Re:Neat, but you have to know when it's pairing by MightyYar · · Score: 2

      I'm worried that the neighborhood kids are going to lie in wait until I pair a new ZWave device, exploit this weakness, and then turn my ceiling fan on remotely.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Neat, but you have to know when it's pairing by msauve · · Score: 2

      Precisely. Which means that the summary's statement that "[Z-Wave's] claims were knocked down by researchers" is simply not true.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Neat, but you have to know when it's pairing by LynnwoodRooster · · Score: 2

      Well, for starters, you have to wait until a new device is added to the home so a pairing event is triggered. Second, most Z wave devices will only pair to something within 4-5m or so; the last set of Philips Hue bulbs I added to my Z Wave home had to be paired in the office - where my Z Wave controller is - and then relocated to other parts of the house. But I guess you can park and live 100m from my house for an undetermined amount of time and wait for me to actually pair something new that has a 100m pairing range...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    4. Re: Neat, but you have to know when it's pairing by MountainLogic · · Score: 2

      To be a bit pedantic, they do not interoperate as they need a bridge device that can receive/translate a message from one protocol to the other and retransmit it. Completely different modulation, etc. Plus most consumer IEEE-802.15.4/ZigBee devices are going to run at 2.45 GHz (ZigBee does have a few channels at 902) and Z-Wave runs at 902MHz.

  2. Interesting question by Locke2005 · · Score: 2

    Which electronic front door locks are using this vulnerable protocol? Asking for a friend, it's not like I go around breaking into houses or anything...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Interesting question by Bruce Perens · · Score: 2

      It's a pairing attack, and most locks by design pair over a short distance - so you have to take them off the door and hold them near the controller. IMO this is not a viable attack for an outsider to mount and you should not panic. If this attack worked at any time other than pairing, there would be more reason to worry.