The popular Z-Wave wireless protocol, used by millions of IoT devices, may allow hackers to remotely unlock your smart lock and take control of targeted gadgets, according to security researchers.
The Z-Wave protocol is deployed by some 2,400 vendors; its wireless chipsets are embedded inside up to 100 million smart devices, including lighting, heating systems, home alarms and door locks, which represent a particularly worrying risk.
According to UK cybersecurity firm Pen Test Partners, which released a report on the vulnerability last week, Z-Wave's pairing security process (now S2) can be downgraded to the weaker S0, which had a previously disclosed vulnerability and can still expose smart devices to compromise.
In order to secure traffic, Z-Wave uses a shared network key, which is exchanged between the controller and the client devices (nodes) at the time of pairing. The keys are intended to protect communication and stop attackers from being able to exploit paired devices.
The S0 pairing process had a bug: the network key was transmitted between nodes encrypted with an all-zero key, which allowed attackers within RF range to capture the traffic and trivially decrypt it to recover the key.
Subsequent upgrades fixed the vulnerability by using the Diffie-Hellman algorithm to share the secret key securely; however, the ability to downgrade a device to S0 removes that protection.
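To make the difference between the two pairing modes concrete, here is an added toy model (not Pen Test Partners' or Silicon Labs' code, and not real Z-Wave framing) of what a passive RF listener learns from each key exchange. It assumes a SHA-256 keystream as a stand-in for the real block cipher and a small, deliberately insecure Diffie-Hellman group in place of Z-Wave's elliptic-curve exchange.

```python
import hashlib
import os
import secrets

# Toy cipher: keystream = SHA-256(key || nonce) XORed with the message.
# Constructed stand-in for illustration only, not Z-Wave's AES mode.
def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.sha256(key + nonce).digest()[: len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

ZERO_KEY = bytes(16)  # S0's well-known all-zero temporary key

# Toy DH parameters (assumption: small Mersenne prime, demo only).
P = (1 << 127) - 1
G = 5

def s0_inclusion(network_key: bytes) -> dict:
    """S0: the network key is sent encrypted under a fixed, public zero key."""
    nonce = os.urandom(8)
    return {"nonce": nonce, "ct": xor_crypt(ZERO_KEY, nonce, network_key)}

def s2_inclusion(network_key: bytes) -> dict:
    """S2-style: both sides derive a shared secret via Diffie-Hellman;
    only the public values and the ciphertext travel over the air."""
    a = secrets.randbelow(P - 2) + 1          # controller's private value
    b = secrets.randbelow(P - 2) + 1          # device's private value
    A, B = pow(G, a, P), pow(G, b, P)         # public values on the air
    shared = pow(B, a, P)                     # equals pow(A, b, P) at the device
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]
    nonce = os.urandom(8)
    return {"A": A, "B": B, "nonce": nonce, "ct": xor_crypt(key, nonce, network_key)}

def passive_listener_guess(transcript: dict) -> bytes:
    """What someone who only captured the exchange can compute: the zero key
    is public knowledge, but DH private values never appear in the transcript."""
    return xor_crypt(ZERO_KEY, transcript["nonce"], transcript["ct"])

def listener_recovers_key(transcript: dict, network_key: bytes) -> bool:
    return passive_listener_guess(transcript) == network_key

if __name__ == "__main__":
    nk = os.urandom(16)  # constructed network key
    print("S0 leaks the network key:", listener_recovers_key(s0_inclusion(nk), nk))
    print("S2 leaks the network key:", listener_recovers_key(s2_inclusion(nk), nk))
```

Running it prints True for S0 and False for S2, which is exactly why forcing a device back to S0 during inclusion matters.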
The researchers posted a demonstration video illustrating the downgrade attack on a Conexis L1 Smart Door Lock from lock manufacturer Yale. An attacker within about 100 meters could steal the keys to the smart lock following the downgrade attack.
Silicon Labs, the company behind Z-Wave, maintains that the ability to downgrade to S0 is not a vulnerability but a deliberate feature aimed at supporting backwards compatibility. Furthermore, Silicon Labs claims an attacker would only have an extremely narrow window to capture the key.
“To force a reversion from S2 to S0 during installation is not easy. You would need advanced equipment in proximity to the home during the short installation process,” the firm notes.
“When installing a new device there is a very small window of time (milliseconds) to force the S2 to S0 reversion. The homeowner or professional installer will always be present during installation and is the only one who can initiate the inclusion process.”
However, Pen Test Partners researcher Ken Munro told Forbes: “It’s not difficult to exploit. Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.”