Update: Z-Wave reached out in response and provided additional details about Z-Shave. Most critically, according to Raoul Wijgergangs, VP/GM of Z-Wave for Silicon Labs, and Lars Lydersen, senior director of product security at Silicon Labs, the vulnerability can’t be forced from outside a Z-Wave IoT network, and the window to take advantage of it is only 20 milliseconds.
Lydersen stressed that adding a device to an IoT network has to be done from the control station, meaning no one hiding outside could add a device—they would have to be listening precisely when an IoT network user was adding a device.
Adding more context on the technical side, Lydersen said that devices supporting S2 security aren’t vulnerable if an S0 key is stolen—only other S0 devices would be exposed.
Most IoT setups are a mix of S2 and S0 devices, but the only time this vulnerability could be taken advantage of is while devices are actively being connected by a network admin.
Z-Wave acknowledged the company was aware of the vulnerability, but leaving it in place had to be a trade-off for usability. “If we made it so S2 devices couldn’t talk to S0 ones we’d have two separate networks that could never talk to each other,” Wijgergangs said.
Z-Wave also said it was planning to change how security downgrade notifications on its products happen. From now on, instead of simply displaying an onscreen notification that a less secure IoT device has been added, devices will require the user to actively acknowledge the notification.
Z-Wave, a company that manufactures IoT chips present in millions of devices worldwide, has a serious security problem: Its chips can have their pairing security downgraded to give attackers near immediate access to all Z-Wave devices on a network.
The exploit is called Z-Shave, and it has been known of, and supposedly fixed, since 2013. The flaw rests in Z-Wave’s pairing protocol, which in 2013 was called S0. S0 transmitted network keys to network nodes protected only by a key of all zeroes, which allowed them to be sniffed by attackers within radio frequency (RF) range.
Z-Wave fixed the S0 exploit in 2013 by introducing S2, a new security protocol that used advanced encryption and improved authentication to protect security keys. One problem: It’s easily downgradable to S0, and from there an attacker can easily take control of all the Z-Wave devices on a network.
How Z-Shave continues to this day
The continued viability of Z-Shave was discovered by Pen Test Partners, a UK-based cybersecurity firm, which noted in its blog post that all they needed to force a downgrade from S2 to S0 was a Z-Wave PC controller chip.
Pen Test Partners was able to sniff out a network key from Z-Wave devices using three different attack methods, the blog said. The first worked by enabling pairing mode on the controller and then modifying the node info it broadcast to force an S0 connection.
The second method detailed in the post was to force a device to go into pairing mode by temporarily removing the batteries, forcing it to restart and re-pair. That, along with the method used in the first attack, allowed them to downgrade the connection to S0 and gain control.
Third, Pen Test Partners jammed the Z-Wave signal with an RFCat and then listened for the node info to be broadcast from a Z-Wave device. Once they sniffed out the home ID from the node, the post said, they were able to actively jam the rest of the packet to prevent it from being received.
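The inclusion review a controller or hub logging pipeline could apply to pairing events, as an added example rather than code from Z-Wave or Pen Test Partners: it flags unacknowledged S0 inclusions (the acknowledgement Z-Wave said it will require), S2-capable products that joined with S0 (the node-info tampering described above), and lists which nodes would be exposed if the S0 key were sniffed. The event fields, the S2 product inventory and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

S2_CLASSES = frozenset({"S2_Access", "S2_Authenticated", "S2_Unauthenticated"})

# Constructed inventory of product ids known to support S2 (in practice taken
# from the vendor's certification listing); ids are hypothetical.
KNOWN_S2_PRODUCTS = frozenset({"vendorA:lock-700", "vendorB:dimmer-500"})


@dataclass
class Inclusion:
    node_id: int
    product_id: str             # manufacturer:product reported after inclusion
    advertised: frozenset       # security classes seen in the node info frame
    negotiated: str             # security class the controller actually used
    acknowledged: bool = False  # did the user explicitly accept the result?


def review_inclusion(ev: Inclusion) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if ev.negotiated != "S0":
        return findings  # S2 inclusions are not affected by a leaked S0 key
    if not ev.acknowledged:
        findings.append("S0 inclusion not acknowledged by the user")
    if ev.advertised & S2_CLASSES:
        findings.append("node advertised S2 but was bootstrapped with S0")
    if ev.product_id in KNOWN_S2_PRODUCTS:
        findings.append("S2-capable product joined with S0: possible node-info tampering")
    return findings


def exposed_if_s0_key_leaks(inclusions: list[Inclusion]) -> set[int]:
    """Nodes sharing the S0 network key, i.e. those exposed if it is sniffed."""
    return {ev.node_id for ev in inclusions if ev.negotiated == "S0"}


# Constructed sample: a normal S2 lock, a legacy S0 sensor, and a lock whose
# node info only advertised S0 and was included without acknowledgement.
SAMPLE = [
    Inclusion(2, "vendorA:lock-700", frozenset({"S2_Access"}), "S2_Access", True),
    Inclusion(3, "vendorC:sensor-300", frozenset({"S0"}), "S0", True),
    Inclusion(4, "vendorA:lock-700", frozenset({"S0"}), "S0", False),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        for finding in review_inclusion(ev):
            print(f"node {ev.node_id}: {finding}")
    print("exposed if S0 key leaks:", sorted(exposed_if_s0_key_leaks(SAMPLE)))
```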
Why Z-Shave is so dangerous
“Once you’ve got the network key, you have access to control the Z-Wave devices on the network,” Pen Test Partners said. “2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres.”
Z-Wave chips are present in devices from GE, Amazon, Schlage, Nest, Samsung, and nearly 2,400 other IoT device manufacturers. It’s not a bad idea to head over to Z-Wave’s store page to see if you own a device affected by Z-Shave.
If you own any device listed in the Z-Wave store it’s safe to assume it is vulnerable. Offices, retail stores, homes, and countless other connected spaces are affected by this exploit, and with five years since it was “fixed” you may not want to hold out hope for a quick resolution.
The big takeaways for tech leaders:
- IoT chip manufacturer Z-Wave’s products are all reportedly vulnerable to an attack that can downgrade pairing security and potentially give an attacker control over all older, less secure IoT devices on a network.
- While older S0 security devices are still vulnerable, the attack only works while an attacker is monitoring the network for new device connections. According to Z-Wave, an attacker would need to hit the precise 20ms window in which to act.