Smart lock user? Z-wave pairing flaw lets attackers open your door from yards away

Up to 100 million Internet of Things devices could be at risk.
Written by Liam Tung, Contributing Writer

Video: Researchers demonstrate the Z-Wave Z-Shave attack.

Source: Pen Test Partners/YouTube

Hackers may be able to remotely unlock your smart lock if it relies on the Z-Wave wireless protocol.

According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable to an attack that forces the current secure-pairing mechanism, known as S2, to an earlier version with known weaknesses, called S0.

The problem with S0 is that when two devices, like a controller and a smart lock, are pairing, it encrypts the key exchange using a hardcoded key '0000000000000000'. So, an attacker could capture traffic on the network and easily decrypt it to discover the key.

S2 fixed this problem by employing the Diffie-Hellman algorithm for securely sharing secret keys, but the downgrade removes that protection.

The researchers have posted a video demonstrating the downgrade attack -- dubbed Z-Shave -- on a Conexis L1 Smart Door Lock from lock manufacturer Yale. They note that an attacker within about 100 meters could carry out the downgrade and then steal the keys to the smart lock.


Z-Wave chips are in 100 million smart gadgets, from lights to heating systems, but the risk is greater for things with security applications, such as locks.

Silicon Labs, the company behind Z-Wave, has responded to the research and insists the ability to downgrade to S0 is not a vulnerability but a feature designed to support backwards compatibility. Plus, it claims an attacker would have a very narrow window to capture the key.

"To force a reversion from S2 to S0 during installation is not easy. You would need advanced equipment in proximity to the home during the short installation process," the firm notes.

"When installing a new device there is a very small window of time (milliseconds) to force the S2 to S0 reversion. The homeowner or professional installer will always be present during installation and is the only one who can initiate the inclusion process."

But Pen Test Partners researcher Ken Munro told Forbes that the attack could be automated, meaning a thief could set up a tiny box near a home that listens for Z-Wave pairing rather than lying in wait for the perfect moment.

"It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key," he said.
