In the latest Hak5 episode: http://hak5.org/episodes/hak5-1702
they interview a guy at DefCon who gave a talk on security vulnerabilities in home automation gear. One he mentioned in passing was that Z-Wave door locks were vulnerable to a replay attack. Unfortunately he didn't give any specifics as to the models impacted. I'd speculate it was a Schlage lock, as they seem to be the most popular, but could be Kwikset or both. This is rather disappointing, as this is a rookie mistake, and suggests these companies didn't really take security all that seriously.

When Z-Wave security products (like door/window and motion sensors) first started appearing, I made some attempt to look into what sort of security was provided by the protocol, but couldn't find any easy answers. Is the signal encrypted? How are the keys created/distributed? Who knows. Maybe since then someone with more time and motivation has investigated more deeply and written up an executive summary on the state of Z-Wave security.

Ah, here we go...

Security Evaluation of the Z-Wave Wireless Protocol
http://research.sensepost.com/cms/resources/conferences/2013/bh_zwave/Security%20Evaluation%20of%20Z-Wave_WP.pdf

"...no public vulnerability research on Z-Wave could be found prior to this work. In this paper, we analyze the Z-Wave protocol stack layers and design a radio packet capture device and related software named Z-Force to intercept Z-Wave communications. This device enables us to decode different layers of the Z-Wave protocol and study the implementation of encryption and data origin authentication in the application layer. We then present the details of a vulnerability discovered using Z-Force tool in AES encrypted Z-Wave door locks that can be remotely exploited to unlock doors without the knowledge of the encryption keys."

Should be an interesting read. I don't know the date of this paper, but it seems to be the origin of the info used in subsequent articles and talks.

Some articles:

Potential attack vectors against Z-Wave
http://blog.opensecurityresearch.com/2013/07/potential-attack-vectors-against-z-wave.html

Can Hackers Unlock My Z-Wave Door Lock?
http://suretycam.com/can-hackers-unlock-my-z-wave-door-lock/

  ...researchers discovered that a single, unnamed Z-Wave door lock manufacturer has a bug in their implementation of the Z-Wave secure node association protocol that could allow a hacker within Z-Wave range of the network to reset the lock's user codes and unlock the door from outside. They did not find a vulnerability in the Z-Wave AES security protocol, just a bug in one manufacturer's code.

  ...the manufacturer has already taken steps to fix the issue and that additional test cases have already been added to the Z-Wave certification test suite to prevent this from happening in the future.

Hacking and attacking automated homes
http://www.networkworld.com/article/2224849/microsoft-subnet/hacking-and-attacking-automated-homes.html

I guess this is old news, as some of these refer to last year's Black Hat and Def Con conferences. The middle article doesn't seem to be describing a replay attack, so that could be something new, just presented at conferences this year.

Given what researchers found when they investigated wireless alarm systems (see my prior post[1]), using proprietary protocols made expressly for security, I guess Z-Wave isn't any worse off. There is at least a suggestion Z-Wave uses AES encryption, which is probably better than what the alarm systems using decades old designs are doing.

1. http://www.mail-archive.com/hardwarehacking@blu.org/msg01263.html

-Tom