Jump to content


Photo
- - - - -

ZWAVE Hack


  • Please log in to reply
2 replies to this topic

#1 batwater

batwater

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 261 posts
  • Location:St. Louis
  • Experience:guru
  • Software:CQC, EventGhost, Harmony, Custom
  • Hardware:DSC, Custom
  • Tech:X10-RF, UPB, Z-Wave, ZigBee
  • Audio:Sonos
  • Video:Custom
  • CCTV:analog, ip, dvr
  • Phone:Asterisk, OBi100/110

Posted 24 May 2018 - 06:46 PM

Article title says it all...

 

A Basic Z-Wave Hack Exposes Up To 100 Million Smart Home Devices

 

 



#2 linuxha

linuxha

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 412 posts
  • Location:NJ, USA
  • Experience:average
  • Software:Mister House, Custom
  • Hardware:Elk M1, Custom
  • Tech:X10-RF, Z-Wave, ZigBee, 1-Wire, Custom
  • Audio:Custom
  • Video:Custom
  • CCTV:ip
  • Phone:Asterisk

Posted 25 May 2018 - 08:38 AM

If I'm not mistaken this is the same hack from a few years ago. Seems some new vendors have ignored the issue. I don't know if it pertains to the vendors that fixed it the last time.

 

Do we know if the researchers had new devices or old devices?



#3 cobra

cobra

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 358 posts
  • Location:SouthEast PA, USA
  • Experience:average
  • Software:Custom
  • Tech:UPB, Z-Wave

Posted 26 May 2018 - 10:10 AM

Huh. It’s sad when articles are written that try to explain the ‘possible’ risks, but don’t do any real risk analysis. I lose a lot of respect for media outlets every time I see an article written this way. At the end of the article they do mention the analysis by the vendor, but the hackers/researchers are ‘flabbergasted’ by the response.

Short summary: The hackers/researchers interviewed for the article indentified a way to compromise the pairing process of a ZWave S2 device. It sounds like this is a Yale ZWave lock purchased in April-May 2018. The attack requires them to observe and act while the owner is performing initial pairing of the device (so, be within ZWave range during the initial pairing process.)

Sounds like the article proposes this is a serious vulnerability, while the vendor and ZWave alliance have rated it lower risk. As linuxha notes, it seems it is part of the same vulnerability, but made available in the newer S2 devices for backwards compatibility with older controllers.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users