Posted 26 May 2018 - 10:10 AM
Huh. It’s sad when articles are written that try to explain the ‘possible’ risks, but don’t do any real risk analysis. I lose a lot of respect for media outlets every time I see an article written this way. At the end of the article they do mention the analysis by the vendor, but the hackers/researchers are ‘flabbergasted’ by the response.
Short summary: The hackers/researchers interviewed for the article indentified a way to compromise the pairing process of a ZWave S2 device. It sounds like this is a Yale ZWave lock purchased in April-May 2018. The attack requires them to observe and act while the owner is performing initial pairing of the device (so, be within ZWave range during the initial pairing process.)
Sounds like the article proposes this is a serious vulnerability, while the vendor and ZWave alliance have rated it lower risk. As linuxha notes, it seems it is part of the same vulnerability, but made available in the newer S2 devices for backwards compatibility with older controllers.