The popular home automation protocol Z-Wave, used by millions of IoT devices, is vulnerable to a downgrade attack that could allow an adversary to take control of targeted devices, according to researchers.
Z-Wave is a wireless protocol used by 2,400 vendors; its wireless chipsets are embedded in an estimated 100 million smart devices ranging from door locks, lighting, heating systems and home alarms, according to Pen Test Partners, who released a report on the vulnerability on Wednesday.
According researchers, today’s Z-Wave systems are configured to support a “strong” S2 Z-Wave pairing security process. However, a proof-of-concept (PoC) attack demonstrates how a hacker could downgrade the higher S2 standard to a weaker S0 pairing standard, which allows an adversary to steal an encryption key and expose a device to compromise.
The PoC attack involved a hacker within RF range at the time a controller pairs with the IoT device.
“Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices,” researchers explained.
A nearly identical pairing issue was identified by researchers at SensePost in 2013 (PDF), prompting Z-Wave owner at the time Sigma Designs to develop the new pairing process S2. The problem with the old mechanism was “the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range,” researchers said.
But since the introduction of S2, a similar attack scenario has been devised by Pen Test Partners. “We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements,” researchers said.
Researchers noted that when a Z-Wave device is using the weaker S0 security (and not the S2 flavor), the S2 controller will notify the user when S0 security is being used, after the fact. “We feel this will be ignored or overlooked,” researchers said.
On Wednesday, Silicon Labs, which acquired Z-Wave from Sigma Designs earlier this year, posted a blog addressing the Pen Test Partners research, stating the PoC took advantage of a backwards-compatibility feature that allowed S2 devices to work on S0 networks. It also stated emphatically that this is not a vulnerability.
“It was a conscious choice of the Z-Wave Alliance to discount this non-vulnerability in order to offer partners and customers backwards compatibility so that they didn’t need to replace their gear,” said Lars Lydersen, senior director of product security at Silicon Labs, in an interview with Threatpost.
Lydersen said, an attack is extremely improbable given the requirements of specialized equipment, proximity to the RF network, forcing a controller reset and hacking the pairing session in the 20 milliseconds window it’s vulnerable to attack.
“The smart home controller or gateway will always notify the user if S2 is reverted to S0 during the installation process,” the post states.
How The Attacks Work
The attack exploits the fact that devices supporting the stronger S2 pairing use a type of programming “command class” code. That code is used in the process of communicating between the controller and IoT device during pairing.
“The node info command is entirely unencrypted and unauthenticated. This leads to us being able to spoof it, removing the COMMAND_CLASS_SECURITY_2 command class. The controller then assumes that the device does not support S2, and pairs using S0 security. The attacker can now intercept the key exchange, obtain the network key and then command the device,” researchers described.
In one attack scenario against a Yale Conexis L1 smart lock, researchers were able to use a controller and downgrade the device to the S0 pairing security. The PoC attack then allowed researchers to lock and unlock device at will.
Another attack scenario involves triggering an IoT device to send pairing data by replacing a battery making it possible for an adversary to “to sniff, modify and then send the data on.”
“The third method involves active jamming using an RFCat,” researchers wrote. RFCat is a USB radio dongle capable of transmitting, receiving and snooping radio frequencies. “An attacker can continuously listen for the node info from the genuine node. As soon as the home ID has been obtained, they can actively jam the rest of the packet, preventing the node info from being received.”
Pen Test Partners say the issue is a standards and implementation concern, and are critical of what they say is Silicon Labs lethargic response to securing its platform. “We’re not particularly happy that the Z-Wave Alliance appears to have been aware of the downgrade attack, but hasn’t really addressed it,” researchers wrote.
Despite the fact Silicon Labs doesn’t consider the pairing issue a vulnerability, the company said it plans on taking steps to further ensure its customers make informed decisions when downgrading. Johan Pedersen, product marketing manager, Z-Wave IoT, said it would soon change the way it notified customers that their device was going be downgraded using the S0 pairing method. “Instead of notifying customers that the pairing was going to take place after the fact, we will be notifying them of the pairing beforehand,” he said.