[ANSWERED]: Hacking Z-Wave
Posted: Sun Apr 17, 2016 5:14 am
I think the Hacking board name is meant as "Tinkering" but since we don't seem to have another relevant board I am posting here (Jay/Matt maybe we need a "Security" board for posts like the one I am making?).
On Jan 2016 at the ShmooCon hacker convention a paper was released showing how to "hack" Z-Wave:
http://www.networkworld.com/article/302 ... vices.html
I got lots of questions about that paper and the implications for Indigo, I will try to summarise them:
1) Is Indigo impacted by what's shown on the paper and if so in what level?
2) The paper authors tested 33 different Z-Wave devices with only 9 of them supported encryption. Does Indigo support showing which devices are encrypting communications and if so how? If not can this be added ASAP please?
3) The paper also talks about four devices that required a user to ‘opt-in’ for encryption. What's the process to enable encryption in a device in Indigo if such option is support?
4) It would appear to me that if a Z-Wave device is not encrypting communication is open to be attacked more easily and that these guys found ways to "break" through the device security rather than Z-Wave protocol security. If that's the case it seems there is little we can do to protect ourselves from this. Perhaps Indigo could add some "detection" of suspicions activity? For instance devices being turned on/off constantly (as described on the paper) or perhaps any device which a user could set as only controllable from Indigo as a honeypot detection for intrusion?
5) At the bottom of the article Z-Wave Alliance Executive Director Mitchell Klein mentions the launch of the Z-Wave Security 2 (S2) framework which combines the existing ES 128 encryption with Elliptic Curve Diffie-Hellman key exchange. Is this framework supported by Indigo? (probably not as it was only launched on Dec 2015). Are there any plans to add support to this? What are the hardware requirements for S2? Do existing Z-Wave devices support S2? Where can I find more information about this? I couldn't find any more info on the Web other than articles reporting the press release.
Thanks,
Christian
On Jan 2016 at the ShmooCon hacker convention a paper was released showing how to "hack" Z-Wave:
http://www.networkworld.com/article/302 ... vices.html
I got lots of questions about that paper and the implications for Indigo, I will try to summarise them:
1) Is Indigo impacted by what's shown on the paper and if so in what level?
2) The paper authors tested 33 different Z-Wave devices with only 9 of them supported encryption. Does Indigo support showing which devices are encrypting communications and if so how? If not can this be added ASAP please?
3) The paper also talks about four devices that required a user to ‘opt-in’ for encryption. What's the process to enable encryption in a device in Indigo if such option is support?
4) It would appear to me that if a Z-Wave device is not encrypting communication is open to be attacked more easily and that these guys found ways to "break" through the device security rather than Z-Wave protocol security. If that's the case it seems there is little we can do to protect ourselves from this. Perhaps Indigo could add some "detection" of suspicions activity? For instance devices being turned on/off constantly (as described on the paper) or perhaps any device which a user could set as only controllable from Indigo as a honeypot detection for intrusion?
5) At the bottom of the article Z-Wave Alliance Executive Director Mitchell Klein mentions the launch of the Z-Wave Security 2 (S2) framework which combines the existing ES 128 encryption with Elliptic Curve Diffie-Hellman key exchange. Is this framework supported by Indigo? (probably not as it was only launched on Dec 2015). Are there any plans to add support to this? What are the hardware requirements for S2? Do existing Z-Wave devices support S2? Where can I find more information about this? I couldn't find any more info on the Web other than articles reporting the press release.
Thanks,
Christian