Aeotec MotionSensor 6 secure inclusion with Z-Stick Gen7 - RPi4

Hello,

I have an RPi 4 with Aeotec Z-Stick Gen7 running HASSIO

supervisor-2021.10.0
core-2021.10.4

From Aeotec Manual:

Short press 2 times within 1 second

  1. Send Security Node Info frame. 2. Add MultiSensor into z-wave network (Security inclusion):
  2. Power on MultiSensor. The MultiSensor’s LED will blink slowly when you short press the Action Button.
  3. Let the primary controller into inclusion mode (If you don’t know how to do this, refer to its manual).
  4. Press the Action Button.
  5. If the inclusion is success, MultiSensor’s LED will be kept turning on for 8 seconds when you short press the
    Action Button. If the LED is still in slow blink, in which you need to repeat the process from step 2.

While it's flashing blue it's not implemented as secure


Also, is it correct that the Z-Stick Controller is listed as Secure: No?

Other devices such as the Abus Siren are able to connect with Security

Controllers are always listed as “No”. The property is only applicable to nodes you include.

If you want to include a Multisensor with Legacy Security, you need to go into the “Advanced Inclusion” UI when adding the device, and select Legacy Security. The default inclusion method will not include a Multisensor with security.

Z-Wave inclusion is set to secure, however the Motion Sensor does not connect with it.
Where would I find the log file when I crank up the debugging?

The Motion Sensor 6 doesn't support the S2 protocol but should do S0 secure inclusion. Is there any reach or speed advantage between unprotected and S0 secure inclusion?

As my only aim was to benefit from S2

The recommendation is to include with S2 when you can, else include security devices (locks and garage door openers) with S0, else include all other devices with no security (which is exactly what HA’s default inclusion UI does). S0 is not recommended because the cost of S0 is 3 times more network traffic compared to insecure traffic. If you have too many S0 devices it can “jam” the network. S2 doesn’t have this performance hit.

The choice of S0 vs. insecure also depends on your security paranoia and personal risk factor. If you believe you have a risk of someone “hacking” your z-wave network, then maybe you want to use S0. I’ve made the calculation that I probably have a 0% risk of someone attempting to hack my network. Second, even if they did, there is nothing they could do that would cause any damage. Maybe they could turn on some lights, or trigger door sensors, etc., not much else. If you use door sensors or motion sensors within a security system, maybe S0 is important to you.


Thanks, very good reply. I will see if I can replace a few devices with S2 and make sure the rest is included insecure due to low security risk

I’ve checked my devices and it seems my Abus devices all support S2. Can I somehow check in HASS what protocol they use? Or does secure always indicate the S2 protocol?

You can look at the network dump and find the “highestSecurityClass” field. It will have one of these values:

NONE = -1
S2_UNAUTHENTICATED = 0
S2_AUTHENTICATED = 1
S2_ACCESS_CONTROL = 2
S0_LEGACY = 7

In some future release, the UI will tell you this.
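The lookup described in the reply above, as an added example that is not part of the original thread: a small Python audit that walks a parsed network dump and names each node's security class. It assumes only that each node object carries a `nodeId` key next to `highestSecurityClass`; the sample dump layout and the `lock_node_ids` parameter are constructed for illustration.

```python
import json

# Values of "highestSecurityClass" as listed in the reply above.
SECURITY_CLASSES = {-1: "NONE", 0: "S2_UNAUTHENTICATED", 1: "S2_AUTHENTICATED",
                    2: "S2_ACCESS_CONTROL", 7: "S0_LEGACY"}

def find_nodes(obj):
    """Yield (nodeId, highestSecurityClass) pairs from any nesting level.

    Assumption: a node is a JSON object holding both keys; nothing else
    about the dump layout is relied on.
    """
    if isinstance(obj, dict):
        if "nodeId" in obj and "highestSecurityClass" in obj:
            yield obj["nodeId"], obj["highestSecurityClass"]
        for value in obj.values():
            yield from find_nodes(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_nodes(item)

def audit(dump, lock_node_ids=()):
    """Return {nodeId: (class_name, note)}; lock_node_ids is supplied by the user."""
    classes = dict(find_nodes(dump))
    report = {}
    for node_id in sorted(classes):
        value = classes[node_id]
        name = SECURITY_CLASSES.get(value, f"UNKNOWN({value})")
        if node_id in lock_node_ids and name != "S2_ACCESS_CONTROL":
            note = "door lock not on S2 Access Control"
        elif name == "S0_LEGACY":
            note = "S0: about 3x the traffic of insecure"
        elif name == "NONE":
            note = "no encryption"
        else:
            note = ""
        report[node_id] = (name, note)
    return report

# Constructed sample with an assumed layout, not a real dump.
SAMPLE = json.loads("""[{"type": "result", "result": {"state": {"nodes": [
  {"nodeId": 4, "highestSecurityClass": -1},
  {"nodeId": 5, "highestSecurityClass": 7},
  {"nodeId": 7, "highestSecurityClass": 0},
  {"nodeId": 9, "highestSecurityClass": 2}]}}}]""")

if __name__ == "__main__":
    for node_id, (name, note) in audit(SAMPLE, lock_node_ids={7, 9}).items():
        print(f"node {node_id:>3}: {name:<20} {note}")
```
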

Hello,

I can see that most are S2_unauthenticated; however, Silicon Labs states

Z-Wave certification will prohibit some products from operating via the S2 Unauthenticated class. This includes gateways and door locks.

So I have door locks from Abus, shouldn't they be S2 Secure or similar?

http://manuals-backend.z-wave.info/make.php?lang=DE&sku=ABUESHMK10000&cert=ZC10-18116318

Door locks should be S2 Access Control. S2 Unauthenticated is basically the same as Authenticated, except you don’t need to input the PIN.


I recently added an Aeotec Flood Sensor. HA asked me if I want S2 unauthenticated vs. authenticated. I’ve chosen authenticated, which seems somewhat slower … however, even after a reset I can't get HA to ask again if authenticated or unauthenticated integration.

Any idea how I can force S2 unauthenticated?

Edit: after a couple of resets, I was able to include it as S2 unauthorised