How to tell if node is secure?

hurlman · February 27, 2018, 5:57pm

Hi all,

I have installed and have been using HassIO for about a month now. I’m using an Aotec Gen5 USB ZStick, and I’ve been following the documentation for doing all of my setup so far. Everything is actually working perfectly.

My question is, is there a way to tell if a node is added securely from the UI? I have a network key in my configuration.yaml, I used the script in the documentation to create it. I have successfully added a node with the ‘Add Node Secure’ button and I’ve been using it for a week. I just can’t tell if it paired securely or not. Should I even be concerned with this? I was thinking maybe the ‘Add Node Secure’ button falls back to a non-secure add if the secure add fails.

The device is a FS20Z Isolated Contact Fixture Module, and I’m using it to control my garage door. Since it’s an entrance to my house, I want to make sure it’s secure. I will be getting a smart lock soon, and I want to make sure I properly pair that securely as well.

Thanks in advance!

Tinkerer · February 27, 2018, 7:09pm

From memory, there will be an attribute of is_secured: true or similar.

jivesinger · February 27, 2018, 7:40pm

Just check my states page and there is no way to tell by looking at attributes.
I have a door lock which I added securely and there is no indication of security.

hurlman · February 27, 2018, 8:07pm

So here is the attributes of the node from my states page. I don’t see an “is_secure” attribute.

zwave.garage_door_switch	ready	node_id: 7
                                        node_name: Garage Door Switch
                                        manufacturer_name: Linear
                                        product_name: FS20Z Isolated Contact Fixture Module
                                        old_entity_id: zwave.garage_door_switch_7
                                        new_entity_id: zwave.garage_door_switch
                                        query_stage: Complete
                                        is_awake: true
                                        is_ready: true
                                        is_failed: false
                                        is_info_received: true
                                        max_baud_rate: 40000
                                        is_zwave_plus: false
                                        capabilities: listening,beaming,routing
                                        neighbors: 1,2,3,4,5,6,8
                                        sentCnt: 30
                                        sentFailed: 0
                                        retries: 0
                                        receivedCnt: 16
                                        receivedDups: 0
                                        receivedUnsolicited: 0
                                        sentTS: 2018-02-26 16:33:05:313 
                                        receivedTS: 2018-02-26 16:33:05:349 
                                        lastRequestRTT: 25
                                        averageRequestRTT: 24
                                        lastResponseRTT: 35
                                        averageResponseRTT: 35
                                        friendly_name: Garage Door Switch

Tinkerer · February 27, 2018, 8:08pm

Did you include it with security? If not there’s nothing in the attributes.

hurlman · February 27, 2018, 8:14pm

I hit the “Add Node Secure” button in the ZWave confuration when I added the node.

Maybe the device doesn’t support it? I thought it did from the documentation…

Tinkerer · February 27, 2018, 8:36pm

There’s nothing listed to show it supports security. That list should include Security V1 like this.

dap35 · February 27, 2018, 8:39pm

My understanding is that “zwave plus” devices support security. That is displayed in the zwave panel.

Tinkerer · February 27, 2018, 8:40pm

Security existed before Z-Wave Plus, and it isn’t required for Z-Wave Plus.

hurlman · February 27, 2018, 8:44pm

That answers that, thank you for the helpful links and info! I didn’t know about those zwave alliance pages for every zwave product, that’s very useful.

What threw me, I think, is that I saw something like “security beaming” on a product info page for it. I guess that means it’ll relay for a secure node, but it’s not secure itself.

Tinkerer · February 27, 2018, 8:46pm

Depends on whether they’re using the official term, but in Z-Wave beaming refers to sending messages to battery powered devices when they’re asleep.

Of course, marketing material is often suspect

will · June 10, 2018, 12:42pm

The easiest way I’ve found to check if a z-wave device is secured or not is to download your zwcfg_xxxxx.xml file from your HA root directory and then inspect the device nodes.

If a device was added securely then its xml entry will include the line secured=“true”

For example, this GE Z-wave plus dimmer is “secured” because the first line of its xml node is:

<Node id="27" name="" location="" basic="4" generic="17" specific="1" roletype="5" devicetype="1536" nodetype="0" type="Multilevel Power Switch" listening="true" frequentListening="false" beaming="true" routing="true" max_baud_rate="40000" version="4" secured="true" query_stage="Complete">

However, my Eaton dimmer is not because its entry doesn’t have the secure=“true” entry; which makes sense because it isn’t z-wave plus which means the security is optional and it’s unlikely Eaton would have included it for a light switch.

AdamNaj · December 13, 2018, 5:41am

If you’re on a windows machine and have access to your HA through Samba (mapped drive) - I’ve written a quick PowerShell script that can list it for you:

$haPath = “I:”
[xml]$ozwCfg = Get-Content “$haPath\zwcfg_*.xml”
$ozwCfg.Driver.Node | ft id, Name, secured

Just customize the first line to point to your HA config folder.

jo-me · September 30, 2019, 12:33pm

Thanks for this little powershell script. The “Name” column was always empty though.
I enhanced it a little to include Manufacturer and product name.

$haPath = "."
[xml]$ozwCfg = Get-Content "$haPath\zwcfg_*.xml"
$ozwCfg.Driver.Node | ft id, type, 
@{LABEL="Manufacturer"; Expression={$_.Manufacturer.name}},
@{LABEL="Model"; Expression={$_.Manufacturer.Product.name}},
@{LABEL="Secured"; Expression={if($_.secured -eq "true") { "Yes" } else { "No" }}}

AdamNaj · October 4, 2019, 3:07pm

I’m maintaining this gist for a while to find the chatty devices that may slow the network down: How to check if Z-Wave node is Secure or Plus version based on QZW Config file. · GitHub

When in doubt, I just execute the last script from the gist:

I’ve just added the manufacturer, based on your recommendation, but I just find it a good practice to add the device name to my zwcfg_.xml so that I don’t get lost over time. It also works best with the graph panel I am maintaining as a side project:

jo-me · October 4, 2019, 6:59pm

Cool stuff! I’m very interested in the message count as well.
Is that also coming from the xml file or the Log file?

AdamNaj · October 4, 2019, 7:10pm

OZW_Log.txt

jo-me · October 5, 2019, 3:10pm

So the log covers almost 2 days and I let your script run over it:

Are these normal numbers? The feel kind of high.

mmiller7 · January 17, 2021, 3:01pm

Is there a way to check this for non-Windows users? I run Linux on all my main machines…and my Windows work PC is very locked down.