I’m new to both z-wave and Home Assistant and I have a question that I haven’t seen directly addressed:
What is the risk of using z-wave devices that don’t use the z-wave encryption? I recently got HA up and running and installed my first dimmer (GE 14294) only to discover that it does not support encryption. So, what could someone war-driving do to 1) the specific device and/or 2) the larger network of connected devices?
Coming from a WiFi mindset, I don’t like the idea of anything connecting to my “network” that isn’t using encryption…
Thanks!
A zwave network is, in theory, vulnerable to attacks such as capturing traffic from your controller and replaying it.
IMO, the real world risk of this is essentially zero. First, because of the limited range of zwave signals, and second, because there’s no real benefit to attackers to manipulate your home’s light switches, which would limit incentive to putting together the tools necessary to pull this off.
So, one can’t use access to one node to attack the controller or other nodes? It sounds like you’re saying that only the traffic could be captured (and potentially mimicked) and that the node itself couldn’t be compromised into running arbitrary code. I keep thinking in regular IP networking terms where once someone “gets inside” through a weak device or server, they can then launch additional attacks against the rest of one’s network.
I think there are various techniques that could be used to “take over” the zwave network itself. I am not aware of any vulnerability where this can be used to escalate into taking over a host computer running the controller. I can’t rule that out, but have not seen anything like that in the research literature last time I browsed it wondering about this myself.
So, there are scenarios where this could be serious, for example disabling a sensor in an alarm system to allow entry, etc. But at that point, if you aren’t running an international spy ring or something, I think a brick through the rear slider is 10 orders of magnitude more likely.