No security class granted, what does that mean?

I noticed my zwave log being filled with Dropping message with invalid payload issues after adding a Qubino 16A Wall Plug in secure mode.

I switched on silly logging and managed to grab this. Can anyone make something out of it?

2023-04-12T12:31:02.474Z SERIAL « 0x012300a80001211a9f032d00cbed6bcafd2999b22aac048b460712d8776a1468f (37 bytes)
                                  eaf00bc89
2023-04-12T12:31:02.479Z DRIVER   Dropping message with invalid payload
2023-04-12T12:31:02.481Z DRIVER « [Node 033] [REQ] [BridgeApplicationCommand]
                                  │ RSSI: -68 dBm
                                  └─[Security2CCMessageEncapsulation] [INVALID]
                                      error: No security class granted
2023-04-12T12:31:02.483Z SERIAL » [ACK]                                                                   (0x06)

I’ve tried to remove and re-include the plug and that works for a while, then this comes back again. I’ve also healed the network.

Noticed this in my log too.

[15:01:58] INFO: No 'network_key' detected, setting it to 's0_legacy_key' for backwards compatibility

But looking in the config view all four keys are defined.

Issue is for sure with the Qubino plug, it has lots of dropped packages and none of my other 15 nodes has any.

Are you trying to include this plug with S0 security? You can confirm the security level by going to the zwavejs integration in home assistant, clicking on the devices, then selecting your device, and expanding the menu that says zwave info:

Screenshot from 2023-04-12 10-34-11

S0 security should be avoided with the exception of being absolutely necessary, like a door lock. S0 security requires 3 messages to be exchanged between the device and controller, which increases bandwidth, and the likelihood of dropped messages and issues. Zwave is very low bandwidth, and combining S0 security with a plug that reports frequent power messages is a recipe for disaster.

If the device supports it, I would use S2 security, which is much more efficient and doesn’t have these issues - you would need to scan the barcode or type in the security key from it to include securely.

If the device doesn’t support S2, I would include it with no security. Even with no encrypted security, there is a level of security in zwave itself that would be difficult to crack unless someone had advanced tools and was present at your home.

If security is a major concern though, and the device doesn’t support S2 inclusion, I would upgrade the plug to a newer device that supports S2 security.

Thank you for responding, as you point out this is what I’ve picked up on too.

Strange thing is the device is S2 compatible and I had to enter a pin for it to be included securely, I had the incorrect pin for the first two attempts and then it was included insecurely,
But as we can see from the picture, it’s listed as ZWave Plus but Highest security: None which I don’t know what it means?

I haven’t setup any keys myself (that I know of), but there are keys defined.

Your security will say none, s0, or s2. None means its not using any security. I would try to re include it and see if it shows up properly.

After some exclude/include attempts it finally connected in S2 mode and (for now) the errors in the log has gone away.

Spoke too soon (of corse…).

Now getting errors like this one, not nearly as frequent though.

2023-04-13T14:49:17.060Z DRIVER « [Node 039] [REQ] [BridgeApplicationCommand]
								  │ RSSI: -66 dBm
								  └─[Security2CCMessageEncapsulation] [INVALID]
									  error: Security2CC_CannotDecode
2023-04-13T14:49:17.062Z CNTRLR » [Node 039] Message authentication failed, cannot decode command. Requesting a 
								  nonce...
2023-04-13T14:49:17.074Z SERIAL » 0x012000a90127149f02a70122669bf85b8709e1c1888cb614b6efc70500000000f (34 bytes)
								  f6f
2023-04-13T14:49:17.079Z DRIVER » [Node 039] [REQ] [SendDataBridge]
								  │ source node id:   1
								  │ transmit options: 0x05
								  │ callback id:      255
								  └─[Security2CCNonceReport]
									  sequence number:  167
									  SOS:              true
									  MOS:              false
									  receiver entropy: 0x22669bf85b8709e1c1888cb614b6efc7
2023-04-13T14:49:17.083Z SERIAL « [ACK]                                                                   (0x06)
2023-04-13T14:49:17.085Z SERIAL « 0x010401a90152                                                       (6 bytes)

Hi,
I have the same problem with the Qubino Smart Plug(tested with a series 500 and 700 controller), so it seems to be a bug, but I’m not sure if is is caused by the plug or an issue in ha/zwave js ui.

Is there anybody out there having a Qubino Smart Plug without those errors?

Greetimgs Olli

I got the plug to work with S2 authentication. It just sends status values too often. I have set parameter 40 to 100 and parameter 42 to 180. Since then it runs without problems.