Z-wave not at all secure

Have you guys seen this?


Is it posible to implement a feature that detects this kind of attack?

From the article:

This means that an attacker in RF range when the device is paired can obtain the network key and attack any device on the network.

I don’t mean to imply that this is not a problem, but I think this is a relatively lower risk issue. Someone would have to be in very close proximity to your house (i.e., in or right next to) and watching your z-wave traffic at the moment your pair a device.

Attacks like this are lower risk because it’s so low yield for an attacker. They have to be in range of your z-wave controller at the moment a new device is paired - so it’s not like they can drive around looking for houses with z-wave and immediately open the z-wave door lock or exploit it with a script over the internet, etc.

This reminds me of early bluetooth days when similar issues existed with the pairing process.


Maybe it’s possible to detect, but I’m with @ha_steve - it’s overblown (IMO bordering on FUD). If something like this worries you then you should be more concerned that somebody could take a picture of your key when you approach your front door, and then 3D print a copy :wink:


This is super low risk… For this attack to work you need:

  1. Attacker aware of your intent to add new z-wave devices
  2. Attacker in radio range of where you will add new device
  3. Perfect timing to force S0 versus S2 mode; as once S2 is negotiated and joined to network the window is closed! (the window is about 15 seconds - or less)
  4. Continue to stay inside radio range to be able to exploit the network

So the conditions for it to be exploited are pretty narrow. I am not saying it could not happen but it’s not likely.

I for one will continue to watch for strange vans on my front street before adding z-wave devices to ensure no deep-state attempts to gain control over my home lighting occurs!