Topic: [security] z-wave replay attack

valent

[security] z-wave replay attack
« on: May 22, 2011, 06:08:20 pm »
Hi guys,
I was giving a LinuxMCE talk at the annual Croatian Linux Users Conference and was asked a Z-Wave security related question: how secure is Z-Wave, and if it is not encrypted, is it possible to carry out a replay attack?

AFAIK the current generation of Z-Wave devices doesn't encrypt data, and the security model is similar to Bluetooth: key exchange happens during device pairing or when joining new devices to an existing network, right? From what I have seen, the new generation of Z-Wave chips will soon have encryption out of the box.

So if Z-Wave traffic is not encrypted, is there any other security or protection mechanism in place to prevent Z-Wave replay attacks, or not?

Is it possible, and how would somebody malicious carry out a Z-Wave replay attack? Is it enough to watch the Z-Wave traffic, spot when some command is sent, record it and replay it whenever you wish?

That way somebody could take control over any devices you have that use Z-Wave...

Thank you in advance for your replies.
LinuxMCE - If it was easy, everybody would be doing it!!
My setup - http://wiki.linuxmce.org/index.php/User:Valent

hari

Re: [security] z-wave replay attack
« Reply #1 on: May 22, 2011, 07:29:20 pm »
Yes, a replay attack is feasible. Another option would be to sniff the ID of the network and program a controller to use the same one (e.g. with the SDK/Zniffer). But hey, we are talking about light control and such..

Z-Wave door locks use the encryption command class (IIRC with AES encryption) to prevent hacks like this.

br Hari
rock your home - http://www.agocontrol.com home automation
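To make the difference between the two kinds of node concrete, here is an added Python model (not code from this thread or from any Z-Wave SDK) of why a plain command frame is replayable and how a nonce-bound, MAC-protected frame like the one the security command class uses is not. The classes PlainSwitch and SecuredSwitch, the helper functions, the frame layout and the demo network key are all constructed for the illustration; the real command class uses AES-based encryption and MAC rather than the HMAC-SHA256 stand-in used here, and the get-nonce / send round trip is the only part modelled faithfully.

```python
import hmac
import hashlib
import secrets

# Constructed demo network key; a real key is negotiated at inclusion time.
NETWORK_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class PlainSwitch:
    """Unsecured node: accepts any well-formed command frame. Nothing ties a
    frame to a moment in time, so a frame captured once stays valid forever."""

    def __init__(self):
        self.state = "off"

    def receive(self, frame: bytes) -> bool:
        cmd = frame.decode("ascii", errors="replace")
        if cmd not in ("on", "off"):
            return False
        self.state = cmd
        return True


class SecuredSwitch:
    """Nonce-authenticated node modelled on the get-nonce / send-with-MAC
    round trip of the security command class. Simplified: HMAC-SHA256 in
    place of the real AES-based MAC, and no payload encryption."""

    NONCE_LEN = 8
    MAC_LEN = 32

    def __init__(self, key: bytes):
        self.key = key
        self.state = "off"
        self.pending_nonce = None  # at most one outstanding nonce

    def nonce_get(self) -> bytes:
        """Node issues a fresh one-time nonce on request (Nonce Get / Report)."""
        self.pending_nonce = secrets.token_bytes(self.NONCE_LEN)
        return self.pending_nonce

    def receive(self, frame: bytes) -> bool:
        # Constructed frame layout: cmd || nonce(8) || mac(32)
        if len(frame) < self.NONCE_LEN + self.MAC_LEN:
            return False
        mac = frame[-self.MAC_LEN:]
        nonce = frame[-self.MAC_LEN - self.NONCE_LEN:-self.MAC_LEN]
        cmd = frame[:-self.MAC_LEN - self.NONCE_LEN]
        # Reject when no nonce is outstanding or the frame carries a stale one.
        if self.pending_nonce is None or not hmac.compare_digest(nonce, self.pending_nonce):
            return False
        expected = hmac.new(self.key, cmd + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        self.pending_nonce = None  # consumed: the same frame can never be accepted again
        text = cmd.decode("ascii", errors="replace")
        if text not in ("on", "off"):
            return False
        self.state = text
        return True


def controller_send(node: SecuredSwitch, cmd: bytes, key: bytes) -> bytes:
    """Legitimate controller: fetch a nonce, then send cmd bound to that nonce."""
    nonce = node.nonce_get()
    mac = hmac.new(key, cmd + nonce, hashlib.sha256).digest()
    frame = cmd + nonce + mac
    node.receive(frame)
    return frame


def replay_demo():
    """Capture one legitimate frame and re-send it later against both node types."""
    # Case 1: unsecured node. The captured "on" frame is accepted again after the owner
    # has switched the node off.
    plain = PlainSwitch()
    captured = b"on"
    plain.receive(captured)
    plain.receive(b"off")
    plain_replay_accepted = plain.receive(captured)
    plain_result = (plain_replay_accepted, plain.state)

    # Case 2: nonce-authenticated node. The same capture-and-resend is rejected both
    # when no nonce is outstanding and when a new, different nonce has been issued.
    secured = SecuredSwitch(NETWORK_KEY)
    captured = controller_send(secured, b"on", NETWORK_KEY)
    controller_send(secured, b"off", NETWORK_KEY)
    replay_no_nonce = secured.receive(captured)
    secured.nonce_get()
    replay_stale_nonce = secured.receive(captured)
    secured_result = (replay_no_nonce, replay_stale_nonce, secured.state)
    return plain_result, secured_result


if __name__ == "__main__":
    print(replay_demo())
```

The point the model shows is that encryption by itself is not what defeats the replay: it is the receiver-issued nonce, bound into the MAC and consumed on first use, that makes a recorded frame worthless a second time. A node that checked a MAC without a fresh nonce would still accept replays.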

posde

Re: [security] z-wave replay attack
« Reply #2 on: May 22, 2011, 08:22:36 pm »
Oh, and blinds control...

Honey, make sure the blinds are down to protect against intruders...

valent

Re: [security] z-wave replay attack
« Reply #3 on: May 24, 2011, 12:38:58 am »
Yes, a replay attack is feasible. Another option would be to sniff the ID of the network and program a controller to use the same one (e.g. with the SDK/Zniffer). But hey, we are talking about light control and such..

Z-Wave door locks use the encryption command class (IIRC with AES encryption) to prevent hacks like this.

br Hari

It is never nice to underestimate what can be done; I would prefer to have all Z-Wave devices with encrypted data transmission. It would probably not cost much more but would give peace of mind.

There are Z-Wave alarms, motion sensors and valves, and that is not something I would like others to be able to control with simple replay attacks.

Will new Z-Wave chips solve this, as I read somewhere? Any news on when they will be shipped?

posde

Re: [security] z-wave replay attack
« Reply #4 on: May 24, 2011, 08:02:17 am »
Valent,

if you care about security, don't go wireless.

hari

Re: [security] z-wave replay attack
« Reply #5 on: May 24, 2011, 08:23:17 am »
It is never nice to underestimate what can be done; I would prefer to have all Z-Wave devices with encrypted data transmission. It would probably not cost much more but would give peace of mind.
If somebody invests this amount of energy to mess with your HA setup, you have probably set him up enough that he just takes an easier route to get you into trouble...

So I agree that it is necessary to think about attack vectors, but paranoia does not help any further..
As possy said, if you need higher security (for whatever reason), use e.g. KNX, but then better make sure that the bus cable is not accessible from the outside (e.g. in the garden between buildings, ...).

br Hari

posde

Re: [security] z-wave replay attack
« Reply #6 on: May 24, 2011, 08:40:19 am »
What the alarm technician said to a friend:

There are two types of intruders:

1) They want easy money: add some blinds and they won't come in, as it is too much of a hassle.

2) They want YOU or something special that you own: Try to build a compound like Bin Laden did and you will still end up without 100% security.

valent

  • Guru
  • ****
  • Posts: 380
    • View Profile
    • /kernel_reloaded/
Re: [security] z-wave replay attack
« Reply #7 on: May 25, 2011, 09:06:23 pm »
I agree, a wired closed loop is the best thing for HA security. Has anybody paid attention to the new Z-Wave chips and their claim of built-in encryption? Will the new gear be backward compatible, or will we need all new Z-Wave devices that support encryption?

posde

  • Administrator
  • LinuxMCE God
  • *****
  • Posts: 3009
  • Wastes Life On LinuxMCE Since 2007
    • View Profile
    • My Home
Re: [security] z-wave replay attack
« Reply #8 on: May 25, 2011, 09:41:37 pm »
valent,

EVERY wireless transmission will eventually be broken.