[HH] Z-Wave door locks vulnerable to replay attack
Tom Metro
tmetro+hhacking at gmail.com
Thu Aug 28 16:04:28 EDT 2014
In the latest Hak5 episode:
http://hak5.org/episodes/hak5-1702
they interview a guy at DefCon who gave a talk on security
vulnerabilities in home automation gear. One he mentioned in passing was
that Z-Wave door locks were vulnerable to a replay attack. Unfortunately
he didn't give any specifics as to the models impacted. I'd speculate it
was a Schlage lock, as they seem to be the most popular, but could be
Kwikset or both.
This is rather disappointing, as this is a rookie mistake, and suggests
these companies didn't really take security all that seriously.
When Z-Wave security products (like door/window and motion sensors)
first started appearing, I made some attempt to look into what sort of
security was provided by the protocol, but couldn't find any easy
answers. Is the signal encrypted? How are the keys created/distributed?
Who knows. Maybe since then someone with more time and motivation has
investigated more deeply and written up an executive summary on the
state of Z-Wave security.
Ah, here we go...
Security Evaluation of the Z-Wave Wireless Protocol
http://research.sensepost.com/cms/resources/conferences/2013/bh_zwave/Security%20Evaluation%20of%20Z-Wave_WP.pdf
"...no public vulnerability research on Z-Wave could be found prior to
this work. In this paper, we analyze the Z-Wave protocol stack layers
and design a radio packet capture device and related software named
Z-Force to intercept Z-Wave communications. This device enables us to
decode different layers of the Z-Wave protocol and study the
implementation of encryption and data origin authentication in the
application layer. We then present the details of a vulnerability
discovered using Z-Force tool in AES encrypted Z-Wave door locks that
can be remotely exploited to unlock doors without the knowledge of the
encryption keys."
Should be an interesting read. I don't know the date of this paper, but
it seems to be the origin of the info used in subsequent articles and
talks. Some articles:
Potential attack vectors against Z-Wave
http://blog.opensecurityresearch.com/2013/07/potential-attack-vectors-against-z-wave.html
Can Hackers Unlock My Z-Wave Door Lock?
http://suretycam.com/can-hackers-unlock-my-z-wave-door-lock/
...researchers discovered that a single, unnamed Z-Wave door lock
manufacturer has a bug in their implementation of the Z-Wave secure
node association protocol that could allow a hacker within Z-Wave
range of the network to reset the lock's user codes and unlock the
door from outside. They did not find a vulnerability in the Z-Wave AES
security protocol, just a bug in one manufacturer's code.
...the manufacturer has already taken steps to fix the issue and that
additional test cases have already been added to the Z-Wave
certification test suite to prevent this from happening in the future.
Hacking and attacking automated homes
http://www.networkworld.com/article/2224849/microsoft-subnet/hacking-and-attacking-automated-homes.html
I guess this is old news, as some of these refer to last year's Black
Hat and Def Con conferences. The middle article doesn't seem to be
describing a replay attack, so that could be something new, just
presented at conferences this year.
Given what researchers found when they investigated wireless alarm
systems (see my prior post[1]), using proprietary protocols made
expressly for security, I guess Z-Wave isn't any worse off. There is at
least a suggestion Z-Wave uses AES encryption, which is probably better
than what the alarm systems using decades-old designs are doing.
1. http://www.mail-archive.com/hardwarehacking@blu.org/msg01263.html
-Tom
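Added example, not part of Tom's post or of any lock vendor's code: a Python toy of the replay weakness he mentions, contrasting a receiver that only verifies a MAC with one that demands a fresh receiver-issued nonce (the challenge pattern Z-Wave's S0 security class is built around). The class names, the demo key and the truncated-HMAC stand-in for the real frame MAC are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

KEY = bytes(range(16))  # constructed demo key; a real network key is set at inclusion

def tag(key: bytes, *parts: bytes) -> bytes:
    # Truncated HMAC over the frame fields, standing in for the lock's real MAC.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]

class NaiveLock:
    """Verifies the MAC but has no freshness check: a captured frame stays valid forever."""
    def __init__(self, key: bytes):
        self.key, self.unlocked = key, False

    def receive(self, frame) -> bool:
        cmd, mac = frame
        if not hmac.compare_digest(tag(self.key, cmd), mac):
            return False
        self.unlocked = cmd == b"UNLOCK"
        return True

class NonceLock:
    """Hands out a one-shot nonce; a frame is valid only if its MAC covers that nonce."""
    def __init__(self, key: bytes):
        self.key, self.unlocked, self.pending = key, False, None

    def nonce_get(self) -> bytes:
        self.pending = secrets.token_bytes(8)
        return self.pending

    def receive(self, frame) -> bool:
        cmd, nonce, mac = frame
        expected, self.pending = self.pending, None  # nonce is consumed either way
        if expected is None or nonce != expected:
            return False
        if not hmac.compare_digest(tag(self.key, nonce, cmd), mac):
            return False
        self.unlocked = cmd == b"UNLOCK"
        return True

def replay_demo() -> tuple:
    # Returns (naive lock accepted the replay, nonce lock accepted the replay).
    naive, captured = NaiveLock(KEY), (b"UNLOCK", tag(KEY, b"UNLOCK"))
    naive.receive(captured); naive.unlocked = False   # legitimate use, then relocked
    naive_replay = naive.receive(captured)            # identical bytes sent again
    lock = NonceLock(KEY); n = lock.nonce_get()
    captured2 = (b"UNLOCK", n, tag(KEY, n, b"UNLOCK"))
    lock.receive(captured2); lock.unlocked = False
    lock.nonce_get()                                  # a new exchange needs a new nonce
    nonce_replay = lock.receive(captured2)
    return naive_replay, nonce_replay
```

The naive receiver is exactly the "rookie mistake" case: encryption or a MAC alone proves the frame was once genuine, not that it is fresh.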