[HH] Z-Wave door locks vulnerable to replay attack

Ed blu.hardware at ezf.com
Wed Sep 17 09:00:26 EDT 2014


It looks like generic z-wave products are now entering the market.
Monoprice has begun carrying a home automation line:

http://www.electronichouse.com/article/monoprice_debuts_slew_of_home_automation_and_theater_options_at_cedia


On Thu, Aug 28, 2014 at 4:04 PM, Tom Metro <tmetro+hhacking at gmail.com>
wrote:

> In the latest Hak5 episode:
> http://hak5.org/episodes/hak5-1702
>
> they interview a guy at DefCon who gave a talk on security
> vulnerabilities in home automation gear. One he mentioned in passing was
> that Z-Wave door locks were vulnerable to a replay attack. Unfortunately
> he didn't give any specifics as to the models impacted. I'd speculate it
> was a Schlage lock, as they seem to be the most popular, but could be
> Kwikset or both.
>
> This is rather disappointing, as this is a rookie mistake, and suggests
> these companies didn't really take security all that seriously.
>
> When Z-Wave security products (like door/window and motion sensors)
> first started appearing, I made some attempt to look into what sort of
> security was provided by the protocol, but couldn't find any easy
> answers. Is the signal encrypted? How are the keys created/distributed?
> Who knows. Maybe since then someone with more time and motivation has
> investigated more deeply and written up an executive summary on the
> state of Z-Wave security.
>
> Ah, here we go...
> Security Evaluation of the Z-Wave Wireless Protocol
>
> http://research.sensepost.com/cms/resources/conferences/2013/bh_zwave/Security%20Evaluation%20of%20Z-Wave_WP.pdf
>
>   "...no public vulnerability research on Z-Wave could be found prior to
>   this work. In this paper, we analyze the Z-Wave protocol stack layers
>   and design a radio packet capture device and related software named
>   Z-Force to intercept Z-Wave communications. This device enables us to
>   decode different layers of the Z-Wave protocol and study the
>   implementation of encryption and data origin authentication in the
>   application layer. We then present the details of a vulnerability
>   discovered using Z-Force tool in AES encrypted Z-Wave door locks that
>   can be remotely exploited to unlock doors without the knowledge of the
>   encryption keys."
>
> Should be an interesting read. I don't know the date of this paper, but
> it seems to be the origin of the info used in subsequent articles and
> talks. Some articles:
>
> Potential attack vectors against Z-Wave
>
> http://blog.opensecurityresearch.com/2013/07/potential-attack-vectors-against-z-wave.html
>
> Can Hackers Unlock My Z-Wave Door Lock?
> http://suretycam.com/can-hackers-unlock-my-z-wave-door-lock/
>
>   ...researchers discovered that a single, unnamed Z-Wave door lock
>   manufacturer has a bug in their implementation of the Z-Wave secure
>   node association protocol that could allow a hacker within Z-Wave
>   range of the network to reset the lock's user codes and unlock the
>   door from outside. They did not find a vulnerability in the Z-Wave AES
>   security protocol, just a bug in one manufacturer's code.
>   ...the manufacturer has already taken steps to fix the issue and that
>   additional test cases have already been added to the Z-Wave
>   certification test suite to prevent this from happening in the future.
>
>
> Hacking and attacking automated homes
>
> http://www.networkworld.com/article/2224849/microsoft-subnet/hacking-and-attacking-automated-homes.html
>
>
> I guess this is old news, as some of these refer to last year's Black
> Hat and Def Con conferences. The middle article doesn't seem to be
> describing a replay attack, so that could be something new, just
> presented at conferences this year.
>
> Given what researchers found when they investigated wireless alarm
> systems (see my prior post[1]), using proprietary protocols made
> expressly for security, I guess Z-Wave isn't any worse off. There is at
> least a suggestion Z-Wave uses AES encryption, which is probably better
> than what the alarm systems using decades old designs are doing.
>
> 1. http://www.mail-archive.com/hardwarehacking@blu.org/msg01263.html
>
>  -Tom
> _______________________________________________
> Hardwarehacking mailing list
> Hardwarehacking at blu.org
> http://lists.blu.org/mailman/listinfo/hardwarehacking
>
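The replay weakness Tom describes above comes down to a missing freshness check: if a lock accepts any correctly authenticated "unlock" frame, a frame captured once stays valid forever, no matter how good the encryption is. The following is an added illustration, not code from this thread or from the SensePost paper, and it does not reproduce Z-Wave's actual frame format or key handling. It models a lock two ways: a naive one that authenticates only the command bytes, and one that hands out a single-use random nonce per transaction and binds the command to it. The key, the frame layout and the truncated HMAC tag are all constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; NOT a real Z-Wave network key, and the frame layout below
# is an assumption made for the illustration, not the Z-Wave security command class.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8
NONCE_LEN = 8


def mac(key: bytes, data: bytes) -> bytes:
    """Truncated HMAC-SHA256 tag over the authenticated bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class NaiveLock:
    """Authenticates the command bytes alone. Nothing in the frame changes between
    transactions, so any frame captured over the air stays valid for replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.locked = True

    def receive(self, frame: bytes) -> bool:
        cmd, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(self.key, cmd)):
            return False
        if cmd == b"UNLOCK":
            self.locked = False
        return True


def naive_controller_frame(key: bytes, cmd: bytes) -> bytes:
    return cmd + mac(key, cmd)


class NonceLock:
    """Issues a fresh random nonce for each transaction and only accepts a command
    whose tag covers that exact nonce. The nonce is consumed on first use, so a
    captured frame cannot be accepted a second time."""

    def __init__(self, key: bytes):
        self.key = key
        self.locked = True
        self._pending = None  # nonce currently outstanding, if any

    def get_nonce(self) -> bytes:
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def receive(self, frame: bytes) -> bool:
        nonce, cmd, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Reject anything that does not carry the one nonce we are waiting for.
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False
        self._pending = None  # single use: a second copy of this frame is now stale
        if not hmac.compare_digest(tag, mac(self.key, nonce + cmd)):
            return False
        if cmd == b"UNLOCK":
            self.locked = False
        return True


def nonce_controller_frame(key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    return nonce + cmd + mac(key, nonce + cmd)


def demo_naive() -> tuple:
    """Legitimate unlock, relock, then the same captured frame again.
    Returns (replay_accepted, lock_still_locked)."""
    lock = NaiveLock(KEY)
    frame = naive_controller_frame(KEY, b"UNLOCK")
    lock.receive(frame)
    lock.locked = True            # owner locks the door again
    captured = bytes(frame)       # exactly what a sniffer would have recorded
    return lock.receive(captured), lock.locked


def demo_nonce() -> tuple:
    """Same sequence against the nonce-checked lock.
    Returns (replay_accepted, lock_still_locked)."""
    lock = NonceLock(KEY)
    nonce = lock.get_nonce()
    frame = nonce_controller_frame(KEY, nonce, b"UNLOCK")
    lock.receive(frame)
    lock.locked = True
    captured = bytes(frame)
    return lock.receive(captured), lock.locked


if __name__ == "__main__":
    print("naive lock, replayed frame accepted / still locked:", demo_naive())
    print("nonce lock, replayed frame accepted / still locked:", demo_nonce())
```

A real design would also expire an outstanding nonce after a short window and keep the "is this nonce the one I issued" check before the MAC check, as above, so that stale frames are dropped before any key-dependent work is done.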