as z-wave introduces the security model (AES ENCYPTION)but yet not implemented IT in the products, i think that it is quite vulnerable to
crack the z wave network.
for example, by launching the sniffer attack while the establishment of the network and distribution of the network key.
similarly one can tepmered the existing node and transfer the keys to some intruders (physical attack).
as zwave consist of alot of secure and unsecure nodes. the flooding techniques or replay of messages can also disturb the network.
at last the social attacks can effect the privacy of any zwave network. for example one can predict the owner activities by flow of trafic in between the sensor
nodes and then transform this information to some other situation. for example if you sniff your neighbour node activities then you may be able to predict when he is at home and when he goes to sleep and when he goes to wrk etc..
my question is that does any one ever suffered due to security limitation in z-wave or any one know how zwave thandels the above discribed situations ??
Full Version: security issues in z-wave
Z-Wave is very new and not yet wide spread in people homes. I really don't think that anyone will attempt to phyically hack a network for the purpose of doing harm simply because it's not in the spotlight of hackers. I assume you idea of social hacking could be an issue but I don't think that would be directly related to Z-Wave since a "bad guy" could monitor the pattern in which you turn on your lights just as easily as they can monitor the pattern from your sensors. If anything Z-Wave would confuse the "bad guy" by allowing you to randomly turn on lights even when you are not home.
The tools for hacking a Z-Wave system do exist but the Zniffer is only available to DevKit owners as far as I know. So unless you do some social hacking first to get the HomeID then I think it will be pretty hard for you to come by a Zniffer and sniff out someones HomeID. Currently using a Zniffer and ControlThinks ThinkEssentials software you could sniff the HomeID and then use the software to create a network with that home ID and finally run their disaster recovery tool to add devices into the network. This would require you to be fairly close to the home but probably does not require being inside the home. But again I have to ask-- what is the likely hood of someone wanting to hack your lighting system and then actually obtaining the tools to do it?
In conclusion I am not at all worried about security at this time.
The tools for hacking a Z-Wave system do exist but the Zniffer is only available to DevKit owners as far as I know. So unless you do some social hacking first to get the HomeID then I think it will be pretty hard for you to come by a Zniffer and sniff out someones HomeID. Currently using a Zniffer and ControlThinks ThinkEssentials software you could sniff the HomeID and then use the software to create a network with that home ID and finally run their disaster recovery tool to add devices into the network. This would require you to be fairly close to the home but probably does not require being inside the home. But again I have to ask-- what is the likely hood of someone wanting to hack your lighting system and then actually obtaining the tools to do it?
In conclusion I am not at all worried about security at this time.
I too am not worried about having my lighting controls hacked, but as zwave moves into the home security area this will become a huge issue. We're not talking about something that is years away. Hawking already has door and window sensors on the market. Schlage is about to offer their keypad locksets with zwave. I'm surprised to hear a zwave world editor have such a short sighted view.
So the real question is once encryption is added to zwave, how much if any of the existing zwave gear we already have will become obsolete?
So the real question is once encryption is added to zwave, how much if any of the existing zwave gear we already have will become obsolete?
I guess you have a point now that I am seeing the Z-Wave Enabled Door Lock featured in this article (http://www.engadget.com/2008/05/19/schlage-announces-web-enabled-z-wave-door-locks)
I'm not sure what effect encryption will have on the older products. I can try and dig into it for you guys though.
I'm not sure what effect encryption will have on the older products. I can try and dig into it for you guys though.
In wireless sensor technology there are alot of limitations (battay,memory,transmission range, proceesing speed etc) that makes it quite ristricted to do alot of effort. As far zwave is concerned i am trying to find the security vulnerbilities to the system. til now my results are following.
1. zensys is providing the hardware and let the user or OEM to develop their own application. so the security that should be provided at application level.
2.zwave have a special challenge response mechanism , which is helping it to prevent the basic attack senerios i.e, transmission modification, record and replay attacks
3. but the security at the initialization of network key and routing layer is quite vulnerable. if some one sniff your network intialization key then he can get hold of network management key , which gives him hand to decrypt the messages and the things like denial of service attack or refusal in routing table could be possible.
the possible solution that zwave is providing is the implementation of security at the application level and protocol level.still the issue of temptation of node device or sybil attack..can disolve the whole security parameters.
1. zensys is providing the hardware and let the user or OEM to develop their own application. so the security that should be provided at application level.
2.zwave have a special challenge response mechanism , which is helping it to prevent the basic attack senerios i.e, transmission modification, record and replay attacks
3. but the security at the initialization of network key and routing layer is quite vulnerable. if some one sniff your network intialization key then he can get hold of network management key , which gives him hand to decrypt the messages and the things like denial of service attack or refusal in routing table could be possible.
the possible solution that zwave is providing is the implementation of security at the application level and protocol level.still the issue of temptation of node device or sybil attack..can disolve the whole security parameters.
i've mentioned this issue on other forums, especially in regards to the door locks and most people on there either don't care or are ignorant of any attacks being possible.
i am seriously curious how the cryptography will work with legacy devices that don't support it. maybe they will flag a bit to only use paths that support it but again that will hamper the mesh part of the network.
i am seriously curious how the cryptography will work with legacy devices that don't support it. maybe they will flag a bit to only use paths that support it but again that will hamper the mesh part of the network.
QUOTE (Rob @ May 22 2008, 09:27 PM) 
...especially in regards to the door locks...
I can see that people might want a Z-Wave lock on their front door so they can let people in while they're away - maybe have the Fedex carrier put your package inside. But that's going to require more than just a lock. You'll be wanting a webcam to cover the front porch, and you'll be wanting a squawk box/doorbell with VOIP.
Another reason for a Z-Wave lock might be to limit the number of keys in circulation, allowing people to use their cell phones instead to let themselves in. Most likely you'd have your kids using their phones to let themselves in, and their friends letting themselves in, and their friends' friends letting themselves in...
Neither of those reasons apply to me, and I won't be installing a Z-Wave door lock.
I think if someone wants to get into your house, they're going to find a way, Z-Wave or not. Most of those people are on drugs and wouldn't have the mental capacity or patience to go through the intricate steps of hacking your Z-Wave system. I also think that most burglaries are committed by people whom you know or by people who know people who have been in your house. The solution there is to not let people who enter your house see anything that can be readily converted to drug money.
If someone does go through the steps to hack your Z-Wave security, they would either do it as a stunt and leave you a lovely calling card, or they are professionals with the foreknowledge that you've got big ticket luxury items inside.
My only big-ticket luxury items are my Z-Wave gear. If someone manages to hack my gear, they can have it.
i donot think that you guys are realizing the threat that could happen to your home security ,
this technology is emerging more then door locks in your home secuity systems,
let me give a senerio...
what happens if some one locks you in your house or started to turn on and off the lights in your children room in mid of the night .
it would also be scary if some one turn on hot water while you r having a cold bath..
how people can react if the things like that start happening to them and they donot know who is operating it and how it could eb handled.
we can make this technogy more secure and comfortable by digging different aspects of it!! i hope so..
this technology is emerging more then door locks in your home secuity systems,
let me give a senerio...
what happens if some one locks you in your house or started to turn on and off the lights in your children room in mid of the night .
it would also be scary if some one turn on hot water while you r having a cold bath..
how people can react if the things like that start happening to them and they donot know who is operating it and how it could eb handled.
we can make this technogy more secure and comfortable by digging different aspects of it!! i hope so..
if the tools for sniffing homeid's become readily available on the internet, it could become just as popular as identity theft, stealing credit card info, etc. people thought those types of attacks were pretty extravagant at one time and these days you hear about people's info being stolen everday to the tune of tens of thousands at one time.
some people who break into homes are desperate drug addicts; others are serious minded people who will harm, rape, kill, etc. once they get in and are intelligent. why is the security industry such a huge billion dollar business if these things are not reality. people crack security alarms when breaking into homes, why not some wifi door lock...it baffles me that people take this issue lightly and think it will not happen to them. happens all the time in the security industry. won't happen to me, (next week you get a call about being broken into).
some people who break into homes are desperate drug addicts; others are serious minded people who will harm, rape, kill, etc. once they get in and are intelligent. why is the security industry such a huge billion dollar business if these things are not reality. people crack security alarms when breaking into homes, why not some wifi door lock...it baffles me that people take this issue lightly and think it will not happen to them. happens all the time in the security industry. won't happen to me, (next week you get a call about being broken into).
QUOTE (Rob @ May 29 2008, 01:30 AM)
if the tools for sniffing homeid's become readily available on the internet, it could become just as popular as identity theft, stealing credit card info, etc. people thought those types of attacks were pretty extravagant at one time and these days you hear about people's info being stolen everday to the tune of tens of thousands at one time.
some people who break into homes are desperate drug addicts; others are serious minded people who will harm, rape, kill, etc. once they get in and are intelligent. why is the security industry such a huge billion dollar business if these things are not reality. people crack security alarms when breaking into homes, why not some wifi door lock...it baffles me that people take this issue lightly and think it will not happen to them. happens all the time in the security industry. won't happen to me, (next week you get a call about being broken into).
some people who break into homes are desperate drug addicts; others are serious minded people who will harm, rape, kill, etc. once they get in and are intelligent. why is the security industry such a huge billion dollar business if these things are not reality. people crack security alarms when breaking into homes, why not some wifi door lock...it baffles me that people take this issue lightly and think it will not happen to them. happens all the time in the security industry. won't happen to me, (next week you get a call about being broken into).
I don't think people are taking this issue lightly. I find that whether it be a z-wave lock or a plain old fashioned "regular" lock... you still have a security risk. You can still kick in a door, You can still break a window, You can still pick a lock etc... I think Z-Wave just gives you the convenience of not having to use an old fashion key. I still think we should focus on better security measures but... we should also not stress out about it too much. I mean... We are Humans! There is always going to be a security breach somewhere.
QUOTE (Kozanator @ Jan 23 2009, 10:00 AM)
I don't think people are taking this issue lightly. I find that whether it be a z-wave lock or a plain old fashioned "regular" lock... you still have a security risk. You can still kick in a door, You can still break a window, You can still pick a lock etc... I think Z-Wave just gives you the convenience of not having to use an old fashion key. I still think we should focus on better security measures but... we should also not stress out about it too much. I mean... We are Humans! There is always going to be a security breach somewhere.
Dude you are responding to a 8month old post...
This may be an old thread but it's still relevant!
My company has been investigating Z-wave solutions for commercial customers and security is a huge issue in the business world. Consider a hospital, bank, school, or any other business for that matter and the security ramifications surrounding z-wave become impossible to ignore. Until the security has been hardened we won't be taking the step into the commercial space with any products as the liability is far too great.
By the way, where can I find articles discussing Z-Wave's developments on the security front? I can't find very much (which is the disturbing part!)
My company has been investigating Z-wave solutions for commercial customers and security is a huge issue in the business world. Consider a hospital, bank, school, or any other business for that matter and the security ramifications surrounding z-wave become impossible to ignore. Until the security has been hardened we won't be taking the step into the commercial space with any products as the liability is far too great.
By the way, where can I find articles discussing Z-Wave's developments on the security front? I can't find very much (which is the disturbing part!)
Have you been to the Z-Wave Alliance Website and looked for white papers?
Hi friends ,
Is Z-Wave Zniffer having "Proxy Chain" feature? So that we can remotely monitor the Z-Wave traffic to analyze
Answer would be grateful...Thanks in advance
Is Z-Wave Zniffer having "Proxy Chain" feature? So that we can remotely monitor the Z-Wave traffic to analyze
Answer would be grateful...Thanks in advance
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.