Z-Wave steps up on security

The Z-wave protocol has long been a stalwart of the home automation industry. Dating back to 2004, it was acquired by Sigma Designs in 2008, where it has remained as a proprietary protocol dependent on SoCs produced by the one vendor. The closed nature of the protocol meant that little independent analysis was done from a security standpoint, although security has been well integrated for some time.

Use of the Z-Wave chips by manufacturers is governed by the Z-Wave Alliance, and a certification program is in place (independently administered by third parties) to ensure devices are properly compliant with the protocol to ensure inter-operability. As a result of this control, Z-Wave is well regarded as being a highly extensible and reliable home automation platform with hundreds of compatible devices on the market.

In 2013 researchers from Sensepost.com successfully demonstrated a key exchange interception attack that allowed them to compromise a specific model of smart lock. The finding was widely publicized as a major flaw, but as the researchers note in their Security Evaluation paper, the issue was not in the Z-Wave protocol, but in the implementation by the manufacturer. In spite of this Sigma Designs responded by adding additional requirements to the certification tests to prevent similar implementation errors in the future.

In 2015, Sigma Designs added enhanced security features, called Security 2 (or S2) in the specification in order to allow Alliance members to obtain industry certifications for security system use. The S2 specification appears to be state-of-the-art, and is detailed in Sigma Design's White paper, including potential attack scenarios such a key interception, rogue nodes, and RF jamming along with their mitigations. It's a good read if you're interested. The issue was that full implementation of these features was not mandatory for certification, until now.

In November 2016, the Z-Wave Alliance board voted unanimously to mandate implementation of the S2 suite for all new devices seeking certification, and has now issued a press release advising that the mandate is in effect as of April 2 this year. This is a pretty big step forward for IoT security, and will hopefully drive other industry players to follow suit.