
5-year-old IoT attack resurfaces, puts millions of devices at risk



Z-Wave, a company that manufactures IoT chips present in millions of devices worldwide, has a serious security problem: Its chips can have their pairing security downgraded to give attackers near immediate access to all Z-Wave devices on a network.




The exploit is called Z-Shave, and it has been known of, and supposedly fixed, since 2013. The flaw rests in Z-Wave's pairing protocol, which in 2013 was called S0. S0 transmitted network keys to network nodes protected by an all-zeroes key, which allowed them to be sniffed by attackers within radio frequency (RF) range.


Z-Wave fixed the S0 exploit in 2013 by introducing S2, a new security protocol that used advanced encryption and improved authentication to protect security keys. One problem: It's easily downgradable to S0, and from there an attacker can easily take control of all the Z-Wave devices on a network.

How Z-Shave continues to this day

The continued viability of Z-Shave was discovered by Pen Test Partners, a UK-based cybersecurity firm, which noted in its blog post that all it needed to force a downgrade from S2 to S0 was a Z-Wave PC controller chip.


Pen Test Partners was able to sniff out a network key from Z-Wave devices using three different attack methods, the blog said. The first worked by enabling pairing mode on the controller and then modifying the node info it broadcast to force an S0 connection.


The second method detailed in the post was to force a device to go into pairing mode by temporarily removing the batteries, forcing it to restart and re-pair. That, along with the method used in the first attack, allowed them to downgrade the connection to S0 and gain control.


Third, Pen Test Partners jammed the Z-Wave signal with an RFCat and then listened for the node info to be broadcast from a Z-Wave device. Once they sniffed out the home ID from the node, the post said, they were able to actively jam the rest of the packet to prevent it from being received.
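All three methods above end the same way: the controller accepts an S0 pairing, either because the device's node information was altered to hide S2 support or because the device was forced back into pairing mode. The mitigation a controller can apply on its own is a pairing policy that refuses S0 (or at least flags it) and rejects any device that previously advertised S2 and now offers less. The following is an added example written for this article, not code from Pen Test Partners or Z-Wave. The `COMMAND_CLASS_SECURITY` (0x98) and `COMMAND_CLASS_SECURITY_2` (0x9F) identifiers are the real Z-Wave command class numbers; the `NodeInfoFrame` dataclass and its `device_label` field are constructed simplifications, since a real node information frame does not carry an operator-assigned label.

```python
"""Controller-side pairing policy that refuses or flags S0 inclusions.

Added example for illustration; not Z-Wave's or Pen Test Partners' code.
Node Information Frames are modelled by a constructed dataclass that keeps
only the fields the check needs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real Z-Wave command class identifiers for the two security schemes.
COMMAND_CLASS_SECURITY = 0x98    # S0: network key sent under an all-zero temporary key
COMMAND_CLASS_SECURITY_2 = 0x9F  # S2: authenticated key exchange

# Ordering used to detect a downgrade between two sightings of one device.
_RANK = {"none": 0, "S0": 1, "S2": 2}


@dataclass
class NodeInfoFrame:
    # device_label is a constructed stand-in for whatever stable identity the
    # operator holds for the device (e.g. the DSK printed on it); a real NIF
    # does not carry such a field.
    device_label: str
    command_classes: List[int]


def advertised_security(frame: NodeInfoFrame) -> str:
    """Return the strongest security scheme the node advertises in its NIF."""
    if COMMAND_CLASS_SECURITY_2 in frame.command_classes:
        return "S2"
    if COMMAND_CLASS_SECURITY in frame.command_classes:
        return "S0"
    return "none"


class InclusionPolicy:
    """Decide whether a pairing request should proceed, warn, or be refused."""

    def __init__(self, allow_s0: bool = False) -> None:
        self.allow_s0 = allow_s0
        # Best security class ever accepted for each device label.
        self.best_seen: Dict[str, str] = {}

    def evaluate(self, frame: NodeInfoFrame) -> Tuple[str, str, str]:
        """Return (decision, security_class, reason).

        decision is one of "accept", "warn" or "reject".
        """
        level = advertised_security(frame)
        previous = self.best_seen.get(frame.device_label)

        # A device that once paired with S2 and now offers less has either had
        # its NIF stripped in transit or been forced to re-pair: refuse it.
        if previous is not None and _RANK[level] < _RANK[previous]:
            return ("reject", level,
                    f"downgrade from {previous} to {level} for {frame.device_label}")

        if level == "S2":
            decision, reason = "accept", "S2 key exchange"
        elif level == "S0":
            if not self.allow_s0:
                return ("reject", level, "S0 disabled by policy")
            decision, reason = "warn", "S0 pairing exposes the network key to RF sniffers"
        else:
            decision, reason = "warn", "no security command class advertised"

        # Remember the best class seen so later downgrades can be detected.
        if previous is None or _RANK[level] > _RANK[previous]:
            self.best_seen[frame.device_label] = level
        return (decision, level, reason)


if __name__ == "__main__":
    # Constructed pairing attempts: a lock that supports S2, then the same lock
    # seen again with S2 stripped from its NIF, then an S0-only bulb.
    policy = InclusionPolicy(allow_s0=False)
    attempts = [
        NodeInfoFrame("front-door-lock", [0x20, COMMAND_CLASS_SECURITY, COMMAND_CLASS_SECURITY_2]),
        NodeInfoFrame("front-door-lock", [0x20, COMMAND_CLASS_SECURITY]),
        NodeInfoFrame("hall-light", [0x20, COMMAND_CLASS_SECURITY]),
    ]
    for attempt in attempts:
        print(attempt.device_label, policy.evaluate(attempt))
```

With `allow_s0=False` the second and third attempts are rejected: the lock because it previously advertised S2, the light because S0 is refused outright. Setting `allow_s0=True` lets S0-only legacy devices in with a warning while still refusing the lock's downgrade, which is the trade-off an operator with older hardware has to make explicitly rather than by default.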

Why Z-Shave is so dangerous


"Once you've got the network key, you have access to control the Z-Wave devices on the network," Pen Test Partners said. "2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres."


Z-Wave chips are present in devices from GE, Amazon, Schlage, Nest, Samsung, and nearly 2,400 other IoT device manufacturers. It's not a bad idea to head over to Z-Wave's store page to see if you own a device affected by Z-Shave.


If you own any device listed in the Z-Wave store it's safe to assume it is vulnerable. Offices, retail stores, homes, and countless other connected spaces are affected by this exploit, and with five years since it was "fixed" you may not want to hold out hope for a quick resolution.


TechRepublic has reached out to Z-Wave for response, but didn't hear back by the time of publication.


The big takeaways for tech leaders:


  • IoT chip manufacturer Z-Wave's products are all reportedly vulnerable to an attack that can downgrade pairing security and potentially give an attacker control over all IoT devices on a network.
  • The exploit has been known about for 5 years, and was reportedly fixed when initially discovered. Researchers have found that it is possible to completely circumvent the fix, putting millions of IoT devices at risk for hijacking.


