C-7 and S0

Is there any way with the C-7 to force S0 devices to enroll insecurely?

In my experience, yes: any device I've used that supports S0 has a different pairing mechanism for secure vs. "regular" pairing.* For example, "regular" pairing might be pressing a certain button once or twice, while S0 pairing might be holding the button or pressing it more times (this is just an example; each device, as always, is different, and you will need to consult the manual to see what it is). I'm not sure if this is required by Z-Wave spec, but my guess is yes since S0 isn't exactly the best and many people recommend not to use it for all devices unless really needed.

For S2 devices, all I've seen have the same pairing mechanism for secure vs. "regular" pairing. Again, I'm not sure if this is required by spec, but my guess here is also yes since S2 is a lot better and the hub can negotiate downward (to S0 or nothing) if the device allows it.

So, if the device is S0-only, you likely have a different pairing mechanism*, and if you use that, the hub will enroll it without security as requested. If you have an S2-capable device, if you uncheck all the S2 and S0 options when pairing, then Hubitat will also enroll it without security. (If you have an S0-only device, you won't see those prompts, but again, the device probably has a different way to enroll in that case--and if not, it's probably a lock or other device that requires security). This behavior, as you've probably seen, differs from the C-5 and earlier hubs where you had an option to choose the preferred pairing mechanism hub-wide.

*EDIT: Just remembered a couple devices I have that don't. The Inovelli Z-Wave RGBW Bulb (LZW42), for example. So, this is apparently not required, just something a lot of manufacturers (except Inovelli's manufacturer here, and some others) chose to do, possibly because they know the pitfalls of S0 vs S2 or nothing.

2 Likes

The device's features determine the Hub's response. IF the device supports S0 (chatty, 3x packet, not recommended) then you must cause it to try and join securely. Aeon products for example, use a single press to join insecurely and a double press to join securely... S0. Therefore, for Aeon products, the recommendation would be: click only once.

When the device CAN join Securely, the C-7 will popup the selection screen. If you unselect everything, it will continue the join with no security. Again the recommendation is to join devices with no security or S2 as the security option... continue to avoid S0 where possible. Many existing/installed products (Locks, Garage Door Openers) MUST be joined securely and their vintage means they only have S0... in which case, you have to accept that.

3 Likes

Unfortunately, the devices do not offer multiple mechanisms.

I need an option on the hub. With the C-5, you could control it on the Z-Wave Details page with a selector. This option is gone on the C-7.

Is your device S0-only? Have you verified the pairing procedure in the manual? (Ask and someone can probably find it if you're not sure.) Or is it a secure device like a lock, garage door opener, etc. mentioned above (in which case you won't have a choice)?

My guess is that Hubitat is aiming for Z-Wave certification and that certification (this is a reasonable guess from what I've seen but I'd love to hear if someone knows...) doesn't allow an option to blanket-disable S2/S0, so the way the options are presented had to change.

I thought on a C-7 that if a device specified it was security capable you would always get the following dialog (with different options checked based on the device capabilities). So if you wanted to do non-secure instead of S0 you would just uncheck the S0 box?

Edit: nope, I was wrong. See below.

The device does not offer S2; insecure and S0 only. It's a temperature and humidity sensor.

The hub does offer the ability to disable S2 for a device. If you uncheck all the key boxes in the S2 popup, you get insecure pairing. I don't get a popup for this S0 only device--that's really what I'm after.

Jason, you should be able to validate by double clicking to Join that Aeon device, getting the popup with S0 option selected then UNselect it to join insecurely.

I would expect this as well...

I have a spare device. I'll play around with it on my test hub and see if I can force the popup.

I'll do that tonight. I have a few unused Multisensor 6s lying around that are not currently paired. I THINK those support S0... (EDIT: They do, I just looked)

I have an Aeon Nano Switch that offers S0...

and I'll try that now. I thought you were actively testing :smiley:

1 Like

Oops. Sorry. No, I'm physically at work - on lunch break.

Didn't work per my expectations.

I Joined that Aeon Nano Switch via a double click and it joined right away. No Popup.

Secure pairing = true and S2: is 128, meaning S0

I Excluded it and Joined it again, single click, insecure and got the expected No Popup and it did indeed join insecurely.

1 Like

Not that it's specifically required for this topic, but I have a Zniffer trace of an S0 conversation showing its 3x nature:

Two sets of 3 messages each, with acks, so 6 messages to get the switch's state.

2 Likes

I stand corrected!! Thanks for taking the time to confirm that.

I'll quit guessing now (and spreading misinformation).

2 Likes

I included it a couple dozen times on my test hub. No popup. As soon as the battery goes in, it includes with S0.

In my case, I did find a workaround... Put the battery in, wait until the hub finds the device (about a second), and then pull the battery before the hub finishes asking about security. Stop inclusion mode on the hub. If it works, after a bit you get rewarded with a failed device on the Z-Wave Details page. Replace the battery, and select Discover. You get a paired insecure device.

Obviously, this is a gross work-around which won't work for every device. I'm hoping that the lack of a popup is a bug that will be fixed soon.

2 Likes

Staff told me in the past that S0 devices, consistent with what I mentioned above, won't give you "the popup" on pairing, just S2 devices. But again, every S0 device I've used (unless it's required to use security) has a different procedure for secure vs. non-secure pairing on the device side. Again, I'm guessing the certification requirements have something to say about if/how this choice can be made on the controller side, which I'm guessing is why Hubitat is doing it this way...but I'd love to hear if anyone knows what it actually requires. :slight_smile: Glad you found something that worked, in any case!

2 Likes

Somewhat related question. A couple of S2 devices I’ve joined will pop up and have both S2 options selected and S0. Is S0 just selected as a sort of fallback in the event communication fails over the S2 channel? Is S0 ever used when there are S2 grants also supplied?

I haven't done enough S2's to see a pattern. Can't answer those questions :frowning:

Ok.. So this is how the grants work..

If you leave the defaults, which usually include S0, it won’t use S0 for hub communications.. It uses the highest common grant.. So the hub has all the keys and as such will always use the highest grant that the device has. But direct associations are where the lower security grants come into play.. So if you have an S2 authenticated device trying to talk to an S0-only device and you didn’t grant that S2 device an S0 key, then they can’t talk direct through associations.

7 Likes
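
The grant rules described in the last post, as an added Python sketch (not code from Hubitat or from any poster in this thread). The value 128 for S0 is the one reported earlier in the thread; the S2 bit values are assumed from the Z-Wave S2 granted-keys bitmask, and the node names and inventory are constructed.

```python
from enum import IntFlag

class Key(IntFlag):
    """Granted-keys bitmask (S2 bit values assumed from the Z-Wave S2 spec)."""
    S2_UNAUTHENTICATED = 0x01
    S2_AUTHENTICATED = 0x02
    S2_ACCESS_CONTROL = 0x04
    S0 = 0x80  # the "128" reported for the S0-joined switch in this thread

# Strongest class first; the hub holds every key.
PRIORITY = [Key.S2_ACCESS_CONTROL, Key.S2_AUTHENTICATED,
            Key.S2_UNAUTHENTICATED, Key.S0]
HUB_KEYS = 0x87

def decode(mask):
    """Names of the keys granted in a bitmask, strongest first."""
    return [k.name for k in PRIORITY if mask & k]

def highest_common(a, b):
    """Strongest key both sides hold, or None if they share none."""
    for k in PRIORITY:
        if a & b & k:
            return k.name
    return None

def audit(nodes, associations):
    """Flag nodes the hub reaches over S0, and associations between two
    secure nodes that hold no key in common."""
    findings = []
    for name, mask in nodes.items():
        if highest_common(HUB_KEYS, mask) == "S0":
            findings.append(f"{name}: hub traffic uses S0")
    for src, dst in associations:
        if nodes[src] and nodes[dst] and highest_common(nodes[src], nodes[dst]) is None:
            findings.append(f"{src} -> {dst}: no shared key for direct association")
    return findings

# Constructed inventory: node name -> granted-keys bitmask.
NODES = {
    "nano_switch": 0x80,     # S0 only
    "dimmer_default": 0x83,  # S2 grants plus the default S0 grant
    "dimmer_no_s0": 0x03,    # S0 box unchecked at inclusion
    "temp_sensor": 0x00,     # joined without security
}
ASSOCIATIONS = [("dimmer_default", "nano_switch"), ("dimmer_no_s0", "nano_switch")]

if __name__ == "__main__":
    for node, mask in NODES.items():
        print(node, decode(mask), "->", highest_common(HUB_KEYS, mask))
    print(audit(NODES, ASSOCIATIONS))
```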