Help understanding security and running two hubs

I'm in the process of adding a C7 to my C5 setup that I was happy with and realizing I don't really understand how security works.

I had a C5 running with a good mix of Zwave and Zigbee devices. I wasn't having any noticeable issues but wanted to try a C7 for the added Zwave features and to hopefully avoid Zigbee issues in the future.

My Zigbee devices consist mostly of Lightify lights and Aqara sensors. I wasn't having any issues, but it seems like quite a few others do when mixing those. My plan was to move all the Lightify products to the new C7 while leaving the Aqara sensors on the C5 with Xbee repeaters. So far, this has worked fine.

I thought I'd move all my Zwave devices to C7 but I'd like to understand security a bit more before I commit to that. I've moved 20 or so Zwave devices over and have successfully joined some as S2, others as S0, and a few as unsecured. My understanding is that S0 is generally viewed as something to avoid. So I've got a few questions:

  1. Do nodes joined securely repeat for unsecured nodes and vice versa?

  2. If a device doesn't support S2 can it be joined to a C7 insecurely (my current understanding is no)?

  3. If a device doesn't support S2 can it be joined to a C5 insecurely (my current understanding is yes but I didn't pay any attention to security when setting up my C5)?

  4. Would there be any benefits or drawbacks to only pairing devices capable of S2 to the C7 while pairing all other devices insecurely to the C5?

Thanks for the help!

Yes.

Yes, unless it is something like a door lock or garage door opener that will only function (presumably by design) if some level of security is present. However, if your device supports either S0 or no security and doesn't have a separate method to pair with vs. without security (check the manual), then it will probably pair with S0, and it is true that you can't control how these devices pair (unless it also supports S2, in which case you'd see the familiar prompt and can choose). This, we have been told, is a limitation of the official Z-Wave 700 SDK that Hubitat is using. However, you can work around the problem by joining the device with a secondary controller instead (e.g., a Z-Wave stick with the Z-Wave PC Controller software running on Windows).

Yes; the C-5 lets you choose security options for all device pairings in Settings > Z-Wave Details. The default is "Locks and garage doors only," which will avoid the above problem by negotiating S0 for only those devices and "regular"/non-secure pairing for all the rest. (The C-7 does not have this option, again except on a per-device basis if the device supports S2.)

I suppose the benefit of doing this over keeping everything on the C-5 is that you'd get to use S2 with devices that support it, so you'd get more security (if they'd be paired non-securely or with S0 on the C-5, as S2 is considered more secure than both of these) or likely better network performance (if they would have been paired with S0 on a C-5, as S0 can be up to three times more chatty than S2 or no security). But at the same time, I don't see any disadvantages to moving everything over to the C-7 unless it's a device that will force itself to pair as S0 (the Zooz 4-in-1 ZSE40 and Monoprice 15271 motion sensor are two I've seen mentioned here a bit, but pretty much any device that supports S0 but not S2 and doesn't list a separate secure vs. non-secure pairing method in its manual is likely to be subject to the same issue). Even that should still theoretically work, though you're correct that most people recommend against S0 unless you really need it--and, again, it can technically be overcome with a secondary controller if you want.

The other concern is the mesh networks: making sure you have enough repeaters on both so that all your devices on both hubs have reliable paths to and from the hub. Of course, that's a totally separate issue from S2 and is the same general concern you'd have regardless of what hub you're using.

If I may offer some advice after just going through this... first, good step asking these questions NOW rather than rebuilding the mesh later. Really think about if you need/want security on things like sensors and lights. I chose to not use any security (even S2) on anything that I really thought unnecessary like lights/sensors. Understandable to use it on locks/doors.

I ended up going back and removing some items that I had initially joined with S2 and rejoining them with no security.

Thank you for the great reply. I'm not too concerned with security in practice so my original thinking was:

  1. No reason not to use S2 vs unsecured because the performance hit is minimal and it is more secure
  2. Use no security over S0 because there is a performance penalty for security that I personally don't think I really need.

But, if I'm understanding you correctly, there are devices that I can't pair with either S2 or no security unless I implement a work-around involving another controller.

The Zooz Zen25 is what got me thinking about this because it is the only device I've had issues with (reportedly I'm not the only one). When looking into it I noticed my Inovelli RGBW bulbs were paired to the C7 with S0 so I thought I'd get a better understanding before moving forward.

Thanks

Thanks for the advice. I would be fine having everything paired without security or with S2. It sounds like having a mix of the two is fine since they repeat for other S2 or unsecured nodes. I'm mainly trying to avoid S0 and trying to think of the best way to do that. It doesn't sound as straightforward with the C7 as it is with the C5.

There is no way around this right now, other than getting another controller involved as has already been mentioned. However, if you have both the C5 and the C7 on 2.2.4.x and you're using Hub Mesh, then I would suggest you keep all your devices that don't support S2 on the C5 and just share them via Hub Mesh. They will work on the C-7 just the same as if they were joined to it directly.

And definitely move the Inovelli bulbs back to the C-5.

I think this is probably exactly what I will do. All devices that I can pair with S2 will go on the C7. Everything else will go on the C5 without security. I may have to make a couple exceptions for mesh strength but it seems like a reasonable plan.