Is it possible to 'fix' Zwave security without reinstalling the device?

I've a bunch of device I've installed in a frenzy of just getting stuff done.
I'm now seeing that when I look at the ZWAVE Details that a lot of my devices NONE as the security level.
Which they should not be, for example I have several innovelli switch with S2 set, but several others with NONE. Is it possible to re-trigger the security auth without removing and re-adding the device?

No. Security configurations only happen during pairing - by design, for security.


I was assuming so.. but on the other hand, things like my yale lock securely pairing without any prompt seems weird...
I've not delved into all the Sx levels etc, just saying that allowing a reset/re-pair with physical code prompting seems more secure than an unprompted initial set in my vast 0% knowledge of security. :wink:

1 Like

Is it S2? If so, that's weird. But if S0, that's all you'll get: there are no options or keys for S0, so no input is required, and the Z-Wave 700-series SDK that the C-7 hub is using apparently does not allow the user to downgrade if they don't want S0 (or the device doesn't need it, which a lock will, so this isn't a good example, but there are devices that can go either way).

yep. It set as S0 so that's what I get. All good. 100% sure no one was within a few miles who even know what zwave is when I paired it.

With a C5 what are the zwave security options, how do you tell which level of security your devices have paired to the hub with? Where do you find this info and how does it look?

Is it different on the C7?

I believe the C5 only supports S0, while the C7 supports S2 in addition to S0. If you look at the Z-Wave Details there is a column that shows the security pairing.

1 Like

To add to the above, yes, they are different: the C-5, as stated, allows you to choose security options for all pairings (secure for all allowed, or secure for only locks and garage doors). "Secure" in this context means S0, as that's all the C-5 supports. The C-7 doesn't have this option, but you'll get a popup with options for S2 devices when pairing. S0 will just pair that way if the device asks, which is where it's useful if the device has separate secure vs. non-secure pairing procedures if you don't want to use S0 (some devices don't, but most of mine do). We've been told this is what the 700 series specs require for "hubs"/controllers, though some people have found creative workarounds for S0 devices they don't want to pair that way if needed (PC Controller with a Z-Wave stick as a secondary controller is one way).


Is the reason I don't see the column because I don't have any zwave device that has paired with security? Or can I tell from the data in the columns I do have?

That column only shows up on the C-7 hub.

For the C-5 you need to go into the device details and see if it says it is paired secure in the details section. Something like:

EDIT: You might be able to tell from the clusters on the zwave details page too, which would be faster. An S0 paired device would have cluster 0x98.


Thanks, that is exactly the information I was looking for.

1 Like

so 0x98 means s0 inclusion

I have been tracking down slow responses on my C5 hubitat. I started by eliminating my non-Z-Wave plus devices and then re-paired my Honeywell T6 Pro that was missing clusters information. I am looking into the possibility now that some of my devices have joined as S0. On most of my Inovelli Red series I see the 0x98 cluster, but don’t see any mention of secure pairing on the device details (maybe because I use the Inovelli driver rather than built-in?)
Also, my Z-wave details page says to secure join only locks/garage door, so I am not sure why these would be S0. Do I need to exclude and re-include each of these to see if I can remove the 0x98 cluster? This effects like 8 switches used in many automations.

EDIT: Is it possible that the clusters shown on Z-Wave details page doesn't actually indicate the security it is paired with, but instead it shows the possible parameters the device supports? I am confused because I also see 0x9F on my C5 hub. Here is one of the devices in question.

I also have some inconsistencies with black series dimmers (2 show 0x98 cluster and one does not)

I believe I installed the latest firmwares prior to installing the Vanity Dimmer, whereas the Kitchen Hanging Lights/Dining Room Lights dimmers were added prior to firmware updates.

That is what they do--it's a list of the Z-Wave Command Classes the device advertises (they stole the similar Zigbee "clusters" terminology for this, perhaps because SmartThings did the same). The page on the C-7 is quite different.

On a C-5, devices will be either nothing or S0. There is no S2 support. By default, only locks and garage doors will pair with security if needed; the setting at the top of the page (not in your screenshot, but on the same page) will determine this. So, it's unlikely you have S0, but it's possible if you changed this setting. The way to tell is to look at the "Device Details" section under "Data." If you see "zwaveSecurePairingComplete: true" on a C-5 (or earlier), you're using S0. Otherwise, you have no security:



Great, I don't see any that show that on device details. Thanks!