Off-topic rant about security

I think it's mandatory to have S0 or S2 "Access Control"--so I'm not sure you have any choice for a door lock

Obviously, S2 is much preferred if there's an option. But, if you have some sort of choice, at least choose S0.

1 Like

gotcha. so just don't pair random other stuff as S0, got it. =)

1 Like

Are you aware that Bryan Copeland (@bcopeland) recently found a bug in the Aeotec Recessed Door Sensor 7 firmware that prevented it working with S2, and got Aeotec to release updated firmware? Since you’ve got a C-7, use the Device Firmware Updater app to do the update.

You will need to wake up the device with a paper clip to get the transfer going. Details in the thread I linked above. It fixed my 3 RDS7 devices on my C-7.

1 Like

Definitely not!

S0 uses a lot more "bandwidth" to communicate than unauthenticated. S2 is much more efficient (and likely much more secure) than S0, which is why there are fewer concerns with pairing everything S2.

However, there have been some compatibility issues with S2 and it is notoriously picky about pairing properly (you often need to bring the hub within a few feet of an S2 device to get proper S2 secure pairing to work).

While there has been some heated and bizarre discussion surrounding the general need for S2 security, a lot of people aren't super concerned about whether or not the local sniffer person can tell if their x'1C' node turned off or on (or even if some hacker turned it off/on for them) given the unlikeliness of that happening and the dangers it might create.

However if, say, you have an S2-capable device that you use to control door locks, alarms, etc., you should probably use the S2 Access Control level at least (e.g., say you use a "double tap" up on the kitchen light switch to open your garage doors--it would be smart to use S2 Access Control on that switch).

3 Likes

Makes total sense. And yeah, I recall reading into how S0 and S2 worked, and S2 was much more secure.

I know locks, at least, use whisper when pairing, so kinda curious if other stuff does too. But yes, probably don't need to worry about pairing a light switch as S2 (in most cases), or a contact sensor. I mean, all for the entire mesh being secure, but we're probably a ways off from that.

I seem to recall there were also issues with the ZooZ 4-in-1 sensors... has that been resolved?

Not sure about that one. Try doing a search?

I have joined my Zooz 4-in-1 at security:none with a Uzb stick a little while back. I had lots of mesh issues initially, and had some issues with them at the time. Now that my mesh is stable and working well, I have no issues with them.

2 Likes

think it had something to do with them pairing as S2 and rapidly draining batteries, and the spec for the 700 chipset not allowing no security for devices that supported it (or something)

here it is...

Specifically what @bcopeland mentioned in the thread:
"I’m not sure I came through clearly. The lack of prevention of S0 bootstrapping is a limitation of the current specifications imposed by Silicon Labs and Z-Wave Alliance on 700 series hubs, this was not a decision made by Hubitat."

But seems like this might be addressed if you can uncheck all the boxes (wouldn't that mean to prevent S0)? Did HE get them to adjust the spec?

I have a zstick, I could easily add that way.

1 Like

No - sorry if that was confusing. My point just above was to not select S0 as a security choice if you want security and have S2 security options.

If all you have is S0 and it's a lock/garage door then I would accept the S0.

My door lock and garage door are both connected via S0. I just don't use security on any other devices if I can help it.

2 Likes

Right. But above, the list of checkmarks includes "S0 - Unauthenticated". Does that mean a device will pair with NO security if they're all unchecked (this would indicate Silicon Labs adjusted the SDK after @bcopeland's statement)? Or is there "S0 - Authenticated" that cannot be disabled if the device speaks it?

This is an S2 device that supports S0.. So it falls into S2 bootstrapping.. S0 bootstrapping for S0 only devices still has no prompt

Not entirely sure I understand. If they're S2, then we should be able to pair them as S2 and be good? Or are they not properly pairing as S2 and falling back to S0?

If you want

1 Like

Yes, if all boxes are unchecked the device joins w/no security.

What @bcopeland said still applies:

"I’m not sure I came through clearly. The lack of prevention of S0 bootstrapping is a limitation of the current specifications imposed by Silicon Labs and Z-Wave Alliance on 700 series hubs, this was not a decision made by Hubitat."

Bryan would have to confirm (ah, I see he has) but my understanding is that an S0-only device has to join S0 to a C7. No option to deselect S0. If you have an S2-capable device that also supports S0, I believe that's the case when you can "uncheck everything" and not be forced to S0, since the device offers S2.

Every time I think about this stuff my brain hurts. :wink:

5 Likes

kk. guess I'm not understanding the issue with them then unless it's just why bother pairing a motion sensor with any security (just additional overhead).

Yeah, I'm not wrapping my head around it either. Is there a flowchart somewhere that explains how each pairing mode falls back to the next, etc.?

You are correct.. There are some who take security to the extreme and want everything included securely.. And if you are using the device for security purposes, you might want to.. I have never seen the need for automation purposes..

4 Likes

There aren't really "fall-backs" per se, as in if you do x, y happens.

S2 device on a C7:

  • Security dialog appears during pairing with the security options supported by that device pre-checked. You can then choose which security type you prefer from the pre-checked options. I.e., if S2 Unauthenticated isn't pre-checked, you can't use that.
  • You uncheck the options you don't want to use.
  • There are (currently) up to four security types that may be supported/pre-checked:
  • You could choose to use S0 but you'd be crazy as that's a noisy older standard that should be avoided. :slight_smile:


S0 Device on a C7:

  • No security dialog appears during pairing. The device joins S0, no way to change that in the C7 pairing flow for S0 devices.

That's pretty much it.

3 Likes
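
The pairing behaviour described in the post above, written out as an added example (not from the thread or from Hubitat), with an audit of the join choices the thread advises against. The class names are the standard Z-Wave security classes; `pairing_result`, `audit` and the sample inventory are hypothetical, and the "highest granted class is used" rule is an assumption labelled in the code.

```python
from enum import IntEnum

class Sec(IntEnum):
    NONE = 0
    S0 = 1
    S2_UNAUTHENTICATED = 2
    S2_AUTHENTICATED = 3
    S2_ACCESS_CONTROL = 4

S2 = {Sec.S2_UNAUTHENTICATED, Sec.S2_AUTHENTICATED, Sec.S2_ACCESS_CONTROL}

def pairing_result(supported, checked=None):
    """Return (dialog_shown, granted) for a device joining a C-7.

    supported: classes the device offers; checked: boxes left ticked
    (None means the pre-checked defaults were left untouched).
    """
    supported = set(supported) - {Sec.NONE}
    if not supported & S2:
        # S0-only device: no dialog, it joins S0 and that cannot be changed.
        # Assumption: a device offering no security class joins unsecured.
        return False, ({Sec.S0} if Sec.S0 in supported else {Sec.NONE})
    # S2-capable device: only classes the device supports are pre-checked,
    # so ticking anything else has no effect.
    granted = supported if checked is None else supported & set(checked)
    return True, (granted or {Sec.NONE})  # all boxes unchecked -> no security

def audit(inventory):
    """Flag joins the thread advises against."""
    findings = []
    for name, supported, checked, guards_access in inventory:
        _, granted = pairing_result(supported, checked)
        top = max(granted)  # assumption: the device uses its highest granted class
        if top == Sec.S0 and set(supported) & S2:
            findings.append((name, "joined S0 although S2 was offered"))
        elif guards_access and top == Sec.NONE:
            findings.append((name, "controls access but joined with no security"))
        elif guards_access and top in S2 and top != Sec.S2_ACCESS_CONTROL:
            findings.append((name, "controls access below S2 Access Control"))
    return findings

# Constructed inventory: (name, supported, checked, guards_access)
SAMPLE = [
    ("front door lock", {Sec.S0}, None, True),  # S0-only lock: accepted as-is
    ("garage switch", {Sec.S0, Sec.S2_AUTHENTICATED, Sec.S2_ACCESS_CONTROL},
     {Sec.S2_AUTHENTICATED}, True),
    ("motion sensor", {Sec.S0, Sec.S2_UNAUTHENTICATED}, set(), False),
    ("hall dimmer", {Sec.S0, Sec.S2_AUTHENTICATED}, {Sec.S0}, False),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```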

Word of warning.. If you ever use Ring devices they will get stupid if you change any check marks..

Ring devices are the only ones I have seen so far that refuse to use no security.

9 Likes

I like their devices too.. I replaced all my contact sensors with ring gen 2

2 Likes