Z-Wave S2?

The silence on this topic is deafening. But you can see places where the employees have dismissed secure pairing, so they are clearly uninterested. Hubitat will be left to the 2017-and-before Z-Wave devices only.

Can you provide references for this "S1" security and how Hubitat uses it? :rofl:

Even better, please do explain how a Z-Wave user has to do development work... for features built into the chips they use. I'm looking at the libraries, and there were zero changes for S2 support. It was entirely a firmware update.

Where are you coming up with these ideas?

I don't think that downplaying an active risk scenario is good for users who might have different needs or environments. Your risk is not their risk and vice versa.

So let's be clear for people reading this: Z-Wave uses a single network key for the entire network, and during pairing it communicates it with a shared key of all zeros. So if anyone is in RF range they can just passively wait until you pair a new device, reboot a device, replace a battery, or any other thing which causes the network key to be shared again, and then they'll have control of EVERYTHING. Your previously paired locks on your door for instance.

Each person should make their own choices about whether or not they trust everyone who can get within 30-40 meters of their devices. That's 100ft in every direction, unless you have cement or metal-lined walls (aka nobody with a house built in the last 50 years).

Edit: the post I'm replying back to isn't there any more, but the accusation was that I'm intentionally misleading people.

No, we're not misleading anyone. We just have a different opinion on how big of a deal (or not, in this case) that pairing key issue is.

And I'll ask you to keep your slanderous accusations to yourself in the future. You know neither my background nor my motives.

S2 devices are required by the spec to fall back for compatibility, so Hubitat isn't leaving any devices behind at this time. :roll_eyes:

We are moving forward with S2 implementation. It is non-trivial, and more than just a firmware change done at the chip level. We don't have a date yet for its availability.


Shouldn't be much longer, I wouldn't think, for the new 700 series chips to start rolling out. I would think that would be a good starting point... but I'm a noob.

Does "more than just a firmware change" imply that the hardware I currently have (Hubitat Elevation US) isn't going to be S2 capable? Because I specifically bought it with that intention after confirming that S2 was "mandatory" in current hardware when I made the purchase.

The fallback, of course, enables downgrade attacks like Z-Shave.

The Z-Shave authors talk about leaving a drop box in order to implement the attack without having to hang around waiting, but I got curious about the possibility of subverting an existing node to implement the attack instead, using the firmware update mechanism.

While the standard recommends that the user be expected to trigger a firmware upgrade by physically interacting with the device they want to upgrade, none of the instructions I could find actually require it, and they all seem to be able to initiate updates by radio without any physical interaction. I tried skimming over the specs but that seemed to imply that firmware updates and encryption were mutually exclusive (a packet sizing disparity) so I clearly wasn't understanding that.

Even so, it seems like if you can get control of the firmware of an unsecured device, or even an S0 device if you have the time, then you might be able to use that to launch downgrade attacks, and if you can do that then you own the whole network.

I mean... I don't know, but I've struggled to figure out how all this is prevented. Certainly a careful, downgrade-resistant S2 implementation seems like an important first step.

And it's not exactly fair to say that breaking a window is easier. Depending on what your motives are there can be a lot of value in entering a property without evidence of forced entry. Keeping an alarm silenced is the most obvious; making the authorities take it less seriously is a factor (does the homeowner even have evidence without anything being broken?); keeping the homeowner ignorant of what's been done; and in the worst possible case keeping the homeowner ignorant of the fact that someone is still in there waiting for them.

Everyone has to make their own risk assessments, but people are pretty bad at that even for themselves, let alone when it comes to considering how their designs affect more vulnerable people.

I could see this as a possible concern for those who live in houses very close to each other, or say apartments, but I have zero concern about anyone getting within around 100ft (the distance away from my farthest repeater to be within range of connecting to my devices' network) without me being alerted first (by my personal security measures) that someone is there.

The convention is to do it by drone. They tend to be a bit noisy, but they can usually stay out of view of cameras and motion sensors.

I have that area covered as well, but I spent a good bit of time beefing up my personal security measures. Not only that, but yes, for a drone to be within the RF range of my devices, it would be EXTREMELY noisy.

Not to sidetrack this conversation too much, but I guess all of us with locks on Hubitat that are Z-Wave have them paired with S0. A few of these locks come in Zigbee variants. Are there any facts to support a conclusion that ZHA 1.2 is (or isn't) safer than Z-Wave with S0 at the moment for applications like these? I can certainly imagine them being much easier to pair, but I'm not sure what other considerations there may be. :slight_smile: (And I guess looking forward: Zigbee 3.0 vs Z-Wave with S2, should Hubitat ever decide to support Zigbee 3.0--they seem less than enthusiastic about it due to increased difficulty in pairing, but I'm not sure what security that might add.)

You are making a claim that it's not a real security problem. Maybe you live in a place where nobody can get within 40 meters of your house, but you don't know that this is true of everyone you are speaking to. You are claiming it's secure, when I can p0wn most apartments sitting in the Starbucks a few floors below them.

You claim to be a security professional--I'm requesting that you act like one. Explain the context of your statements and the assumptions in them, rather than making vague broad statements that might lead an unknowing person to make a bad choice for their own situation.

It's not like you have to be a z-wave expert to do this. You can buy a stick for $25 and download a toolkit that will break into any Z-Wave network in range. My nephew told me that his college crew used hacking Z-wave as a class project, and got control of over 100 locks in 3 days of effort.


Drone hacking Z-Wave? Might make for a good movie. Reality? Go find a local coffee shop that university kids haunt and hang out there. You'll find them hacking the apartments above the shop for fun.


...or sitting in your own apartment/condo watching Z-wave from all the condos around you.

Let's be clear about this. I live on a half acre lot to myself, which is huge by San Jose standards. I have been told by planning that there are only 3 other such lots within 20 miles--every lot around me has 5 townhouses or 10+ apartments. Anyway, my house is centered on the lot, giving me maximum distance from my neighbors. And I can scan my Z-Wave traffic from my friend's place two properties away, just as he can scan mine. There are 64 wi-fi networks visible on my laptop.

To sum up what I'm trying to say: when SiLabs says the Z-Wave hacks are impractical, you have to realize they live in gated mansions up in the Los Gatos hills (seriously, they do :wink: ) and can't imagine how someone could get within 30 meters of their house. Which is patently untrue for everyone who doesn't live in a gated mansion up in the hills.

Yup. Further, the S0 network key is reshared every time a battery is replaced or power is restored to either the hub or the device. So if you live in PG&E land you can just wait with a battery powered device no more than 7-8 days and you can own any lock around.

Your statement is 100% correct if you replace "get control of the firmware" with "get within 30 meters". Your statement makes it sound hard, when it's downright trivial.

Hubs and devices which will refuse to pair without S2 security. That's it, nothing less. Remember that the network key is shared, even with S2, so a single S0 device on the network makes the entire network vulnerable.
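As an added example (not Hubitat's code and not from anyone in this thread), here is a controller-side inclusion policy in Python that models the two things asked for above: a downgrade-resistant S2 bootstrap that refuses an S0 fallback when the device earlier advertised S2, and an audit of an already-built network for nodes paired below policy. The per-role thresholds, the two-step "advertised vs requested" model of the key exchange, and the inventory are assumptions for illustration.

```python
from enum import IntEnum


class KeyClass(IntEnum):
    # Z-Wave security classes, ordered weakest to strongest
    NONE = 0
    S0 = 1
    S2_UNAUTHENTICATED = 2
    S2_AUTHENTICATED = 3
    S2_ACCESS_CONTROL = 4


# Policy: the weakest class a controller should grant per device role.
# Roles and thresholds are assumptions for this example, not a Z-Wave rule.
MIN_CLASS = {
    "lock": KeyClass.S2_ACCESS_CONTROL,
    "sensor": KeyClass.S2_UNAUTHENTICATED,
    "switch": KeyClass.NONE,
}


def choose_inclusion_class(role, advertised, requested, strict=True):
    """Decide which class to grant a joining node, or refuse it.

    advertised: classes the node claimed in its initial capability announcement.
    requested:  classes named in the later key-exchange step, the part a
                downgrade attack tampers with so the node looks S0-only.
    Returns (KeyClass or None, reason)."""
    best_adv = max(advertised, default=KeyClass.NONE)
    best_req = max(requested, default=KeyClass.NONE)
    if strict and best_req < best_adv:
        # Capabilities shrank between the two steps: treat it as a downgrade attempt.
        return None, f"downgrade: advertised {best_adv.name} but requested {best_req.name}"
    if best_req < MIN_CLASS[role]:
        return None, f"{best_req.name} is below the minimum ({MIN_CLASS[role].name}) for a {role}"
    return best_req, "granted"


def audit_network(nodes):
    """Flag already-included nodes sitting below the policy for their role.
    nodes: {name: (role, granted KeyClass)}. Returns [(name, granted, required)]."""
    return [(name, granted.name, MIN_CLASS[role].name)
            for name, (role, granted) in nodes.items()
            if granted < MIN_CLASS[role]]


if __name__ == "__main__":
    # Constructed inventory: a lock included with S0 before S2 support existed.
    inventory = {"front_door": ("lock", KeyClass.S0),
                 "hall_motion": ("sensor", KeyClass.S2_UNAUTHENTICATED)}
    print(audit_network(inventory))
    print(choose_inclusion_class("lock", {KeyClass.S0, KeyClass.S2_ACCESS_CONTROL}, {KeyClass.S0}))
```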

Bingo. Thanks for making the risks clear.

Exactly. People on this forum should not be making statements about the value of security; they should be providing clear information on the risks and letting people make their own choices. Downplaying the security risk without qualifications and clarity on your basis is harmful.


Why not both?

It comes down to what you're trying to achieve and where you're operating. A drone is a cheap way of covering a reasonable area quickly, looking for vulnerable homes or trying to infect as many devices as possible on a large campus, whereas doing that from your car might involve driving slowly or stopping and starting an awful lot, which likely gets a lot more attention than someone sitting in their car fiddling with their phone.

It is also a way of reaching sites that are too far from a public road, but that's a targeted attack.

Because I'm unaware of any Z-Wave hacks which can be done "quickly" unless you have foreknowledge of when a battery will be replaced or a power problem will happen. While Z-Wave is trivially easy to hack, it does require patiently waiting for one of the events which can be compromised.

So a movie plot to disrupt power to a property while flying a drone past... sure, plausible if you've got a multi-prong attack team :wink: . I don't categorize that as a likely risk. The guy who rents the low-cost apartment across the street who keeps getting busted for drug dealing... that's who I want to protect against. He can leave a laptop running the tools inside his apartment waiting.


I would feel the same if I had that kind of distance. Yet that's not a common situation in Silicon Valley, or any other metropolitan area.


What an excellent endorsement for "IF you truly care about 'security', do NOT live in densely populated areas."... No amount of money paid to me would entice me to live that close to someone else.

This doesn't require "gated mansions"; in fact it is common to have that distance away from your house for 95% of the land area of the USA... Because the 5% "choose" to live on top of each other... well, not every product is for everyone.

This is unacceptable in my opinion... you relying on the platform "for your security", when others provide their own by other means, shouldn't mean that you mandate your vision unto others who prefer a different avenue... AGAIN, not all platforms will satisfy ALL people. The subject being referenced here REQUIRES the physical presence of someone/some device within your RF range... If YOU are unable to provide your OWN security within that RF range, that is the fault of you alone.

I would counter that YOU giving people the false sense of security of relying solely on Z-Wave security is far more dangerous/harmful.

Fortunately, most worldwide companies do not cater their products to what works for "Silicon Valley", instead what works for the majority of the world.