Not to sidetrack this conversation too much, but I guess all of us with locks on Hubitat that are Z-Wave have them paired with S0. A few of these locks come in Zigbee variants. Are there any facts to support a conclusion that ZHA 1.2 is (or isn't) safer than Z-Wave with S0 at the moment for applications like these? I can certainly imagine them being much easier to pair, but I'm not sure what other considerations there may be. 
(And I guess looking forward: Zigbee 3.0 vs Z-Wave with S2, should Hubitat ever decide to support Zigbee 3.0--they seem less than enthusiastic about it due to increased difficulty in pairing, but I'm not sure what security that might add.)
You are making a claim that it's not a real security problem. Maybe you live in a place where nobody can get within 40 meters of your house, but you don't know that this is true of everyone you are speaking to. You are claiming it's secure, when I can p0wn most apartments sitting in the Starbucks a few floors below them.
You claim to be a security professional--I'm requesting that you act like one. Explain the context of your statements and the assumptions in them, rather making vague broad statements that might lead an unknowing person to make a bad choice for their own situation.
It's not like you have to be a z-wave expert to do this. You can buy a stick for $25 and download a toolkit that will break into any Z-Wave network in range. My nephew told me that his college crew used hacking Z-wave as a class project, and got control of over 100 locks in 3 days of effort.
2 Likes
Drone hacking Z-Wave? Might make for a good movie. Reality? Go find a local coffee shop that university kids haunt and hang out there. You'll find them hacking the apartments above the shop for fun.
1 Like
...or sitting in your own apartment/condo watching Z-wave from all the condos around you.
Let's be clear about this. I live on a half acre lot to myself, which is huge by San Jose standards. I have been told by planning there are only 3 other such lots within 20 miles--every lot around me has 5 townhouses or 10+ apartments. Anyway, my house is centered on the lot, giving me maximum distance from my neighbors. And I can scan my Zwave traffic from my friend two properties away, just as he can scan mine. There are 64 wi-fi networks visible on my laptop.
To sum up what I'm trying to say, is that when SiLabs says the z-wave hacks are impractical, you have to realize they live in gated mansions up in the Los Gatos hills (seriously, they do 
) and can't imagine how someone could get within 30 meters of their house. Which is patently untrue for everyone who doesn't live in a gated mansion up in the hills.
Yup. Further that the S0 network key is reshared every time a battery is replaced or power is restored to either the hub or the device. So if you live in PG&E land you can just wait with a battery powered device no more than 7-8 days and you can own any lock around.
Your statement is 100% correct if you replace "get control of the firmware" with "get within 30 meters". Your statement makes it sound hard, when it's downright trivial.
Hubs and devices which will refuse to pair without S2 security. That's it, nothing less. Remember that the network key is shared, even with S2, so a single S0 device on the network makes the entire network vulnerable.
Bingo. Thanks for making the risks clear.
Exactly. People on this forum should not being making statements about the value of security, they should be providing clear information on the risks and letting people make their own choices. Downplaying the security risk without qualifications and clarity on your basis is harmful.
1 Like
It comes down to what you're trying to achieve and where you're operating. A drone is a cheap way of covering a reasonable area quickly, looking for vulnerable homes or trying to infect as many devices as possible on a large campus, whereas doing that from your car might involve driving slowly or stopping and starting an awful lot which likely gets a lot more attention that someone sat in their car fiddling with their phone.
It is also a way of reaching sites that are too far from a public road, but that's a targeted attack.
Because I'm unaware of any Z-Wave hacks which can be done "quickly" unless you have foreknowledge of when a battery will be replaced or a power problem will happen. While Z-Wave is trivially easy to hack, it does require patiently waiting for one of the events which can be compromised.
So a movie plot to disrupt power to a property while flying a drone past... sure, plausible if you've got a multi-prong attack team . I don't categorize that as a likely risk. The guy who rents the low-cost apartment across the street who keeps getting busted for drug dealing... that's who I want to protect against. He can leave a laptop running the tools inside his apartment waiting.
1 Like
I would feel the same if I had that kind of distance. Yet that's not a common situation in Silicon Valley, or any other metropolitan area.
1 Like
What an excellent endorsement for "IF you truly care about 'security'" Do NOT live in densely populated areas......No amount of money paid to me would entice me to live that close to someone else.
This doesn't require "gated mansions" in fact is common to have that distance away from your house for 95% of the land area of the USA......Because the 5% "choose" to live on top of each other....well not every product is for everyone.
This is unacceptable in my opinion......you relying on the platform "for your security" when others provide their own with other means, shouldn't dictate that you mandate your vision unto others who prefer a different avenue.....AGAIN, not all platforms will satisfy ALL people. The subject being referenced here REQUIRES a physical presence of someone/device within your RF range......If YOU are unable to provide your OWN security within that RF range, is the fault of you alone.
I would counter that with YOU giving people the false sense of security of relying solely on the security of the Zwave security, is far more dangerous/harmful.
Fortunately, most worldwide companies do not cater their products to what works for "Silicon Valley", instead what works for the majority of the world.
Some of us have no choice. I also live in Silicon Valley (Grew up here) and have two grandchildren that I would not abandon. Both of my sons jobs and future are tied to this area. A five acre home with a gun tower would be my preference, but it's not to be.
Not always about money.
2 Likes
That's not an economically feasible choice for most people. I'm glad you're rich. I make very high wages, and could not afford to re-purchase my small half-acre lot.
You're confusing land space with people. 95, actually I think it's 98% of the US population lives in dense urban areas, and it's even worse in Europe and Asia where it's far past four 9s.
I never said mandate. That word would be MUST. I said WILL == "can be configured" And in case it's not clear, I'm not forcing my view on anyone. I'm expressly clearly the risks so that people can make their own choices. You're forcing your point of view on me, and not allowing me to make my own choices.
Apparently you are rich beyond imagination, and capable of dictating where jobs will be and how much you'll pay for property. I don't have control of any of those, and I don't know anyone else who does either.
I don't recall ever making an argument that Z-Wave is secure. I find your accusation unbelievable, and challenge you to prove it.
I've stated quite clearly in this forum that my locks currently only support s0, and that I have many neighbors I don't trust within range of my house. I don't rely on or trust Z-Wave security, and I think my statements have been very clear on this matter.
You are completely out of line with your accusation. It is baseless and without merit.
Yes, and the vast majority of the world lives in dense urban housing. In fact, the number of individuals with RF range control of their boundaries are insignificant both numerically and as a market segment. Not insignificant as people, just less than a rounding error in total market share.
1 Like
My whole point is that you may only need to find an unsecured device and install malicious firmware right away, and then use that device to do the sitting and waiting for you to mount an attack against S0 and S2 nodes when they're vulnerable.
While S0 is an option, it comes with a performance penalty and it's only recently become an option to force its use for devices that "don't need" security. Even then, I can't figure out how S0 actually protects firmware updates so I haven't been able to show that S0 is sufficient to prevent attacks from people who don't want to wait around. I was hoping somebody could answer that and then I wouldn't need to worry about it anymore.
I'm not rich, actually below the poverty line for income.....That AGAIN is the "Choice" YOU made choosing "very high wages, and can barely afford my small half-acre lot" OVER low wages and providing your own security..
I didn't say population nor was it implied, I'm not confusing anything please re-read.
That is NOT what you are referencing, Hubitat Staff has clearly stated they are "looking into this" You state the "silence is deafening"
because they have not currently implemented Your vision of
Are you in backwards land? You're "choice" is to go with a platform that DOES provide what you choose......YOU posting on here demanding "That's it, nothing else" is RESTRICTING choices who DON'T agree with "your" vision.
Apparently you've never ventured much outside of the "bubble" of silicon valley as there are LOTS of places that exist that middle income people live AND WORK that DON'T require you to live on top of one another......again YOUR CHOICE, YOUR DECISION.
The above quote clearly implies that "IF" this is implemented the "risks" are alleviated, which is completely false.
Factually incorrect, the USA has over 330 million people, "urban areas" make up about 50-75 million.
I'm very glad to hear that. Can you share any of the problems you're running into?
I've taken code bases that haven't changed in 4 years and run them successfully on S2-capable cards and they work just fine, so I'm honestly very interested in hearing what the challenges are.
Square footage of property doesn't buy Z-wave devices. People buy Z-Wave devices, so if 95% of the land has RF separation but the vast majority live close together it's not 95% of people.
Check the order. S2 was questioned on March 24th. Hubitat never responded. 2 months later I said the (two months of) silence was deafening. They responded AFTER that. So no, that wasn't me trying to force everyone else to do anything.
And asking them to offer S2 support is hardly forcing anyone else to use it.
Someone asked how a specific vulnerability could be stopped, and I gave him the answer chosen and promoted by both the Z-Wave alliance and numerous security organizations. That a specific attack can only be stopped by the security changes specifically designed to stop that attack... is not forcing anything on anyone.
You should quote the question that was in reply to. I had a specific technical reply to a specific question. You can't grab phrases out of context and then claim I'm saying something I'm not.
And if you say that S2 doesn't solve that problem, shouldn't you address this with the SiLabs and the Z-Wave alliance members? Or what are you trying to say here? I really have no clue.
According to the Cencus it's more than 250 million Our Changing Landscape
If you're going to claim my facts are wrong, you need to show yours.
1 Like
100% False
False again.....The Same claim was made for S0 technology, when that turned out false came the S2 technology, now that is turning out false by upgrades implemented in the 700 series chips. NONE of this is "actual security" it's only patches for problems discovered.
I just did with the above statement.
I'll even use YOUR own source.... Search Results
Your "chart" classify's any area of 50k people as "urban" at which makes up 486 "urban" areas.....therefore small little Joplin, Mo, is classified the same when counted as Los Angeles....
This is now completely off topic. Time for a break guys. 
8 Likes
