Home Automation Domotica Forum Europe, Bwired Forum

also

http://www.theregister.co.uk/2013/08/13 ... ith_zwave/

I guess you can call this a big "Oops..."

If this is true...
Your theft insurance has become useless - the only other thing you can do is to quickly disable all your secure Z-Wave devices.
I'm curious about how quick this bug can & will be fixed, cause I wouldn't sleep that well anymore with such a hackable security device on my front door.

Just keep it (Z-Wave) at switching lights and monitoring stuff for the time being, that's what I would do - until the problem has been taken care of or proven to be not true.

Don't think it is all devices but it would be nice to know.

Nice to know...
I hope you're right that it doesn't affect all devices, for all those users using Z-Wave security devices.
I'm mostly thinking about the majority of those users, they won't even know about this yet. Maybe they'll never hear or read about it.
But until then, for those who do know, the best thing to do is to act on the worst case scenario - any way, that's what I would advise to do.

Damn, and then u think those expensive devices are safe

Scary article but anything can be hacked i would say, so why should Zwave be more secure then a ordinarry lock with key.

The problem is that, if the story told is true, it's less secure than an ordinary lock.
Because it can be opened by anyone, with a mouse click.

Hi Jompa,

Totally agree this is not a massive issue. My interest was around the possibility of using the code and generic device or even cheaper one to debug the z wave network.

The protocol is not the central issue but poor implementation by some unnamed vendors. The testers found 1 lock and 1 movement sensor that had a poor implementation. So we can cross some manufacturers straight of the list of suspects.

The report also points out that there is a single shared secret for initial setup. Can't see an easy way around this for an interoperable standard where all devices should talk at setup and some of the devices have no UI so no way for a secret entry. So there is a tiny risk when your controller is in add mode.

The devices in question failed to validate the message exchange after setup as they should under the standard. One in a simplistic way so just record and resend. The other actually allowed the attacker to change the key used to decrypt the message that after setup should not have been possible other than from the connected controller.

IMO in the real world this is a bit far fetched that anyone would go to the effort of doing this rather than kicking a door in or smashing a window. As most of us have cameras and alarm systems we are not the easiest target group anyway.

BR,

robmac

This! This is exactly the reason why I've never made the leap to having an electronic, remotely controllable door lock! A Z-Wave security system inside the home, sure - people who are going to break into my home aren't so sophisticated that they'd be able to identify the system, disable it, and break in - much easier for them to get into the neighbours homes and turn their places over. But having the primary entrance to my house as a node on the internet or a wireless node? That's just asking for some 14 year old (and worse) to break in IMO.