BACpress: Up to 100 million Internet of Things devices could be at risk. Hackers may be able to remotely unlock your smart lock if it relies on the Z-Wave wireless protocol.
According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable to an attack that forces the current secure-pairing mechanism, known as S2, to an earlier version with known weaknesses, called S0.
The problem with S0 is that when two devices, like a controller and a smart lock, are pairing, it encrypts the key exchange using a hardcoded key ‘0000000000000000’. So, an attacker could capture traffic on the network and easily decrypt it to discover the key.
S2 fixed this problem by employing the Diffie-Hellman algorithm for securely sharing secret keys, but the downgrade removes that protection.
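To make the S0-versus-S2 difference concrete, here is a simplified model written for this article (not Z-Wave's real frame format or cipher): a passive observer recovers the transported network key whenever pairing falls back to a key every device already knows, and gets nothing when a Diffie-Hellman exchange protects it. The stream cipher, the toy DH group and the controller policy function are illustrative stand-ins.

```python
"""Illustrative model of S0 key transport vs. S2 Diffie-Hellman pairing.
Stand-ins, not Z-Wave internals: the 'cipher' is SHA-256 keystream XOR and
the DH modulus is a toy prime, so only the structure of the argument holds."""
import hashlib
import secrets

S0_HARDCODED_KEY = bytes(16)   # the all-zero key quoted in the article
P = (1 << 127) - 1             # toy DH modulus (illustration only)
G = 5                          # toy generator

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce)."""
    ks = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def s0_pairing(network_key: bytes) -> dict:
    """S0-style transport: the key is encrypted under a public constant."""
    nonce = secrets.token_bytes(8)
    return {"scheme": "S0", "nonce": nonce,
            "ciphertext": keystream_xor(S0_HARDCODED_KEY, nonce, network_key)}

def s2_pairing(network_key: bytes) -> dict:
    """S2-style: both sides derive a shared secret that never goes on air,
    then transport the network key under it."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P).to_bytes(16, "big")   # fits: P < 2**128
    nonce = secrets.token_bytes(8)
    return {"scheme": "S2", "A": pub_a, "B": pub_b, "nonce": nonce,
            "ciphertext": keystream_xor(shared, nonce, network_key)}

def pair(network_key: bytes, requested: str, allow_s0_fallback: bool):
    """Controller policy (hypothetical). A downgraded request ('S0') only
    succeeds when backwards-compatible fallback is enabled; else refuse."""
    if requested == "S2":
        return s2_pairing(network_key)
    if requested == "S0" and allow_s0_fallback:
        return s0_pairing(network_key)
    return None   # inclusion refused: nothing sent, nothing to capture

def eavesdropper_recovers_key(frames: dict):
    """Passive observer holding only the captured frames. Under S0 the only
    secret is the hardcoded key, which is public; under S2 recovering the
    shared secret would require solving the discrete log, so return None."""
    if frames["scheme"] == "S0":
        return keystream_xor(S0_HARDCODED_KEY, frames["nonce"], frames["ciphertext"])
    return None
```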
The researchers have posted a video demonstrating the downgrade attack — dubbed Z-Shave — on a Conexis L1 Smart Door Lock from lock manufacturer Yale. They note that an attacker within about 100 meters could, after forcing the downgrade, steal the keys to the smart lock.
Z-Wave chips are in 100 million smart gadgets, from lights to heating systems, but the risk is greater for things with security applications, such as locks.
Z-Wave company's defense of smart lock
Silicon Labs, the company behind Z-Wave, has responded to the research and insists the ability to downgrade to S0 is not a vulnerability but a feature designed to support backwards compatibility. Plus, it claims an attacker would have a very narrow window to capture the key.
“To force a reversion from S2 to S0 during installation is not easy. You would need advanced equipment in proximity to the home during the short installation process,” the firm notes.
“When installing a new device there is a very small window of time (milliseconds) to force the S2 to S0 reversion. The homeowner or professional installer will always be present during installation and is the only one who can initiate the inclusion process.”
But Pen Test Partners researcher Ken Munro told Forbes that the attack could be automated, meaning a thief could set up a tiny box near a home that listens for Z-Wave pairing rather than lying in wait for the perfect moment.
“It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.