With the advent of the Internet of Things, Z-Wave has become one of the major communication protocols for home automation systems. Z-Wave devices have to satisfy end-user convenience and are therefore designed to be plug-and-play. In addition, strong market competition leads to short development cycles, which push security requirements aside.
The Z-Wave+ standard (5th generation), which adds stronger security including encryption, has only recently been adopted. However, many already-deployed Z-Wave devices do not support this new version. Furthermore, Z-Wave+ devices have to remain backward compatible and therefore support both a secure and an insecure mode. Since users are primarily looking for functionality and treat devices as plug-and-play, the documentation is overlooked; the coexistence of two modes invites misunderstandings, and the secure mode is usually disabled by default to ease installation.
What we call the insecure mode is a security model that relies solely on the uniqueness of the controller's HomeID (the network identifier), which supposedly cannot be altered on official equipment. However, with dedicated equipment (a Software-Defined Radio), attackers can bypass this limitation (Black Hat 2014, Picod et al.). The cost of such equipment and the difficulty of using it restrict the threat to expert attackers. Now imagine that a simple off-the-shelf device can be used for the same purpose by any ill-intentioned person, from an unpleasant neighbor to a common thief gaining access to the home.
In this talk, we will show that a full network can be taken over using only an official, cheap, mainstream device. We rely on a standard feature of Z-Wave (auto-discovery) and on an additional feature of an official controller (backup/restore). Both are legitimate, but combined they make it possible to build a universal controller by pre-filling every device identifier in advance, without any passive listening. As a result, every device on the network can be controlled, and if the user adds a new one, it is automatically controlled by our controller as well.