MILLIONS OF IOT DEVICES VULNERABLE TO Z-WAVE DOWNGRADE ATTACKS, RESEARCHERS CLAIM
May 27, 2018
Seid Yassin (557 articles)
Share

MILLIONS OF IOT DEVICES VULNERABLE TO Z-WAVE DOWNGRADE ATTACKS, RESEARCHERS CLAIM

The popular home automation protocol Z-Wave, used by millions of IoT devices, is vulnerable to a downgrade attack that could allow an adversary to take control of targeted devices, according to researchers.

Z-Wave is a wireless protocol used by 2,400 vendors; its wireless chipsets are embedded in an estimated 100 million smart devices ranging from door locks, lighting, heating systems and home alarms, according to Pen Test Partners, who released a report on the vulnerability on Wednesday.

According researchers, today’s Z-Wave systems are configured to support a “strong” S2 Z-Wave pairing security process. However, a proof-of-concept (PoC) attack demonstrates how a hacker could downgrade the higher S2 standard to a weaker S0 pairing standard, which allows an adversary to steal an encryption key and expose a device to compromise.

The PoC attack involved a hacker within RF range at the time a controller pairs with the IoT device.

“Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices,” researchers explained.

A nearly identical pairing issue was identified by researchers at SensePost in 2013 (PDF), prompting Z-Wave owner at the time Sigma Designs to develop the new pairing process S2. The problem with the old mechanism was “the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range,” researchers said.

But since the introduction of S2, a similar attack scenario has been devised by Pen Test Partners. “We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements,” researchers said.

Readmore
Source | threatpost