How Hackers Contributed to the Z-Wave Security Framework

Smart home security is something like a cheap horror movie plot. There’s a vexing possibility that something could go horribly wrong at any moment, but also the sense that the protagonists are making matters all too easy for the bad guys.

Of all the smart-home attack scenarios that are the most unsettling, the idea of a hacker strolling into your house after unlocking a smart lock or shutting off a home-security system stands out. “If you are the owner of a smart home, you worry about the hacker in the yard that can sniff out commands to your IoT devices and break in easily,” says Raoul Wijgergangs, vice president, IoT, at Sigma Designs’ Z-Wave business unit.

At the 2013 Black Hat conference session titled “Honey, I'm Home!,” security experts Behrang Fouladi and Sahand Ghanoun explained how they could, in theory, make that nightmare scenario a reality. In the session, they detailed how they could hack into Z-Wave smart locks and motion sensors. Wijgergangs stresses that no production-level Z-Wave device has been hacked, stating that the Black Hat hackers were working on prototype devices with key-exchange problems.

In any event, Sigma Designs and the Z-Wave Alliance ultimately decided to enlist the help of Fouladi and Ghanoun to help secure its wireless communications protocol. “We said: ‘These guys know what they are talking about in terms of security. Let’s embrace their work and the hacker community at large and have them help us create a new security platform,” Wijgergangs says.

The resulting Security 2 (S2) security framework, however, is designed to do more than prevent hackers from breaking into houses. Security officials at big organizations are often more concerned about cloud-based attacks. “Let’s say somebody is sitting in a cloud portal who can switch on 1 million air conditioners at the same time at the same location,” Wijgergangs says. “You could suddenly have a power outage on your hands.”

To address cloud-based risks, the Z-Wave team implemented security best practices from the banking industry. “We have taken those building blocks and used them to carry Z-Wave communication from a gateway to a system in the cloud.”

Another risk that the Z-Wave Alliance sought to address was the uneven focus on security across its customer base. “Makers of smart locks, for instance, are usually pretty careful in securing their products, but someone who makes a smart light might think, ‘Well, who cares if someone hacks it and flicks a light on or off,’” Wijgergangs says. “But if a hacker switches a lamp on and off 10 times and nobody responds, that person can infer that nobody is at home.”

To ensure a basic level of security across its customer base, the Z-Wave Alliance decided to require that all of its new certified products meet the S2 security standards. “Companies that want to build a product based on an older software library or older chip can’t do that any longer,” Wijgergangs explains. “They are all being pushed to the latest chip and protocol and are being forced to send data securely.”

The main lesson Wijgergangs draws from the experience of creating the S2 framework is that security is a team sport, requiring all of the parties involved to collaborate—whether they are security professionals, product designers, or hackers. “I am the first one to admit that without those experts from the hacking community and the security community, there is no way we would have come up with a platform that is as comprehensive or as secure.”

In a similar vein, the group decided to make the specs behind the S2 framework public. “You can see how it works, but that doesn’t mean that you can break into it,” Wijgergangs says. “We wanted to send a message to hackers that we think this is the best IoT security in the world,” he continues. “And if you find something that wasn’t addressed in our specification, then we would love for you to point it out to us so we can make it even more secure.”