Author Topic: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems  (Read 55416 times)

garrettwp
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #45 on: August 14, 2013, 10:56:09 pm »
Yup, the quotes are great. I always go by, if it's powered on and connected, it's vulnerable.

- Garrett


redwood
« Reply #46 on: August 15, 2013, 05:43:37 am »
The research paper and Z-Force tool that we presented at the BlackHat 2013 USA conference are now online:

http://research.sensepost.com/conferences/2013/bh_zwave
http://research.sensepost.com/tools/embedded/zforce

oTi@
« Reply #47 on: August 15, 2013, 08:02:31 am »
Very cool. 8)

Looks like the U.K. researchers supplied firmware for the Z-Force tool on the EU frequency (for now).
Dezwaved at the moment...

Z-Waver
« Reply #48 on: August 15, 2013, 08:36:33 am »
@Redwood - Excellent work! I was mildly disappointed to not see disclosure of which lock/manufacturer you attacked. I sincerely hope that this is due to you continuing to work with and pressure Sigma and the manufacturer involved. I hope that it is device specific, but I suspect that manufacturers aren't doing their own development and are relying on Sigma, so the problem may be pervasive.

In any case, the release of the Z-Force tool now makes it trivial to play with/against unencrypted devices, such as my previously described garage door, activated using standard relay switches. It behooves the user to consider the risks to every device that they connect and to be very careful to avoid "risky" installations. Unintended activation of a light may not be a risk, but I know that some people are connecting loads that really should only be operated manually, when under user observation. With the availability of Z-Force, these installations just became potentially very dangerous.

I hope that this encryption vulnerability is limited and is addressed quickly, but it is my further hope that Z-Wave device manufacturers will shift to using encryption for all devices. If not, Z-Wave is doomed.

redwood
« Reply #49 on: August 15, 2013, 10:03:39 am »
Thanks @Z-Waver. As you may have noticed, the public version of the Z-Force tool does not include the door lock module in order to prevent possible misuse. Due to time and resource constraints we were not able to test all available Z-Wave door locks. However, Sigma Designs has told us that they have tested all the certified Z-Wave door locks for the key reset vulnerability and only a limited number of door locks from a single manufacturer were vulnerable to this attack.

SOlivas
« Reply #50 on: August 15, 2013, 08:24:42 pm »
Quote from: redwood
Thanks @Z-Waver. As you may have noticed, the public version of the Z-Force tool does not include the door lock module in order to prevent possible misuse. Due to time and resource constraints we were not able to test all available Z-Wave door locks. However, Sigma Designs has told us that they have tested all the certified Z-Wave door locks for the key reset vulnerability and only a limited number of door locks from a single manufacturer were vulnerable to this attack.

Hmm, I hope we can find out so we can upgrade the firmware on the locks (if possible).  I wonder what vendor took a shortcut on their implementation?

Then again, if we do find out and people don't fix their locks, well......



Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor

redwood
« Reply #51 on: August 18, 2013, 04:50:10 am »
Quote from: oTi@
Very cool. 8)

Looks like the U.K. researchers supplied firmware for the Z-Force tool on the EU frequency (for now).

The current Z-Force firmware only supports the EU freq. We would add US freq support in the mid-September release.

SOlivas
« Reply #52 on: August 31, 2013, 02:06:04 am »
Awesome!  I'm looking forward to this update.
Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor

robertloll1
« Reply #53 on: November 02, 2013, 05:36:58 am »
I have seen video of Behrang Fouladi hacking a Taiwan-made Z-Wave door lock sold in the EU market. Very impressive and a little frightening. I won't name the manufacturer, but to my knowledge, the door lock is not sold in the US. It was not a Yale door lock as I have seen speculated.

benr
« Reply #54 on: November 13, 2013, 11:55:49 pm »
Wow, and I was about to buy the 2gig garage door opener too. Not now. Just going to stick to sensors and switches.

HouseBot
« Reply #55 on: November 14, 2013, 08:14:09 am »
Is this bug in all Z-Wave devices or only in this specific door lock? I thought you always have to press the include button (as a maniac) before you can include any device, but it appears in the video that he does not need to press the include button on this specific door lock.

oTi@
« Reply #56 on: November 14, 2013, 08:33:55 am »
My understanding is this is specific to the firmware in this door lock, not a generic issue. But you'd have to test all door locks, to find if other manufacturers made similar mistakes.

I think the key is that the door lock is still included, but the controller can renegotiate a new key. The door lock shouldn't allow this, if a key was previously established, i.e. the door lock has not been previously excluded.
Dezwaved at the moment...
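
Added example (not part of the thread, and not code from any lock vendor or the Z-Wave SDK): a simplified C model of the check described in the reply above, where a lock that is still included refuses a new key once one has been established. All type and function names are hypothetical, and the key bytes are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16

typedef struct {
    bool    included;         /* node currently belongs to a network */
    bool    key_established;  /* a network key was already accepted */
    uint8_t key[KEY_LEN];
} lock_state;

/* Inclusion starts a fresh pairing: no key yet. */
void lock_include(lock_state *s) {
    s->included = true;
    s->key_established = false;
    memset(s->key, 0, KEY_LEN);
}

/* Exclusion wipes the key; only a deliberate re-inclusion permits a new one. */
void lock_exclude(lock_state *s) { memset(s, 0, sizeof *s); }

/* Flawed handler: accepts a key-set message even when a key already exists. */
bool key_set_flawed(lock_state *s, const uint8_t new_key[KEY_LEN]) {
    if (!s->included) return false;
    memcpy(s->key, new_key, KEY_LEN);
    s->key_established = true;
    return true;
}

/* Checked handler: refuses a key-set once a key has been established. */
bool key_set_checked(lock_state *s, const uint8_t new_key[KEY_LEN]) {
    if (!s->included || s->key_established) return false;
    memcpy(s->key, new_key, KEY_LEN);
    s->key_established = true;
    return true;
}

/* Sends two key-set messages to an included lock; true if the second won. */
bool second_key_replaces_first(bool (*key_set)(lock_state *, const uint8_t *)) {
    lock_state s;
    uint8_t first[KEY_LEN], second[KEY_LEN];
    memset(first, 0x11, KEY_LEN);   /* constructed sample keys */
    memset(second, 0x22, KEY_LEN);
    lock_include(&s);
    key_set(&s, first);
    key_set(&s, second);            /* arrives while the lock is still included */
    return memcmp(s.key, second, KEY_LEN) == 0;
}
```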

robertloll1
« Reply #57 on: November 16, 2013, 12:43:24 am »
The Fouladi hack seemed wholly unique to the particular door lock.  I believe that he exploited a particularly poor implementation of the Z-Wave protocol by the EU lock manufacturer.  I would not worry about US lock manufacturers.  I have two Schlage Z-Wave locks.  However, for interesting reading take a look at the research paper presented at the BlackHat 2013 USA conference:

http://research.sensepost.com/conferences/2013/bh_zwave
http://research.sensepost.com/tools/embedded/zforce

cjshim
« Reply #58 on: September 09, 2015, 01:44:47 pm »
A very simple solution would be to rent a web server or get a free web page, then simply have Blue Iris FTP cam pictures to it every 30 (or how often you like) seconds. Keep all the ports on your home system closed, secure the web server you are renting with a user name and password or HTTPS, and just view the cam pics there.