A recent paper presented at Black Hat USA that demonstrated a Z-Wave door lock being hacked and unlocked remotely has been causing a lot of turmoil in the security and home automation world. Does this mean Z-Wave door locks are no longer secure? Absolutely not! Let's ignore the sensationalized panic being spread by certain security "experts" for a minute and take a look at what this paper actually uncovered.
If you haven't read the paper you can read it here. Of course, a security vulnerability is a bad thing, never a good thing. So why then is this discovery not as big a deal as some are making it out to be?
- The researchers discovered that a single, unnamed Z-Wave door lock manufacturer has a bug in their implementation of the Z-Wave secure node association protocol that could allow a hacker within Z-Wave range of the network to reset the lock's user codes and unlock the door from outside. They did not find a vulnerability in the Z-Wave AES security protocol, just a bug in one manufacturer's code. A simple firmware or chip update from that manufacturer would fix it.
- The paper states that the manufacturer has already taken steps to fix the issue and that additional test cases have already been added to the Z-Wave certification test suite to prevent this from happening in the future. That seems like a pretty good response to me.
- The paper states that "The home residents or building manager will not be alerted about the intrusion." but fails to take into consideration that these devices are usually used in conjunction with security alarms. Even if you happen to have one of these vulnerable locks produced by this one manufacturer, and a sophisticated hacker decided to come to your house and put forth the time and effort to hack it and unlock your door, your security alarm would still detect the intrusion. If your alarm was armed then it would go off and dispatch the police. Even if it wasn't armed, the door opening would chime and alert you that someone had opened the door.
- The sensationalists making this out to be a bigger deal than it is fail to compare the difficulty and likelihood of a Z-Wave door lock being hacked to the difficulty and likelihood of the lock being picked or drilled out, the frame being kicked in, or a physical key being stolen or copied. Residential door locks were never meant to secure Fort Knox. They were meant to secure a typical home with typical security requirements. There are far easier ways to break in than hacking Z-Wave. Let's not hold the manufacturers to impossible expectations and throw the baby out with the bathwater over a single company's mistake. They're developing products that improve the way we live.
Is it true that adding wireless, electronic access to door locks increases the risk of vulnerabilities? Of course! However, the additional risk we assume by using this technology buys us a security increase in other ways.
- Electronic locks remove or reduce keys from the equation. The inappropriate use of physical keys has long been a huge security risk. People lose keys, copy keys, share keys with family, friends, neighbors, etc. The only way to revoke access after you have trusted someone with a physical key is to re-key the lock! With the electronic lock you can just remove a user code.
- These locks and their associated control systems can improve your ability to make sure you keep your doors locked by automatically locking themselves, reminding you to lock them and by allowing you to lock them remotely in case you forget to lock them when you leave.
Z-Wave smart-home locks also provide added convenience, as is usually the point of smart home automation.
Don't just jump on the bandwagon and panic like so many others are doing. Think it through and weigh the pros and cons. Connecting to the Internet added risk to our security, and 20 years ago some were hesitant to do it, but eventually we all did, and the benefits have far outweighed the risks. When we find vulnerabilities in Internet devices we fix them and move on. We don't throw away all the good it brings because we're afraid of a vulnerability here and there. Likewise, the benefits of home control systems and smart locks far outweigh the risk that this one problem poses. Let the manufacturer fix it and move on.
The researchers who did this work and made this discovery have been very honest, responsible and professional. I have the utmost respect for this type of work, having done my graduate work and thesis at Ohio State University on wireless ad-hoc and mesh networks similar to Z-Wave. I find their work fascinating, impressive and noteworthy. It's the bloggers and writers who make a living trying to turn every little story into the scoop of the year that are blowing this out of proportion and instilling fear in the minds of gadget-loving homeowners like myself that I find annoying and disingenuous.
Stop by my place some time and I'll buzz you in with a Yale Z-Wave lock via Alarm.com.
Update: suretyCAM recommends and sells Yale Real Living Z-Wave locks. While we don't know which manufacturer's lock has the vulnerability, we know it's not Yale. Yale has issued the following statement about this story:
Yale Locks & Hardware was recently notified of a potential security breach in Z-Wave firmware used by some lock manufacturers that could interfere with the security of locks using that firmware.
A recent communication from Sigma Designs* to our company stated the following: “Recently, in an effort to demonstrate their value for security applications, an audit was performed by Sensepost, ostensibly to see if they could break through the security system. Using techniques that are far more sophisticated than consumers or common thieves would possess, they were able to modify a door-lock key that would enable them to control the lock’s operation.” Sigma Designs did not name the specific lock manufacturer in the letter. Sigma Designs owns the intellectual property and is one of two chip makers for the Z-Wave home control technology.
To ensure the safety of our customers and maintain the integrity of our Yale Real Living locks, Yale immediately pursued a course of lock firmware review and testing to explore any possibility of a security breach in our locks.
Yale Locks & Hardware is pleased to inform our customers that our Yale Real Living family of locks are NOT subject to this potential security breach. The Yale Real Living lock firmware review and testing was completed by our internal engineers as well as by an independent third-party using the test protocol provided by Sigma Designs.