Z-wave security

Posted: 20 Aug 2014 01:43
by mfreeman451
Does anyone know how the z-wave controller and z-wave devices authenticate/handshake with each other? I'm wondering if it is possible for a rogue controller to try and spoof a known good controller and takeover communication with endpoints.

Re: Z-wave security

Posted: 20 Aug 2014 05:01
by pofs
Normally devices distinguish each other by Home ID (4 bytes) and Node ID (1 byte).
So if you're able to sniff someone's wireless traffic (and for that you need to be very close to that someone's home, because the signal is weak), and then make a custom firmware for your stick to fake the Home ID and Node ID, you'll be able to send unsecure commands to devices in the network as if you're the genuine controller.

For secure commands, packets are also encrypted, so (unless you were able to sniff the moment when the secure device is initially included into the network), you won't be able to send anything without the valid key.

Of course, there are a few faulty devices exposing critical commands (like door lock open) insecurely, or misusing the SDK, but that is an exception rather than a rule :)
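The two weaknesses pofs describes above, a foreign Home ID/Node ID pair impersonating the controller and a critical command class sent outside Security encapsulation, are both visible to a passive monitor on the network's own side. The following is an added example (not code from this thread, Z-Wave.Me or the Z-Wave SDK) that parses captured frames and flags both conditions. The frame layout, the XOR checksum, the Security (0x98/0x81) and Door Lock (0x62/0x01) identifiers and all sample frames are assumptions constructed for the example.

```python
"""Audit captured Z-Wave frames for a foreign Home ID and for critical
commands sent in plaintext (outside Security encapsulation).

Frame layout assumed here (simplified classic Z-Wave MAC frame, an
assumption, not taken from the thread):
  Home ID (4) | Src Node ID (1) | Frame Control (2) | Length (1) |
  Dst Node ID (1) | payload: command class, command, args... | FCS (1)
Length is assumed to count the whole frame; FCS is assumed to be the
XOR of all preceding bytes seeded with 0xFF.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Command class / command identifiers (assumed values for the example).
COMMAND_CLASS_SECURITY = 0x98
SECURITY_MESSAGE_ENCAPSULATION = 0x81
COMMAND_CLASS_DOOR_LOCK = 0x62
DOOR_LOCK_OPERATION_SET = 0x01

# Command classes a defender expects to see only inside Security
# encapsulation (policy choice for this example).
MUST_BE_SECURE = {COMMAND_CLASS_DOOR_LOCK}


@dataclass
class Frame:
    home_id: bytes
    src: int
    dst: int
    command_class: int
    command: int
    args: bytes


def checksum(body: bytes) -> int:
    """Assumed FCS: XOR of all bytes, seeded with 0xFF."""
    fcs = 0xFF
    for b in body:
        fcs ^= b
    return fcs


def build_frame(home_id: bytes, src: int, dst: int, payload: bytes) -> bytes:
    """Construct a sample frame (used only to build test input)."""
    length = 4 + 1 + 2 + 1 + 1 + len(payload) + 1
    body = home_id + bytes([src, 0x41, 0x01, length, dst]) + payload
    return body + bytes([checksum(body)])


def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into its fields, rejecting malformed input."""
    if len(raw) < 10:
        raise ValueError("frame too short")
    if raw[7] != len(raw):
        raise ValueError("length field mismatch")
    if checksum(raw[:-1]) != raw[-1]:
        raise ValueError("bad checksum")
    payload = raw[9:-1]
    if len(payload) < 2:
        raise ValueError("payload missing command class/command")
    return Frame(raw[0:4], raw[4], raw[8], payload[0], payload[1], bytes(payload[2:]))


def audit(frames: Iterable[bytes], known_home_id: bytes) -> List[Tuple[str, int, str]]:
    """Return (finding, source node, detail) for each suspicious frame."""
    findings = []
    for raw in frames:
        f = parse_frame(raw)
        # A Home ID other than our own claiming to address our nodes.
        if f.home_id != known_home_id:
            findings.append(("foreign-home-id", f.src, f.home_id.hex()))
            continue
        # Encrypted payload: inner command is not inspectable without the key.
        if (f.command_class, f.command) == (COMMAND_CLASS_SECURITY,
                                            SECURITY_MESSAGE_ENCAPSULATION):
            continue
        if f.command_class in MUST_BE_SECURE:
            findings.append(("plaintext-critical-command", f.src,
                             f"{f.command_class:02x}/{f.command:02x}"))
    return findings


def demo() -> List[Tuple[str, int, str]]:
    """Run the audit over constructed sample traffic."""
    home = bytes.fromhex("c0ffee01")      # constructed Home ID of our network
    foreign = bytes.fromhex("deadbeef")   # constructed Home ID of another stick
    frames = [
        # Controller (node 1) to lock (node 5), Door Lock Set inside Security
        # encapsulation; the inner bytes are placeholder ciphertext.
        build_frame(home, 1, 5, bytes([COMMAND_CLASS_SECURITY,
                                       SECURITY_MESSAGE_ENCAPSULATION]) + bytes(10)),
        # Same command sent in plaintext: the faulty-device case.
        build_frame(home, 1, 5, bytes([COMMAND_CLASS_DOOR_LOCK,
                                       DOOR_LOCK_OPERATION_SET, 0xFF])),
        # Another Home ID reusing Node ID 1 to look like our controller.
        build_frame(foreign, 1, 5, bytes([COMMAND_CLASS_DOOR_LOCK,
                                          DOOR_LOCK_OPERATION_SET, 0xFF])),
        # Ordinary unsecured Basic Set (0x20, assumed id) to node 7: expected.
        build_frame(home, 1, 7, bytes([0x20, 0x01, 0xFF])),
    ]
    return audit(frames, home)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The audit deliberately does not try to look inside encrypted frames; it only records that a command class the operator considers critical appeared outside the Security wrapper, which is exactly the "faulty device" behaviour described in the post, and that frames carrying a Home ID other than the network's own were observed.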

Re: Z-wave security

Posted: 18 Nov 2014 00:44
by LoganSix
pofs wrote: Of course, there are a few faulty devices exposing critical commands (like door lock open) insecurely, or misusing the SDK, but that is an exception rather than a rule :)
Is that easy to figure out? Which ones are faulty?


Good information about the security, it was one of the questions I had as well. I just started looking into z-wave and probably won't get around to getting a Razberry setup until the December time frame. I already have a Raspberry Pi, just need to get the daughter chip. Anyway, I was curious as to how the devices knew which controller to talk to (ie an alarm system or the Razberry).

From some quick reading, it seems as if a new Z-wave device, when connected to the home, will take the Home Id at that time. I guess there is a way to erase the Home Id from a device, if you were to move it to a new house. If you have access to the primary controller (alarm system), then I guess you could use that id on the Razberry somehow to make that a secondary controller to do other things that the primary controller can't.

Re: Z-wave security

Posted: 18 Nov 2014 00:55
by pofs
LoganSix wrote: Is that easy to figure out? Which ones are faulty?
That's what Z-Wave certification is made for :) The Z-Wave+ standard is even more strict on that (it even checks security timing, so a device can only negotiate security in a 10-second timeframe after inclusion).
I don't remember exactly which one was at fault, but I believe it is already fixed.
LoganSix wrote: I guess there is a way to erase the Home Id from a device, if you were to move it to a new house.
Some devices have a reset button, but most of them don't. The Home Id is erased from the device when you exclude it from the controller side. The thing is, a device can be excluded by any controller, not necessarily from the same network. Then you can re-include it into another network.