ZWave vulnerable to remote attacks


DavidG

Posted

A researcher is warning users of the extensible Z-Way controller project that a weakness built into the software could inherently expose it to attacks.

 

Z-Way is the controller and abstraction layer of software that handles Z-Wave, a standard for wireless communication between devices in smart homes.  The standard is present in 35 million devices worldwide, including automated lighting, small appliances, and thermostats.

 

The protocol transmits input from Z-Wave into an API. That API goes on to feed into web interfaces dealing with the protocol and the Z-Way app, on Android and iOS, according to Randy Westergren, a researcher with XDA Developers who discovered and discussed the weakness in a personal blog post over the weekend.

 

Read more at the link below.

https://threatpost.com/home-automation-protocol-z-way-vulnerable-to-remote-attacks/112720

 

Posted

David

 

Thanks for the heads up. Per Gary's comment, we want to be careful on clarifying the difference between *zway* and zwave. I'm reading it like Gary, that it's an exposure with Zway's api, and not basic Zwave technology.

 

I don't use zwave on my ISY, but if I did, this would not alarm me for ISY managed zwave control. It only would if I had somehow integrated zway into the mix.

 

The title / subject of this thread should be updated to say zway, and not zwave, it's misleading.

 

Paul

 

Posted

That is NOT a Z-Wave vulnerability. It's a problem with the Z-Way API.

This...

 

Not an issue for ISY. Automate on....

Posted

Did not mean to suggest it was a problem with the ISY.  That's why I posted the snippet of the article.  I think it's always good to know what others have screwed up to avoid it and be informed.

Posted

Did mean to suggest it was a problem with the ISY. That's why I posted the snippet of the article. I think it's always good to know what others have screwed up to avoid it and be informed.

We all appreciate the article but your title is very misleading.
  • 2 weeks later...
Posted

Zway or Zwave doesn't matter. People have hacked the pentagon. Anything is vulnerable to the right person. The avg. person wouldn't be able to hack my system. Take common sense precautions and have good insurance. I'm not going to lose sleep over these reports. At the end of the day, someone's boot would be more effective at breaking in my house than hacking my system to open the door. 

Posted

Zway or Zwave doesn't matter. People have hacked the pentagon. Anything is vulnerable to the right person. The avg. person wouldn't be able to hack my system. Take common sense precautions and have good insurance. I'm not going to lose sleep over these reports. At the end of the day, someone's boot would be more effective at breaking in my house than hacking my system to open the door.

It does matter and there is a huge difference in the two.
Posted

Hello everyone,

 

That's the very reason that we - unlike others - included the Z-Wave Secure Devices menu item basically not allowing ISY's secure devices (such as door locks) to be included into any other Z-Wave network. 

 

With kind regards,

Michel

Posted

It does matter and there is a huge difference in the two.

My comment was in reference to anything can be hacked. If people are able to hack into the most secure things in this country anything can be hacked. It wasn't in reference to the differences between the two.

Posted

My comment was in reference to anything can be hacked. If people are able to hack into the most secure things in this country anything can be hacked. It wasn't in reference to the differences between the two.

If it's secure it can't be hacked. The truth is, the systems that have been hacked are not secure. Almost all have very weak passwords and direct links to open IP.

 

Z-Wave has a lot of security built into the protocol. Z-Way has no security built in which is how it got hacked.

Posted

If it's secure it can't be hacked. The truth is, the systems that have been hacked are not secure. Almost all have very weak passwords and direct links to open IP.

 

Z-Wave has a lot of security built into the protocol. Z-Way has no security built in which is how it got hacked.

 

Systems that haven't been hacked just haven't had a proper attempt.  It would be naive to think otherwise.

 

The point made by richaree is spot on.

Posted

You can't make absolute statements. Life just doesn't work that way.

But you're right now?

 

When speaking about man made things and software. Anything can be done given time, patience, imagination, and the proper skill set and resources.

 

What is an absolute on earth is gravity and time. Anyone who doubts that can freely take a walk out a 30 story window and let me know how that turns out.

 

Anyone who believes they can rewind back time / history. Please give me some of what you're smoking & drinking because that's good stuff!

 

Ha . . .

 

Systems that haven't been hacked just haven't had a proper attempt. It would be naive to think otherwise.

 

The point made by richaree is spot on.

Exactly, this is just like the Heartbleed bug. Everyone and their dog for ages have thought Linux / Unix OS were impervious to viruses, exploits, Trojans, etc.

 

Wrong . . .

 

This same mentality has persisted for years where Mac OS was thought to be virus free and not impacted by PC type attacks etc.

 

Wrong . . .

 

People have to remember what most people believe is impossible, simply takes longer.

 

Some perfect examples: Landing on the moon, splitting of the atom, cloning, nano technology, laser technology, micro black hole.

 

 

Ideals are peaceful - History is violent

Posted

But you're right now?

 

When speaking about man made things and software. Anything can be done given time, patience, imagination, and the proper skill set and resources.

 

What is an absolute on earth is gravity and time. Anyone who doubts that can freely take a walk out a 30 story window and let me know how that turns out.

 

Anyone who believes they can rewind back time / history. Please give me some of what you're smoking & drinking because that's good stuff!

 

Ha . . .

 

 

Exactly, this is just like the Heartbleed bug. Everyone and their dog for ages have thought Linux / Unix OS were impervious to viruses, exploits, Trojans, etc.

 

Wrong . . .

 

This same mentality has persisted for years where Mac OS was thought to be virus free and not impacted by PC type attacks etc.

 

Wrong . . .

 

People have to remember what most people believe is impossible, simply takes longer.

 

Some perfect examples: Landing on the moon, splitting of the atom, cloning, nano technology, laser technology, micro black hole.

 

 

Ideals are peaceful - History is violent

Part of what you said is correct and I thank you for agreeing with me and pointing out the error of the others.
Posted

Part of what you said is correct and I thank you for agreeing with me and pointing out the error of the others.

 

I think you're missing my point entirely.

 

For me this isn't about taking sides or bolstering another person's position. It's simply stating the facts as they are and in this instance.

 

You stated there are no absolutes in life.

 

My comment was there are several examples of such which I provided clear examples: Gravity, Time . . . To wit, my following comment was to affirm what:

 

apostolakisl

 

Stated was true because every time I read, hear, or see people stating that can't be done. I have to take pause and shake my head! When dealing with man made things the limitations are imposed by man.

 

We have all seen poorly engineered software being exploited. Then, we have seen software that has been time tested by tens of millions of people for decades. Then, out of nowhere some smart punk had the flash of genius to try something out and prove there was a method to exploit something that was at the time impossible: SSL, VeriSign, Rolling Codes, etc.

 

History has proven over and over again when you believe something is impenetrable. That line of thought simply indicates the lack of imagination, vision, and an open mind.

Posted

I think you're missing my point entirely.

 

For me this isn't about taking sides or bolstering another person's position. It's simply stating the facts as they are and in this instance.

 

You stated there are no absolutes in life.

 

My comment was there are several examples of such which I provided clear examples: Gravity, Time . . . To wit, my following comment was to affirm what:

apostolakisl

 

Stated was true because every time I read, hear, or see people stating that can't be done. I have to take pause and shake my head! When dealing with man made things the limitations are imposed by man.

 

We have all seen poorly engineered software being exploited. Then, we have seen software that has been time tested by tens of millions of people for decades. Then, out of nowhere some smart punk had the flash of genius to try something out and prove there was a method to exploit something that was at the time impossible: SSL, VeriSign, Rolling Codes, etc.

 

History has proven over and over again when you believe something is impenetrable. That line of thought simply indicates the lack of imagination, vision, and an open mind.

It works both ways. Is your world so dark that you don't see the good?
Posted

It works both ways. Is your world so dark that you don't see the good?

 

What exactly are you going on about?!?! 

 

This discussion was about how software / hardware can be compromised. I've provided clear illustrations of such and even expanded on my line of thought.

 

How is that being dark or not seeing the good??

 

Several people have also *clearly* expanded on their idea and thoughts yet you seem to be at a loss to the points being made. I am unsure if you're just joking around or just trying to troll.

 

But, let me be clear my points have been made so it simply does not have to be expanded upon. 

 

Short Notes:

 

- Someone started a thread about a potential threat in the Z-Wave protocol.

 

- It was identified this was not a shortcoming of the Z-Wave protocol but of a software application called Z-Way.

 

- The discussion swayed over to random topics about security and how it can be compromised.

 

- Now the discussion is so random and out of this realm about being dark, good, etc. Which has no bearing on the topic at hand, which is anything man has created can be broken, period.

 

Ha . . .

Posted

What exactly are you going on about?!?!

That there is way too much negativity.

 

This discussion was about how software / hardware can be compromised. I've provided clear illustrations of such and even expanded on my line of thought.

Why didn't you say something positive? It seems most of your comments are destructive rather than constructive.

 

- Someone started a thread about a potential threat in the Z-Wave protocol.

 

- It was identified this was not a shortcoming of the Z-Wave protocol but of a software application called Z-Way.

Exactly. Yet instead of correcting the post the poster continued to state a falsehood as fact. Can you find any instance where Z-Wave has been exploited?

 

- The discussion swayed over to random topics about security and how it can be compromised.

 

How about some random topics where security can't be compromised?

 

That's my point. Too much negative and not enough positive.

 

By-the-way. Punctuation marks are not herd animals.

Posted

You can't make absolute statements. Life just doesn't work that way.

 

You defined earlier "secure" as the absence of being able to be hacked.  That is an absolute statement.  "My system is secure" by your comments would mean 0 chance of being breached.  That is quite an absolute statement.  I would argue that I am the one making the non-absolute statement by, ironically, making the absolute statement that no system is secure.  In other words, all systems have a greater than 0% chance of being hacked, even if it is 1 in a trillion to the trillionth power.  For example, there is a certain probability that monkeys randomly beating on keyboards can accidentally write the novel "War and Peace".

 

Realistically, "secure" means that some really talented people designed a system that they are pretty sure would require that an attacker use more resources than a successful hack is worth.  It also realizes that "secure" is temporary and that a system may take x resources to hack today, but with next year's technology will take x-y resources.

Posted

That there is way too much negativity. <-- These are factual statements backed with valid reference points which have been cited. Life is not a bowl of cherries.

 

 

Why didn't you say something positive? It seems most of your comments are destructive rather than constructive. <- Once again I have no clue where you can state my comments are destructive. My comments have been to the point and offered a counter view along with references which you have not.

 

 

Exactly. Yet instead of correcting the post the poster continued to state a falsehood as fact. Can you find any instance where Z-Wave has been exploited? <- If I must I am sure the Interwebs will turn something up as it always does.

 

 

How about some random topics where security can't be compromised? <- Some background: I am in a related security field / industry. In the 25 years of dealing with force protection, electrical, electronic, software, networks, computers, etc. I have never seen one (single) element that can stand on its own and provide complete security, none.

 

That's my point. Too much negative and not enough positive. <- If someone's comments illustrate the facts as they are. If you believe they are negative that is a point of view you alone hold. Positive things come from perspective and being able to see the opportunities in life, ideas, things.

 

By-the-way. Punctuation marks are not herd animals. <- I have a writing style and it works for me. If all the animals in the world could take pause once in a while perhaps my steak wouldn't be so tough! Ha

 

 

Comments in line as I enjoy the banter . . .

Posted

Doing security right is very hard. If done right - it's impenetrable against known attacks. There is the rub - new attacks and methods are being devised all the time.

 

It's all risk based. Do what is reasonable for your budget and risk tolerance and understand the potential consequences of risks you choose not to remediate.

Posted

I don't see Teken or anyone being negative. They are just commenting on the state of things. The fact is anything is possible when it comes to something being hacked. Whether it's Apple, some bank, the Intelligence community, or the military; all have been hacked at some point. Are you going to tell me, they have some of the greatest minds but then get hacked because they chose "password" as their password? The fact is, the same things that allow us connectivity especially remote access also means there is an opening that could potentially be exploited. 

 

At the end of the day, like I said before; take the precautions you can and have good insurance. Ultimately someone's boot can achieve what a computer may not.

Archived

This topic is now archived and is closed to further replies.
