automatewhatican Posted August 21, 2021 Posted August 21, 2021 I understand that the ISY994 ZW has not, to date, supported the S2 framework for Z-Wave security. Is there a reason? ... will that change? Most every Z-Wave device I have (all series 500 or 700) supports S2, but that support is meaningless without support at the hub as well. I suppose a related question is when will ISY implementations/firmware support Z-Wave Plus V2 (series 700), which requires S2 support?
larryllix Posted August 21, 2021 Posted August 21, 2021 2 hours ago, automatewhatican said: I understand that the ISY994 ZW has not, to date, supported the S2 framework for Z-Wave security. Is there a reason? ... will that change? Most every Z-Wave device I have (all series 500 or 700) supports S2, but that support is meaningless without support at the hub as well. I suppose a related question is when will ISY implementations/firmware support Z-Wave Plus V2 (series 700), which requires S2 support? Interesting! I have no Zwave equipment yet but looking from the outside so far. What is this security used for? - Security of protocol and signal integrity? - Security against outside hacking into the signal/devices? What would ISY do with the security if a bad/hacked packet arrived?
automatewhatican Posted August 21, 2021 Author Posted August 21, 2021 I haven't really looked in great detail, but my understanding is that there are some significant advantages both in the key exchange technique employed by S2 (vs. S0) during device enrollment and in the encryption level employed for transport. So ... yes on security against hacking into the over the air communications. My recollection is that there were some pretty widely recognized weaknesses in S0 that basically exposed the network key to any attacker within RF range during device pairing. Out-of-band aspects of the S2 key exchange (device specific codes) are meant to address that. But even with S2 here are published exploits that demonstrate attacks to force a back-compatibility downgrade to S0. No panacea here, obviously, but now that security is more the responsibility of the protocol framework and less an ad hoc vendor-by-vendor thing, it kind of begs the when question for ISY. FWIW, I believe there are also some communication (and therefore power consumption for a battery-powered device) efficiencies due to a single frame transmission [S2] vs. three frames [S0]. To your question of what the ISY would do with a bad frame, I'd like to think that the S2 framework has some basic robustness to denial of service flooding or amplification attacks, but don't really know. For the RF attack surface, there are at least some practical spatial/physical limitations on sources of malicious inbound frames, though the limited channel bandwidth may be easy to saturate even from a small number of in-range transceivers.
larryllix Posted August 22, 2021 Posted August 22, 2021 We went through some of this with Insteon nay sayers also. However, with Insteon, many 500' away via powerline connections have been posted as successful. Insteon RF is not robust enough to achieve more than a few dozen feet of distance in a hop. With Zwave, from what I read here, people have a hard time to get it to connect further away than the next room, so I am not sure where a hacker could even make a connection without sitting on your front porch. Multi-residence buildings, and commercial constructs may be a problem in that area. If this is a low level security in the protocol, the 700 series boards may have made that difference.
lilyoyo1 Posted August 22, 2021 Posted August 22, 2021 On 8/21/2021 at 11:46 AM, automatewhatican said: I understand that the ISY994 ZW has not, to date, supported the S2 framework for Z-Wave security. Is there a reason? ... will that change? Most every Z-Wave device I have (all series 500 or 700) supports S2, but that support is meaningless without support at the hub as well. I suppose a related question is when will ISY implementations/firmware support Z-Wave Plus V2 (series 700), which requires S2 support? S2 was designed for perimeter protection devices which is why you'll see Alarm systems widely supporting S2 but other controllers slowly adding it. Since the Isy isn't an alarm system, I can see them not rushing to implement it for that reason alone. For lights- the speed of it (or lack there of) makes S2 a bigger pain than actually using it. By default the Isy does support SO security. If/when support comes for s2, only UDI knows. They have stated the 994 WILL NOT receive an upgrade to the 700 series chip. Polisy will have it so I suspect at that point it will have S2. Due to how zwave works by default, the weakness isn't with installed and configured devices. It's while you're adding a device to your system. This is where S2 comes into play as far as preventing stuff. Sure reading all the details behind it makes it seem like S2 is great but in the field, reality is much different 1
automatewhatican Posted August 22, 2021 Author Posted August 22, 2021 Fair enough. Kind of figured the answer was not until Z-Wave support in Polisy/ISY and then based on a 700 series USB dongle. Agree on speed issue for lighting. Will continue to use Insteon for anything with multi-responder scenes.
lilyoyo1 Posted August 22, 2021 Posted August 22, 2021 43 minutes ago, automatewhatican said: Fair enough. Kind of figured the answer was not until Z-Wave support in Polisy/ISY and then based on a 700 series USB dongle. Agree on speed issue for lighting. Will continue to use Insteon for anything with multi-responder scenes. You'd want to do that even with 700 series as zwave doesn't handle multi scenes as well
Recommended Posts