A Multifaceted Security Evaluation of Z-Wave, a Proprietary Implementation of the Internet of Things

Christopher W. Badenhop


This work is a case study in the security of Z-Wave, a proprietary Internet of Things (IoT) wireless substrate that integrates sensors and actuators to provide home and office automation services. While these services reduce the user's burden in managing applications such as security monitoring and smart energy, they introduce a cyber-physical attack surface into the deployed environment. Because Z-Wave is proprietary, the typical consumer is unable to ascertain the security risks of installing Z-Wave devices. To increase consumer awareness, a multifaceted security evaluation is performed on the Z-Wave transceiver system on chip (SoC). Although Z-Wave devices originate from many vendors, a common transceiver facilitates interconnectivity. Herein, the transceiver is assessed both as an embedded system and as a communication protocol stack. Prior to the security assessment, the protocol, firmware, and non-volatile memory are partially reverse engineered to lift the veil of "security by obscurity", revealing several security concerns. One example is a key extraction attack, in which network security is compromised by extracting cryptographic keys from devices lacking physical security. In another example, several discovered network protocol vulnerabilities are combined to demonstrate a Black Hole attack, in which routed Z-Wave commands are silently dropped.