Skip to main content

Could this Z-Wave vulnerability put millions of smart home devices at risk?

If your smart home devices feature Z-Wave technology (they probably do), then you’re going to want to read this. Researchers have discovered an issue with Z-Wave that could make more than 100 million smart home devices vulnerable to a hack.

Testing firm Pen Test Partners said that it was able to obtain an older, weaker version of Z-Wave, allowing it to more easily hack devices and gain permanent control. The earlier Z-Wave pairing process, known as Z-Wave S0, had a vulnerability.

Recommended Videos

“Z-Wave uses a shared network key to secure traffic,” the researchers said on their website. “This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices.”

Z-Wave released its S2 pairing process to fix the original vulnerability. However, the researchers found that, while it’s difficult to hack Z-Wave’s S2, it’s not difficult to downgrade the S2 protocol back to the original version, making any Z-Wave smart device vulnerable to attacks.

According to Forbes, this downgrade would allow hackers to use the weak key to get permanent access to the smart device without the homeowner knowing. It should be noted that the Z-Wave S2 technology can be found in more than 100 million smart home devices, including light bulbs, locks, and alarms systems.

Z-Wave released a statement in response to the findings, saying it is confident its smart devices are secure and not vulnerable to threats.

“The key can only be intercepted during the pairing of the device to the network,” according to the post. “This is only done during the initial installation process, so the homeowner or installation professional would be present when the interception would be attempted, and they would receive a warning from the controller that the security level had changed.”

The makers of Z-Wave technology, Silicon Labs, further clarified in an email to Digital Trends.

“To do this, the bad actor either has to be in close proximity during the very brief time it takes to pair a device (we’re talking milliseconds) or have advanced equipment that has enough battery life to wait long enough for this event to occur at the home,” a spokesperson noted. “And again, the homeowner would know because of the alert. There are specific, coordinated conditions needed to initiate this type of threat and because of this there has not been a real-world instance reported to date,” the company said. “Any Z-Wave device that is already installed and paired is not vulnerable to threat.”

Kayla Matthews
Former Contributor
Kayla Matthews has written about smart homes and technology for Houzz, Dwell, Curbed and Inman. She is a senior writer for…
6 smart home devices that can save you hundreds per year
A stack of ten-dollar bills.

The smart home marketplace has seen tremendous growth over the past few years. From smart thermostats and smart light bulbs to video doorbells and solar panels, there are plenty of ways to upgrade your home and give it a boost in functionality. Best of all, many of these smart home devices can save you money.

They might require a bit of an upfront investment, but there’s a look at all the smart home devices that can cut down your monthly energy bills and reduce your carbon footprint.
Smart thermostats

Read more
U.S. government to launch a new cybersecurity program for smart home devices in 2024
The US Cyber Trust Mark logo on an off-white background.

Smart home devices are only becoming more popular, and it seems they’ve now piqued the interest of the U.S. government. On July 18, the Biden administration announced a new cybersecurity certification and labeling program for smart devices that will help customers find devices that are “safer and less vulnerable to cyberattacks.”

The so-called U.S. Cyber Trust Mark program is intended to get manufacturers thinking more carefully about the cybersecurity of their products and ensure they’re safe for the general public to have in their homes. It’s not expected to roll out until 2024, but the program would cover a wide range of products, including smart refrigerators, smart microwaves, smart televisions, smart thermostats, fitness trackers, and more.

Read more
Your Google smart home devices just got a lot less talkative
A person standing in a living room while looking at a Google device.

Smart assistants are an indispensable part of any smart home, making it easy to give hands-free commands and control a variety of gadgets. Google is looking to further streamline the performance of its smart assistant, with the expansion of chime alerts to cut down on how talkative your Google Nest gadgets are when responding to instructions.

For example, after asking Google to turn on a fan, you’ll now be able to hear a quick chime to confirm the assistant has heard your instructions. Previously, confirmation would come in the form of a short sentence, such as “OK, turning on your fan.”

Read more