A Universal Controller to Take Over a Z-Wave Network

Presented at Black Hat Europe 2017, Dec. 7, 2017, 4:30 p.m. (30 minutes).

With the advent of the Internet of Things, Z-Wave has become a major communication protocol for home automation systems. Z-Wave devices have to satisfy end-users' convenience and are therefore plug-and-play. Additionally, strong market competition leads to short development cycles, pushing security requirements aside.

The Z-Wave+ standard (5th generation), which includes stronger security with encryption, has recently been adopted. However, many deployed Z-Wave devices do not support this new version. Furthermore, Z-Wave+ devices have to be backward compatible and thus support both secure and insecure modes. Since users are primarily looking for functionality and use devices as plug-and-play, the documentation is overlooked, the coexistence of the two modes may lead to misunderstandings, and the secure mode is usually deactivated by default to ease installation.

What we call the insecure mode is a security model relying solely on the uniqueness of the controller's HomeID (network identifier), which is supposedly not alterable (on official equipment). However, with dedicated equipment (Software-Defined Radio), attackers can circumvent such a limitation (Black Hat 2014, Picod et al.). The cost and the difficulty of using this type of equipment limit the threat to expert attackers. Imagine now that a simple device can be used for the same purposes by any ill-intentioned person (from the unpleasant neighbor to the common thief seeking access to the home).

In this talk, we will show that taking over a full network is possible using only an official and cheap mainstream device. We rely on a standard feature of Z-Wave (auto-discovery) and on an additional function of an official controller (backup/restore). Both are legitimate, but combined they allow one to create a universal controller by pre-filling all device identifiers in advance (without passive listening). As a result, all devices can be controlled. If a user adds a new one, it will automatically be controlled by our controller as well.

Presenters:

  • Loïc Rouch, Inria
    Loïc Rouch works as a research and development engineer at Inria. He worked for three years as an apprentice engineer at Inria in the High Security Laboratory. The High Security Lab in Nancy is a unique platform in the French academic landscape, allowing all types of sensitive experiments in cybersecurity with long-term storage and computational capacities. It includes many sensors, such as honeypots or a dark space, and also allows the execution of malware in a controlled environment. During his work, L. Rouch was in charge of restructuring the overall physical and logical infrastructure to enhance its security and maintainability, creating and deploying digital vaults, and assessing the security of Z-Wave devices. After those three years, he earned his master's degree in Computer Science from Telecom Nancy, Université de Lorraine, France. He is now an engineer at Inria, where he is particularly involved in a major project aiming at building new services on top of the High Security Lab for end-users (not only experts). This project aims at refining the data collected by providing new sensor types for both collecting external information (darknet, blacklists, passwords captured on honeypots, etc.) and end-user-specific information (DNS requests, traffic, types of devices/applications, etc.), aggregating all these sources of information within a single analytics platform, and providing users with intuitive data reports and dashboards about security events.
