Honey, I'm Home!! - Hacking Z-Wave Home Automation Systems

Presented at Black Hat USA 2013, Aug. 1, 2013, 10:15 a.m. (60 minutes)

Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected to each other to form a mesh network over wireless or wired communication links and act as a "smart home". As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011 the UK home automation market was worth around £65 million, a 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189,000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.

Zigbee and Z-Wave are the most commonly used wireless RF protocols in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security research efforts. Z-Wave is a proprietary wireless protocol that operates in the Industrial, Scientific and Medical (ISM) radio band. It transmits on the 868.42 MHz (Europe) and 908.42 MHz (United States) frequencies and is designed for low-bandwidth data communication in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on the Z-Wave protocol was available before our work. The Z-Wave protocol was mentioned only once, during a DefCon 2011 talk, when the presenter pointed to the possibility of capturing the AES key exchange phase, without a demonstration.

The Z-Wave protocol is gaining momentum against the Zigbee protocol with regard to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subject to signal interference than the Zigbee protocol, which operates on the crowded 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.

Z-Wave chips have 128-bit AES crypto engines, which are used by access control devices, such as door locks, for authenticated packet encryption. An open source implementation of the Z-Wave protocol stack, openzwave, is available, but as of yet it does not support the encryption part of the protocol. Our talk will show how the Z-Wave protocol can be subjected to attacks.


Presenters:

  • Sahand Ghanoun
    Sahand has been working as a senior software engineer in aerospace industry, designing software for a range of sub-systems including satellite communications. He holds a MSc degree in Robotics and has over 13 years of experience in embedded systems and kernel development. His research interests include security implementations in the embedded systems world and digital communication protocols.
  • Behrang Fouladi - SensePost
    Behrang Fouladi works as a Security Researcher at SensePost. He has been involved in vulnerability research and code reverse engineering since 2003. He completed his MSc in Information Security at The Royal Holloway University of London with a focus on Smart Cards. His current research interests are Machine-to-Machine (M2M), secure elements and embedded systems. His recent research has included:
      • Vulnerability analysis of the .NET smart card OS (44con 2012, London): https://speakerdeck.com/44con/44connetcard-120910103019-phpapp02
      • Dynamic analysis of Windows phone apps (Uncon 19.5, London): http://www.slideshare.net/sensepost/dynamic-analysis-of-windows-phone-7-apps (corresponding tool release: XAPSpy, http://www.sensepost.com/labs/tools/poc/xapspy/)
      • Reverse engineering the RSA software token: http://www.sensepost.com/blog/7045.html
