Open Sesame for House Burglars via Z-Wave & Smart Locks

With the recent arrival of more consumer smart tech, including personal assistants such as Alexa, smart fridges and smart locks, our lives and our property are becoming ever more reliant on technology that aims to make life simpler and easier. But this can come at a price: what happens when the tech goes wrong, or worse still, when the bad guys have a better idea than the companies making it of how to make the tech go wrong to their advantage? With more and more products in our homes all talking to each other, weak security sometimes gets exploited and bad things happen.

Pen Test Partners have recently shown exactly this with Z-Wave, a wireless protocol commonly used in home tech including audio systems, lighting controls and smart door locks. In particular, PTP examined the Yale Conexis L1 smart lock and demonstrated a "downgrade attack", in which the product's backwards compatibility with an older, weaker security scheme is turned against it so that a locked front door can be opened with ease.

When a Z-Wave device joins or re-joins (pairs with) the smart-home network, which may consist of lighting, heating controllers, smoke alarms, voice assistants (you name it, there's a Z-Wave device for it!), the hub hands the device a shared network encryption key, and from then on the traffic between them is encrypted with that key to stop the bad guys eavesdropping and hijacking devices in your house. There is a long-known problem with the earlier version of this pairing process, the "S0" security scheme: the network key is handed over encrypted under a fixed, publicly known temporary key of sixteen zero bytes, which is as good as sending it in the clear. An attacker nearby (reportedly up to 100 metres away with line of sight) with a laptop and the right radio and electronics tools, many of them open source and cheaply available e.g. on eBay, can capture the key during pairing and from then on decrypt or forge any command on that network. This issue was documented by SensePost in 2013. Why the earlier version of the protocol was designed so insecurely, leaving it open to eavesdropping and classic man-in-the-middle (MITM) attacks, is unclear!
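To make the S0 weakness concrete, here is an added example written for this article (it is not code from Pen Test Partners, Yale or any Z-Wave stack). It models the S0 message encapsulation in Go with only the standard library: the key derivation, AES-OFB encryption and CBC-MAC as published for the S0 command class, with the RF framing and the Nonce Get/Report exchange left out. The node IDs, nonces and the network key are constructed values, not captured traffic. A "sniffer" that knows nothing but the all-zero temporary key decrypts the NETWORK_KEY_SET sent at inclusion, and then reads a later door-lock command sent under the real key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// COMMAND_CLASS_SECURITY (S0) and two of its commands, from the published Z-Wave spec.
const ccSecurity, cmdMsgEncap, cmdNetworkKeySet byte = 0x98, 0x81, 0x06

// s0TempKey wraps the real network key during S0 inclusion: sixteen zero bytes,
// identical on every Z-Wave network, so effectively public.
var s0TempKey = make([]byte, 16)

// deriveKeys: S0 encryption key = AES_key(0xAA*16), authentication key = AES_key(0x55*16).
func deriveKeys(key []byte) (ke, ka []byte) {
	blk, _ := aes.NewCipher(key) // keys here are always 16 bytes
	ke, ka = make([]byte, 16), make([]byte, 16)
	blk.Encrypt(ke, bytes.Repeat([]byte{0xAA}, 16))
	blk.Encrypt(ka, bytes.Repeat([]byte{0x55}, 16))
	return ke, ka
}

// authTag is the S0 CBC-MAC: AES(ka) of the IV, chained over each zero-padded
// 16-byte block of hdr||src||dst||len||ciphertext, truncated to 8 bytes.
func authTag(ka, iv []byte, src, dst byte, ct []byte) []byte {
	blk, _ := aes.NewCipher(ka)
	data := append([]byte{cmdMsgEncap, src, dst, byte(len(ct))}, ct...)
	data = append(data, make([]byte, (16-len(data)%16)%16)...)
	state := make([]byte, 16)
	blk.Encrypt(state, iv)
	for i := 0; i < len(data); i += 16 {
		for j := range state {
			state[j] ^= data[i+j]
		}
		blk.Encrypt(state, state)
	}
	return state[:8]
}

// Frame is what an S0 Message Encapsulation exposes on the air (RF headers omitted):
// sender nonce, AES-OFB ciphertext of seq||cc||cmd||params, 8-byte MAC. The receiver
// nonce went out just before it in a plaintext Nonce Report, so a sniffer has both.
type Frame struct {
	Src, Dst                     byte
	SenderNonce, Ciphertext, MAC []byte
}

// ofb applies the S0 keystream: AES-OFB under ke with IV = sender nonce || receiver nonce.
func ofb(ke, sn, rn, in []byte) (out, iv []byte) {
	iv = append(append([]byte{}, sn...), rn...)
	blk, _ := aes.NewCipher(ke)
	out = make([]byte, len(in))
	cipher.NewOFB(blk, iv).XORKeyStream(out, in)
	return out, iv
}

// Encapsulate protects payload from src to dst under key (sn, rn = sender, receiver nonce).
func Encapsulate(key []byte, src, dst byte, sn, rn, payload []byte) Frame {
	ke, ka := deriveKeys(key)
	ct, iv := ofb(ke, sn, rn, payload)
	return Frame{src, dst, sn, ct, authTag(ka, iv, src, dst, ct)}
}

// Decapsulate verifies the tag and recovers the plaintext; a wrong key fails the tag check.
func Decapsulate(key []byte, f Frame, rn []byte) ([]byte, error) {
	ke, ka := deriveKeys(key)
	pt, iv := ofb(ke, f.SenderNonce, rn, f.Ciphertext)
	if !bytes.Equal(authTag(ka, iv, f.Src, f.Dst, f.Ciphertext), f.MAC) {
		return nil, fmt.Errorf("S0 MAC mismatch")
	}
	return pt, nil
}

// Constructed sample values for this demonstration, not captured traffic.
var (
	demoNetworkKey = []byte("constructed-key!") // 16 bytes chosen by the hub
	nonceA, nonceB = []byte{1, 2, 3, 4, 5, 6, 7, 8}, []byte{9, 10, 11, 12, 13, 14, 15, 16}
	nonceC, nonceD = []byte{21, 22, 23, 24, 25, 26, 27, 28}, []byte{31, 32, 33, 34, 35, 36, 37, 38}
)

// Demo plays hub (node 1), lock (node 5) and sniffer. The sniffer decrypts the NETWORK_KEY_SET
// with the public zero key; as S0's MAC key derives from the same secret, the stolen key then
// also decrypts (or could forge) a later "secured" unlock command sent under the real key.
func Demo() ([]byte, []byte, error) {
	keySet := append([]byte{0x00, ccSecurity, cmdNetworkKeySet}, demoNetworkKey...)
	pt, err := Decapsulate(s0TempKey, Encapsulate(s0TempKey, 1, 5, nonceA, nonceB, keySet), nonceB)
	if err != nil || len(pt) != 19 || pt[1] != ccSecurity || pt[2] != cmdNetworkKeySet {
		return nil, nil, fmt.Errorf("no NETWORK_KEY_SET recovered: %v", err)
	}
	stolen := pt[3:]                        // plaintext was seq||0x98||0x06||16-byte key
	unlock := []byte{0x01, 0x62, 0x01, 0x00} // seq, COMMAND_CLASS_DOOR_LOCK, OPERATION_SET, door unsecured
	later, err := Decapsulate(stolen, Encapsulate(demoNetworkKey, 1, 5, nonceC, nonceD, unlock), nonceD)
	return stolen, later, err
}

func main() {
	k, cmd, err := Demo()
	fmt.Printf("stolen network key %q, later command % x, err=%v\n", k, cmd, err)
}
```

Note what does not help here: the nonces are fresh and random, the cipher is AES, and every frame carries a MAC. None of that matters once the key that protects the key exchange is a constant, which is why the 2013 finding was about the protocol design rather than any one product.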

The trick here is to make a vulnerable Z-Wave product think it is pairing the old way, with S0, in which case the protection is as good as switched off and the device is left wide open to takeover and remote control. Pen Test Partners demonstrated this on the Yale Conexis L1: with easily available radio kit and a laptop they interfered with the Z-Wave pairing process so that the lock and the hub paired with S0 rather than the newer S2 scheme, even though both support S2. The attacker has to be in range at the moment the lock is paired or re-paired, so the window is short, but nobody needs to be watching it. In a real situation a criminal could leave this running on a small battery-powered attack box hidden near the front door, say in a bush (though, as above, it could be up to 100 metres away). When it detects the lock and the house hub pairing, it forces an S0 pairing; the lock now runs as an S0 device and the box captures the network key as it is handed over. The criminal can then come back whenever they like and, with a similar tool and a laptop, unlock your door with ease, walk in and burgle the place. Not really breaking and entering, more just walking through the front door.

So why can this be? The Z-Wave S2 specification says that products such as hubs and door locks should alert the user when a device is paired with the older, more exploitable S0 scheme, or refuse it altogether, but many vendors appear not to have done so, because this is an optional recommendation rather than a mandatory part of Z-Wave certification. Security should have been considered at the design stage of these products, along with a robust way to update and maintain the products already in customers' hands, to avoid holes like this. For example, it is likely that older Yale products could not be fixed by a firmware update, which is why newer ones have to stay backwards compatible with S0.
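The optional controller behaviour above can be shown as a small inclusion policy. This is an added example, not code from Pen Test Partners, Yale or any real Z-Wave stack: a hypothetical hub records the best scheme each device has ever advertised, refuses any device that later offers less (the re-pairing downgrade described above), and will not put a door lock on S0 without an explicit warning and the user's confirmation. The Node Information Frame is reduced to the generic device class and the command class list; the device identifiers such as "lock-0001", the store keyed by them and the sample NIF are assumptions made for the example.

```go
package main

import "fmt"

// Command classes and a generic device class from the published Z-Wave specification.
const (
	ccSecurity0      byte = 0x98 // COMMAND_CLASS_SECURITY: the older S0 scheme
	ccSecurity2      byte = 0x9F // COMMAND_CLASS_SECURITY_2: S2, the current scheme
	genericEntryCtrl byte = 0x40 // GENERIC_TYPE_ENTRY_CONTROL: door locks and the like
)

// Scheme is the security level a device is included with; the ordering is used below.
type Scheme int

const (
	None Scheme = iota
	S0
	S2
)

var schemeNames = [...]string{"none", "S0", "S2"}

func (s Scheme) String() string { return schemeNames[s] }

// NIF is the part of a Node Information Frame that drives the decision: the device's
// generic class and the command classes it claims. It goes out unencrypted at
// inclusion, which is exactly what a downgrade attacker tampers with.
type NIF struct {
	Generic        byte
	CommandClasses []byte
}

// Offered is what a trusting hub does: take the best scheme the NIF claims.
func (n NIF) Offered() Scheme {
	best := None
	for _, cc := range n.CommandClasses {
		if cc == ccSecurity2 {
			return S2
		} else if cc == ccSecurity0 {
			best = S0
		}
	}
	return best
}

// Strip returns a copy of nif without command class cc: the attacker's edit as the hub sees it.
func Strip(nif NIF, cc byte) NIF {
	out := NIF{Generic: nif.Generic}
	for _, c := range nif.CommandClasses {
		if c != cc {
			out.CommandClasses = append(out.CommandClasses, c)
		}
	}
	return out
}

// Decision is the hub's verdict plus the text it should show the user.
type Decision struct {
	Scheme  Scheme
	Accept  bool
	Warning string
}

// Hub remembers the best scheme each device ever advertised, keyed by a stable
// identifier (the S2 DSK or a serial number; an assumed store for this example).
type Hub struct{ best map[string]Scheme }

func NewHub() *Hub { return &Hub{best: map[string]Scheme{}} }

// Include applies the policy the S2 spec recommends but does not require: refuse a
// device that once offered S2 and now offers less, and never put a door lock on S0
// silently; that needs the user's explicit say-so and leaves a warning on record.
func (h *Hub) Include(id string, nif NIF, userAcceptsS0 bool) Decision {
	offered := nif.Offered()
	if prev, seen := h.best[id]; seen && offered < prev {
		return Decision{offered, false, fmt.Sprintf("%s advertised %s before, now only %s: possible downgrade attack, refusing", id, prev, offered)}
	}
	if nif.Generic == genericEntryCtrl && offered < S2 {
		if !userAcceptsS0 {
			return Decision{offered, false, fmt.Sprintf("door lock %s offers only %s: refusing without explicit confirmation", id, offered)}
		}
		h.best[id] = offered
		return Decision{offered, true, fmt.Sprintf("WARNING: door lock %s included at %s; its key exchange is not secure", id, offered)}
	}
	h.best[id] = offered
	return Decision{offered, true, ""}
}

// Demo uses a constructed lock NIF (Z-Wave Plus Info, S0, S2, Door Lock, Manufacturer
// Specific). The lock is included honestly at S2, then re-included after an attacker
// removed S2 from what the hub hears. Returns what a trusting hub would pair at, and
// what the policy hub decides.
func Demo() (trusting Scheme, policy Decision) {
	lock := NIF{genericEntryCtrl, []byte{0x5E, ccSecurity0, ccSecurity2, 0x62, 0x72}}
	hub := NewHub()
	hub.Include("lock-0001", lock, false) // honest first inclusion: S2, accepted
	spoofed := Strip(lock, ccSecurity2)
	return spoofed.Offered(), hub.Include("lock-0001", spoofed, false)
}

func main() {
	trusting, policy := Demo()
	fmt.Printf("trusting hub would pair at %s; policy hub: accept=%v, %s\n", trusting, policy.Accept, policy.Warning)
}
```

The two rules do different jobs. The "seen before" rule catches the re-pairing downgrade, but only for a device the hub already knows; the "door lock needs S2" rule also covers a brand-new lock whose NIF was tampered with on first inclusion, which is why locks get a stricter default than, say, a lamp.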

As criminals become more tech-savvy, breaking into houses and cars while disabling security cameras, using ever more sophisticated gear bought online, it may be worth letting the dust settle on new smart-home security products before rushing out to buy them, so that any security issues come to light first. Oh, and did I mention that Z-Wave and Alexa talk to each other? What could possibly go wrong... 😉

You can read more about the exploit details on the Pen Test Partners website, or watch their video.

Here at Milliamp we have significant skill in the secure design of hardware and software systems that resist both remote and physical attack. We also carry out security audits, design reviews and reverse engineering of existing designs, either to identify weaknesses or to verify compliance with security requirements. For our manufacturing activities we can ensure that our customers' designs are securely manufactured and protected against modification, malicious crippling of security features, and copying or cloning in untrusted OEM factories. Get in touch for more info.

Posted in Tech News
