Full Report
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the security of the Z-Wave proprietary wireless protocol. The paper introduces our Z-Wave packet interception and injection toolkit (Z-Force), which we used to analyze the security layer of the Z-Wave protocol stack and to work out the implementation details of frame encryption, data origin authentication and the key establishment process. We developed the Z-Force module to run security tests against the implementation of the Z-Wave security layer in encrypted home automation devices such as door locks. The paper describes a critical vulnerability discovered in a Z-Wave door lock that could let an attacker remotely take full control of the target device without knowledge of the network encryption key. The Z-Force download archive contains the GUI program and two radio firmware files, one for the receiver and one for the transmitter TI CC1110 board. This research will also be presented at 44Con 2013 in London next month, followed by the release of the Z-Force source code and US frequency support (908.4 MHz) in the firmware.
Analysis Summary
# Research: Z-Wave Proprietary Wireless Protocol Security Analysis using Z-Force
## Metadata
- Authors: Behrang Fouladi (Implied from BlackHat presentation link)
- Institution: SensePost (Implied from publication source)
- Publication: BlackHat USA 2013 (Paper and talk release concurrent with announcement)
- Date: August 19, 2013 (Date of blog announcement)
## Abstract
This research details a comprehensive security analysis of the Z-Wave proprietary wireless protocol, focusing specifically on its security layer implementations within home automation devices, notably door locks. The methodology involved developing a custom toolkit, Z-Force, to intercept and inject Z-Wave packets. This analysis led to the discovery of a critical vulnerability in a Z-Wave door lock implementation that allows for remote full device takeover without prior knowledge of the network encryption key.
## Research Objective
The primary objective was to analyze the security layer of the Z-Wave protocol stack, investigating the implementation details of frame encryption, data origin authentication, and the key establishment process. A key goal was to test the security implementations within commercial Z-Wave-enabled devices.
## Methodology
### Approach
The approach involved developing a specialized hardware/software toolkit designed to actively probe and test the security mechanisms of Z-Wave implementations. This included capabilities for packet interception and controlled packet injection.
### Dataset/Environment
The testing environment focused on encrypted home automation devices utilizing the Z-Wave security layer, specifically mentioning Z-Wave door locks as the target application for demonstrating vulnerability impact.
### Tools & Technologies
The central research tool developed was **Z-Force**, a Z-Wave packet interception and injection toolkit driven from a GUI program. The hardware platform is a pair of low-cost **Texas Instruments CC1110** radio boards, one running the receiver firmware and the other the transmitter firmware.
## Key Findings
### Primary Results
1. A critical vulnerability was identified in the security-layer implementation of a Z-Wave door lock.
2. This vulnerability allows an external attacker to gain **full remote control** of the target device.
3. Crucially, this attack **does not require knowledge of the pre-shared network encryption key**.
### Supporting Evidence
The findings rest on tests run with the Z-Force toolkit against the lock's security-layer implementation; the announcement itself gives no packet-level details of those tests.
### Novel Contributions
1. The introduction of the **Z-Force toolkit**, providing capabilities for raw Z-Wave packet analysis, injection, and security testing.
2. The discovery and public disclosure of a critical implementation flaw bypassing Z-Wave's core encryption protection mechanisms.
## Technical Details
The research uncovered implementation details of Z-Wave's **frame encryption, data origin authentication, and key establishment**. The critical vulnerability bypasses the assurances this layer is meant to provide (confidentiality and authenticity of commands) without the attacker ever learning the network key. The announcement does not describe the mechanism; that is left to the paper. What it does state is the outcome: control of the lock without the key.
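To make concrete what the three mechanisms named above have to deliver, here is the security layer worked through in code. This is an added example, not code from the paper or from Z-Force, and it follows the publicly documented S0 construction of the Z-Wave security command class rather than anything the announcement states: two working keys derived from the network key by AES-ECB encryption of constant 0xAA and 0x55 blocks, AES-OFB frame encryption with the sender and receiver nonces as the IV, and an 8-byte AES-CBC-MAC over the header and ciphertext for data origin authentication. The network key, nonces, node IDs and the door-lock command bytes are constructed sample values, and the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SecureFrame holds the SECURITY_MESSAGE_ENCAPSULATION fields the checks use.
type SecureFrame struct {
	SenderNonce     []byte // 8 bytes chosen by the sender
	Ciphertext      []byte // AES-OFB(sequence byte || command)
	ReceiverNonceID byte   // first byte of the receiver nonce that was used
	MAC             []byte // first 8 bytes of the CBC-MAC
}

// setup validates sizes, derives the encryption and authentication keys from
// the 16-byte network key (AES-ECB of an all-0xAA and an all-0x55 block) and
// builds the IV, which is sender nonce || receiver nonce.
func setup(networkKey, senderNonce, receiverNonce []byte) (enc, auth, iv []byte, err error) {
	if len(networkKey) != 16 || len(senderNonce) != 8 || len(receiverNonce) != 8 {
		return nil, nil, nil, errors.New("need a 16-byte network key and 8-byte nonces")
	}
	blk, _ := aes.NewCipher(networkKey) // cannot fail for a 16-byte key
	enc, auth = make([]byte, 16), make([]byte, 16)
	blk.Encrypt(enc, bytes.Repeat([]byte{0xAA}, 16))
	blk.Encrypt(auth, bytes.Repeat([]byte{0x55}, 16))
	iv = append(append([]byte{}, senderNonce...), receiverNonce...)
	return enc, auth, iv, nil
}

// ofbXOR applies the AES-OFB keystream seeded with iv; OFB is its own inverse.
func ofbXOR(encKey, iv, data []byte) []byte {
	blk, _ := aes.NewCipher(encKey)
	out, feedback := make([]byte, len(data)), append([]byte{}, iv...)
	for i := 0; i < len(data); i += 16 {
		blk.Encrypt(feedback, feedback) // next 16 keystream bytes
		for j := 0; j < 16 && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ feedback[j]
		}
	}
	return out
}

// cbcMAC is the data-origin-authentication tag: chaining value AES(authKey, iv), then
// header (0x81, sender, receiver, length) + ciphertext, zero-padded, absorbed CBC style.
func cbcMAC(authKey, iv []byte, sender, receiver byte, ct []byte) []byte {
	blk, _ := aes.NewCipher(authKey)
	state := make([]byte, 16)
	blk.Encrypt(state, iv)
	data := append([]byte{0x81, sender, receiver, byte(len(ct))}, ct...)
	data = append(data, make([]byte, (16-len(data)%16)%16)...)
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16; j++ {
			state[j] ^= data[i+j]
		}
		blk.Encrypt(state, state)
	}
	return state[:8]
}

// Encapsulate is the sender side, run once a fresh receiver nonce is in hand.
func Encapsulate(networkKey []byte, sender, receiver byte, senderNonce, receiverNonce []byte, seq byte, command []byte) (*SecureFrame, error) {
	enc, auth, iv, err := setup(networkKey, senderNonce, receiverNonce)
	if err != nil {
		return nil, err
	}
	ct := ofbXOR(enc, iv, append([]byte{seq}, command...))
	return &SecureFrame{SenderNonce: senderNonce, Ciphertext: ct,
		ReceiverNonceID: receiverNonce[0], MAC: cbcMAC(auth, iv, sender, receiver, ct)}, nil
}

// Decapsulate is the receiver side: match the frame to the nonce it issued, verify
// the MAC in constant time before decrypting, then drop the sequence byte.
func Decapsulate(networkKey []byte, sender, receiver byte, receiverNonce []byte, f *SecureFrame) ([]byte, error) {
	enc, auth, iv, err := setup(networkKey, f.SenderNonce, receiverNonce)
	if err != nil {
		return nil, err
	}
	if f.ReceiverNonceID != receiverNonce[0] || len(f.Ciphertext) == 0 {
		return nil, errors.New("frame does not reference the nonce we issued, or is empty")
	}
	if subtle.ConstantTimeCompare(cbcMAC(auth, iv, sender, receiver, f.Ciphertext), f.MAC) != 1 {
		return nil, errors.New("MAC verification failed: wrong network key or altered frame")
	}
	return ofbXOR(enc, iv, f.Ciphertext)[1:], nil
}

func main() {
	key := bytes.Repeat([]byte{0x01}, 16)                                            // constructed sample network key
	sn, rn := []byte{1, 2, 3, 4, 5, 6, 7, 8}, []byte{9, 10, 11, 12, 13, 14, 15, 16} // constructed nonces
	f, err := Encapsulate(key, 1, 2, sn, rn, 0, []byte{0x62, 0x01, 0x00})          // constructed door-lock command
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext=%x mac=%x\n", f.Ciphertext, f.MAC)
	_, err = Decapsulate(bytes.Repeat([]byte{0x02}, 16), 1, 2, rn, f)
	fmt.Println("same frame checked under a different network key:", err)
}
```

Run as written, the round trip succeeds and the same frame is rejected at the MAC check when the receiver holds a different network key; an altered ciphertext byte, a different receiver node ID or a frame that does not reference the nonce the receiver issued fail the same way. That rejection is exactly the assurance the announcement says the tested lock failed to deliver: a device that honours it cannot be driven by a sender who does not hold the key. The announcement does not say at which point in this chain the lock's implementation went wrong, so the example should be read as the reference behaviour a test tool like Z-Force checks against, not as a description of the flaw.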
## Practical Implications
### For Security Practitioners
This research demonstrates that protocol compliance does not guarantee implementation security, highlighting the necessity of rigorous, practical testing against embedded RF devices.
### For Defenders
Manufacturers of Z-Wave devices should audit their firmware implementations of the three mechanisms the paper examines, frame encryption, data origin authentication and key establishment, against the behaviour the protocol expects, since a flaw in any of them can allow keyless remote takeover. End-users of vulnerable Z-Wave door locks face a significant risk of remote unauthorized access until a fix is available.
### For Researchers
The Z-Force toolkit establishes a baseline for future hardware-based security research into proprietary low-power wireless protocols, specifically within home automation ecosystems.
## Limitations
The initial public release of the tool supports only the European Z-Wave frequency; US frequency support (908.4 MHz) was announced for a later release together with the source code. The announcement also names a single door lock as the tested device, so the scope of affected products is not stated.
## Comparison to Prior Work
This work provides a practical, publicly available tool (Z-Force) for deep analysis of the Z-Wave stack, moving from theoretical protocol analysis to real-world implementation flaws in target devices. The announcement cites no prior Z-Wave security work.
## Real-world Applications
The primary application is demonstrating a high-impact security flaw in consumer smart home hardware (door locks), showing how such devices can be remotely compromised despite relying on established security layers.
## Future Work
1. Release of the Z-Force tool source code.
2. Release of firmware supporting the US Z-Wave frequency (908.4 MHz).
3. Continued analysis of remaining security aspects of the Z-Wave protocol stack.
## References
- BlackHat USA 2013 Official Briefings Schedule.
- Related information available via SensePost research links for Z-Force and the conference paper.