As homes become smarter—with security systems, thermostats, and lights that talk to one another and are all controlled with the touch of a finger—consumers demand that the highest level of home intelligence comes with the highest level of security. Device manufacturers need to be attentive to consumer fears and consider not only the security of their own devices but also the security of all the devices in the ecosystem.
Fears of device hacking or security breaches in an ever-expanding internet of things (IoT) world, and within a marketplace that does not have an industry standard for data transmission and instruction, are not without merit. The IoT landscape, all of which is potentially hackable, includes a vast number of devices. All devices, whether professionally- or DIY-installed, communicate with each other and the internet via one or more wireless protocols, such as Z-Wave; others include ZigBee, Bluetooth, and Wi-Fi. The protocols themselves generally feature built-in security of various levels. However, the methods that individual brands and smart home systems use to transmit data and instructions via these protocols, both inside and outside the home, can vary greatly in sophistication and, unfortunately, in attention to security.
Your lines of defense
Among the various smart home protocols, Z-Wave is the longest established and, as a result, has invested the most focus on cyber protection. It recently introduced a new security framework, Z-Wave Security 2 (S2). Z-Wave has always used AES-128 levels of encryption.
Fun Fact: The U.S. government considers AES-128 safe enough for classified information up to the SECRET level. Combined with S2 authentication and nonce scrambling, there is no known method for overriding this protection—even using the power of a supercomputer.
However, prior to S2, Z-Wave was built on application layers, meaning that it was up to the manufacturers to implement the security, and not all manufacturers have the same level of expertise or appreciation for the importance of security to do it well. For example, a manufacturer building a lock may only be concerned with building a reputable lock, or may shrug at the idea that a hacker could “turn a light switch on and off.” However, if a nefarious hacker is able to control a light switch, he may also know if you are home or not. It matters.
S2 prevents a hacker’s ability to do this entirely by eliminating application layers and replacing them with an entire protocol. Instead of saying: “Send command to this and this,” it says: “Send secure.” Now, all transmissions are sent safely. Hackers cannot circumvent the security application layer. The heavy lifting is built directly into the protocol, so manufacturers can rest easy, focus on building a reputable product, and not have to be security experts. Sigma Designs, the manufacturer of Z-Wave chips, has done it for them… with the help of a few really smart friends.
Insight from cyber security community
Who are these friends? To reach this level of security, Sigma Designs stepped outside the box. The company worked with a community that can often get a bad rap, the hacker community, to create the Fort Knox of smart home protocols. Sigma opened its code entirely to the hacker community for their thoughts, additions, and input. Cooperation led to a level of security that is second to none, with security measures in the S2 Framework that preempt two common hacking methods: “man-in-the-middle” and “brute-force” attacks. Man-in-the-middle attacks are well described by their name: the hacker tries to intercept communications between two points and alter them. Likewise, “brute-force” attacks are just as they sound: automated, exhaustive attempts to try every possible data combination to break into the system. Consistent, pervasive encryption is the only real deterrent against these breaches and hijacks. Soon, all smart home systems, regardless of brand or protocol, will be expected to include pre-emptive measures against these attacks.
Today, there are already hundreds of Z-Wave devices with S2 in the marketplace, and S2 has been made mandatory on all devices submitted for Z-Wave certification. Existing devices will continue to be backwards compatible with the new S2 smart devices.
This article is written by Z-Wave product marketing manager Johan Pedersen at Sigma Designs. The low-cost, low-power and narrow-bandwidth Z-Wave protocol is used for a number of IoT applications.