Z-Wave Attacks
Z-Wave runs in the 800/900 MHz ISM band (US: 908 MHz, EU: 868 MHz). Older networks used the S0 security scheme with a fixed-derivation network key — long-known to be flawed. S2 (mandatory for Z-Wave Plus v2 since 2017) uses ECDH commissioning and is significantly stronger.
Quick Workflow
- Identify region (US 908 MHz / EU 868 MHz) — adapter frequency must match
- Sniff inclusion (commissioning) traffic — that's where keys are exchanged
- Determine S0 vs S2 from frame format
- For S0: derive/replay; for S2: analyze ECDH and look for implementation flaws
Hardware
| Adapter | Use |
|---|---|
| Z-Force (legacy, hard to find) | Original research tool |
| EZ-Wave (custom HackRF firmware) | Modern, full transceiver |
| Aeotec Z-Stick | Commercial controller, useful as legitimate node |
| HackRF + open Z-Wave firmware | Multi-band SDR approach |
| RTL-SDR + ZniffMobile (passive only) | Cheap sniffer |
Sniffing
# EZ-Wave (HackRF firmware-based)
git clone https://github.com/cureHsu/EZ-Wave
ezwave-sniff -f 908.4MHz -o capture.pcap
# Wireshark with the Z-Wave dissector parses captured frames
wireshark capture.pcap
Look for the inclusion phase (controller adding new device) — that's where the network key is exchanged.
S0 Security Flaw
S0 derives the network key from a fixed all-zero PSK during the inclusion of the first device. That fixed material is well-known — any S0 network you sniff during inclusion can be decrypted offline.
S0 commissioning:
1. New node joins → controller sends key with zero-PSK encryption
2. Attacker sniffs commissioning frame → derives session key
3. All future S0 traffic on that network is decryptable
If you can:
- Trigger inclusion (factory-reset a node, or wait for legitimate inclusion)
- Sniff during the ~2-second key-exchange window
You own the network key for that mesh.
S2 (Z-Wave Plus / S2 Authenticated)
S2 fixes S0 by using ECDH for commissioning:
- Each device has a Curve25519 keypair
- Inclusion uses DSK (Device Specific Key) verified out-of-band (sticker/QR)
- Network key never traverses the air in plaintext
S2 attack surface is mostly implementation:
- Inclusion-mode-always-open (controller misconfig)
- Firmware bugs in S2 verification
- Side-channel on ECDH on resource-constrained chips
- DSK printed on a sticker → physical access yields it
Replay / Injection on Unauthenticated Nodes
Many low-end Z-Wave devices (older sensors, basic switches) don't enforce S0 or S2 — they accept commands in cleartext.
# scapy-zwave (community fork) for crafted frames
from scapy.contrib.zwave import *
frame = ZWave(home_id=0x12345678)/ZWaveBasic(set_value=0xff)
sendp(frame, iface='ezwave0')
This unlocks doors / switches lights / unarms sensors when the target lacks authentication.
Key Brute-Force
For old test deployments using default home IDs / network keys:
# Try default home IDs
for hid in 0x00000000 0x12345678 ...; do
ezwave-test --home-id $hid --target-node 1
done
Hit rate on production is low; useful only for default-config IoT lab gear.
Hub Pivots
Z-Wave devices are typically controlled by a hub (SmartThings, Hubitat, Vera, Home Assistant, Z-Wave JS UI). The hub is a Linux device with the Z-Wave PSK in plaintext storage:
- SmartThings Hub: previously cloud-only credentials; modern v3 stores network key locally
- Home Assistant:
~/.homeassistant/zwave_js.jsontypically contains keys - Hubitat: web UI with default password on older versions
Compromise the hub → walk away with the Z-Wave PSK + every paired device's command authority. See offensive-iot for hub firmware extraction.
Engagement Cheatsheet
# 1. Identify region + frequency
# US: 908.4 MHz; EU: 868.4 MHz; CN: 868.4 MHz
# 2. Sniff
ezwave-sniff -f 908.4MHz -o cap.pcap
wireshark cap.pcap # filter zwave
# 3. Identify S0 vs S2 from frame format
# 4. For S0: capture inclusion → derive key → decrypt history + control devices
# 5. For S2: focus on hub compromise / DSK theft / implementation bugs
# 6. Test unauthenticated cleartext devices with crafted frames
Detection
- Most Z-Wave deployments have no IDS comparable to Wi-Fi/Zigbee monitoring
- Hub may log unexpected commands but UI rarely surfaces these to users
- Inclusion-mode-open is visible in hub UI but ignored by inattentive admins
Reporting
- Identify chipset / firmware revision per device (ZW0500 series, ZW7000 series)
- Map S0 vs S2 per node — note any S0 left on a network with S2-capable nodes
- Document hub compromise paths separately
Key References
- EZ-Wave: github.com/cureHsu/EZ-Wave (HackRF-based)
- "Z-Force and the Z-Wave Sniffer" — original research
- Silicon Labs Z-Wave 700-series spec
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md