The Z-Wave Alliance, an open consortium of global companies deploying the Z-Wave smart home standard, is adding a security requirement to its long-standing interoperability certification.
According to Mitchell Klein, Z-Wave Alliance executive director, the Alliance Board of Directors voted to require that all devices receiving Z-Wave Certification after April 2nd, 2017 include the new advanced Security 2 (S2) framework, an important addition to the Alliance’s certification program that will require manufacturers to adopt a stronger level of IoT security.
“The recent spate of hackings and DDoS and other things going on are more or less happy coincidences and not motivation on our part, and the reason I put it that way is because something as complex as the S2 Security protocol that we’ve established has been in development for more than four years,” Klein told Security Systems News. “No one can afford to sit on their hands and wait—consumers deserve IoT devices in their home to have the strongest levels of security possible. IoT smart home technologies that don’t act will be left behind.”
Klein said that the update is backwards compatible, so any devices that are running on the current chip sets can be firmware updated to include S2 without having to make any hardware changes, and the updates can be pushed.
“The reason why we moved forward with it is because we wanted to ensure that as we got more and more complex devices, and more and more complex systems, that security becomes a base part of all devices and everything in the system,” Klein explained. “In order to achieve that, we had to take it up a level and make sure that it is going to run on the current chip set, so that our members don’t have to go and change or redesign hardware.”
Z-Wave's S2 framework was developed in conjunction with cybersecurity hacking experts, giving the already secure Z-Wave devices new levels of impenetrability, according to Klein. “We are so confident that this is hack-proof, that we actually post the S2 protocol on the website and it is publicly available,” he said.
Klein said that by securing communication both locally for home-based devices and in the hub or gateway for cloud functions, S2 also completely removes the risk of devices being hacked while they are included in the network. By using a QR code or PIN code on the device itself, the devices are uniquely authenticated to the network as well. Common hacks such as man-in-the-middle and brute force are “virtually powerless” against the S2 framework through the implementation of the industry-wide accepted secure key exchange using Elliptic Curve Diffie-Hellman (ECDH), he said.
Finally, Z-Wave also strengthened its cloud communication, enabling the tunneling of all Z-Wave over IP (Z/IP) traffic through a secure TLS 1.1 tunnel, removing vulnerability.
By changing the way security is implemented, Klein said that there are a number of improvements. “You will find that the response time from things like door locks, which actually had to require authentication, is much quicker, and with much less overhead (single exchange as opposed to a back-and-forth exchange),” he said.
For 2017, from a technology perspective, Klein said there will be discussions about a new generation Z-Wave chip. “We have a lot of things up our sleeve on what that is going to do and I think that is going to put a lot of smiles on people’s faces,” he said.