It's said the best offense is a good defense. It looks like that adage may prove true again with Z-Wave’s new Security 2 (S2) framework. In April of this year, the Z-Wave Alliance added a security requirement to its interoperability certification that requires manufacturers to implement the new S2 framework. This move was years in the making and has set the groundwork for a secure Internet of Things (IoT). Combined with a move last fall to release certain software including S2 to the public domain, manufacturers of Z-Wave devices now have the flexibility to create solutions and the confidence to know they are part of a secure network, without sacrificing battery life.
Most of us have been waiting for the IoT for so long we didn’t notice that it had arrived. It started in the early 2000s trying to stream media over wireless. It soon migrated to command and control, particularly of entertainment systems. There was a market there, but a high-end and niche one, so the majority of us weren’t buying.
In 2007, the introduction of the smart phone opened the floodgates for home security systems which has been the principal driver over the past decade. With remote access to lights, sensors and locks, the IoT went from a high-end convenience to making everyday people feel safe. A walk through your local home improvement store will show you what’s available. Smart plugs, smart light bulbs, smart cameras, smart locks and smart thermostats all waiting to bring your house under your control.
There exists a fear, whether deservingly or not, that the IoT is a vulnerable network. Images of hackers making your fluorescent bulbs explode or your thermostats turning the heat too high even made it to Primetime TV. The critically acclaimed TV show Mr. Robot showed a team of hackers essentially chase a wealthy homeowner out of her sophisticated smart house by having all of the systems go haywire at once. In general, society always has a deep desire for new technology mitigated by a healthy fear of the unknown. After all, it’s one thing to have a computer virus and quite another thing to have a home virus. So how vulnerable was Z-Wave before S2? The answer is, it depended. For devices that incorporated their existing optional security measures, the network was very secure. The problem was that the security measures required more power and effected latency, thus it was impractical to require a simple sensor to have the same security provisions as something more critical. It would have required the batteries to be replaced far too often and introduced too much latency.
Security 2 (S2) Framework
That’s why the Z-Wave Alliance knew to truly make the IoT secure, they had to have a security framework that didn’t require more power or cause latency in the devices implementing them. Furthermore, the framework needed to be backward compatible to ensure they would work with existing devices. They were meticulous, working with cybersecurity experts to secure both local and cloud communications. What they came up with was the Security 2 (S2) framework.
S2 removes the risk of devices being hacked while included in a network. Z-Wave devices in the S2 framework are uniquely authenticated to the network using QR codes (two-dimensional barcodes) or pin-codes. In addition, AES128 encryption is used for another level of communication security, this is the encryption used by major banks the US government when sending sensitive/classified information. Secure communication between devices is achieved through Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol which makes it impossible to decipher the network key. Cloud communication is secured through a Transport Layer Security (TLS) 1.1 tunnel. The result is a framework resistant to common hacking techniques such as man in the middle hacks and brute force hacks. Z-Wave’s technical certification program is administered through third party test facilities in Europe, US, and Asia. S2 devices will be backwards compatible with existing devices.
The goal of Security 2 is to provide high security for all Z-Wave devices and to ensure there are no vulnerabilities in a Z-Wave network. S2 Z-Wave devices are on par with previous Z-Wave devices in terms of battery performance, latency and cost while improving security. Z-Wave is the first protocol to enable all nodes in a network to have a high security level. Network vulnerabilities have been virtually eliminated. Consumers can expect faster devices with longer times between replacing batteries.
Open-Source
So what do you do when you have a security framework you know is great? You put it out in the public domain to further validate its strengths and to quickly identify any potential issues. Manufacturers have had access to the S2 framework since the summer of 2016. In addition, the API specification for Z-Waves Z/IP (Z-Wave over IP) and Z-Ware (Z-Wave (middleware) software products were also made public. The idea is, S2 is secure whether you know how it works or don’t and the secure framework allows Z-Wave to open its software to the public for quicker and more flexible adoption. Not surprisingly, software community involvement has increased with acceleration in the development of new and innovative smart home solutions.
IoT - No Longer Pie in the Sky
Raoul Wijgergangs, Vice President of the Z-Wave for Sigma Designs says he chose to get involved with Z-Wave over a decade ago because other early attempts at standardization consisted of “Members fighting for their share before there even was a pie.”
If you ask him the lazy IoT question du jour as to whether he expects Z-Wave to emerge triumphant over Zigbee, a large competitor in the space with their own alliance, he points out that each have their strengths and he expects they will coexist. The point is, the Z-Wave Alliance isn’t obsessed with market share, they are too busy building something that is opening things up while making things secure at the same time. They’ve addressed that instinctive fear that society has when confronted with new technology and by opening things to the public, have provided the flexibility Z-Wave needs to scale. So the next time you’re in your local home improvement store and you see a Z-Wave device, forget about Mr. Robot and think about how much easier your life is about to get.