A Mandatory Security Framework for IoT Devices

Z-Wave aims to be the most secure ecosystem of connected home IoT devices. (Image courtesy of Z-Wave Alliance.)

As of April 2, the Z-Wave Alliance of Internet of Things (IoT) companies has imposed a new mandatory security protocol for all IoT devices seeking Z-Wave certification. The Security 2 (S2) framework, developed in conjunction with cybersecurity experts, aims to strengthen IoT security in the sensitive market of smart home technology.

Security 2

The S2 framework improves on the original Z-Wave S0 framework by further reducing the risk of devices being hacked while on the Z-Wave network. The Alliance claims that S2 virtually eliminates common attacks such as brute force and man-in-the-middle, and as an added bonus, S2 devices will be backwards compatible with current Z-Wave devices.

S2 operates with three security classes, each with a unique network key. From most to least trusted, the S2 classes are “Access Control,” intended for high-security devices such as door locks; “Authenticated,” used for most household devices with a user interface; and “Unauthenticated,” meant for devices that are too limited to provide out-of-band (OOB) authentication. An example of OOB authentication is manually entering a PIN on the device.

S2 employs the widely trusted Elliptic Curve Diffie-Hellman method of key exchange and uses AES-128 encryption for all security classes. It also reduces vulnerability from IoT devices communicating with the cloud by tunneling all “Z-Wave over IP” (Z/IP) traffic through a TLS 1.1 tunnel.
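
How an out-of-band PIN can bind an ECDH exchange to the physical device and defeat a substituted key, as an added Python sketch that is not taken from the Z-Wave specification or from the article. It assumes Curve25519 (X25519, RFC 7748) and models the PIN as the first two bytes of the device's public key, withheld from the radio link; the seeds and function names are constructed for the illustration.

```python
# Added illustration, not Z-Wave code. Pure-Python X25519 (RFC 7748), not constant-time.
import hashlib

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the RFC 7748 Montgomery ladder."""
    k_int = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(seed: bytes):  # constructed seed; a real device would use a CSPRNG
    priv = hashlib.sha256(seed).digest()
    return priv, x25519(priv, BASE)

def pin_of(pub: bytes) -> str:
    """Assumed model: the 5-digit PIN on the label is the first two key bytes in decimal."""
    return f"{int.from_bytes(pub[:2], 'big'):05d}"

def over_the_air(pub: bytes) -> bytes:  # key as transmitted, with the PIN bytes blanked
    return b"\x00\x00" + pub[2:]

def controller_secret(ctrl_priv: bytes, received: bytes, typed_pin: str) -> bytes:
    """Controller restores the blanked bytes from the user-typed PIN, then runs ECDH."""
    restored = int(typed_pin).to_bytes(2, "big") + received[2:]
    return x25519(ctrl_priv, restored)

def demo():
    dev_priv, dev_pub = keypair(b"constructed device seed")
    ctl_priv, ctl_pub = keypair(b"constructed controller seed")
    rogue_priv, rogue_pub = keypair(b"constructed interceptor seed")
    pin = pin_of(dev_pub)  # read off the device label, never sent by radio
    honest = controller_secret(ctl_priv, over_the_air(dev_pub), pin) == x25519(dev_priv, ctl_pub)
    # A substituted key is "restored" with the real PIN into a key nobody holds the private half of.
    swapped = controller_secret(ctl_priv, over_the_air(rogue_pub), pin) == x25519(rogue_priv, ctl_pub)
    return honest, swapped
```

`demo()` returns `(True, False)`: the genuine device and the controller agree on a secret, while a party that swaps in its own public key ends up with a different one, so the pairing cannot complete.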

A True Smart Home Security Solution

In a white paper describing the Z-Wave security ecosystem, Alliance member Sigma Designs was confident about the potential of the new protocol, saying, “S2 may be considered the first true smart home security solution.”

That’s a sentiment shared by Z-Wave Alliance Executive Director Mitchell Klein. “We are absolutely committed to making Z-Wave the safest, most secure ecosystem of smart devices on the global market,” said Klein. “Our work, in conjunction with the entire Alliance membership, will ensure that developers, service providers, manufacturers and consumers alike will look to Z-Wave as the most trusted solution with the highest levels of protection.”

With consumers increasingly worried about IoT security, a number of organizations have set forth standards to raise the security bar, ranging from the Industrial Internet Consortium to Consumer Reports. The Z-Wave Alliance mandating S2 on all its devices raises this bar a step higher, and IoT engineers would be wise to follow this lead in prioritizing security.

Still unconvinced? Read about real IoT security risks in “DDOS Attack Made Possible by Lack of IoT Security.”