Z-Wave IoT Devices Vulnerable to Security Downgrade Attack

Millions of locks, alarms, sensors, light bulbs, garage door openers and other IoT devices that communicate over the Z-Wave protocol can be forced to use weaker security than they actually support.

Z-Wave is a wireless communications protocol that uses low-energy radio waves. Its signal can travel up to 100 meters so it’s better suited for home automation than other wireless protocols such as Bluetooth. More than 2,400 vendors offer Z-Wave-enabled products and the technology is currently present in more than 100 million devices.

Z-Wave devices get paired with a controller and can be managed through a graphic interface on a smartphone or laptop. Once paired, their traffic is encrypted to prevent interception and hijacking.

An earlier version of the pairing process called S0 encrypts the network key used to secure the traffic with a string of zeroes during the initial setup, which could allow attackers to decrypt it. A newer version of the security protocol called S2 fixes this by using Elliptic Curve Diffie-Hellman (ECDH) key exchange, which is much harder to crack.

Researchers from security firm Pen Test Partners have found that most of the devices that support S2 pairing also support the S0 variant to maintain backward compatibility with older devices and networks. Because of this, an attacker within the range of a Z-Wave device can force it to use S0 instead of S2 during the pairing process, downgrading the connection security.

Silicon Laboratories, the company that develops Z-Wave, doesn’t think this is a serious security issue because backward compatibility is intentional and because the downgrade attack can be executed only during a very small time window during initial device pairing.

“The attacker would need to be within close proximity of the device during the very moment the device is installed – an extremely small window of opportunity,” a company representative said in a blog post. “Furthermore, Z-Wave devices can switch their radio to low-power transmission mode during the key exchange process to make packet interception attack much more difficult.”

Researchers from Pen Test Partners claim that their attack is relevant for security because a hacker could leave a battery-powered attack device outside a targeted property for weeks and wait for a pairing event to occur. The researchers are also investigating whether it’s possible to force an already paired Z-Wave device to de-authenticate, which could potentially expose it to the downgrade attack when it’s being paired again.

“If an S0 network key is obtained, all S0 devices connected in the past and future are placed at risk,” the researchers said in their report.

“We aren’t certain how backward compatibility with S0 can be supported whilst enforcing stronger S2 security,” the researchers continued. “This underlines the challenge with many protocols: how do you improve security without creating mountains of electronic waste for devices that are no longer supported?”

Hackers Infect Websites Linked to Insecure WordPress.com Accounts

Hackers have found a new method of infecting websites built with the WordPress platform: They hack into WordPress.com accounts and then install a malicious plug-in on websites linked through Jetpack.

Using WordPress to set up a website doesn’t require an account with WordPress.com, which is a hosted service run by Automattic. However, Automattic also offers a popular security and management plug-in for WordPress-based websites called Jetpack that does require a WordPress.com account to use.

Once linked through Jetpack, standalone WordPress websites also can be managed from a dashboard on WordPress.com, and one of the available features is to remotely install or remove plug-ins.

“When Jetpack is connected to your site, it has the same privileges as the site administrator account,” researchers from Wordfence said in a blog post. “So if you choose to upload a plugin, whatever you upload will be passed along and installed on your site, no questions asked.”

Wordfence has received multiple reports from owners of hacked websites that had a rogue plug-in called “pluginsamonsters” installed. The investigation revealed that hackers broke into WordPress.com accounts using stolen credentials and abused the Jetpack functionality to install the plug-in remotely.

“The plugin gives the attacker full control of the target website and the site is now compromised,” the Wordfence researchers said. “The plugin is visible on the WordPress.com dashboard but is invisible on the target WordPress site’s plugin list when active.”

Jetpack is not the only tool or service that allows users to administer multiple WordPress websites at once. While this is very convenient, website administrators should keep in mind that their passwords for such tools are highly valuable and should be well-protected.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin