SensePost is SecureData’s independent elite consulting arm, renowned for its expertise, 19-year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity which are widely recognised and used throughout the industry and feature regularly at industry conferences including BlackHat and DefCon.

Hacking Z-Wave Home Automation Systems

Blackhat USA

Presented by Behrang Fouladi and Sahand Ghanoun at BlackHat 2013 USA

Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a "smart home". The Zigbee and Z-Wave wireless communication protocols are the most commonly used RF technologies in home automation systems. Zigbee is based on an open specification and has been the subject of several academic and practical security research efforts. Z-Wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical (ISM) radio band. Unlike Zigbee, no public security research on the Z-Wave protocol was available before our work.

During this talk, we presented our analysis of the Z-Wave protocol stack layers, including the security layer, as well as our Z-Wave packet interception and injection tool (Z-Force). Using this tool, we identified a critical implementation vulnerability in the Z-Wave security layer and demonstrated a remote attack to compromise an AES-encrypted Z-Wave door lock. A detailed analysis of the Z-Wave security layer and a description of the vulnerability can be found in the research paper. The public version of the Z-Force tool and radio firmware files can be downloaded from here.