Z-Wave: From capturing to analyzing the wave!

By Aidin Ameri

Z-Wave

Z-Wave is a sub-gigahertz wireless technology that is mostly used in home automation environments to exchange information from sensors, such as heat and motion sensors, to the base station and eventually to the user, or to transfer commands from users to devices such as thermostats or other actuators. Z-Wave is also used in Industrial, Scientific, and Medical devices. The technology is controlled by the Z-Wave Alliance, which states that it is implemented on more than 1700 devices. Z-Wave has the following specification:

Frequency                        908.4; 916.0 (USA)
Data Rate                        Up to 100 Kbps
Throughput                       Up to 40 Kbps
Communication between two nodes  Max. 30 Meters (line of sight is not necessary)
Physical range                   Max. 100 Meters
Hops between Nodes               4 hops
Number of Devices                Max. 232

The Z-Wave network uses two major identification mechanisms: the Network ID (Home ID), which is 4 bytes long, and the Node ID, which is 1 byte long. In this blog we focus on the security (or lack of security) of this network and on an easy method to capture Z-Wave traffic.

Z-Wave Security

The security layer in this protocol was designed and implemented after the major release of the protocol, which makes it optional for vendors to use. Analyzing the Z-Wave devices on hand showed that none of them supported this feature.

The Z-Wave security layer provides confidentiality for the entire layer payload, encrypting it with AES-128, a symmetric block cipher, in Output Feedback (OFB) mode. But even when security is in place, the lower layers are not encrypted, and the Home IDs and Node IDs are sent in plain text.

Available resources

There is not much documentation about Z-Wave available, as any company or developer who wants to use Z-Wave needs to sign a non-disclosure agreement with the Alliance. A developer who wants to analyze Z-Wave traffic typically buys a $3500 kit, which includes software called Zniffer and a Z-Wave USB stick provided by the Alliance. In this project, however, we are going to use a set of open source components.

Required Hardware & Software

Hardware

Because of the nature of the Z-Wave protocol, the available Z-Wave controllers do not support capturing the traffic, even in promiscuous mode. So we must use a Software Defined Radio (SDR) dongle; these are available online for under $30. The one I used is the NooElec NESDR Mini 2 SDR (figure 1), which has an RTL2832 interface IC. The frequency range of this device is approximately 24 MHz – 1750 MHz, which covers the Z-Wave frequencies.


Figure 1- NooElec NESDR Mini 2 SDR

Required software

The list of software and packages necessary to capture and display the Z Wave traffic is as follows:

Capture the Z-Wave traffic

Now that you have all the software installed on the operating system, connect the SDR to the system. You also need to know the Z-Wave frequency for your region; as mentioned in the Z-Wave section, it differs between countries. The table below lists the frequency for 10 different countries.

Frequency in MHz   Used in
865.2              India
868.1              Malaysia
868.42 ; 869.85    Europe
868.4              China, Korea
869.0              Russia
908.4 ; 916.0      USA
915.0 – 926.0      Israel
919.8              Hong Kong
921.4 ; 919.8      Australia, New Zealand
922.0 – 926.0      Japan

Start capturing:

$ rtl_sdr -f <frequency> -s 2048000 -g 25 - | ./rtl_zwave

For US:

$ rtl_sdr -f 908.42e6 -s 2048000 -g 25 - | ./rtl_zwave

As a result, an instance of Wireshark will open and show any sniffed Z-Wave traffic.


Figure 2-Z-Wave capture in Wireshark

Analyze the Z-Wave traffic

There are two security frameworks implemented for Z-Wave, S0 and S2. The first is recommended, but it is up to the manufacturers whether to use it, and unfortunately most of them ignore it. The second has better security, and as of April 2017 it is mandated by the Z-Wave Alliance for a device to be certified. However, all Z-Wave devices must be backwards compatible, so at best we will end up with a mixed network. In both security frameworks only the data payload is encrypted. For the sake of this blog we consider these security frameworks perfect and unbreakable, and we use only the information exchanged in plain text, which is as follows:

  • Home ID (32-bit value that identifies the Z-Wave network)
  • Source Node ID (8-bit value; the size of this ID limits the maximum number of nodes on a Z-Wave network to 232)
  • Destination Node ID (8-bit value)
  • Route (1-bit flag that indicates whether the traffic has been routed)

Using the information above, we can identify a Z-Wave network and the nodes on it, for example window sensors. If we capture the traffic for a long time we can identify patterns; for example, some systems send a beacon to check that the nodes are alive. If we identify the window sensor and capture its Node ID, we will know when the window's status has changed by noticing a transmission at an irregular time (i.e. one that does not fit the captured pattern); we do not even need to know the content of the data payload.
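As an added example (not code from the original post, nor from rtl_zwave), the following Python parses the plaintext fields listed above out of a captured frame and builds a per-network node inventory, which is exactly the metadata that S0/S2 leave exposed. It assumes the public ITU-T G.9959 frame layout and XOR checksum for the 9.6/40 kbps rates; the sample frames are constructed.

```python
from collections import defaultdict

# Assumed layout (public ITU-T G.9959, 9.6/40 kbps rates), not from the post:
# Home ID (4) | Src Node ID (1) | Frame Control (2) | Length (1) | Dst Node ID (1)
# | payload | 8-bit XOR checksum seeded with 0xFF. Routed = bit 7 of Frame Control 1.
ROUTED_FLAG = 0x80

def zwave_checksum(data: bytes) -> int:
    """XOR of every byte before the checksum, starting from 0xFF."""
    cs = 0xFF
    for b in data:
        cs ^= b
    return cs

def parse_frame(frame: bytes) -> dict:
    """Extract the fields that stay in plain text even when S0/S2 is in use."""
    if len(frame) < 10 or frame[7] != len(frame):
        raise ValueError("frame too short or Length field does not match capture")
    return {
        "home_id": frame[0:4].hex(),
        "src": frame[4],
        "dst": frame[8],
        "routed": bool(frame[5] & ROUTED_FLAG),
        "payload": bytes(frame[9:-1]),
        "checksum_ok": zwave_checksum(frame[:-1]) == frame[-1],
    }

def inventory(frames) -> dict:
    """Home ID -> sorted Node IDs seen: what a passive listener learns from metadata."""
    nodes = defaultdict(set)
    for f in frames:
        h = parse_frame(f)
        if h["checksum_ok"]:  # drop frames the demodulator decoded wrongly
            nodes[h["home_id"]].update({h["src"], h["dst"]})
    return {k: sorted(v) for k, v in nodes.items()}

def build_frame(home_id: bytes, src: int, dst: int, payload, routed=False) -> bytes:
    """Assemble a well-formed frame; used only to construct the samples below."""
    fc1 = 0x01 | (ROUTED_FLAG if routed else 0)  # 0x01 = singlecast header type
    body = bytearray(home_id) + bytes([src, fc1, 0x00, 0x00, dst]) + bytes(payload)
    body[7] = len(body) + 1  # Length counts the whole frame including checksum
    return bytes(body) + bytes([zwave_checksum(body)])

# Constructed samples: node 3 (a sensor) reports to node 1 (the controller) and back.
HOME_ID = bytes([0xC0, 0xFF, 0xEE, 0x01])
SAMPLE_FRAMES = [
    build_frame(HOME_ID, 3, 1, [0x30, 0x03, 0xFF]),
    build_frame(HOME_ID, 1, 3, [0x30, 0x02], routed=True),
]
```

Feeding the raw frames that rtl_zwave hands to Wireshark through `inventory` gives, per Home ID, the list of Node IDs a listener can enumerate without touching the encrypted payload.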

Conclusion

The purpose of this blog is to make it easier for people interested in Z-Wave security and home automation to capture and analyze Z-Wave traffic. It would be beneficial to also investigate injecting Z-Wave data into a Z-Wave network. This is possible using the OpenZWave framework and one of the available Z-Wave controllers, such as the Z-Stick by Aeotec. By injecting traffic into Z-Wave networks, one can use the information gathered from capturing Z-Wave, such as the Home ID, Source Node ID and Destination Node ID, to add new nodes to the network or to cause a denial of service by consuming the base station's resources.
