Security Evaluation of the Z-Wave Wireless Protocol

The Z-Wave wireless communication protocol has been widely used in home automation and wireless sensor networks. Z-Wave is based on a proprietary design and a sole chip vendor. A number of academic and practical security studies have examined home automation systems based on the ZigBee and X10 protocols; however, no public vulnerability research on Z-Wave could be found prior to this work. In this paper, we analyze the Z-Wave protocol stack layers and design a radio packet capture device and related software, named Z-Force, to intercept Z-Wave communications. This device enables us to decode different layers of the Z-Wave protocol and study the implementation of encryption and data origin authentication in the application layer. We then present the details of a vulnerability, discovered using the Z-Force tool, in AES-encrypted Z-Wave door locks that can be remotely exploited to unlock doors without knowledge of the encryption keys.
