Z-Wave Alliance Initiates Mandatory Security Protocol for All Certified Devices

Z-Wave Alliance Initiates Mandatory Security Protocol for All Certified Devices

By: HomeTheaterReview.com, April 4, 2017

The Z-Wave Alliance has announced that, effective immediately, all new Z-Wave certified devices must adhere to a new security protocol to ensure that users of Z-Wave smart home products are protected. Z-Wave is a wireless mesh networking protocol utilized by many smart home products, including lights, cameras, thermostats, dock locks, and more. According to the official announcement below, the Alliance’s Board of Directors voted unanimously in November 2016 to require mandatory implementation of the new Security 2 (S2) framework, and the Z-Wave certification program will now include checks to ensure that all S2 security solutions are correctly implemented in every new certified device. 

From The Z-Wave Alliance
The Z-Wave Alliance, an open consortium of leading global companies deploying the Z-Wave smart home standard, as of [April 2] will require strict and uniform adoption of a new security protocol for all Z-Wave devices receiving certification. The Alliance Board of Directors voted unanimously in November 2016 to require mandatory implementation of the new Security 2 (S2) framework, the most advanced security for smart home devices and controllers, gateways and hubs in the market today.

According to a 2016 AT&T study, 58% of companies reported they were not confident in the security of connected devices. Other consumer studies have shown that security and privacy is a major concern among those looking to adopt smart home. The industry focus on IoT security continues to amplify and today’s milestone demonstrates Z-Wave’s early leadership role in the space. The Z-Wave Alliance has been working for several years with chipmaker Sigma Designs to develop world-class security standards for all Z-Wave devices as IoT expands into homes around the globe.

“We are absolutely committed to making Z-Wave the safest, most secure ecosystem of smart devices on the global market,” commented Mitchell Klein, executive director of the Z-Wave Alliance, “Our work, in conjunction with the entire Alliance membership, will ensure that developers, service providers, manufacturers and consumers alike will look to Z-Wave as the most trusted solution with the highest levels of protection.”

As of April 2, 2017, Z-Wave’s technical certification program, which is administered through 3rd party test facilities in Europe, US and Asia, will check that all S2 security solutions, which contain rules for command classes, timers and device types are correctly implemented in every new certified device. S2 devices will also be backwards compatible with existing devices on the market.

The Z-Wave S2 framework was developed in conjunction with the cybersecurity expert community to give the already secure Z-Wave devices new levels of impenetrability. By securing communication both locally for home-based devices and in the hub or gateway for cloud functions, S2 also virtually removes the risk of devices being hacked while they are included in the network. By using a QR or pin-code on the device itself the devices are uniquely authenticated to the network as well. Common hacks such as man in the middle and brute force are virtually powerless against the S2 framework through the implementation of the industry-wide accepted secure key exchange using Elliptic Curve Diffie-Hellman (ECDH). Finally, Z-Wave also strengthened its cloud communication, enabling the tunnelling of all Z-Wave over IP (Z/IP) traffic through a secure TLS 1.1 tunnel, removing vulnerability.