How to protect Z-Wave devices and IoT networks against Shodan hacks

Shodan is a search engine designed to find internet-connected devices.

Once discovered, devices on unsecured networks can become attractive targets for hacking. Because Shodan can be used to find devices connected on a Z-Wave network as well as devices commonly known as the ‘internet of things‘ (IoT), you should take precautions to keep Z-Wave and IoT networks secure.

Z-Wave networks

Z-Wave is a wireless networking technology primarily used for home automation. More than 50 million Z-Wave devices have been sold worldwide, and more than 200 companies manufacture Z-Wave hardware.

Each manufacturer is required to build products that can interoperate with those from other manufacturers. The Z-Wave Alliance and certification process assure each device works correctly in a mixed-vendor environment.

Z-Wave uses radio frequency communication to monitor, control, and read the status of devices such as electronic door locks, HVAC systems, lamp dimmers, swimming pool pumps, and garage door openers.

A Z-Wave deployment uses a mesh network topology where each device in the network can relay data packets through the network. This approach allows any given Z-Wave device to forward instructions to another device in the network, eliminating the need for a conventional router.

You can set Z-Wave home automation systems to work locally, using a hand-held remote control provided by the device manufacturer to operate each Z-Wave device, or you can install the system to allow access through the internet.

In order to connect to the internet, you must first add a gateway, which receives instructions via Wi-Fi (or, for some gateway products, via an Ethernet wired connection) and controls the Z-Wave home automation network accordingly.

Specifications

Z-Wave broadcasts on 908.42 MHz in the US and Canada, which falls within the 900 Mhz Industrial, Scientific, and Medical (ISM) band. Devices broadcasting in that band do not need to be licensed with the FCC.

Compared to protocols that use the 2.5 GHz band such as Wi-Fi and Bluetooth, signals in the ISM band are less affected by obstructions (furniture, walls, floors, etc.) between network devices.

In the US, the FCC allows Z-Wave devices to broadcast with 1 mW power. This low level makes minimal demands on the batteries that power the device. Batteries often last six to 12 months or longer.

The internet of things (IoT)

As the internet expanded to include devices other than mobile phones, tablets, and computers, the internet of things also began to grow. IoT is the network of physical objects that connect to the internet, like those in vehicles, buildings, etc.—which includes Z-Wave networks.

Such devices collect and exchange data with one another and with servers that may be local or in the cloud. Tens of billions of new devices are expected to come online in the next few years, making the IoT a major new target for hackers intent on doing harm.

Shodan threatens Z-Wave networks and IoT

As noted, Shodan.io is a search engine that discovers devices connected to the internet. It not only finds web servers and computers, but it also identifies routers and gateways such as those used in Z-Wave networks.

This is useful for researchers, penetration testers (those who find vulnerabilities in systems), and law enforcement agencies. In the right hands, it’s useful; in the wrong hands, it’s downright dangerous.

A Z-Wave home automation system can be set up with no internet connection. However, when it is configured to allow remote access through the internet, those systems can be discovered via the Shodan search engine.

Most Z-Wave devices offer the option to encrypt data and commands sent to each device. Some Z-Wave device vendors do not enable encryption by default, and installers may overlook the step required to enable encryption.

Encryption should be turned on for every device to assure the greatest protection.

A door lock on a home, for instance, should have encryption turned on to guard against man-in-the-middle and other types of attack. With encryption enabled, Shodan users may be able to discover the network, but they will not be able to access it unless they know the gateway’s login credentials.

Upcoming products promise enhanced security

In order to address concerns over security, manufacturers are ramping up to deliver a new generation of Z-Wave products expected in late 2016. These products have been certified by Underwriter’s Laboratory as complying with UL Standard 1023.

This standard expands Z-Wave equipment from the home automation market to now include household alarm systems, which requires that products be designed with strong security features.

The new Z-Wave Security 2 (S2) framework will be available in the Version 6.7 software development kit. New security measures will provide advanced security for smart home devices and controllers, gateways, and hubs.

The new product lines will use strong AES 128 encryption turned on by default in all products, secure key exchange, a secure TLS 1.1 tunnel for all Z-Wave/IP traffic, and authenticated deployments to eliminate man-in-the-middle attacks. These security improvements should make Z-Wave networks virtually inaccessible to hackers using Shodan.

Installation

Manufacturers of Z-Wave devices each provide their own installation instructions. However, the steps required to install a Z-Wave network follow these general steps:

Install the control device (if used), often called a gateway or controller, following manufacturer’s instructions. Be sure to create a hard-to-crack username and password. Too many gateways and routers use “admin/admin” for the login credentials, leaving them open to hackers.

Add Z-Wave devices to the network by “including” them. This process is also known as “pairing” or “adding.” It is most often accomplished using buttons on the controller and on the device being “included” in the network.

Once all Z-Wave devices have been included, check the network for errors using the Z-Wave Installation and Maintenance Application (IMA). This software tool checks for link stability, latency, and quality of service. Detailed troubleshooting instructions using the IMA tool can be found on the Sigma Designs website.

Conclusion

As Z-Wave networks and billions of other IoT devices come online, the need to protect against hacking becomes ever more critical. Follow the guidelines in this article and the manufacturer’s instructions to achieve the most secure installation possible.