Homey Community Forum

[App] Fibaro by Athom

The devices must support the S2 security standard in order to be included “secure”. The security standard S0 is not supported by the current Homey firmware v7.1.3.
All Fibaro devices you mentioned only support the S0 security standard, so they are included as “unsecure”.

Is this by design and the situation going forward, or a bug in the current version?

According to Z-wave Alliance certification, all Fibaro devices I own have these specs:

Supports Z-Wave Network Security? Yes
Supports Z-Wave AES-128 Security S0? Yes
Supports Security S2? No

What kind of security (of any kind) can I expect to have with Homey 7.1.3?
Am I getting AES-128 encryption at all?

Intended, yes (since firmware v7.x); whether that will change in the future I don’t know. Please ask Athom (support@athom.com) about this.

That’s what I told you.

S2 Authenticated (with PIN)
S2 Unauthenticated (without PIN)

S2 also uses AES-128 encryption. Quote from the Aeotec website: “S2 enhances Z-Wave Plus, Gen5, and Gen7 with an additional layer of AES 128-bit encryption of wireless signals coupled with pro-security grade UL 1023 compliance.”

I am not an in-depth Z-Wave and Internet expert, but from my point of view it is quite unlikely that a burglar would try to hack the Z-Wave network in a normal household in order to break in “more easily” or to deactivate the alarm system. The necessary effort is relatively high. Maybe the possible danger is higher in villas or commercial buildings, but there I would not use a Homey or radio-based devices.
An attack via the Internet is much easier in my view.

Homey includes all devices with S0 as unsecure. This is by design since Homey v7, as they had too many issues (too slow) with devices included as secure on S0 (especially battery devices).
Lots of users already used a workaround before to include such devices as unsecure.

The developer of said app can still enable it, for example for Z-Wave based locks, but it has to be enabled in the code of the app; it can’t be chosen by users.

Thank you all for your comments. Based on your responses, it seems that the current configuration is most optimal, though not the most secure.

Just some additional info. You can force an S2 device where a PIN is needed to be included as unsecured by using a wrong PIN, e.g. 00000. This could be necessary if you want to use associations.

Btw, there is already a request to Athom (Athom does read some posts in the forum, but in principle does not respond to them) that it should be made possible for the user to choose during inclusion whether a security standard should be used or not.
If you are also interested in this, then you can like the post.