Homey Community Forum

Z-wave: one security concern

Hello, I have one concern regarding Z-Wave security with Homey.

I have been playing with associations - just wanted to explore scenarios when Homey is down etc…
The scenario was one switch (Fibaro double switch) and one Z-Wave bulb.

All z-wave devices connected to my Homey are included in secure mode

Secure (S0) or Secure (x)

however, associations were not working. In this forum I found that it’s probably by design that secure associations are not working.
So I disabled secure associations on the switch

and everything started to work…

Now my concern - there was no action on the bulb side (and this applies to all my devices - I have checked) and it accepted an unsecure on/off message from the switch. Does it mean that if somebody traces my message and resends it at a later time, he can theoretically have full control over every device even though they are “securely” connected to the network?

You are way overthinking it.
There is a reason why associations can only be set by the controller, and signals need to come from within the mesh.

So-called hackers/thieves can listen in, but sending to let other devices respond is a little (much) harder.
And it will be a lot easier to break in than to try to be funny and turn off a light or socket.
Or break into your WiFi, as that has the same type of protection, but a lot more options to annoy/harm you.

Thanks for the reply, @Caseda.

Just for clarification - I opened this topic just for discussion and maybe it will help somebody… So if somebody is annoyed, please skip this topic.

To react to your message - what’s the reason for having all communication in the mesh secure? If it is easier to break into the house than to break into the mesh network, then why did one establish Z-Wave Plus V2 with communication encryption?

As I understand associations - if a device receives an associated message from any device, it’s not checking its origin. The controller is not included in this communication (so there is no validity check whether it is from a device included in the network).

And there was no pairing between devices - so any device in the network is accepting non-encrypted messages from any device…

It still looks to me like the “weakest link in the chain”.

Security (S0) is so it is harder to listen in on traffic, still not impossible as that security key has been broken for years now (easy to crack), and if you are able to listen in, you are also able to send.

S2 security makes it a lot harder as that encryption is a lot stronger, and also there during pairing unlike S0, but Homey doesn’t support S2 yet.

And you know all that is sent?
The Z-Wave log doesn’t show all data that is transmitted (by far), so that way you won’t know.
There is no such thing as broadcast in Z-Wave, so a node that sends to another node needs to know that other node’s ID; without that ID no device will listen.

But devices of course do check if they are in the same network. Could you imagine if your neighbours also have Z-Wave devices, they could just turn off a device of yours because they have a device(s) also on the same ID? (With a maximum of only 231 IDs it isn’t that hard to happen accidentally.)