EZ-Wave: A Z-Wave hacking tool capable of breaking bulbs, abusing Z-Wave devices

Interview with the creators of EZ-Wave, a Z-Wave hacking tool released at ShmooCon that can break fluorescent light bulbs and abusing other Z-Wave devices.

Energy saving light bulbs hanging

The synopsis for Breaking Bulbs Briskly by Bogus Broadcasts mentions the promise of smart energy and building automation, as well as the many unintended vulnerabilities that are introduced in the rush to bring IoT devices to market. The researchers believe “the ability to physically damage hardware by abusing network access is particularly interesting.” I agree.

Frustrated by the “lack of functionality in current Z-Wave hacking tools,” ShmooCon presenters Joseph Hall and Ben Ramsey created and released a new, open source EZ-Wave tool. Not only did the duo discuss how to use the tool for pen-testing Z-Wave wireless automation networks, they also discussed “a rapid process for destroying florescent lights.” They added, “Once access is gained to an automated lighting system, regardless of the protocol used, we demonstrate how to destroy florescent lamps rated for 30K hours within a single night of abuse.”

Hack A Day first covered Ramsey and Hall’s talk; the article fully piqued my interest when suggesting EZ-Wave could be “used for control with the potential for mayhem” as well as industrial espionage.

During their presentation, they referenced “Maximizing the Economic Benefits of Compact Fluorescent Lamps” (pdf), from the Journal of Industrial Technology, which states fluorescent bulbs can be quickly be broken by turning them on and off rapidly.

That could be accomplished with their EZ-Wave tools for evaluating and exploiting Z-Wave networks using software-defined radios (SDRs). Available on GitHub, EZ-Wave includes: ezstumbler, ezrecon and ezfingerprint.

In an interview, the creators discussed the tests and capabilities of the hacking tool in detail.

Did you really destroy lights or physically damage other hardware by abusing network access and Z-Wave?

Ramsey and Hall: Yes, we used two HackRFs to repeatedly turn on and off Z-Wave devices (plugs) that controlled CFLs and industrial fluorescent lights (the 4ft tube lights you typically see in office buildings). The second half of our ShmooCon presentation discussed how fast it was possible to break these bulbs. We found that a one second on, three seconds off pattern typically broke CFLs in under nine hours and broke industrial lights in under four hours. We have not directly discussed damaging other hardware; however, Mike from Hackaday brings up a great (and very possible) point about turning off thermostats and potentially causing pipes to freeze. Another attack that we have reproduced is keeping alarms from sounding when a door or window is opened.

One thing we want to make sure people understand is that EZ-Wave (as made available on GitHub) only includes tools for reconnaissance (finding and enumerating Z-Wave networks and interrogating Z-Wave devices). It does not include pre-built tools for exploiting (controlling or breaking) Z-Wave devices. However, everything one would need to exploit Z-Wave devices that do not use encryption is there.

Although the Z-Wave protocol supports AES-128, it is up to the device manufacturer to choose to use it or not. Ramsey and Hall discovered that of the 33 devices they tested, only nine supported encryption. Of those five doors locks and four newer devices, three of the four required a user to ‘opt-in’ for encryption. That’s crazy, offering extra security and privacy via encryption but manufacturers dropping the ball by not having encryption on by default!

Hall mentioned two limitations in the current release of EZ-Wave. The first is the lack of reliable communication with battery-operated Z-Wave devices, so beginners should start with devices that plug into the wall. Additionally, EZ-Wave currently communicates with devices using the 40kbps data rate, which is the most common.

Would you please be so kind as to release the names of the 33 different Z-Wave devices tested?

Ramsey and Hall: Rather than release the names of the devices that do not support encryption, we would prefer to list the devices that do.

#1-5 below are door locks and use encryption by default. #6 also uses encryption by default. #7-9 support encryption, but don't use it by default (instructions for encryption are buried in the user manual. Interestingly, all the door locks listed use older Z-Wave technology (3rd gen) while #6-9 use the latest Z-Wave technology (5th gen or Z-Wave Plus).

  1. Kwikset 910
  2. Yale YRL-220-ZW-619
  3. Schlage BE468CAM619
  4. Yale YRL-210-ZW-619
  5. Monoprice 10798
  6. Aeotec Siren Gen5
  7. Aeotec LED Bulb
  8. Aeotec Smart Switch 6
  9. Aeotec Multisensor 6

If not the names of the 33 products, would you be willing to break it down into specific device types?

Ramsey and Hall: To answer your question, we tested a variety of device types from as many manufacturers as we could. We looked at PIR sensors, smoke detectors, window/door sensors, water valves, sirens, a garage door motor, electrical outlets, light bulbs, thermostats, etc. It is our understanding that most (if not all) Z-Wave door locks use encryption. Each device manufacturer determines if encryption should be used in any given device. Generally speaking, it makes no sense to NOT use encryption with door locks; one story of a wireless lock being easy to hack would ruin them. While we complained about some of their new Z-Wave Plus devices having an ‘opt-in’ model of security, Aoetec in particular appears to be supporting encryption in many (if not all) of their Z-Wave Plus devices. This is something that other device manufacturers should replicate.

How much would one need to invest to start testing Z-Wave devices?

Ramsey and Hall: We used two HackRF Ones because they are only half duplex (one for transmitting and one for receiving). You could substitute the 2 HackRF for 1 BladeRF (which is full duplex) for roughly the same cost (~$600 + the cost of antennas). There is also the HackRF Blue which is a lower cost version of the HackRF One (only $200 each + the cost of antennas). Of course passive sniffing can be done with much cheaper hardware such as the $20 RTL-SDR, but without the ability to transmit, almost all of the functionality of EZ-Wave is lost. We anticipate that someone may port our tool functionality to the RfCat USB dongle ($85), which would be awesome.

What you would like to make sure this article includes?

Ramsey and Hall: The takeaways from our ShmooCon presentation are: #1 - open source tools for investigating Z-Wave are now available and #2 - every protocol for wireless automation should use encryption to prevent physical damage or other mayhem.

Additionally, to device manufacturers, Ramsey and Hall said in their ShmooCon presentation, “Support encryption already! Make it the default; let me decide if I don't want my stuff secure.”

Ramsey and Hall’s EZ-Wave tool and presentation are available on GitHub.


Z-Wave Alliance Executive Director Mitchell Klein issued the following statement:

In the smart home industry, many vendors have chosen to implement security only on access devices and gateways and hubs and not on the other devices for the home. Z-Wave has always offered AES 128 encryption level of security in its protocol for all devices and believes that security is of the utmost importance to address in the IoT market.

Recognizing that with the incredible growth and potential of smart home and the increasing need for the highest levels of security for IoT residential devices, Z-Wave with the help of top industry security experts recently announced the Security 2 (S2) framework for every device in the ecosystem. The new framework includes the existing AES 128 encryption with industry-accepted secure key exchange using Elliptic Curve Diffie-Hellman (ECDH) and authenticated deployments that remove ”man-in-the-middle” attacks.

Security will no longer be optional for Z-Wave manufacturers to deploy; and, through an easy update, all gateways with 500 series chips and all devices that allow OTA (over the air) upgrades are able to add S2 to existing devices. Z-Wave devices also include signal jam detection and the tunneling of all Z-Wave over IP (Z/IP) traffic to eliminate any cloud vulnerability.

Z-Wave takes IoT security very seriously and we believe with the combination of existing and new security features, our devices will be the most secure in the smart home market as we move further into mainstream adoption.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)