Thread: Can Hackers Unlock My Z-Wave Door Lock?

  1. #1

    Can Hackers Unlock My Z-Wave Door Lock?

    A recent paper presented at Black Hat USA that demonstrated a Z-Wave door lock being hacked and unlocked remotely has been causing a lot of turmoil in the security and home automation world. Does this mean Z-Wave door locks are no longer secure? Absolutely not! Let’s ignore the sensationalized panic being spread by certain security “experts” for a minute and take a look at what this paper actually uncovered.

    If you haven’t read the paper you can read it here. Of course, a security vulnerability is a bad thing, never a good thing. So why then is this discovery not as big a deal as some are making it out to be?

    1. The researchers discovered that a single, unnamed Z-Wave door lock manufacturer has a bug in their implementation of the Z-Wave secure node association protocol that could allow a hacker within Z-Wave range of the network to reset the lock’s user codes and unlock the door from outside. They did not find a vulnerability in the Z-Wave AES security protocol, just a bug in one manufacturer’s code. A simple firmware or chip update from that manufacturer would fix it.
    2. The paper states that the manufacturer has already taken steps to fix the issue and that additional test cases have already been added to the Z-Wave certification test suite to prevent this from happening in the future. That seems like a pretty good response to me.
    3. The paper states that “The home residents or building manager will not be alerted about the intrusion.” but fails to take into consideration that these devices are usually used in conjunction with security alarms. Even if you happen to have one of these vulnerable locks produced by this one manufacturer, and a sophisticated hacker decided to come to your house and put forth the time and effort to hack it and unlock your door, your security alarm would still detect the intrusion. If your alarm was armed then it would go off and dispatch the police. Even if it wasn’t armed, the door opening would chime and alert you that someone had opened the door.
    4. The sensationalists making this out to be a bigger deal than it is fail to compare the difficulty and likelihood of a Z-Wave door lock being hacked to the difficulty and likelihood of the lock being picked, drilled out or the frame being kicked in, or a physical key being stolen or copied. Residential door locks were never meant to secure Fort Knox. They were meant to secure a typical home with typical security requirements. There are far easier ways to break in than hacking Z-Wave. Let’s not hold the manufacturers to impossible expectations and throw the baby out with the bath water over a single company’s mistake. They’re developing products that improve the way we live.

    Is it true that adding wireless, electronic access to door locks increases the risk of vulnerabilities? Of course! However, the additional risk we assume by using this technology buys us a security increase in other ways.

    1. Electronic locks remove or reduce keys from the equation. The inappropriate use of physical keys has long been a huge security risk. People lose keys, copy keys, share keys with family, friends, neighbors, etc… The only way to revoke access after you have trusted someone with a physical key is to re-key the lock! With the electronic lock you can just remove a user code.
    2. These locks and their associated control systems can improve your ability to make sure you keep your doors locked by automatically locking themselves, reminding you to lock them and by allowing you to lock them remotely in case you forget to lock them when you leave.

    Z-Wave smart-home locks also provide added convenience as is usually the point of smart home automation.

    Don’t just jump on the bandwagon and panic like so many others are doing. Think it through and weigh the pros and cons. Connecting to the Internet added risk to our security and 20 years ago some were hesitant to do it but eventually we all did, and the benefits have far outweighed the risks. When we find vulnerabilities in Internet devices we fix them and move on. We don’t throw away all the good it brings because we’re afraid of a vulnerability here and there. Likewise, the benefits of home control systems and smart locks far outweigh the risk that this one problem poses. Let the manufacturer fix it and move on.

    The researchers who did this work and made this discovery have been very honest, responsible and professional. I have the utmost respect for this type of work, having done my graduate work and thesis at Ohio State University on wireless ad-hoc and mesh networks similar to Z-Wave. I find their work fascinating, impressive and noteworthy. It’s the bloggers and writers who make a living trying to turn every little story into the scoop of the year that are blowing this out of proportion and instilling fear in the minds of gadget loving home owners like myself that I find annoying and disingenuous.

    Stop by my place some time and I’ll buzz you in with a Yale Z-Wave lock via Alarm.com.

    Update: suretyCAM recommends and sells Yale Real Living Z-Wave locks. While we don’t know which manufacturer’s lock has the vulnerability, we know it’s not Yale. Yale has issued the following statement about this story:

    """
    Yale Locks & Hardware was recently notified of a potential security breach in Z-Wave firmware
    used by some lock manufacturers that could interfere with the security of locks using that firmware.

    A recent communication from Sigma Designs* to our company stated the following: “Recently, in an effort to demonstrate their value for security applications, an audit was performed by Sensepost, ostensibly to see if they could break through the security system. Using techniques that are far more sophisticated than consumers or common thieves would possess, they were able to modify a door-lock key that would enable them to control the lock’s operation.” Sigma Designs did not name the specific lock manufacturer in the letter. Sigma Designs owns the intellectual property and is one of two chip makers for the Z-Wave home control technology.

    To ensure the safety of our customers and maintain the integrity of our Yale Real Living locks, Yale immediately pursued a course of lock firmware review and testing to explore any possibility of a security breach in our locks.

    Yale Locks & Hardware is pleased to inform our customers that our Yale Real Living family of locks are NOT subject to this potential security breach. The Yale Real Living lock firmware review and testing was completed by our internal engineers as well as by an independent third-party using the test protocol provided by Sigma Designs.
    """

    Written by Ryan Boder and originally posted at: http://suretycam.com/can-hackers-unl...ave-door-lock/

  2. #2
    One guess on who the lock that was hacked belongs to...

    Who is notorious for having the worst locks/deadbolts regardless of zwave capability or not, that are easy to bump, pick, force, and that Home Depot sells special versions of with internal plastic parts?

    Ding! Ding! Ding! If you guessed Kwikset

    Regardless of whether you use a regular deadbolt or zwave lock, do yourself a favor and steer clear of Kwikset brands (Weiser, Baldwin, etc)

    The Kwikset/Weiser smartkey deadbolts can be forced open almost as fast as you can open one with a key....and with no visible signs of forced entry (the zwave versions can be set to disarm alarm system when lock opened also. Try explaining that to the Police/Insurance when your home gets cleaned out and there is no sign of forced entry, or alarm activation...)

    In residential security there are three grades of deadbolts/locks, regardless of whether the deadbolts/locks are zwave capable or not:
    ANSI 1
    ANSI 2
    ANSI 3

    ANSI Grade 1 locks are the best

    How to force open a "bump proof" ANSI 1 Kwikset deadbolt in 10 sec:

  3. #3
    Question: Is it really easy to switch from Kwikset to Yale if you are a Vivint customer? (and yes, I know, I'll switch when my contract is up).

  4. #4
    Quote: Originally Posted by agogley
    Question: Is it really easy to switch from Kwikset to Yale if you are a Vivint customer? (and yes, I know, I'll switch when my contract is up).
    It's a little more difficult...the installation is the same, you will have to call tech support for assistance with pairing...just the same if you obtained your own device from their store/elsewhere and called for zwave pairing, or sensor/device programming assistance.

    Call their tech support (not CS), and ask...

    Another thing...to allow you to add devices, they may need to reset the lockout...if they do you can disable it and get full control of panel.

    ...word of caution!!
    They will remote it afterwards, usually within 24 hours, and reset Q44 lockout. You only have 48 hours afterwards to disable Q44 lockout (set Q44 to 0)

    Once you disable the lockout, a rule of thumb is to check Q44 every other day to see if it has been remotely reset...and then disable it again. (I caught Vivint 3 times trying to re-enable the lockout on me).

  5. #5
    I haven't changed out the kwikset yet despite the obvious way to get it. I'd like to...just have to get around to it. I don't allow my door to disarm my panel, but that wouldn't help if I'm home.

  6. #6
    I sent an inquiry to Kwikset and got the following response:

    Kwikset has been a leader in the door hardware industry for more than 60 years, earning a strong reputation of quality products. Kwikset is a leader in innovation and design; manufacturing products to meet the needs of our customers.
    All cylinders have “by-pass” techniques (i.e. lock picking, lock bumping, drilling, etc.) – SmartKey is the most secure residential product on the market. The “force” tool is only sold to licensed locksmiths and is manufactured with high strength heat treated tool grade steel; not typical materials that can be produced at home and even with this material the tool is prone to breaking during use.

    Kwikset has made improvements to components within the cylinder making it more resistant to this type of attack. We believe that the lock on the video had previously been compromised in some way. Our lengthy testing and experience with trying this tool on our SmartKey locks does not yield the same ease of opening as the video would have you believe. We do not believe it is a proper representation of our products.

    Thank you for your email and question regarding SmartKey. I hope that these points give you confidence that you purchased a product manufactured with innovation, high quality and security.


    Posting FYI.

  7. #7
    What did you expect them to say?

    In general, Kwikset are the worst locks you can buy. Ask any locksmith what they think of Kwikset...stick with Medeco, Yale, or Schlage.

    These articles/video were from last year (Aug, 2013)...9 months ago
    Researchers reveal that millions of ‘secure’ Kwikset smartkey locks can be opened with simple tools

    Source: http://endthelie.com/2013/08/03/rese...mhHUpfpPMy1.99
    Kwikset smartkey locks are certified Grade 1 security for residential use by the Builders Hardware Manufacturers Association and are advertised by Kwikset as being invulnerable to being hacked with wires, screwdrivers, or anything else inserted in the keyway.

    But that’s not the case, as two noted lock hackers, Marc Weber Tobias and Toby Bluzmanis, demonstrated for WIRED and plan to show attendees today at the Def Con hacker conference.

    Researchers demonstrated the ability to bypass the locks with “a screwdriver and a paper clip” and will present the technique at the DefCon hacker conference today.

    DefCon is the same conference in Las Vegas where security researcher Barnaby Jack was going to demonstrate how a pacemaker could be hacked in order to kill someone. Jack was found dead in late July.

    DefCon is also used by the National Security Agency as a way to recruit hackers, with Gen. Keith Alexander making appearances.

    The researchers, noted lock hackers Marc Weber Tobias and Toby Bluzmanis, demonstrated the troubling technique for Wired, which captured it on video.

  8. #8
    Quote: Originally Posted by rive
    What did you expect them to say?
    Honestly, I didn't expect them to respond at all. I wasn't offering their response for the truth just as an FYI.

    Just a note. I'm not one for taking the word of unlisted "researchers" so I did some additional study. CNET did a review of the newer Kwikset with Bluetooth. I got the impression from their articles that at first, they were pessimistic the lock could be broken. But they installed the locks in their labs and were able to break them. Granted the only person who could do it without any visible damage was a professional. But they were a little surprised because Kwikset told them they couldn't duplicate the result in their labs, which they thought was laughable (since they could do it so easily).

    http://www.cnet.com/search/?query=kwikset

  9. #9
    Quote: Originally Posted by rive
    It's a little more difficult...the installation is the same, you will have to call tech support for assistance with pairing...just the same if you obtained your own device from their store/elsewhere and called for zwave pairing, or sensor/device programming assistance.

    Call their tech support (not CS), and ask...

    Another thing...to allow you to add devices, they may need to reset the lockout...if they do you can disable it and get full control of panel.

    ...word of caution!!
    They will remote it afterwards, usually within 24 hours, and reset Q44 lockout. You only have 48 hours afterwards to disable Q44 lockout (set Q44 to 0)

    Once you disable the lockout, a rule of thumb is to check Q44 every other day to see if it has been remotely reset...and then disable it again. (I caught Vivint 3 times trying to re-enable the lockout on me).
    I'm going to check it out. I can pair some devices without their assistance (for example lights). In this case I would need to delete a lock and add a new one, then redo all the rules on alarm.com.

    Does the Yale lock turn the bolt when you input the code? Or is it like the Schlage where you have to manually turn the bolt?

  10. #10
    The Schlage have motorized deadbolts now that work with the panel, but you need 1.10.1 firmware which includes the support/zwave lock fixes for Schlage. The Camelot Touchscreen deadbolts also work.

    Quote: Originally Posted by Jay@ Suretycam
    According to the 2GIG tech support agent I just spoke with, the Schlage motorized deadbolts are supported by 2GIG panels using the 1.10 firmware. He said they’ve tested them in the office and that they work.
    See: http://suretydiy.com/forums/topic/sc...ck-from-lowes/

    As for Yale I dunno.
