Secure Z-Wave Smart Devices

Sniff, replay, and inject Z-Wave (868/915 MHz) smart home device commands to unlock doors, control lights, disable alarms

Physical security assessment of Z-Wave smart home deployments on unencrypted networks (S0) or with recovered S2 keys.

• · Z-Wave USB sniffer / GnuRadio SDR (software-defined radio) tuned to 868 MHz (EU) or 915 MHz (US)
• · Target Z-Wave device type (lock, light, thermostat, sensor) and node ID

• · Captured Z-Wave packet traces (protocol frames)
• · Decrypted command payloads (if S2 / AES key recovered)
• · Injected replayed or forged commands (e.g. unlock door, disarm alarm, kill light)

• · Z-Wave sniffer hardware (cost: $50-200, e.g. Zoroaster, ZWSniffer)
• · GnuRadio + OsmocomSDR (open-source SDR framework)
• · Wireshark with Z-Wave dissector (pcap analysis)
• · Z-Wave toolkit (Z/IPUnknown stack tools for S2 security analysis)

• · Target Z-Wave network in unencrypted mode (S0 or no security) OR S2 security key recovered (side-channel attack)
• · Hardware sniffer tuned to correct regional frequency (868 MHz EU vs 915 MHz US/Canada)
• · Target device within RF range (~100m line-of-sight typical)

• · S2 security layer (modern Z-Wave) uses AES encryption — replay attack blocked, keys not recoverable from wire
• · Packet loss on congested network (many devices, poor RF) loses critical frames
• · Device command validation (e.g. lock only accepts certain source nodes) — replayed frame ignored
• · Range limitation (Z-Wave RF ~100m) may not reach interior rooms from external position
• · Smart home hub may log intrusion attempts and alert user

• · Covers Z-Wave protocol stack (868 MHz EU, 915 MHz US/Canada frequency variants)
• · S0 (no security) vs. S2 (AES encryption) differences explained
• · Replay and injection attack vectors on smart locks, lights, thermostats, sensors