IoT gear will need better security to win a Z-Wave badge
- 18 November, 2016 05:55
Tighter security will soon be mandatory for IoT devices that use the popular Z-Wave wireless protocol.
Starting next April, the Z-Wave Alliance will require all products to include its S2 (Security 2) framework before they can be certified as Z-Wave compliant. S2 is designed to prevent hackers from breaking into IoT devices that are on Z-Wave networks.
Home IoT has recently proved to be a dangerous vector for internet-based attacks, such as the one that corralled thousands of IP cameras and other devices into the so-called Mirai botnet that disrupted internet service last month.
Z-Wave is one of the main networking protocols for IoT, especially in consumer devices. Like Zigbee, Thread, and Bluetooth LE, it's used for short-range, low-power communications among devices that may be too small or power-constrained to use Wi-Fi. There are more than 1,500 certified interoperable Z-Wave products on the market worldwide, and more than 40 million units shipped, according to the Z-Wave Alliance.
The industry group introduced S2 last year in a bid to make Z-Wave products safer from takeover by hackers. The framework requires a QR code or PIN on each device for authenticating it to the network, and it uses an Elliptic Curve Diffie-Hellman secure key exchange. S2 also lets Z-Wave over IP networks tunnel traffic through a Transport Layer Security 1.1 tunnel.
The framework secures communication for both end devices, such as light switches and smoke alarms, and hubs and gateways that link Z-Wave networks to the internet.
IoT devices, especially consumer products, have raised Internet security concerns because some ship with big vulnerabilities, such as default passwords that are identical on every unit. Unlike the industrial connected machines of a previous era, IoT devices link up to the internet, so it's easier for attackers to get to them and take over. At that point, they can steal personal data, remotely control the device, get into other systems through the local network, or add the device to a botnet to carry out DDoS attacks.