Researchers have found that more than 100 million Internet-of-Things (IoT) devices from thousands of vendors are vulnerable to a downgrade attack that could permit attackers to gain unauthorized access to your devices.

The issue lies in the use of the Z-Wave protocol, a wireless radio frequency (RF) technology that home automation devices use to communicate with each other.

The Z-Wave protocol was designed to provide an easy process to pair and remotely control appliances—such as lighting control, security systems, thermostats, windows, locks, swimming pools and garage door openers—over a distance of up to 100 meters (330 feet).
Silicon Labs, the company that owns Z-Wave, made it mandatory for certified IoT devices to use the latest S2 security standard, but millions of smart devices still use the older, insecure version called S0 for compatibility.

The S0 standard was found to contain a critical vulnerability in 2013, allowing attackers within range of the targeted devices to intercept the communication.

After analyzing Z-Wave, security researchers from UK-based Pen Test Partners discovered that devices which support both versions of key-sharing mechanisms could be forced to downgrade from S2 to S0.

The researchers used a Smart Door Lock, a flagship product of British company Yale that ships for $360, for their exploit. They were able to downgrade its security and eventually steal the keys, getting permanent access to the Yale lock, and therefore the building protected by it, all without the actual user's knowledge.


Source: Thursday, May 24, 2018, Swati Khandelwal