OH2 Z-Wave S2 Security and Z-Wave network information

security
openhab2
zwave

(Mathias Knop) #1

Hi all,

I am an engineering student in electronics/ICT working on my master thesis regarding a Wireless Sensor and Actuator Network (WSAN). I chose to work with OpenHAB (OpenHABian v1.4.1) installed on a Raspberry Pi 3. Actually I am running 3 instances of OpenHAB and by connecting them in the cloud via VPN connections I am able to create a simulated web platform of a hotel environment. My goal was to scale up Z-Wave from home automation to building automation.

Next Monday (the 11th of June) I have to hand in my thesis and I still have two unresolved topics. I am posting them here and hoping that there would be a few people who could help me out.

  1. Z-Wave now (April 2017) provides S2 security, meaning that there are three network classes, namely Access Control class, Authenticated class and Unauthenticated class. Sigma Designs mentions that device authentication is possible by adding an additional verification step in the including process. In this process the installer should actually verify that it is the correct node by scanning the device’s QR code or submitting the first 16 bytes of the ECDH public key. Is this already implemented in the Z-Wave binding and if so, how?

  2. In order to evaluate the scalability of Z-Wave, my professors would like to see some Packet Delivery Ratio, RSSI and delay numbers. Is it possible to gather such information in OpenHAB? Academic people always love graphs and numbers so it would be a very nice addition to my conclusion.

I do not have much time left so therefore I hope you do not mind me tagging you @chris and @rlkoshak.

All help is highly appreciated and I could also publish my master thesis if people are interested in my work.

Thanks in advance,
Mathias
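
The verification step asked about in question 1, as an added example that is not part of the original post and not code from the Z-Wave binding: it compares the first 16 bytes of the public key received during inclusion with the value the installer read from the device. The label notation (8 groups of 5 decimal digits, each a 16-bit value), the function names and the sample key are assumptions of this sketch.

```python
import hmac

DSK_LEN = 16  # "first 16 bytes of the ECDH public key", as in the post above

# Constructed 32-byte public key for the demo; not from any real device.
SAMPLE_KEY = bytes(range(1, 33))


def format_dsk(public_key: bytes) -> str:
    """Render the first 16 key bytes as 8 groups of 5 decimal digits (assumed label notation)."""
    if len(public_key) < DSK_LEN:
        raise ValueError("public key shorter than 16 bytes")
    words = [int.from_bytes(public_key[i:i + 2], "big") for i in range(0, DSK_LEN, 2)]
    return "-".join(f"{w:05d}" for w in words)


def parse_dsk(text: str) -> bytes:
    """Turn installer input (dashes and spaces optional) back into 16 bytes."""
    digits = text.replace("-", "").replace(" ", "")
    if len(digits) != 40 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("DSK must be exactly 40 decimal digits")
    out = bytearray()
    for i in range(0, 40, 5):
        word = int(digits[i:i + 5])
        if word > 0xFFFF:  # each group encodes one 16-bit value
            raise ValueError("DSK group out of range")
        out += word.to_bytes(2, "big")
    return bytes(out)


def verify_node(received_key: bytes, installer_input: str) -> bool:
    """Accept the joining node only if its key prefix matches what the installer read."""
    try:
        expected = parse_dsk(installer_input)
    except ValueError:
        return False  # malformed input never authenticates a node
    if len(received_key) < DSK_LEN:
        return False
    # Constant-time comparison of the two 16-byte values.
    return hmac.compare_digest(received_key[:DSK_LEN], expected)


if __name__ == "__main__":
    label = format_dsk(SAMPLE_KEY)
    print(label, verify_node(SAMPLE_KEY, label))
    other = bytes([0xAA]) + SAMPLE_KEY[1:]  # a different device answering instead
    print(verify_node(other, label))
```
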


(Rich Koshak) #2

Unfortunately, I have pretty much no expertise in zwave. As Chris will tell you, more than half the time when I try to help I end up giving incorrect information.

But, based on this posting from Chris, I think the answer to 1. is that this is not implemented by the binding yet.

There are some statistics on the zwave controller Thing that might give you some of this info and anything in a Channel can be linked to an Item and charted.

I did a quick search through the zwave debug logs and I don’t see anything that immediately jumps out at me as being related to RSSI and the like. And in a mesh network, is RSSI all that meaningful? And what RSSI would be reported? For example, I may have a device with a truly terrible RSSI to the controller but the messages are routed through nodes so the messages always get through. What is more important is the list of neighbors and some idea of how the mesh is configured so you can find bottlenecks and orphan nodes and the like.

Sorry I can’t be of more help.

These sorts of things are always most welcome.


(Mathias Knop) #3

Thanks Rich, I really appreciate the fact that you are always willing to help other people!

I guess knowing that S2 is not implemented yet is better than guessing which security system is used. Maybe I could even contribute in adding this feature to the binding in the future.

I did see the channels for SOF, ACK, EOF, etc. but I guess this doesn’t really help me. I should really be able to observe network traffic.

A visualisation of the network topology would of course be useful but the Network Viewer in HABmin is only showing associations I was told.

Also it would be valuable to know how much time and network traffic the Z-Wave network healing takes. Maybe this is something that can be seen from Z-Wave debug logs?

For some reason the Z-Wave log viewer of CD-Jackson remains empty when adding the file. Any idea why? I can remember that I tested this feature out in the past and that it was working at that time.

Also, I came across some Z-Wave devices that were not yet listed in the Z-Wave database. I registered an account today. Could you grant me rights and guide me to the process of adding these devices @chris?


(Chris Jackson) #4

No - the ZWave binding does not support S2. It is currently not supported by most devices (only very new devices support it).

No - not at this time.

I’m sure the community would be interested in seeing this. The community here tends to be quite technical, so I think it will be well received.


(Mathias Knop) #5

From April 2, 2017, this is considered as a mandatory security implementation for all Z-Wave certified devices. I guess that there are more than a few devices supporting this new security implementation, no? Quoting the following article:

As of today, April 2, 2017, Z-Wave’s technical certification program, which is administered through 3rd party test facilities in Europe, US and Asia, will check that all S2 security solutions, which contain rules for command classes, timers and device types are correctly implemented in every new certified device. S2 devices will also be backwards compatible with existing devices on the market.

Do not consider it as a blame that this is not implemented yet! On the contrary, I understand that this is an open-source project and that developers spend their time on what they think is important. I am just trying to point out the importance of S2 security for Z-Wave. Device authentication, key exchange, key integrity, etc. are all updated features in S2. Also, when using S0 it is very power consuming to use secure commands. This issue is handled with the use of S2 so that security and low power consumption can go hand-in-hand.
Quoting the following article:

On the other hand, a temperature sensor may be sensitive to the time spent sending or receiving. Consider a sensor based on the Sigma Designs Z-Wave 500 series chip that reports the temperature every five minutes and queries a mailbox for pending commands every 30 minutes.
Without security, such a sensor draws an average current of 2.2μA.
The S0 challenge-response overhead leads to an average current of 5.9μA.
A similar S2 sensor uses only 30% more energy than the non-secure sensor (2.9μA).

I am graduating this month and after that I have plans to go further with building automation systems and specifically automation in a hotel environment. I really like OpenHAB so I am willing to contribute in the future if I can be of any help!

I was hoping for a work around since you’ve made a Z-Wave log viewer.


This is an example of one of the views from a node in the network in your log viewer.

  • Isn’t the ‘Messages Timed Out’ the amount of msg’s that were not able to receive an ACK after three attempts?
  • What is the meaning of these ‘Response Times’ split up into three values?

In this case I will certainly publish my thesis when it’s finished!


(Chris Jackson) #6

No - I don’t believe that this is quite correct. It is mandatory only for newly certified devices - there are thousands of devices out there that will never be certified for S2.

The point is that while there are now a number of devices out there that will support S2, there are hundreds (thousands!) that don’t. We have around 850 devices in the openHAB database - 90% were added before S2 was required.

Ok, I was responding to the request for RSSI measurements which is not available. Time for response, timeouts etc is all available in the log.

You already have these devices? If not, I wouldn’t suggest to add them unless you are really sure about the information you are adding. Don’t trust the ZWave Alliance database - this is often wrong (I get told this by the manufacturers as well!).

By far the best approach is to create new devices in the database by using the XML file that OH creates (as in the database doc). This ensures that all the basic information is correct as it gets read directly from the device and we avoid later discussions when we find that information is wrong.

It is not just about this - it is more about the number of devices that support S2. As above, there are some available now (I have a few) but at the moment the number is still very low. I do have a customer asking for this, so in the future we will likely look at this.

Done.


(Rich Koshak) #7

There is a LogViewer binding that you could use to parse through the log, populate an Item and use persistence to store the results and chart as desired. I like the flexibility of Grafana personally.


(Chris Jackson) #8

I don’t think the information is directly available in the log is it? Certainly RSSI information isn’t, and I don’t think response times are directly available if I remember correctly. You’d need to parse the log, correlate the ZWave transactions by processing the data, and calculate the response times from the correlated transaction data.

If I remember correctly, this is done in my log viewer as displayed above, and it’s not available directly in the log. Maybe the LogViewer binding can do this (I’ve never looked at it), but it’s quite a bit of processing to correlate the transactions and calculate the times…

Personally, I think if you want to do this sort of thing, it’s best done offline using a script to process the logs and output the various stats to a file…
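
An offline script of the kind suggested above, as an added example that is not part of the original post and not the log viewer's code: it correlates each transmitted transaction with its response and reports per-node delivery ratio, timeouts and min/average/max response time. The log format is a simplified, constructed one, not the binding's real debug output, and the field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified, hypothetical format (time, direction,
# node, transaction id). It is NOT the binding's real debug log layout.
SAMPLE_LOG = """\
2018-06-05 10:00:00.000 TX node=5 id=1
2018-06-05 10:00:00.120 RX node=5 id=1
2018-06-05 10:00:01.000 TX node=5 id=2
2018-06-05 10:00:01.480 RX node=5 id=2
2018-06-05 10:00:02.000 TX node=7 id=3
2018-06-05 10:00:03.000 TX node=5 id=4
2018-06-05 10:00:03.300 RX node=5 id=4
2018-06-05 10:00:09.500 RX node=7 id=3
"""
LINE = re.compile(r"^(\S+ \S+) (TX|RX) node=(\d+) id=(\d+)$")

def node_stats(log_text, timeout_s=5.0):
    """Correlate TX/RX pairs per node; 5 s is the maximum timeout named in this thread."""
    pending, sent, delays = {}, defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not transaction records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        node, key = int(m.group(3)), (m.group(3), m.group(4))
        if m.group(2) == "TX":
            pending[key] = ts
            sent[node] += 1
        elif key in pending:
            ms = (ts - pending.pop(key)) / timedelta(milliseconds=1)
            if ms <= timeout_s * 1000:  # late replies count as timed out
                delays[node].append(ms)
    stats = {}
    for node, count in sent.items():
        ok = delays[node]
        stats[node] = {
            "sent": count,
            "timed_out": count - len(ok),
            "delivery_ratio": len(ok) / count,
            "min_ms": min(ok) if ok else None,
            "avg_ms": sum(ok) / len(ok) if ok else None,
            "max_ms": max(ok) if ok else None,
        }
    return stats

if __name__ == "__main__":
    print(node_stats(SAMPLE_LOG))
```
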


(Rich Koshak) #9

I was interpreting this to mean the data was in a log statement. If one has to correlate separate statements then the log binding probably isn’t going to do much.


(Chris Jackson) #10

You’re right - I just checked, and some of this information is directly available in the log… It’s been a while since I looked at this as I normally get it out of the log viewer.


(Mathias Knop) #11

Could you tell me the meaning of this Response Times split up into three values?


(Mathias Knop) #12

Also, network healing was configured in the settings to take place at 2AM but I cannot see anything related in the logs. It would be interesting to see the network traffic from the healing command and have an indication on how much time this takes. Am I overseeing something in the logs? Can I trigger the heal manually?


(Chris Jackson) #13

I think they are simply the min/average/max values.


(Chris Jackson) #14

What version of the binding are you using? The healing only works in the dev binding.

You should note though that you won’t see the network traffic - only the commands between the controller and the binding which is not the same thing in this instance.


(Mathias Knop) #15

Version 2.2.0

If the healing is not done at 2AM, then how and when is the network reorganised?
Sorry for all my questions, help is much appreciated!


(Chris Jackson) #16

Healing doesn’t really reorganise the network. Routing is done by the controller only - not the binding. The controller uses a number of mechanisms to derive routes (eg explorer frames). All that healing does is to set return routes and update the neighbour table. This is also done (from memory) during startup on the 2.2 binding.


(Mathias Knop) #17

So without reboot the neighbour table is not updated?

One more important question: after how much time is a message considered ‘Timed Out’ in the log viewer?


(Chris Jackson) #18

It’s only updated when the binding starts in the current 2.3 binding. This doesn’t require a reboot - just the binding restart.

It’s a maximum of 5 seconds, but it can be less since it is partly controlled by the controller, and partly by the binding.