Using Security with z-wave devices

I’m wondering how secure z-wave devices are if they don’t use S2 or authentication.

According to the wiki

i’m supposed to be able to enter a security key for my z-stick and be able to change the inclusion method. I can’t see this on the stable ( or snapshot (M5).

But, maybe this is ok as this just encrypts the data and if its just temperature and such that isn’t a big deal?

The real thing I’m curious about is authentication. If I associate my device to my network through basic inclusion can someone else add it to their network without physical access to the button on the unit? I guess I’m confused as there is also S2 inclusion where you enter a PIN.

With all my devices I never get a green checkmark next to “Using Security” under the device attributes (always a question in stable and red in snapshot). Not clear if Using Security is encryption or authentication? I guess probably communication encryption?

I’m not expert on zwave, and am often wrong, but I don’t think this is possible even without security. Every device I’ve ever seen requires a physical action on the device to add it to a network. Without the physical action there is no way to cause the device to try to join a new network.

Theoretically someone with a zwave sniffer could read the messages being exchanges across the zwave mesh without security. I suppose theoretically someone should perform a playback attack, spoof attack, or perhaps a man-in-the-middle attack. I’ve seen proof of concept of some of these for zigbee but not for zwave.

OH 2.3 does not support ANY security. Support for that wasn’t added until OH 2.4 M4. If you created/discovered zwave Things running in OH 2.3, you will need to delete those Things and rediscover them after upgrading to any version of OH after 2.4 M4. See ZWave binding updates.

I do not believe S2 is supported yet though I think someone is working on it.

I believe using Security is just encryption. I don’t think there is any authentication outside of proving you have physical access to the device (i.e. performing the physical action on the device to include it into the network) at the time of inclusion.

great reply. In particular the explanation that security wasn’t added until 2.4 M5 was very useful!