At Bishop Fox, we regularly run product security reviews of our clients’ hardware, many of which require the use of specialized equipment. During a recent security assessment of a device that communicated exclusively over the Z-Wave protocol, we worked with Z-Wave sniffing tools and we ran into a few challenges. During the process, we learned a fair amount about Z-Wave Zniffer and Z-Wave Programmer – insights that we wanted to share with readers who may be doing similar work.
Z-Wave is a wireless communications protocol that uses low-energy radio waves to communicate with compliant devices. It is primarily used for home automation devices like lighting controls and smart home security systems.
To assess these types of devices, we needed to capture the communications passing over the Z-Wave protocol to check both the transport-level encryption in use and the security of the Z-Wave network during the pairing and unpairing of devices. Certain downgrade attacks can be carried out during the pairing process, so to keep a close eye on Z-Wave security during that event, we needed to sniff the wireless traffic to simulate what a malicious third-party attacker would do. The specific tool for sniffing Z-Wave networks is called Zniffer, created by Silicon Labs. We’re grateful they created such a useful tool for this kind of work and would like to thank them for making it available to the community.
Zniffer is an official development tool for capturing Z-Wave RF that is free after registering with the site. Since we found the flashing process tricky to get right the first time, we decided to create a detailed walk-through to help other hardware security testers get their Zniffer setup running quickly.
Ideally, the Zniffer firmware can be flashed onto any Z-Wave compatible development stick, but we stuck to the following Z-Wave controller, which worked for our US-based testing:
(For devices with EU-compatible RF ranges, the comparable model is ACC-UZB3-E-STA.)
We also used an Aeotec Z-Stick Gen5 to build our own Z-Wave gateway. This step is optional, but it ensured that our sniffer was working as intended.
To get started, download and install the official embedded development tools from the Silicon Labs menu shown below:
Figure 1: You’ll need to download both development tools for the setup
These tools are for the Windows platform only, and ideally, you should attempt these steps on a native Windows machine, i.e., not a Windows VM. (Note: once the flashing process was done, we observed that a Windows VM worked just as well as native Windows for sniffing purposes.)
PC\ZW050x_USB_Programming_Driver directory. Right-click on zw05xxprg.inf and hit Install.
Figure 2: Successful capture of Z-Wave Protocol traffic
Once we got the Zniffer up and running, we followed our product security review methodology and tested the security of the pairing process and its resilience against protocol downgrade attacks.