New Research Uncovers 28 Denial of Service (DoS) Vulnerabilities in Z-Wave IoT Smart Home Devices
Summary

Groundbreaking research by Dr. Nkuba Carlos and Jimin Kang has unveiled a total of 28 vulnerabilities within Z-Wave IoT smart home devices. This discovery has prompted Silicon Labs to release two significant security advisories, A-00000502 and A-00000505, and assign two Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2023-6533 and CVE-2023-6640. Additional CVEs are currently under review and will be assigned in the near future.

The Impact on Smart Home Security

Z-Wave devices are a cornerstone in the ecosystem of smart home technologies, used extensively by consumers and manufacturers alike, including notable names such as Samsung, LG U+, KT, Yale, Schlage, Google, Amazon, ADT, Bosch, Philips, Silicon Labs, etc. The vulnerabilities identified could potentially allow attackers to disrupt smart home networks and the devices connected to them. This includes essential devices such as the main Z-Wave Controller Hub Gateway, Smart Door Lock, Smart Gas Controller, Smart Plug, and Siren, among others.

Demo Video

These videos demonstrate the impact of the discovered vulnerabilities on real Z-Wave devices: Video 1 and Video 2

Silicon Labs' Response

Silicon Labs, the manufacturer of Z-Wave chipsets, has promptly acknowledged these vulnerabilities. In response, they have issued two detailed security advisories, A-00000502 and A-00000505. They have also assigned two Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2023-6533 and CVE-2023-6640. These advisories, which can be accessed and downloaded after creating a free account and logging into the Silicon Labs platform, provide crucial information for addressing these security issues.

Collaboration Efforts and Future Measures

Working in close collaboration with Silicon Labs and the Z-Wave Alliance, Dr. Nkuba Carlos and Jimin Kang have contributed significantly to the development of effective countermeasures. These measures will be incorporated into the 2024 Z-Wave specification release. Key recommendations include:

(1) Firmware and SDK Updates: Users are urged to promptly update their Z-Wave device firmware and software development kits (SDK) to the latest versions to mitigate potential threats.

(2) Implementing strong packet validation protocols to prevent attacks that exploit malformed packets.

(3) Enhanced Security Protocols: Strengthening security protocols to better identify and mitigate the risks associated with malformed packet attacks.

Taking Action

The discovery of these vulnerabilities underscores the importance of ongoing vigilance and proactive measures in securing smart home devices. Users are encouraged to stay informed about the latest updates and advisories from Silicon Labs and the Z-Wave Alliance, ensuring their devices are protected against emerging threats. For more detailed information, you can download the security advisories from Silicon Labs’ website after creating a free account and logging in. Stay ahead of potential threats by keeping your smart home devices updated and secure, drawing on the latest advancements and recommendations from leading researchers at CSSA and CCS Lab and from industry experts.

Availability and Ethical Considerations

The research paper will be made available after conference publication. The research source code and detailed explanations of the additional CVEs will be available for download.