Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Homes
Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, Heejo Lee

Korea University, Seoul 136-713, South Korea

Summary

This homepage presents VFuzz-Public, a fuzzing approach for finding vulnerabilities in smart home devices that use the Z-Wave chipset. We found security flaws in major Z-Wave chipsets used by millions of smart devices from major vendors. These vulnerabilities allow an attacker to inject malicious Z-Wave packets that can control, impersonate, or cause a denial-of-service (DoS) on vulnerable devices. For instance, a DoS on a recent Z-Wave main controller/gateway that supports S2 encryption can prevent the house owner from remotely receiving smart home device events and intrusion alerts, because all automations and device actuations are managed and launched by the controller. For illustration, in case of fire, the remote user cannot open his door lock or start security systems while his home controller is under a DoS. In the paper we also present additional remote control and injection attacks that affect all Z-Wave legacy devices that do not support S0 or S2 encryption. Attacks on these legacy devices enable an attacker to fully control them at any time; to list but a few, turning smart lighting devices on and off, turning the house water valve on/off (critical in case of fire), starting smart power energy devices (increasing energy bills), etc. More attack vectors are described in the paper.


Journal paper

This work is a collaboration between three universities: Korea University, Georgia Tech, and the City University of New York. VFuzz details, implementation, and experimental results are available for download Here.

C. K. Nkuba, S. Kim, S. Dietrich and H. Lee, "Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Homes," in IEEE Access, vol. 10, pp. 1775-1789, 2022, doi: 10.1109/ACCESS.2021.3138768.

Demo video

This video demonstrates the impact of the discovered vulnerabilities on real Z-Wave devices. The video is located at the top of the webpage, below the Abstract. Video link

Impact

Depending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay traffic, and control vulnerable devices.

How to stop the attacks?

Mitigations for these vulnerabilities vary based on the chipset and device. In some cases, it may be necessary to upgrade to newer hardware, for example, 500 and 700 series chipsets that support S2 authentication and encryption. For devices with 500 and 700 series chipsets, the above-mentioned vulnerabilities can be mitigated through vendor firmware updates. Millions of Z-Wave devices deployed from 2003 to 2019 with 100, 200, and 300 series chipsets are one-time-programmable (OTP) and cannot be updated to fix the vulnerabilities. For these devices, we are developing an intrusion detection system to mitigate such external attacks. We also advise house owners to deploy a diversified set of smart home devices using different technologies such as Z-Wave, ZigBee, Thread, etc., so that when one technology is attacked, the others can detect the intrusion, activate security systems, and notify the remote user via a mobile app.

Responsible disclosure

We conducted a responsible disclosure and have actively worked since April 28, 2019 with the United States CERT Coordination Center (CERT/CC) to coordinate with the respective chipset and device manufacturers to fix and mitigate the threats that we discovered. CERT/CC has granted us six Common Vulnerabilities and Exposures (CVE) identifiers and has officially released the vulnerability report Here.
The CVE references are as follows: CVE-2020-9057, CVE-2020-9058, CVE-2020-9059, CVE-2020-9060, CVE-2020-9061, CVE-2020-10137

Availability and Ethical Considerations

The VFuzz public version provides simple, reduced core Z-Wave fuzzing functionality to researchers. We removed the advanced features to avoid device misuse by bad actors who could attack them. For the same ethical considerations, we are not releasing the VFuzz PoC exploit code. We advise researchers to test ONLY their PERSONAL smart devices in a CONTROLLED ENVIRONMENT, because testing unknown third-party devices is ILLEGAL. VFuzz-Public is provided WITHOUT WARRANTY; hence be RESPONSIBLE while testing.
The VFuzz public source code and detailed CVE explanations will be available for download Here.