Z-Wave smart-home gadgets announce new IoT security standards

Poorly secured IoT devices were largely to blame for last month's massive internet outage. Now, the makers of devices that broadcast using Z-Wave are shoring up their defenses.

By Ry Crist, Senior Editor / Reviews - Labs

Less than a month ago, hackers took control of an ocean of unsecured connected home devices, then essentially crashed the entire internet by using them to flood the web's largest internet management company with bogus traffic. Now, the makers of smart gadgets that communicate using Z-Wave are ratcheting up their security standards to help reassure consumers that their products don't come with glaring vulnerabilities.

"No one can afford to sit on their hands and wait," says Mitchell Klein, executive director of the Z-Wave Alliance. "Consumers deserve IoT devices in their home to have the strongest levels of security possible. IoT smart home technologies that don't act will be left behind."

The new standards are called the "Security 2" framework, or S2 for short. Aside from shoring up encryption standards for transmissions between sensors, cameras, and thermostats that broadcast using Z-Wave, S2 also mandates new pairing procedures for each device -- namely, unique PIN or QR codes on the devices themselves. That's similar to the approach Apple takes with HomeKit-compatible smart gadgets, each of which comes with a unique pairing code printed on the device.

That device-specific layer of authentication helps keep would-be hackers from taking control of your gadgets from afar, and also helps to separate Z-Wave gear from the kinds of devices that were used in last month's massive cyber-attack. According to reports, the majority of those devices were things like internet-connected printers, DVR boxes and cheap IP cameras that use default passwords out of the box to launch setup. Many users never think to change those passwords once their device is up and running, which is how hackers were able to take control of so many of them all at once.

Engineers from the Z-Wave Alliance also tell me that the S2 framework will largely be backward compatible for existing Z-Wave devices that support over-the-air firmware updates. Wherever possible, these updates will include client-side authentication that helps fill the same role as those device-specific pairing codes. For instance, if you have a Z-Wave keypad deadbolt that you want to update, it could display a randomized code on the lock for you to punch in first.

The new framework isn't expected to have any noticeable impact on device performance -- in fact, Z-Wave engineers tell me that the streamlined encryption process could actually speed up response times and improve battery life in addition to making things harder to hack.

The Z-Wave Alliance certifies the security of its devices at third-party test facilities in the US, Europe and Asia, and says that it will require all devices to be S2-compliant by April of 2017.