Examining the S2 Security Protocol for Z-Wave


If you have been keeping up with Z-Wave home automation lately, then you have likely at least heard about the S2 Security Protocol. The security suite offers an advanced level of protection to keep smart home devices safe. Today, we're checking out the S2 Protocol to learn more about it.


Before we get into the specifics of Security 2 (S2), it is important to understand which Z-Wave setups will support it. S2 is negotiated when a device is included (paired), so the Z-Wave controller and the device itself must both support the S2 Protocol. If either end is not S2-capable, the protocol will not be used. If you pair a non-S2 device with a controller that supports S2, the device will simply be included using the older S0 Protocol instead (or with no security at all if it does not support S0 either). Likewise, if your hub does not support S2, then none of the devices on the network will use S2, including those that are technically capable of it. The reverse is not a problem: an S2-compatible controller can run a mixture of S2 and S0 devices on the same Z-Wave network, with each device protected at whatever level it negotiated during inclusion. Because of this fallback behavior, it is worth checking in the controller, after inclusion, which security level a device actually joined with rather than assuming the best case.

The S2 Security Protocol is optional for 500-Series Z-Wave Plus devices and hubs. In other words, some 500-Series Z-Wave Plus smart home devices and controllers will support S2, while others will not. You need to check the specifications for the exact device and hub that you are working with to see if it is supported. In some cases, it may be possible to perform an over-the-air (OTA) update for a 500-Series accessory or controller so that it can support the S2 protocol, even if it did not previously. An example of this is when you upgrade the Z-Wave firmware on the Qolsys IQ Panel 2 Plus to Version 6.81.03. That is the first Z-Wave firmware version for the system that supports S2. Older versions do not. The panel firmware should be on version 2.5.3 or higher when using S2.

But for 700-Series Z-Wave Plus V2 equipment, support for S2 is required. In order for a device or hub to be certified as 700-Series by the Z-Wave Alliance, it must support the S2 Protocol. Therefore, if you see equipment listed as 700-Series, then you will know for certain that the technology is supported. As of October 2020, we have not seen many Z-Wave Plus V2 controllers or devices available. One 700-Series device that is available now is the 2GIG STZ-1 Thermostat. We hope that more 700-Series equipment will be hitting the market soon.

Looking at what S2 actually entails, it isn't one single feature that makes the protocol what it is. Several components come together to form one protocol. But perhaps the most crucial aspect of S2 is that it is built into the Z-Wave framework and certification program, so a developer does not have to design a security layer of their own and cannot quietly leave it out. Before S2, Z-Wave did have a built-in security option, the S0 Protocol, but it was optional and had a well-known weakness: the network key is sent to a joining device during inclusion encrypted under a fixed, all-zero temporary key, so anyone capturing the inclusion can recover the network key. Many developers also elected not to implement any security at all and simply left automation devices exposed. When a device is certified as S2, you can be confident that it meets that standard rather than a vendor's home-grown scheme.

Just like many other secure protocols, S2 starts with an asymmetric key exchange, but the public and private keys are not used to encrypt commands directly. Instead, during inclusion the controller and the joining device each generate a Curve25519 key pair and perform an Elliptic Curve Diffie-Hellman (ECDH) exchange: each side combines its own private key with the other side's public key to arrive at the same shared secret, a temporary key is derived from that secret, and the actual network keys are delivered under it. An eavesdropper who sees only the two public keys cannot compute the shared secret, and private keys never leave the device. What ECDH alone does not stop is a man-in-the-middle who substitutes his own public key, and S2 addresses that with the Device Specific Key (DSK): the first 16 bytes of the device's public key, printed on the product label and QR code as eight five-digit numbers. For the authenticated security classes, the device sends its public key over the air with the first two bytes blanked out, and the user must enter the first five digits of the DSK (or scan the QR code) on the controller to complete it, so a public key that did not come from the physical device in your hand will not verify. Additionally, devices on the same network are separated into security classes, each with its own network key: S2 Access Control for door locks and garage door openers, S2 Authenticated for most other devices, and S2 Unauthenticated for devices included without the DSK check (legacy S0 devices keep their own S0 key). Devices that require greater security, such as door locks, are granted the Access Control class and therefore always require authentication during inclusion. Frames on the air are encrypted and authenticated with AES-128 in CCM mode, which is why the S2 Protocol is rated at a 128-bit AES security level. Meanwhile, Z-Wave Over IP (Z/IP) traffic between a Z/IP gateway and its clients is carried inside a TLS 1.1 tunnel. Keep in mind that TLS 1.1 has since been formally deprecated (RFC 8996, March 2021) in favor of TLS 1.2 and 1.3, and that the tunnel only protects traffic in transit; it does not by itself remove vulnerabilities in a cloud service.
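To make the DSK step concrete, here is an added example that models the S2 inclusion key exchange. It is not code from Alarm Grid, Silicon Labs, or the Z-Wave Alliance. It assumes an X25519 implementation written straight from RFC 7748 (for clarity, not constant-time), uses HMAC-SHA256 as a stand-in for S2's AES-CMAC-based key derivation, does not reproduce S2 message framing, and uses constructed, fixed private keys so the run is repeatable. The `simulate` function runs the exchange honestly and with an attacker swapping in his own public key, for both the authenticated (PIN-completed) and unauthenticated cases.

```python
# Added illustration of the S2 inclusion key exchange; not vendor or Z-Wave Alliance code.
# Assumptions: RFC 7748 X25519 ladder (NOT constant-time), HMAC-SHA256 instead of
# S2's AES-CMAC KDF, no S2 message framing, constructed fixed keys for repeatability.
import hashlib
import hmac
import os
from typing import Optional, Tuple

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (A - 2) / 4 for Montgomery coefficient A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; branches on secret bits, so illustration only."""
    k = _clamp(scalar)
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def dsk(pub: bytes) -> str:
    """DSK as printed on the label: first 16 bytes of the public key as eight
    five-digit decimal groups (big-endian 16-bit values); the first group is the PIN."""
    return "-".join(f"{int.from_bytes(pub[i:i + 2], 'big'):05d}" for i in range(0, 16, 2))


def obscure(pub: bytes) -> bytes:
    """Authenticated classes: the joining node sends its key with the two PIN bytes zeroed."""
    return b"\x00\x00" + pub[2:]


def restore(obscured: bytes, pin: str) -> bytes:
    """Controller re-inserts the PIN bytes the user typed or scanned from the QR code."""
    return int(pin).to_bytes(2, "big") + obscured[2:]


def temp_key(shared: bytes, node_pub: bytes, ctrl_pub: bytes) -> bytes:
    """Stand-in KDF binding the shared secret to both public keys (S2 uses AES-CMAC here)."""
    return hmac.new(shared, node_pub + ctrl_pub, hashlib.sha256).digest()[:16]


def simulate(authenticated: bool, mitm: bool) -> bool:
    """True if the controller and whoever holds the private key behind the public key
    it received derive the same temporary key, i.e. the exchange 'succeeds'."""
    node_priv, node_pub = keypair(hashlib.sha256(b"node").digest())          # constructed
    ctrl_priv, ctrl_pub = keypair(hashlib.sha256(b"controller").digest())    # constructed
    evil_priv, evil_pub = keypair(hashlib.sha256(b"attacker").digest())      # constructed
    pin = dsk(node_pub).split("-")[0]       # the user reads this off the real device's label

    # What travels over the air, and who actually holds its private key.
    sender_priv, sender_pub = (evil_priv, evil_pub) if mitm else (node_priv, node_pub)
    on_air = obscure(sender_pub) if authenticated else sender_pub

    # Controller side: for authenticated classes the user's PIN completes the key.
    node_pub_seen = restore(on_air, pin) if authenticated else on_air
    k_ctrl = temp_key(x25519(ctrl_priv, node_pub_seen), node_pub_seen, ctrl_pub)

    # Sender side (real device or attacker) derives with its own private key.
    k_sender = temp_key(x25519(sender_priv, ctrl_pub), sender_pub, ctrl_pub)
    return k_ctrl == k_sender


def rfc7748_check() -> bool:
    """Alice's key pair from RFC 7748 section 6.1 validates the ladder."""
    priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    return x25519(priv, BASEPOINT).hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"


if __name__ == "__main__":
    print("RFC 7748 vector ok:", rfc7748_check())
    for auth in (True, False):
        for attack in (False, True):
            print(f"authenticated={auth!s:5} mitm={attack!s:5} -> keys match: {simulate(auth, attack)}")
```

The interesting rows are the two attack cases: with an authenticated class the attacker's substituted key, once the controller patches in the PIN bytes from the real label, no longer corresponds to the attacker's private key, so the two sides disagree and inclusion fails; with the Unauthenticated class there is no PIN to patch in, the keys agree, and the attacker is inside the exchange. That is the practical reason locks are restricted to the Access Control class.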

One other big factor for the S2 Protocol is that it uses single-frame transmission, a real improvement over the S0 Protocol, which needed three frames for every secure command: the sender first requests a nonce, the receiver reports one, and only then does the encrypted command go out. S2 synchronizes nonces once and then sends each encrypted command as a single frame. Fewer frames on the air means less radio time per command, which translates into longer battery life, better reliability, and lower latency. In practice, a device using S2 needs fewer battery changes, behaves more consistently, and responds with shorter delays. This alone makes S2 worthwhile for anyone looking to achieve the most efficient automation network possible.

Understanding this technology in advanced detail may seem a bit daunting. But you just need to know that S2 makes Z-Wave home automation more secure, faster, and more efficient than ever before. If you have any further questions about S2, or if you want some tips for getting started with home automation, please email us at support@alarmgrid.com. We check our email from 9am to 8pm Eastern Time M-F. Also remember to check our monitoring page if you are interested in learning more about the monitoring services we offer. We look forward to hearing from you!


Comments


Quoting the article: "Meanwhile, the support of a highly secure TLS 1.1 Tunnel for all Z-Wave Over IP (Z/IP) traffic removes almost any possibility of cloud vulnerability."

TLS 1.1 has been officially deprecated by the relevant internet standards body for at least a year now due to it being insecure and vulnerable to attacks. TLS 1.2 and TLS 1.3 are the versions now considered secure and officially designated as such. It appears that Z-Wave Over IP (Z/IP) traffic involving Z/IP Z-Wave controller gateways is still officially using TLS 1.1 according to Silicon Labs' most recent official Z/IP Z-Wave controller gateway docs (Z/IP Gateway SDK 7.16.00, June 10, 2021). This is a disturbingly poor security practice, and it is surprising to see it being used in such an official manner, despite the widespread ceasing of the use of TLS v1.1 in virtually every industry following its official deprecation. It would be interesting and helpful if you could get a comment from Silicon Labs about this.
