Skip to main content
banner image
venafi logo

Z-Shave IoT Exploit Latest Example of Why You Need Machine Identity Protection

Z-Shave IoT Exploit Latest Example of Why You Need Machine Identity Protection

z-shave IoT exploit
June 14, 2018 | Robyn Weisman

Last month we got another reminder that too many IoT devices lack proper security. English security services firm Pen Test Partners demonstrated that Silicon Labs’ Z-Wave protocol can be hacked through a downgrade exploit they call Z-Shave. Bleeping Computer describes the exploit as such:

“The attack ... relies on tricking two smart devices that are pairing into thinking one of them does not support the newer S-Wave S2 security features, forcing both to use the older S0 security standard. The problem, as security researchers from Pen Test Partners have explained this week, is that all S0 traffic is secured by default with an encryption key of “0000000000000000.”

This is potentially a huge problem because of the traction Silicon Labs semiconductors, many of which use the Z-Wave protocol, have among IoT device makers. After all, Z-Wave is like a turbocharged Bluetooth. Instead of losing connection after, say, 20 feet, Z-Wave can pair devices that are over 300 feet (100 meters) apart. According to Bleeping Computer, over 100 million IoT devices currently use Z-Wave, so this isn’t a hypothetical problem that we’re talking about.

This exploit shows yet another example of what can happen when machines don’t properly identify themselves before they share encrypted communications. It also shows how easy it is to lose track of how important it is to secure machine identities at both sides of such an interaction. It’s too late to realize the impact of these machine identities only after we have experienced an impactful event like this one.

Jing Xie, senior threat intelligence analyst at Venafi, explains IoT compromises can cause severe consequences to businesses and society, especially given that IoT ecosystems tend to be deployed at a massive scale. “The scale and all-connected nature of these machines sets a good stage for magnifying the damage,” she says.

That ‘Opportunistic Mentality’

Xie says that the Z-Shave exploit in itself won’t bring about “the end of the world,” although she points out that “this is true of all vulnerabilities until they are exploited and cause damage.” And Xie understands why Silicon Labs would want to present their side of the story in a way that downplays exposure, given that attackers have only a brief time window to carry out this type of attack.

Nevertheless, Xie says it’s undeniable that basic security considerations were lacking in the design and implementation that come with a hardcoded encryption key:

“The opportunistic mentality at play here is unacceptable. It reflects the belief that because no severe harm was done during this exploit, users will be just as lucky next time. When confronted with hard evidence, it'd be wiser to own the fault and take an effort to learn the lesson and do better in the future.”

And these exploits can potentially create worse IoT-based exploits in the enterprise world than those seen in that of the consumer:

“As more and more enterprises embrace IoT technologies in their infrastructure and applications, their businesses' IoT dependency deepens. Without the forethought of built-in security, they would not be able to escape the fate of being the primary target of bad guys. Therefore, IoT security must be taken seriously by everyone from now on. We need to anticipate attacks as opposed to being reactive to them.”

Protect Machine Identities

Virtually all security breaches, whether human- or machine-based, involve a fake identity, Xie continues. The Z-Shave hack shows that “these IoT devices cannot efficiently build a trust relationship among themselves.”

Xie goes on to say:

“Lying at the core of this issue is the fact that these IoT devices cannot efficiently build a trust relationship amongst themselves. A trust relationship is the foundation of authentic and secure activities in our society, physical and cyber. The decades of digitalization of the world has brought us more sophisticated and modern machine identities such as X509 certificates, which have been underpinning our current encrypted web and sustaining the automated machine-to-machine authentication. It is imperative for the IoT paradigm to parallel efforts to secure modern machine identities. Machine identity protection, therefore, should be brought to the forefront of security prioritization.”

No doubt you’re reading this blog (and the Venafi blog in general) because you’re concerned about protecting machine identities. This concern only grows when you consider the challenges of locating and monitoring IoT machine identities, given that IoT devices seem to be multiplying like tribbles. And you probably realize that you cannot depend on device makers themselves to keep your organization safe.

If you need this type of capability (and what enterprise doesn’t?), Venafi can help. Our platform protects encrypted communication and automatically blacklists rogue certificates and communications. So, contact us at [email protected], and together let’s avoid another close Z-Shave.

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Privileged access management, certificate manager, NIST

An Interview with CISO Shawn Irving: Why Machine Identity Protection Is Critical to Privileged Access Management

An Interview with Phil Agcaoili: Why Financial Services Organizations Need Machine Identity Protection

An Interview with Phil Agcaoili: Why Financial Services Organizations Need Machine Identity Protection

enterprise cyber security, PKI tool, iot protection

An Interview with CISO Justin Metallo: What It Takes to Protect Machine Identities

About the author

Robyn Weisman
Robyn Weisman

Robyn Weisman writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat