Z-Shave IoT Exploit Latest Example of Why You Need Machine Identity Management

June 14, 2018 | Robyn Weisman

Last month we got another reminder that too many IoT devices lack proper security. English security services firm Pen Test Partners demonstrated that Silicon Labs’ Z-Wave protocol can be hacked through a downgrade exploit they call Z-Shave. Bleeping Computer describes the exploit as follows:

“The attack ... relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard. The problem, as security researchers from Pen Test Partners have explained this week, is that all S0 traffic is secured by default with an encryption key of ‘0000000000000000.’”
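The weakness described in that quote is a pairing controller that accepts whatever security level the other side claims, with no memory of what that device previously offered and no objection to a well-known default key. The following is an added illustration, written for this post and not code from Pen Test Partners, Silicon Labs or Venafi, of a controller-side pairing policy that refuses such a downgrade. The message shape, the security-class names used as labels, the node identifiers and the policy class are all constructed; this is not the Z-Wave wire format.

```python
"""
Constructed illustration of a controller-side pairing policy that resists a
security-class downgrade. Hypothetical: not the Z-Wave protocol or any
vendor's implementation.
"""
from dataclasses import dataclass, field

# Security classes, ordered from weakest to strongest (labels only).
S0 = "S0"
S2 = "S2"
STRENGTH = {S0: 0, S2: 1}

# The post notes that S0 traffic is secured by default with the key
# "0000000000000000"; as raw key material that is sixteen zero bytes.
S0_DEFAULT_KEY = bytes(16)


@dataclass(frozen=True)
class PairingRequest:
    node_id: str          # hypothetical device identifier
    supported: frozenset  # security classes the joining node advertises
    proposed_key: bytes   # key material the node proposes (constructed field)


def naive_decide(req: PairingRequest) -> str:
    """A controller that simply takes the best class the node claims to support.
    It has no memory and no key check, so a claim of 'S0 only' is enough to
    land it on the default-keyed class."""
    return max(req.supported, key=lambda c: STRENGTH[c])


@dataclass
class PairingPolicy:
    """Hypothetical controller-side rules applied before a node is admitted."""
    minimum_class: str = S2
    # Strongest class each node has ever advertised, so a later pairing
    # attempt cannot quietly claim less than it did before.
    seen_best: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def decide(self, req: PairingRequest) -> tuple:
        best = max(req.supported, key=lambda c: STRENGTH[c])
        previously = self.seen_best.get(req.node_id)

        # 1. A node we have seen at a higher class may not pair at a lower one.
        if previously is not None and STRENGTH[best] < STRENGTH[previously]:
            self.log.append(f"{req.node_id}: downgrade {previously}->{best} refused")
            return ("reject", "downgrade")

        # 2. Enforce a floor regardless of what the node advertises.
        if STRENGTH[best] < STRENGTH[self.minimum_class]:
            self.log.append(f"{req.node_id}: {best} below minimum {self.minimum_class}")
            return ("reject", "below_minimum")

        # 3. Even where legacy S0 is tolerated, never accept the well-known key.
        if best == S0 and req.proposed_key == S0_DEFAULT_KEY:
            self.log.append(f"{req.node_id}: well-known default S0 key refused")
            return ("reject", "default_key")

        self.seen_best[req.node_id] = best
        self.log.append(f"{req.node_id}: admitted at {best}")
        return ("accept", best)


if __name__ == "__main__":
    policy = PairingPolicy()                      # strict: S2 or nothing
    legacy = PairingPolicy(minimum_class=S0)      # tolerates S0 for old gear
    first = PairingRequest("lock-1", frozenset({S2, S0}), b"\x11" * 16)
    again = PairingRequest("lock-1", frozenset({S0}), S0_DEFAULT_KEY)
    print("naive controller on the re-pair:", naive_decide(again))
    print("strict policy:", policy.decide(first), policy.decide(again))
    print("legacy policy:", legacy.decide(
        PairingRequest("sensor-7", frozenset({S0}), S0_DEFAULT_KEY)))
    print("\n".join(policy.log + legacy.log))
```

The three checks are deliberately independent: the downgrade check protects devices the controller already knows, the floor protects against new devices that only offer the weak class, and the key check catches the one case the post singles out, an S0 session keyed with the published default. A controller that keeps only the first of these is still exposed on first pairing, which is the window the researchers exploited.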

This is potentially a huge problem because of the traction that Silicon Labs semiconductors, many of which use the Z-Wave protocol, have among IoT device makers. After all, Z-Wave is like a turbocharged Bluetooth: instead of losing the connection after, say, 20 feet, Z-Wave can pair devices that are over 300 feet (100 meters) apart. According to Bleeping Computer, over 100 million IoT devices currently use Z-Wave, so this isn’t a hypothetical problem.

This exploit is yet another example of what can happen when machines don’t properly identify themselves before they exchange encrypted communications. It also shows how easy it is to lose sight of how important it is to secure the machine identities on both sides of such an interaction. Realizing the importance of these machine identities only after an event like this one is too late.

Jing Xie, senior threat intelligence analyst at Venafi, explains that IoT compromises can have severe consequences for businesses and society, especially because IoT ecosystems tend to be deployed at massive scale. “The scale and all-connected nature of these machines sets a good stage for magnifying the damage,” she says.

That ‘Opportunistic Mentality’

Xie says that the Z-Shave exploit in itself won’t bring about “the end of the world,” although she points out that “this is true of all vulnerabilities until they are exploited and cause damage.” And Xie understands why Silicon Labs would want to present their side of the story in a way that downplays exposure, given that attackers have only a brief time window to carry out this type of attack.

Nevertheless, Xie says it’s undeniable that basic security considerations were lacking in a design and implementation that ships with a hardcoded encryption key:

“The opportunistic mentality at play here is unacceptable. It reflects the belief that because no severe harm was done during this exploit, users will be just as lucky next time. When confronted with hard evidence, it'd be wiser to own the fault and take an effort to learn the lesson and do better in the future.”

And such exploits could have worse consequences in the enterprise world than the ones seen so far in the consumer world:

“As more and more enterprises embrace IoT technologies in their infrastructure and applications, their businesses' IoT dependency deepens. Without the forethought of built-in security, they would not be able to escape the fate of being the primary target of bad guys. Therefore, IoT security must be taken seriously by everyone from now on. We need to anticipate attacks as opposed to being reactive to them.”

Manage and Protect Machine Identities

Virtually all security breaches, whether human- or machine-based, involve a fake identity, Xie continues. The Z-Shave hack shows that “these IoT devices cannot efficiently build a trust relationship among themselves.”

Xie goes on to say:

“Lying at the core of this issue is the fact that these IoT devices cannot efficiently build a trust relationship amongst themselves. A trust relationship is the foundation of authentic and secure activities in our society, physical and cyber. The decades of digitalization of the world have brought us more sophisticated and modern machine identities such as X509 certificates, which have been underpinning our current encrypted web and sustaining the automated machine-to-machine authentication. It is imperative for the IoT paradigm to parallel efforts to secure modern machine identities. Machine identity management, therefore, should be brought to the forefront of security prioritization.”

No doubt you’re reading this blog (and the Venafi blog in general) because you’re concerned about managing and protecting machine identities. This concern only grows when you consider the challenges of locating and monitoring IoT machine identities, given that IoT devices seem to be multiplying like tribbles. And you probably realize that you cannot depend on device makers themselves to keep your organization safe.

If you need this type of capability (and what enterprise doesn’t?), Venafi can help. Our platform protects encrypted communication and automatically blacklists rogue certificates and communications. So, contact us at, and together let’s avoid another close Z-Shave.

About the author

Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.
