Skip navigation
Electronic Design

Q&A: S2’s Impact on Z-Wave and IoT Security

Z-Wave Alliance Executive Director Mitchell Klein discusses the S2 framework and what it means for the future of Z-Wave devices and beyond.

Download this article in .PDF format
This file type includes high-resolution graphics and schematics when applicable.

Mitchell Klein, Executive Director, Z-Wave Alliance

On November 17, the Z-Wave Alliance, an open consortium of leading global companies deploying the Z-Wave (see “What’s The Difference Between ZigBee And Z-Wave?”) smart-home standard, announced a new security mandate for devices receiving Z-Wave Certification after April 2, 2017. The security measures in the new framework, known as S2, provide the most advanced security for smart-home devices and controllers, gateways, and hubs in the market today.

Over the last several years, the Z-Wave Alliance along with its Board of Directors and members, have been working to develop world-class security for its devices as the IoT expands into every modern household in the U.S. and around the globe. I talked with the Z-Wave Alliance Executive Director, Mitchell Klein, about the S2 framework and what it means for the future of Z-Wave devices and beyond.

Wong: What trends do you see in IoT development?

Klein: As we head into 2017, I think we will continue to see IoT standards and frameworks opening up and creating partnerships to ensure seamless interoperability and further opportunities for adoption in the future. Security and how to secure IoT devices at all levels—enterprise, government, and consumer—continues to be a major area for concern and one that developers must address in current and future products.

Wong: What was the genesis for the S2 framework development?

Klein: As smart-home adoption began to increase, we recognized the need to prioritize the security of our devices. Intrusion and hacking of connected devices becomes more prevalent every day; our goal for the S2 security solution is to provide high security for all Z-Wave devices and to ensure there are no vulnerabilities in a Z-Wave network.

Security 2 is a result of a lengthy investigation of the market for security solutions and collaboration with cybersecurity experts, resulting in a security solution that performs on par with current Z-Wave devices in terms of battery performance and latency while improving the security. Security 2 utilizes proven industry-standard security components, making it possible to implement this comprehensive solution in a fairly short time.

Wong: Will S2 be backwards-compatible in other devices or updatable OTA?

Klein: Security will no longer be optional for Z-Wave manufacturers to deploy; therefore, through an easy update, all gateways with 500 series chips and all devices that allow over-the-air (OTA) upgrades are able to add S2 to existing devices. Z-Wave devices also include signal jam detection and the tunneling of all Z-Wave over IP (Z/IP) traffic to eliminate any cloud vulnerability.

Devices with S2 will be able to be included in an existing network using the previous security model—Z-Wave will always be backwards- and forwards-compatible regardless of the upgrades in future versions. If the controller or hub in the network is upgraded to S2, an existing device (i.e., a door lock) will be able to be included as a S2 device and be able to utilize existing nodes in the network as repeaters for the necessary S2 messages.

Wong: Does any other IoT standard or platform have this type or level of security baked in?

Klein: Z-Wave is the first protocol to enable ALL nodes in a network to have a high security level, thanks to its low cost and long battery lifetime implementation. Other home control/IoT products have similar solutions, but only for dedicated products (e.g., smart meters) and are often cost-dependent. Z-Wave has created the most efficient, secure multicast solution that outperforms other protocols when controlling large groups of products at the same time, and has the most frame-efficient security implementation in the market.

Wong: How can manufacturers prepare for the certification change?

Klein: Manufacturers have had access to the S2 framework in beta since summer 2016, and they can now download and start to implement S2 in their current products. Many have started to look at their product roadmaps and plan out where they need to implement S2. We will continue to help educate manufacturers as well as the larger market about the benefits of the new security framework.

Wong:  What are the main features of the new security framework and when will it be mandatory to implement?

Klein: The main features of the new security framework include:

• No latency or additional power consumption for devices with S2.

• Strong AES-128 encryption.

• Improved protection against eavesdropping using the industry-standard Elliptic Curve Diffie-Hellmann (ECDH) key exchange mechanism. This makes it impossible to decipher the network key.

• Authenticated deployments that remove the “man-in-the-middle” attack vector—devices can be physically authenticated by PIN code during inclusion. An option QR code can also be supported.

• Tunneling all Z/IP traffic through a secure TLS 1.1 tunnel eliminates cloud vulnerability.

The Alliance Board of Directors has voted to make the implementation of the new Security 2 (S2) framework mandatory for all products that are Z-Wave certified after April 2, 2017.

Wong: Will the consumer or end user see anything different in their devices or smart home experience? 

Klein: End consumers will experience ‘snappier’ devices with less need for new batteries while enjoying strong security. For access devices, they will see longer battery life and faster response time. All smart-home devices can now be implemented with the S2 framework, giving them comfort in knowing that the device is secure without seeing impact on usability.

Wong: Can existing Z-Wave devices be upgraded to include S2?

Klein: The 500 series-based devices can be upgraded to the 6.7 Z-Wave SDK and utilize the S2 framework.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.