The Lowdown on Z-Wave’s S2 Security Support

Q&A: The Lowdown on Z-Wave’s S2 Security Support

July 12, 2017
Technology Editor Bill Wong talks with Sigma Designs’ Raoul Wijgergangs about the latest version of Z-Wave, which includes the Security 2 (S2) framework.

Download this article in PDF format.

Z-Wave was a popular wireless technology even before the Internet of Things (IoT) became a buzzword. It has provided connectivity for a wide range of applications, from home control and security to industrial control. I recently talked to Sigma Designs’ Vice President, Raoul Wijgergangs, about IoT security and how Z-Wave’s latest S2 security support fits into the discussion.

Wong: What trends are you seeing in cyber security and what has been lacking in smart home?

Wijgergangs: IoT has introduced a wide range of new and unique security risks and challenges to connected devices, operating systems, communications, and the system through which it’s all connected. Security concerns are amplifying across all sectors of IoT, and Sigma Designs believes that in order for widespread adoption to take hold in the consumer smart-home space, the industry must mandate minimum levels of security measures to protect from cyber intrusion across the board.

Part of what’s been lacking in the smart home is that device manufacturers are thinking about the security of their specific device, not the security of the whole network. Security has been an on-going priority for our R&D team, which is why the latest SDK [software development kit] for Z-Wave supplies a best-in-class security framework known as Security 2 (S2) to ensure Z-Wave devices are the most secure in the industry.

Wong: How is the industry advancing to provide more efficient, more secure solutions?

Wijgergangs: Today’s smart-home device market is dominated by single, standalone devices. However, companies are trying to find a way to be part of the connected network of smart devices to offer greater value to consumers. That said, 58% of companies reported they were not confident in the security of their IoT devices, according to a 2016 AT&T study.

Recognizing that cybersecurity is a repeating and growing concern for consumers and manufacturers is just the first step in developing more efficient and secure solutions. Many companies, Sigma Designs included, are leveraging cybersecurity experts and “white hat hackers” to identify potential weaknesses and vulnerabilities in the protocols and coding that connect so many of the devices consumers rely on and use on a daily basis.

We want to act as an ambassador from the smart-home space, leading the charge for cybersecurity in residential IoT, and making it easier for device manufacturers to implement the highest level of security without negatively impacting other device features. Z-Wave already leads in security with AES-128 encryption level, available to all devices and mandated in access control products today. With the combination of existing and new security features released in the S2 architecture, Z-Wave will continue to be the safest, most secure ecosystem of smart devices on the global market.

Wong: What is the S2 framework and how was it developed?

Wijgergangs: S2 is the newest security framework for Z-Wave devices. It enables manufacturers to offer best-in-class security without any compromises in terms of power consumption or latency by using a single command structure that replaces a previous three-step process.

Sigma worked hand-in-hand with the cybersecurity expert community to investigate the market-accepted crypto building blocks and develop the actual specification for the S2 framework that gives Z-Wave devices new levels of impenetrability. We are so confident in the security that S2 will provide to manufacturers that the framework has been posted publicly on our website for all to see, evaluate, and test.

Wong: What’s different about this from Z-Wave’s previous security requirements?

Wijgergangs: Z-Wave already leads in security with AES-128 encryption level, which is available to all devices and mandated in access-control products on the market today. S2 uses a single command structure that replaces a previous three-step process, which reduces latency and improves battery life for devices using the new security framework.

Before, security was only built-in for a select few devices in the system. S2 is a solution for all nodes in the network in order to protect the entire network. For Z-Wave devices in the network, when implemented, S2 secures communication both locally for home- or business-based devices and in the hub or gateway for cloud functions.

This lockdown in communication virtually removes the risk of devices being hacked while they’re being included in the network. That’s because a QR or pin-code on the device level is required for unique authentication and for the device to be added to the network. This also helps to make the end devices unusable in a DDoS attack by placing the Z-Wave devices out of reach from most consumer electronics.

The new framework makes common hacks, such as man-in-the-middle or brute force, virtually powerless against S2. It implements the industry-wide-accepted secure key exchange using Elliptic Curve Diffie-Hellman (ECDH), which makes it virtually impossible to decipher the network key.

Devices are divided into two classes; access-control devices, such as door locks, must be authenticated during inclusion; other devices can choose between being authenticated or not during inclusion. S2 allows for tunneling all Z-Wave over IP (Z/IP) traffic through a secure TLS 1.1 tunnel, which eliminates cloud vulnerability as well.

Previously, Z-Wave networks already had security keys unique for each network. S2 further improves on this by having unique keys for each device group, too. Unique network keys ensure that information from one network cannot be used to decrypt another network. A hacker cannot set up a sandbox network, crack the keys, and use those keys to compromise another network.

Wong: What benefits does S2 provide to a manufacturer?  

Wijgergangs: S2 offers manufacturers the highest level of security available to ensure their devices are the most secure in the industry. Security aside, manufacturers leveraging S2 also directly benefit from reduced latency and improved battery life due to the framework being directly embedded within the chipset.

S2 being part of the mandated and certified protocol ensures that security is maintained in an interoperable ecosystem. An S2-capable end device will connect securely to any S2-capable gateway, regardless of manufacturer of each device. This ensures that security on the Z-Wave network is not compromised by incompatible manufacturer implementations.

Wong: How is S2 implemented?

Wijgergangs: The S2 framework is out today in SDK 6.7 and available for implementation immediately. As of April 2, 2017, the S2 framework has been made mandatory to implement on all devices submitted for Z-Wave certification. Existing devices will continue to be backward-compatible with the new S2 smart devices, and we encourage all manufacturers to add S2 to their existing product lines.

Wong: Will Z-Wave devices that existed previously be able to upgrade to the S2 framework?

Wijgergangs: Yes. Not only will devices with S2 be able to be included in an existing network using the previous security model, Z-Wave devices featuring the 500 Series chipset that’s upgradeable over-the-air (OTA) can be upgraded to 6.7x and utilize the S2 framework. Z-Wave will always be backward- and forward-compatible regardless of the upgrades in future versions.

As an example, if the controller or hub within the network upgraded to S2, an existing device (i.e., door lock) will be able to be included as a S2 device if it’s upgraded. It’s even able to utilize existing nodes in the network as a repeater for the necessary S2 commands and messages. We expect manufacturers to be rolling out device updates and new certified Z-Wave devices with S2 within the coming months.

Raoul Wijgergangs joined Zensys, the founding company of Z-Wave, in 2004, pioneering the U.S. IoT smart-home market, building not only a new company, but an industry at the same time. Zensys was acquired by Sigma Designs in 2008. Prior to Zensys, Mr. Wijgergangs worked at Philips for 10 years and held key positions such as senior director of global sales and marketing for Wi-Fi and Bluetooth, and helped founding Arcadyan, a Philips joint venture with Accton. He holds a Bachelor’s of Engineering in computer science and an M.B.A. from the University of Twente in the Netherlands.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as his latest articles on this site that are listed below. 

You can visit my social media via these links:

I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.  

I still get a hand on software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 

Sponsored Recommendations


To join the conversation, and become an exclusive member of Electronic Design, create an account today!