offensive-z-wave

Z-Wave Attacks

Z-Wave runs in the 800/900 MHz ISM bands (US: 908 MHz, EU: 868 MHz). Older networks use the S0 security scheme, in which the network key is handed to a joining device during inclusion under a fixed, publicly known temporary key; this weakness has been documented for years. S2 (mandatory for Z-Wave Plus v2 certification since 2017) uses ECDH key agreement during commissioning and is significantly stronger.

Quick Workflow

  1. Identify region (US 908 MHz / EU 868 MHz) — adapter frequency must match
  2. Sniff inclusion (commissioning) traffic — that's where keys are exchanged
  3. Determine S0 vs S2 from frame format
  4. For S0: derive/replay; for S2: analyze ECDH and look for implementation flaws

Hardware

Installs: 29
GitHub Stars: 2.3K
First Seen: May 8, 2026
offensive-z-wave — snailsploit/claude-red