Z-Wave Home Controller API Leaves Door Open To Hackers

After purchasing a RaZberry board to turn one of his Raspberry Pis into a Z-Wave gateway for home automation, Randy Westergren discovered a security issue in the control software, Z-Way. In a blog post, he discussed the issue and how it exposes a home system to hacking.

After installing the software, Westergren initiated a request to turn a light switch on to test the system. The response showed that absolutely no authentication is needed to make requests, with the vendor’s website FAQs indicating that network security is the responsibility of the customer:
 
“Is there HTTP authentication in the HTTP/JSON API?”
“No, there is no authentication, your local network is supposed to be a safe environment and protected from the outside world using Wi-Fi passwords and firewalls. If you want to protect Z-Way using a password, you can always use projects like nginx and other reverse proxy servers.”
 
While a user’s LAN should be appropriately protected, it is not impervious to attack, and the default Cross-Origin Resource Sharing (CORS) header on the Z-Way web server allows access from any origin. An attacker could embed JavaScript in a web page that crawls through subnet hosts and triggers a Z-Wave operation by posting to the API with a non-existent device number, then iterates through device IDs in an attempt to turn a light switch on.

While this example relates to lights, the possibility of operating doors and garages, or of turning other security devices on or off, shows just how vulnerable this system could be.
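
A check for the two conditions described above, an API that answers without credentials and a CORS policy open to any origin, written here as an added example (it is not code from Westergren's post or from Z-Way). The probe origin, the sample responses and the controller address in the final comment are constructed placeholders.

```python
import urllib.error
import urllib.request

PROBE_ORIGIN = "https://audit.invalid"  # constructed origin; never resolves

# Constructed sample responses (status, headers), not captured from a real device.
SAMPLE_OPEN = (200, {"Content-Type": "application/json",
                     "Access-Control-Allow-Origin": "*"})
SAMPLE_REFLECTED = (200, {"access-control-allow-origin": PROBE_ORIGIN})
SAMPLE_PROXIED = (401, {"WWW-Authenticate": 'Basic realm="gateway"'})


def evaluate(status, headers):
    """Return finding codes for one response to a request sent without credentials."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # A 2xx answer to an anonymous request means the API served it unauthenticated.
    if 200 <= status < 300:
        findings.append("no-auth")
    # "*" or an echo of our made-up origin both mean that script on any
    # web page is allowed to read this API's responses.
    acao = h.get("access-control-allow-origin")
    if acao == "*" or acao == PROBE_ORIGIN:
        findings.append("cors-any-origin")
    return findings


def audit(url, timeout=5):
    """Send one anonymous GET with a foreign Origin header and evaluate the reply."""
    req = urllib.request.Request(url, headers={"Origin": PROBE_ORIGIN})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry headers
        return evaluate(err.code, dict(err.headers))


if __name__ == "__main__":
    for name, sample in [("open", SAMPLE_OPEN), ("reflected", SAMPLE_REFLECTED),
                         ("proxied", SAMPLE_PROXIED)]:
        print(name, evaluate(*sample) or "ok")
    # Against your own controller (placeholder address):
    #   print(audit("http://CONTROLLER_ADDRESS/"))
```

If a reverse proxy is placed in front of the controller, as the vendor FAQ suggests, run the check against both the proxy and the controller's own port: the proxy only helps when the original port is no longer reachable from the LAN.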

Original Article

Attacking Z-Way Controlled Home Automation Devices