After purchasing a RaZberry board to turn one of his Raspberry Pis into a Z-Wave gateway for home automation, Randy Westergren discovered a security issue in its control software, Z-Way. He described the issue in a blog post and explained how it exposes a home automation system to attack.
After installing the software, Westergren sent a request to turn a light switch on to test the system. The response showed that no authentication at all is required to make requests; the vendor's website FAQ states that network security is the customer's responsibility:
“Is there HTTP authentication in the HTTP/JSON API?”
“No, there is no authentication, your local network is supposed to be a safe environment and protected from the outside world using Wi-Fi passwords and firewalls. If you want to protect Z-Way using a password, you can always use projects like nginx and other reverse proxy servers.”
While this example involves a light, the same unauthenticated API can operate doors, garages, and other security devices, which shows just how exposed such a system is to anyone who reaches the local network.
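The FAQ's suggested mitigation, a password-protected reverse proxy in front of Z-Way, looks like the following. This is an added example written for this page; it is not configuration from Z-Wave.Me or from Westergren's post. It assumes Z-Way listens on its usual default port 8083, that the gateway's LAN address is 192.168.1.10, that a hostname zway.home.lan and a self-signed certificate are in place, and that the password file was created with htpasswd. All of these are assumptions, not facts from the article.

```nginx
# Added example, not vendor configuration. Assumed values: Z-Way on
# 127.0.0.1:8083, gateway LAN address 192.168.1.10, hostname zway.home.lan,
# password file created with:  htpasswd -c /etc/nginx/zway.htpasswd admin

server {
    listen 192.168.1.10:443 ssl;
    server_name zway.home.lan;

    # Basic credentials travel in cleartext, so TLS is not optional here.
    ssl_certificate     /etc/nginx/certs/zway.crt;
    ssl_certificate_key /etc/nginx/certs/zway.key;

    # Applied at server level so every path (/ZWaveAPI/, /ZAutomation/, the
    # web UI) requires credentials; no location can be reached unauthenticated.
    auth_basic           "Z-Way";
    auth_basic_user_file /etc/nginx/zway.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8083;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
    }
}

# Refuse to serve the API over plaintext; redirect instead.
server {
    listen 192.168.1.10:80;
    server_name zway.home.lan;
    return 301 https://$host$request_uri;
}
```

The proxy only helps if it cannot be bypassed. Z-Way itself still answers on port 8083, so that port must be bound to 127.0.0.1 or blocked for LAN clients at the host firewall (an iptables rule dropping inbound TCP 8083 on the LAN interface is enough); whether Z-Way offers a bind-address setting depends on the version, so the firewall rule is the safer assumption. After deploying, check from another host on the LAN that a request to http://192.168.1.10:8083/ fails and that https://zway.home.lan/ returns 401 without credentials.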