Z-Wave, a Wireless Communication Protocol that widely used in IoT Smart Devices vulnerability allow attackers to perform Downgrade Attack and compromise nearly 100 Million IoT devices around the world.
Also, it Helps to share the network key exchange to secure traffic in between controller and the client devices after the device paired.
Also, This key allows to protect the communications and prevent attackers from exploiting joined devices.
There are over 100 million Z-wave chips are used in smart devices and 2,400 vendors including the communication range between the device and the operator over 100 meters.
How Does this Z-Wave Downgrade Attack
Earlier Smart device pairing process between client device and controller using “S0” that had a vulnerability and the pairing node using a key of all zero which leads to sniffed by an attacker within RF range.
So later it was fixed and improved into S2 and this Vulnerability allow attacker back to S0 by obtaining the network key.
To perform this test researchers using Sigma provided tool called ‘PC Controller’ also they said, This is not a Z-Wave certified S2 controller, and hence does not display a warning when S0 security is used. Most S2 controllers have a very limited UI, so even if they do alert the user it’s likely to be no more than a flashing LED.
This could lead to attacker Exchange the network key and they will replace the fixed key as “0000000000000000” which indicate that they obtain the network key and attack any device on the network when the device is paired with in the RF range.
S2 pairing key cannot be intercepted but the attacker exploits this vulnerability while the time of pairing and perform the downgrade an S2 pairing to S0.
So attackers intercept the key then intercept, inject S0 traffic on the Z-Wave network and there is very very less time to perform this attack and attacker would need advanced equipment to perform this attack successfully. you can read technical analysis here.