One of the bigger themes around IoT in 2015 – and one that will likely be even bigger in 2016 – is security. Nowhere is the continued rise to prominence of security as an issue for IoT more evident than at security conferences like DEF CON, where each year speakers warn of the imminent danger in a world where everything is connected. In fact, IoT got top billing at this year’s DEF CON, where one of the conference’s famed “hacking villages” was IoT themed for the very first time.
It makes sense then that one of the primary consumer-centric IoT networking technologies, Z-Wave, would look to up its security game. So this morning, Sigma Designs, the main supplier of Z-Wave silicon, announced an improved set of security technology called Z-Wave Security Framework 2 (which they refer to as S2), in its latest software development kit.
The main differences between S2 and previous security frameworks for Z-Wave is this means devices with S2 will require a PIN code or QR code on the device itself. It also means that Z-Wave security will now move beyond AES 128 bit cypher security (which is now baseline security in most IoT networking technologies such as Bluetooth, Zigbee and Thread) to using one of the most advanced curves (aka algorithms) in Curve25519 for the Elliptic Curve Diffie-Hellman key agreement security scheme. Curve25519, the same curve used in HomeKit, doesn’t have any known backdoors and has gained popularity as AES128 encryption and other forms of elliptic curve cryptography has fallien victim to a variety of hacks.
All of this is a complicated way to say that Z-Wave has made security one of its key differentiators. I think it’s a good focus for them in terms of defining what their outward perception is vis-a-vis other IoT networking technologies, even if I think the vast majority of vulnerabilities will come not through local link layer attacks, but through the cloud. The reality is smart home and IoT networks are only as strong as their weakest link, and adding Internet connectivity creates potential vulnerabilities that will be nearly impossible to completely fortify against.
This isn’t to say Z-Wave shouldn’t make this a point of emphasis. Bluetooth and Wi-Fi have continued to be plagued by security issues, and by pointing out the differences with Z-Wave and putting security on par with HomeKit, this is likely is something that will resonate to a certain degree with product manufacturers.