Secure Z-wave; Necessity or waste?

I’m sorry if this is a well documented issue, but I just need some clarification.

Z-wave Secure S2 - should it be used for all devices? Does it matter? Does it introduce lag and more issues than it’s worth?

I’m referring to this update:

“Twice as fast” as earlier versions or vs non-secure?

I’m about to set up a new network in my house towards Homey Pro 2023 (when it arrives) and a friend’s Bridge.
All devices atm are HeatIt dimmers, buttons and thermostats. Everything is Z-Wave Plus and S2.

The thing is - I see threads about issues, HeatIt especially, with S2 and instability or having to reset devices, latency etc, and the solution is usually resetting everything and including as non-secure.

Why is this? Is it fixed now? Should S2 not be used at all on devices except door locks and garages? HeatIt states the issue is only with Homey, no other controllers.

I’m just confused. Because AFAIK secure devices have their own network/mesh, but don’t interfere or slow down?

I’m just trying to make sense of whether there’s any point at all in having dimmers and thermostats secure.
And also (except when pairing) what it means for security.

I’m pretty sure none of the houses around here have z-wave. And for the few home owners that maybe do; I’m pretty sure they don’t know they do. So I don’t see any attack waiting to happen while including really…

I have the new Homey Bridge and various Aeotec Z-Wave devices connected in ‘secure’ mode. I do not see latency (operating the door sensor immediately generates a Homey flow/notification); the Z-Wave signal travels 25m from sensor to bridge, then via WiFi to the ISP, then over the internet 1000km to AWS Frankfurt where my Homey cloud runs.
Only the Z-Wave lamps are not authenticated, not sure how that works.
Z-Wave mesh is stable.

Now, I think that the Z-Wave chip used in Homey is gen5, not sure if the new Pro already has the gen 7 chip.

But is it necessary to use S2?

I also noticed that HeatIt says to include S2 devices using the “Homey” app, not the HeatIt app in Homey, why is that?
Do S2 devices have to be directly on Homey, and not through brand apps?

A developer can add a flag in the code for each device (S2) to include it unsecure. This is only necessary during pairing; if it is changed afterwards it will keep working as it was before.
Otherwise it will always try to include it secure; this is what happens if you use the Homey → Z-Wave option, as that doesn’t have that flag.
There are 2 types of S2 devices. If you need to enter a 5-digit code, a user can also use 00000 to include it unsecure; if they use the code it will include secure (S2 Authenticated).
For the 2nd type the user won’t have to input a code and it will always include secure (S2 Unauthenticated).
You can include the non-code one unsecure too, but that needs an app from the community app store which has that flag.
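As an added illustration (not code from the thread or from Homey) of what the 5-digit code in the post above is: the Z-Wave S2 DSK is the first 16 bytes of the device’s 32-byte Curve25519 public key, printed as 8 groups of 5 decimal digits, and the first group is the PIN; for S2 Authenticated the joining device sends its public key with the first 2 bytes zeroed and the controller fills them in from the PIN the user typed. The key used here is a constructed random value.

```python
# Added example, not part of the forum thread or of any Homey/HeatIt code.
# Facts from the Z-Wave S2 specification: DSK = first 16 bytes of the public key,
# shown as 8 groups of 5 digits (16-bit big-endian each); group 1 is the PIN.
# The joining node zeroes the first 2 key bytes for S2 Authenticated inclusion.
import os


def dsk_from_public_key(pubkey: bytes) -> str:
    """Render the first 16 bytes of a 32-byte public key as the printed DSK."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte Curve25519 public key")
    groups = [int.from_bytes(pubkey[i:i + 2], "big") for i in range(0, 16, 2)]
    return "-".join(f"{g:05d}" for g in groups)


def parse_dsk(dsk: str) -> bytes:
    """Parse a printed DSK back into its 16 bytes, rejecting malformed input."""
    parts = dsk.split("-")
    if len(parts) != 8 or not all(p.isdigit() and len(p) == 5 for p in parts):
        raise ValueError("DSK must be 8 groups of 5 digits")
    values = [int(p) for p in parts]
    if any(v > 0xFFFF for v in values):
        raise ValueError("each DSK group must be 0..65535")
    return b"".join(v.to_bytes(2, "big") for v in values)


def pin_from_dsk(dsk: str) -> str:
    """The PIN typed during S2 Authenticated inclusion is the first DSK group."""
    return dsk.split("-")[0]


def obfuscate_for_transmission(pubkey: bytes) -> bytes:
    """What the joining node sends over the air: first 2 key bytes set to zero."""
    return b"\x00\x00" + pubkey[2:]


def restore_with_pin(received: bytes, pin: str) -> bytes:
    """Controller side: put the PIN's 16-bit value back into the first 2 bytes."""
    value = int(pin)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("PIN out of range")
    return value.to_bytes(2, "big") + received[2:]


def demo() -> bool:
    """Constructed key: only the right PIN reconstructs the full public key."""
    pubkey = os.urandom(32)  # stand-in for a real device key
    dsk = dsk_from_public_key(pubkey)
    sent = obfuscate_for_transmission(pubkey)
    right = restore_with_pin(sent, pin_from_dsk(dsk)) == pubkey
    wrong = restore_with_pin(sent, "00000") != pubkey or pubkey[:2] == b"\x00\x00"
    return right and wrong
```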

Not every Z-Wave Plus device supports S2; it really depends on each device whether it supports it or not. It is a pretty new option (4/5 years, though big usage only 2/3 years or so), so it has to be a relatively new device. Usually the manufacturer states if it does support it, as most see it as a selling point.

They all work over the same mesh network, the only difference is that secure devices have their data encrypted, but can route over non secure devices just fine.
Only difference is that you can’t directly associate secure with unsecure devices.

It is twice as fast as the old Secure (S0), which since Homey v7 will always include unsecure as that was very unstable. S2 is pretty stable for most devices, but perhaps the Heatit devices aren’t and thus the developer decided to add those flags.

Unsecure will always be the fastest way, as it doesn’t need to be decrypted, but the difference is pretty small, you shouldn’t notice this in regular use.

I see. All my Z-Wave devices are Z-Wave Plus or Plus V2, and all of them also support S2, so I was hoping to just go with that for everything.

So it could be that HeatIt is using S2, but just not for the pairing?
Are the S2 issues related to Homey? It seems like Homey is the only platform HeatIt has issues with?

But if you use the “Homey Z-wave” solution - won’t that potentially remove some of the features for a Z-wave device?

There probably aren’t inclusion issues; there might just be communication issues (sometimes) afterwards when included secure.
But I’m not the developer and don’t have any heatit devices, so I don’t know.

There is no “1 answer fits all”.
Lots of differences between brands.

There are devices (few of Aeotec) that don’t send all (sensor) data when included unsecure, only when included as S2.
There are also devices that won’t work at all if you try to include them unsecure (Ring keypad v2) only under S2.
But I have seen enough devices that work just fine included unsecure and/or secure (S2), hence it is usually best to go with what the developer has implemented.

Right. But in terms of actual security, and not compatibility, how bad exactly is “unsecured” z-wave? What exactly can be collected from an established Z-wave network?

Security is a bit relative, as neighbors can’t listen in without a Z-Wave stick and some special software (also called a Z-Wave sniffer); you can’t do it with any regular Z-Wave software.
If they do have that, then it is like watching a bunch of plain text like “measured temperature is xx degrees”.

Thieves could, but I don’t think anyone would benefit from listening in to a temperature sensor etc. Sending to devices is also possible but a bit more difficult, as you need to know which Node ID the corresponding device has.
And if they stay long enough to listen for motion commands (or rather the lack of them) to tell whether you are at home or not, then you were probably already being targeted beforehand.
There are other ways to see if someone is home/asleep which are way easier (like actually looking with your eyes), or breaking into the WiFi router.

Absolutely right. We also have a separate AI camera system and alarm system connected to a 24/7 central, so Homey’s traffic isn’t really a worry for me.

But OK, so Sx is actually unencrypted and open?

For me it doesn’t matter too much atm, as it’s mainly lights and thermostats really. And if someone REALLY wants to listen in to this, well enjoy… :joy:

Yes, unsecure (Sx) is unencrypted and technically fully open.

No, same issue with Heatit on other platforms.

Weird, they state that it’s only Homey in their fairly long thread.

I just moved from SmartThings, they said the same thing there, that SmartThings was the only one with issues. From my experience, some Heatit devices lock up when they generate much traffic. For example if you enable power reports on Z-dim v1. Try to stay away from S0 security, that generates more traffic and makes things worse.

That sucks… I’ve gone all in on HeatIt as they were possible to integrate with Elko Plus etc. (you can use the Elko Plus dimmer knob on HeatIt).

I hope they’ll fix it either on hub side or with firmware updates.

I have no issues with Heatit devices (Zdim v1, Z push button4 and Z-Term3) at the moment. Just stay away from S0 security and don’t set the reporting interval too high and you probably will be fine :slight_smile: . Newer Heatit devices like Zdim v2 come with a new Zwave 700 chip, so maybe they don’t have the same issue.

Yeah. I have Z-Dim2 for all dimmers, and Z-Trm3 for all thermostats. And some Push 2, 4 and 8 panels.
So not all of them are Z-Wave Plus v2, but a mix. I’m waiting for Homey Pro to arrive so I can get everything connected.


From my experience, some Heatit devices lock up when they generate much traffic.

That’s mostly related to S2?
Power reports - how often is too much? I’d like to have relatively new information available. I’m planning a Home Assistant Lovelace dashboard through MQTT, would be nice to have fairly updated status there.

Just connect everything up and leave it at default settings, I think it will work just fine. :blush:

If I remember correctly, the Heatit app on Homey now by default connects the devices without security.

Yeah, it seems like it.
Well, let’s see what breaks first: the new Homey app, Homey Pro in EA or the HeatIt app.