Not sure it’s described anywhere (feel free to point me to the documentation), but I was wondering what each encryption type on https://tools.developer.homey.app/tools/zwave means, so if you are like me, here you go:
- Secure (Authenticated): This indicates that the device uses basic Z-Wave security (sometimes referred to as S0). It provides encryption for network-wide communication but was susceptible to certain hacking techniques.
  - Basic Encryption: This is the original form of Z-Wave security (S0). It encrypts all network-wide communication, preventing eavesdropping on the basic commands sent to Z-Wave devices.
  - Vulnerability: This method was found to be susceptible to hacking techniques like “man-in-the-middle” attacks in certain situations.
- Secure (Access): This is similar to “Secure (Authenticated)” (S0) but offers some additional security features aimed at preventing unauthorized control of specific devices (like door locks).
  - Targeted Protection: This is a slightly enhanced version of S0 security focusing specifically on commands that can be used to control access-sensitive devices, such as door locks and some sensors.
  - Partial Encryption: It doesn’t encrypt every single command like Secure (Authenticated) S0; rather, it focuses on the most critical commands to provide some additional protection.
  - Still Considered Weak: Like Secure (Authenticated) S0, this variation is also considered less secure than the newer S2 standard.
- Secure (⨯): This flag typically means there’s no encryption in place for communication with that device. Data is transmitted in plain text and could be intercepted.
- Secure (S2 (Authenticated)): This is the newer and significantly more robust Z-Wave S2 security framework. It uses strong encryption (AES-128) and improved authentication methods to mitigate previous vulnerabilities.
Compatibility / communication
- Basic Communication: Z-Wave devices with different security levels (S0, S2, no security) can still communicate at a basic level. They can exchange status updates, simple commands, and general network information.
- Secure Commands: Here’s where the difference lies:
  - S0 to S0: Devices using either Secure (Authenticated) S0 or Secure (Access) S0 can exchange secure commands between them.
  - S2 to S0: S2 devices can send unencrypted commands to S0 devices, but not vice versa. S0 devices cannot initiate secure communication with S2 devices.
  - No security to S0/S2: Devices without encryption can send commands to both S0 and S2 devices, but the communication will be unencrypted.
Impact of Security Types on mesh routing
- S2 Strength: Devices using S2 security provide the most reliable routing. They have robust communication and error-checking, ensuring messages are delivered successfully even with multiple hops.
- S0 Considerations: While devices with S0 security can function as repeaters, communication may be slightly less reliable. Potential vulnerabilities in S0 could lead to occasional message failures.
- Unencrypted Devices: Devices without encryption can also act as repeaters. However, this introduces a security risk, as unencrypted data can be intercepted when being relayed across the mesh.