cross-posted from: https://slrpnk.net/post/28482551
I’m looking into installing a door lock w/ key pad at home for two use cases:
- I’m out of town and need to allow someone to enter my home, in an emergency or for any reason.
- Nice to have - “oh shit, did I lock the door” - ability to lock the door remotely from my phone, would also solve use case #1 by unlocking remotely.
If there are no privacy respecting / self hosted apps for remote control (use case #2), then a “dumb” electronic lock w/ key pad that enables me to set a PIN that I can give to a friend or neighbor in a pinch and then reset the PIN after I get home, that would be good enough. If no such keypad/electronic locks exist, then my backup plan is to just make a few copies of my key for trusted friends & family and/or hide a key, but I’d like to explore the keypad route.
Thanks for that, that’s good to know. But TBH, I feel much more secure with deadbolts that don’t use keys. Here’s a video that helped me make up my mind when I got these.
As far as I can tell, CVE-2023-26943 doesn’t have anything to do with Z-wave, it looks to be related to RFID.
You mentioned Yale Smart Locks, and that CVE is specific to Yale Smart Locks. Has nothing to do with Z-Wave, but if your lock has a contact reader, it’s susceptible.
Just Z-wave here. Thanks though.
You’re missing the point here…🤦
Am I?
The one attack vector you provided that actually applies here is something that would require technical experience above what your average thief would reasonably have. But with a keyed deadbolt, a lot of those can be raked, picked, or opened with a Lishi tool.
So yeah, you’re right that there’s a vulnerability when locks are paired. But that would require someone to either be within range when that happens or to place a battery powered device and pick up that information the next time pairing happens. Pairing doesn’t happen very often. I think the last time I paired any of my locks was over a year ago.
But with keyed locks, an attacker wouldn’t have to wait for me to do anything, they could just walk up and pick the lock with tools that are easier to get and understand/use.
Going with your reasoning, the two videos I’ve shared about picking deadbolts would mean that keyed locks aren’t secure either.
Two words then: Flipper Zero
You’re behind the times on this one. This is a common tool used to defeat all kinds of locks. The Z-Wave exploits have been around for a LOOOONG time now. There’s also BT and RFID exploits as well, hence the CVE is posted above.
Mind sharing a link to something showing that the Flipper Zero can actually do anything with Z-wave? Cause all I found are pages that talk about how hard it would be to implement zigbee, let alone*Z-wave:
https://forum.flipper.net/t/zigbee-z-wave-capacity/771
https://old.reddit.com/r/flipperzero/comments/zx05x4/why_cant_we_have_zigbee_support/
I found those two when searching for flipper zero “z-wave” and look what I found right after them, a video dismissing your whole argument about Z-wave devices/locks not being secure:
https://youtu.be/6JK-jrLd1yc
And why are you bringing up the CVE again? I already said that my locks don’t use RFID and they also don’t use Bluetooth. You’re verging into Straw Man fallacy territory… I knew there was a reason I had you tagged as a “very upset person”.
Lol, classic deflection of someone who insecure in their knowledge about a subject and trying to change the subject. Personal attacks. Weak sauce, guy. Have a time with yourself.
You’ve shared nothing to make me think anything other than this accusation being projection.