Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Title Silicon Labs Z-Wave chipsets contain multiple vulnerabilities
Name VU#142629 First vendor Publication 2022-01-07
Vendor VU-CERT Last vendor Modification 2022-01-09
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 8.8
Base Score 8.8 Environmental Score 8.8
impact SubScore 5.9 Temporal Score 8.8
Exploitabality Sub Score 2.8
Attack Vector Adjacent Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:A/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 8.3 Attack Range Adjacent network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 6.5 Authentication None Required
Calculate full CVSS 2.0 Vectors scores



Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.


Z-Wave devices based on Silicon Labs chipsets have multiple vulnerabilities. For further details, including specific devices tested, see Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes.

Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.

Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation do not implement encryption or replay protection.

Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption which can lead to battery exhaustion.

Z-Wave devices based on Silicon Labs 500 series chipsets using S2 are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.

Z-Wave devices based on Silicon Labs 500 and 700 series chipsets are susceptible to denial of service via malformed routing messages.

Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames.


Depending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay traffic, and control vulnerable devices.


Mitigations for these vulnerabilities vary based on the chipset and device. In some cases it may be necessary to upgrade to newer hardware, for example, 500 and 700 series chipsets that support S2 authentication and encryption.


Thanks to Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, and Heejo Lee for researching and reporting these vulnerabilities.

This document was written by Timur Snoke and Art Manion.

Original Source

Url : https://kb.cert.org/vuls/id/142629

CWE : Common Weakness Enumeration

% Id Name
40 % CWE-311 Missing Encryption of Sensitive Data (CWE/SANS Top 25)
20 % CWE-770 Allocation of Resources Without Limits or Throttling
20 % CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
20 % CWE-345 Insufficient Verification of Data Authenticity

CPE : Common Platform Enumeration

Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 2
Os 1
Os 1
Os 1
Os 1

Alert History

If you want to see full details history, please login or register.
Date Informations
2022-01-18 21:29:22
  • Multiple Updates
2022-01-09 05:17:42
  • Multiple Updates
2022-01-08 00:17:43
  • First insertion