How The Z-Wave Alliance Is Balancing IoT Interoperability And Security

States like California and New York are now regulating connected device security to give consumers much-needed protections. But state-by-state piecemeal legislation can be chaotic, says Mitchell Klein, executive director of Z-Wave Alliance, a consortium of 300 smart home device manufacturers. In this month’s Intelligence of Things Tracker, Klein discusses why the Feds must pass national legislation before manufacturers wind up juggling 50 different U.S. laws, plus European law, to get a product out the door.

Consumers have begun equipping their homes with many kinds of connected devices as they seek to add convenience to their lives. This presents problems for developers, who need to make sure that their products run both smoothly and securely. As more devices fill homes, they place increasing demands on local networks, causing aggravating performance lags. The effort required to separately manage incompatible products erodes some of the appeal of convenience, too, and could even drive consumers to decide that some devices are not worth the hassle. And if just one smart device is vulnerable, the entire connected home can be put at risk.

Developers keen on addressing these concerns must carefully consider how to design and connect their devices to provide reliable, secure performance. This topic has been a major concern for the Z-Wave Alliance developer consortium. The group takes its name from Z-Wave, a wireless communications protocol developed in 1999 by Copenhagen-based developer Zensys that is used by a vast number of smart home devices. 

Smart homes were a distant dream when the consortium launched in 2005 — only six products used the protocol at the time. That number ballooned to 600 by 2012, and more than 2,600 devices that use Z-Wave are on the market today. 

The consortium now includes more than 700 member companies such as ADT, SmartThings, Kwikset and Yale. In a recent interview with PYMNTS, Z-Wave Alliance’s executive director, Mitchell Klein, discussed the consortium’s role in the IoT space and how it ensures the security of its interconnected devices. 

How Z-Wave works 

The Z-Wave protocol operates on a mesh network that allows each device to repeat its signal, thereby extending the range of all products. 

“Compare that to what you experience with Wi-Fi, where the more devices you add, the worse the experience becomes,” Klein explained. “On Z-Wave, the more devices you add, the stronger the network becomes.” 

Z-Wave transmits on a sub-gigahertz spectrum, with enabled devices broadcasting at 868.42 MHz in Europe and 908.42 MHz in North America. This is in direct contrast to Wi-Fi-capable smart home devices, which transmit at 2.4 GHz. 

“How many users are happy with the Wi-Fi in their homes? That’s not Wi-Fi’s fault, though,” he said. “The reality is the physical frequency that it operates on. It just doesn’t transmit well through building materials. And the more devices you add, the slower it gets.” 

The three mandates 

The Z-Wave Alliance maintains three primary mandates for its member companies to help them improve users’ experiences and bolster devices’ security. The first dictates interoperability: All Z-Wave products must be compatible with each other, regardless of which company manufactures them. 

“You cannot be a proprietary Z-Wave platform,” Klein said. “That’s not allowed.” 

“I like to use door locks as an example,” he continued. “If you have a home where you put a Kwikset door lock on the front door, but for whatever reason you’ve put a Yale lock on your back door, both will operate on the same platform. You could press a button that says, ‘Goodnight,’ and both doors will lock.” 

This interoperability is intended to make things easier for the consumer. All Z-Wave products must also use the same technical language in their user manuals, and operating information must be properly displayed on developers’ websites.

The second requirement is that developers must provide backward compatibility. This ensures that no products will be rendered obsolete by newer ones that require customers to purchase upgraded models. 

“If you buy a cellphone today, you’re going to have to replace it in two years, and that’s no big deal. But if you put in a door lock, we know you’re not going to want to replace that ever — certainly not two years from now,” Klein explained. “The nice thing about it is, as a consumer, if you put in a dimmer from 10 years ago, it will still work with the latest and greatest Z-Wave product.” 

The third mandate requires all Z-Wave products to comply with Security 2 (S2) standards, which the alliance put into effect in April 2017. S2 stipulates that unique PINs or QR codes must be present on each device, bolstering encryption standards for transmissions between nodes. All products must also be certified for security compliance by a third-party testing lab. 

While the S2 standard makes Z-Wave networks fairly ironclad against attackers, vulnerabilities remain at gateways, where Z-Wave and Wi-Fi meet.

“Say I want to be able to unlock my front door when I’m coming home,” Klein explained. “I have to do that via Wi-Fi, which means I [have] a Wi-Fi router and a gateway in my home that is both Wi-Fi and Z-Wave-enabled. That’s the point of exposure right there.” 

The onus falls largely on customers to secure these vulnerable points, he said. 

“That’s where consumers have to recognize the need to put in highly complex and secure passwords, and not share them. You can lock it down, but consumers have generally been somewhat lacking in that area,” he stated. 

Should customers be responsible for their own security? 

Though consumers are currently responsible for securing their smart homes, Klein feels that shouldn’t be the case. 

“To rely on a consumer to come up with and remember a highly complex password? The masses aren’t going to do that, and we’ve seen it,” he said. “[The responsibility] should be with the service provider or device maker. They’re the ones that should ensure the security. But we all know that [providers have] some self-interests that may not serve the general public the way they should.” 

Klein praised California’s SB-327 — the first smart device-focused cybersecurity law in the U.S. — which ensures that device makers are held responsible for their products’ security. The bill mandates that IoT manufacturers equip their devices with adequate security measures, like unique passwords for individual products. He added that the bill is not perfect, however. 

“The challenge there is that if California does this, and New York does something else and Michigan does another thing — you can see where I’m going with this,” Klein explained. “It has to be taken out from the state level and moved to a federal level. As a tech maker, to have to comply with up to 50 different rules just within the U.S. and then another rule in Europe? That’s a bad, bad move.” 

A federal solution could be a long time coming, especially as partisan deadlock continues in the U.S. Congress. Still, such a move might be the only way to ensure that IoT developers do right by their customers.