Announcement

Collapse
No announcement yet.

Z-wave thermstat - safe from hacking?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Z-wave thermstat - safe from hacking?

    HI folks, my current thermostat appears to need replacement and I am contemplating a Z-wave one.
    However, while I have been using home automation devices since the 1980s, I am still reluctant to connect to a device that, if hacked, could cause significant problems and/or damage.
    Does anyone have any experience using Z-wave thermostats and are there any security concerns (above the paranoia level) that I need to be aware of?

    Right now, I'm considering between a

    Nortek 2Gig GoControl ZWave Thermostat
    and
    Honeywell Lyric T6 Pro Zwave Plus Thermostat

    Any thoughts, opinions, related personal experiences are most welcome.

    Cheers!
    -steve

    -----------------------------------------------------

    Current Date/Time: 8/11/2020 9:59:17 AM
    HomeSeer Version: HS3 ZEE S2 Edition 3.0.0.548
    Linux version: Linux HomeTrollerZeeS2V5 4.9.35-v7+ #1014 SMP Fri Jun 30 14:47:43 BST 2017 armv7l GNU/Linux System Uptime: 5 Days 3 Hours 30 Minutes 46 Seconds
    IP Address: 192.168.15.10
    Number of Devices: 242
    Number of Events: 212
    Available Threads: 399
    HSTouch Enabled: True
    Event Threads: 1
    Event Trigger Eval Queue: 0
    Event Trigger Priority Eval Queue: 0
    Device Exec Queue: 0
    HSTouch Event Queue: 0
    Email Send Queue: 0

    Enabled Plug-Ins
    3.0.0.5: CM15A
    3.0.0.71: EasyTrigger
    3.0.0.18: EnvCan
    3.0.2.0: Z-Wave

    #2
    Anything can be "hacked" if someone wants to badly enough and knows what they are doing. That said, I can't imagine anyone putting in the required effort with so little to gain. There are easier ways for someone to cause you a really bad day. I would not (and do not) worry about this at all. You can also set min and max settable temperatures on the thermostat (not changeable by Z-wave) on most thermostats.
    Of the two you indicated, I would go with the Honeywell.

    Comment


      #3
      Originally posted by joegr View Post
      Anything can be "hacked" if someone wants to badly enough and knows what they are doing. That said, I can't imagine anyone putting in the required effort with so little to gain. There are easier ways for someone to cause you a really bad day. I would not (and do not) worry about this at all.
      ^^^ This. I do information security and risk management for a living... part of the threat assessment process is admitting that all because something *could* happen doesn't necessarily mean it *will* happen.

      Comment


        #4
        Yes, my kids hack mine all the time. The ability to change the setting from bed makes it an easy target
        -Rupp
        sigpic

        Comment


          #5
          This is a really great reply - much thanks for taking the time to not just put the risk in perspective, but to also explain the hard limits (min/max) - the latter going a LONG way to my peace of mind.
          And, making the Honeywell recommendation as well.

          Truly MUCH appreciated.
          -steven

          Comment


            #6
            Originally posted by TC1 View Post

            ^^^ This. I do information security and risk management for a living... part of the threat assessment process is admitting that all because something *could* happen doesn't necessarily mean it *will* happen.
            Awesome context and perspective setting.
            Thanks for taking the time to reply - it's very helpful for me.
            -steve

            Comment


              #7
              If I was worried I'd probably create one or more events:

              IF thermostat changes to something screwy

              THEN

              Do something to mitigate or turn thermostat off
              Send an alert.

              I, too, would think the chances of actually being hacked are infinitesimally small.
              HomeSeer Version: HS3 Pro Edition 3.0.0.500
              Operating System: Microsoft Windows 10 Pro - Work Station

              Enabled Plug-Ins:
              2.1.0.119: AmbientWeather | 3.0.21.0: BLLock | 2.0.24.0: BLUPS | 1.3.6.0: Device History | 3.0.0.56: EasyTrigger | 3.1.0.7: MeiHarmonyHub | 3.0.6681.34300: UltraCID3 | 3.0.6644.26753: UltraLog3 | 3.0.6554.33094: UltraMon3 | 3.0.0.91: weatherXML | 3.0.1.245: Z-Wave | 3.0.51: HS Touch Designer | 3.0.0.40 Z-Seer+

              Comment


                #8
                Originally posted by Rupp View Post
                Yes, my kids hack mine all the time. The ability to change the setting from bed makes it an easy target
                LOL. Truth. And as others have pointed out, we can implement counter-measures.

                Then it becomes an arms-race of one-upmanship....

                Comment


                  #9
                  Originally posted by ewkearns View Post
                  If I was worried I'd probably create one or more events:

                  IF thermostat changes to something screwy

                  THEN

                  Do something to mitigate or turn thermostat off
                  Send an alert.

                  I, too, would think the chances of actually being hacked are infinitesimally small.

                  Reading this was a Homer-D'oh moment - of course!
                  Thanks for reminding me of this.
                  -steve

                  Comment


                    #10
                    Originally posted by ewkearns View Post
                    If I was worried I'd probably create one or more events:

                    IF thermostat changes to something screwy

                    THEN

                    Do something to mitigate or turn thermostat off
                    Send an alert.

                    I, too, would think the chances of actually being hacked are infinitesimally small.
                    Yes, I do have something like this too. It's not for hacking concern, but more for concern about failed Z-wave transmissions or kids making changes directly at the thermostat(s).

                    Comment


                      #11
                      Originally posted by joegr View Post

                      Yes, I do have something like this too. It's not for hacking concern, but more for concern about failed Z-wave transmissions or kids making changes directly at the thermostat(s).
                      And just remember, the better thermostats have the ability to lock-out the local front-panel so family can't make unwanted changes.

                      Comment


                        #12
                        Originally posted by TC1 View Post

                        And just remember, the better thermostats have the ability to lock-out the local front-panel so family can't make unwanted changes.
                        Yes, but it's a pretty quick internet search for the sequence to unlock it...

                        Comment


                          #13
                          The main type of hacking I worry about is "pre-hacking": devices with internet access that come with back doors that allow their manufacturers to seize control of them. I'm thinking here of Huawei and Hikvision, for example. Not so much for the damage they can do to me, but to the damage they could do to others with DDOS attacks, for example. There is no public evidence that these companies have such back doors, but the Chinese government requires Chinese companies to cooperate with them in such matters.

                          Comment


                            #14
                            I would expect that with a zwave thermostat you're biggest realistic security concern would be any wifi devices, online services, homeseer, and anyone with physical access to your network or property. There is a way to hack into your zwave network itself, but you have to be within zwave range. I also recall a way to hack a zwave lock, but the hack had to be performed while you were including the lock in your network and was an earlier generation of locks that had been updated at the time of the video. I also found an interesting video of someone using an audio transducer on your window to tell alexa or google to unlock your door.

                            https://www.youtube.com/watch?v=6JK-jrLd1yc

                            https://www.cnet.com/news/how-you-mi...for-intrusion/
                            HS4 Pro on Shuttle NC10U, Win10; Z-NET
                            Number of Devices: 449
                            Number of Events: 210

                            Plug-Ins: Arduino, BLLock, DirecTv, EasyTrigger, Honeywell WiFi Thermostat, MeiHarmonyHub, PHLocation2, Pushover 3P, UltraM1G3, WeatherXML, Worx Landroid, Z-Wave

                            External applications: Homebridge-homeseer, Geofency, EgiGeoZone.

                            Comment


                              #15
                              Originally posted by joegr View Post

                              Yes, but it's a pretty quick internet search for the sequence to unlock it...
                              EcoBee (what I use now, ditched the Z-wave thermostats) and Nests have PIN codes.

                              Comment

                              Working...
                              X