Unrated severity · NVD Advisory · Published Jan 7, 2022 · Updated Sep 16, 2024

CVE-2020-9058

Description

Z-Wave devices using Silicon Labs 500 series chipsets with CRC-16 encapsulation lack encryption and replay protection, allowing attackers within radio range to control, intercept, or deny service to devices.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-9058 affects Z-Wave devices built on Silicon Labs 500 series chipsets that employ CRC-16 encapsulation for packet integrity. Affected products include, but are not limited to, the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05 [2][3]. These devices do not implement encryption or replay protection at the protocol level, meaning frames are sent in plaintext and can be retransmitted by an adversary without detection [1][2][3].

Exploitation

An attacker must be within physical Z-Wave radio range of the target network (typically up to 30 meters indoors, with some range extension via mesh nodes). No authentication or prior access is required: the lack of encryption allows an attacker to passively observe all Z-Wave traffic and to craft arbitrary packets [1][2][3]. By simply transmitting a replayed or malicious frame, the attacker can control a device, impersonate a controller, or send malformed messages that cause the device to malfunction [2][3][4]. No user interaction or race condition is needed for the basic replay and control attacks.

Impact

A successful remote attacker gains the ability to intercept and replay Z-Wave traffic, control vulnerable devices (e.g., locks, lights, sensors), or cause a denial of service (DoS) of individual devices or the network controller [1][2][3]. A DoS on the controller can disable intrusion and event notifications, potentially allowing physical intrusion without triggering alarms [1]. Some attacks may also lead to uncontrolled resource consumption, such as battery exhaustion on battery-powered devices [2][3]. The compromise is confined to the Z-Wave radio domain, but within that scope the attacker achieves complete control over unencrypted device functions.

Mitigation

As of the publication date (2022-01-07), no software patch can fully remediate the protocol-level absence of encryption and replay protection in the 500 series chipsets. The CERT/CC note states that mitigations vary per device and in some cases require hardware upgrades, e.g., moving to 500 or 700 series chipsets that support S2 authentication and encryption [2][3]. Affected users should ensure their devices support S2 encryption and replace older devices with models that implement proper cryptographic protections [2][3]. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
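The difference between the CRC-16 check described above and an authenticated, replay-protected transport can be shown with a short sketch. This is an added example, not code from the advisory or from any vendor. The `0x56 0x01` header bytes and CRC parameters are assumptions, the payload and key are constructed, and the counter-plus-HMAC scheme is a simplified stand-in for authenticated framing, not the S2 protocol itself.

```python
import hashlib
import hmac
import struct

def crc16(data: bytes, crc: int = 0x1D0F) -> int:
    """Keyless CRC-16, poly 0x1021; init value is an assumption of this sketch."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def crc_encap(cmd: bytes) -> bytes:
    body = b"\x56\x01" + cmd  # assumed CRC-16 encapsulation header bytes
    return body + struct.pack(">H", crc16(body))

def crc_accepts(frame: bytes) -> bool:
    """Receiver check: catches transmission errors only; no key, no freshness."""
    return len(frame) >= 4 and crc16(frame[:-2]) == struct.unpack(">H", frame[-2:])[0]

def auth_encap(key: bytes, counter: int, cmd: bytes) -> bytes:
    """Stand-in for an authenticated transport (NOT S2): counter + HMAC tag."""
    head = struct.pack(">I", counter) + cmd
    return head + hmac.new(key, head, hashlib.sha256).digest()[:8]

class AuthReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accepts(self, frame: bytes) -> bool:
        if len(frame) < 12:
            return False
        head, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, head, hashlib.sha256).digest()[:8]
        counter = struct.unpack(">I", head[:4])[0]
        if not hmac.compare_digest(tag, expected) or counter <= self.last_counter:
            return False  # forged tag or stale (replayed) counter
        self.last_counter = counter
        return True

if __name__ == "__main__":
    cmd = bytes.fromhex("200100")  # constructed sample payload
    frame = crc_encap(cmd)
    print("CRC receiver, first/second delivery:", crc_accepts(frame), crc_accepts(frame))
    rx = AuthReceiver(b"k" * 16)   # constructed demo key
    sealed = auth_encap(b"k" * 16, 1, cmd)
    print("Auth receiver, first/second delivery:", rx.accepts(sealed), rx.accepts(sealed))
```

The CRC receiver accepts the same frame on every delivery because the checksum carries no secret and no freshness state, while the authenticated receiver rejects the second delivery and any tag computed under a different key.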

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
