Unrated severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

CVE-2022-24611

Description

Denial of Service vulnerability in Silicon Labs Z-Wave 500 series via S0 NonceGet attacks, allowing local attackers to block S0/S2 Z-Wave networks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the Z-Wave S0 NonceGet protocol specification as implemented in Silicon Labs Z-Wave 500 series (ZW5xx) devices, including the Amazon Ring Alarm Security Kit Gen. 1. An attacker can send crafted S0 NonceGet packets with spoofed NodeIDs that belong to devices which are included in the network but currently offline. This affects both S0 and S2 networks, provided S0 NonceGet requests are allowed by the gateway [1], [2].

Exploitation

A local attacker within radio range of the victim's Z-Wave network sends a continuous stream of S0 NonceGet requests (e.g., one per 2 seconds) using a spoofed NodeID of an absent device. The Z-Wave specification requires the gateway to wait for 3 to 20 seconds for a reply from the requested node, during which it cannot issue new nonces to other devices. The attack requires no authentication and minimal bandwidth, making it efficient and easy to sustain [2].

Impact

Successful exploitation results in a complete denial of service against the target Z-Wave network, rendering it unusable for the duration of the attack. Normal operations resume immediately after the attack ceases, with no persistent traces or damage. The attack can be maintained indefinitely with very few packets, effectively blocking all S0/S2 protected communication [2].

Mitigation

As of the publication date, no official fix or patch has been released by Silicon Labs or the Z-Wave Alliance. Workarounds include ensuring all devices are properly excluded from the network when removed, and potentially disabling S0 NonceGet support on devices that support S2 only. However, no definitive mitigation is provided in the available references [1], [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
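
Detection logic for the traffic pattern described under Exploitation, as an added example that is not from the advisory or its references: it flags S0 NonceGet frames whose claimed source is a NodeID the controller lists as offline and that repeat within the 20-second upper bound of the gateway's wait. The frame tuple layout, the `offline_nodes` set, the threshold of 5 and the sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Z-Wave Security 0 (S0) identifiers from the public command class specification.
COMMAND_CLASS_SECURITY = 0x98
SECURITY_NONCE_GET = 0x40


def find_nonce_get_floods(frames, offline_nodes, window_s=20.0, threshold=5):
    """Return {node_id: first_alert_time} for offline NodeIDs that are the
    claimed source of >= threshold S0 NonceGet frames within window_s seconds.

    frames: time-ordered (timestamp_s, claimed_src_node_id, payload_bytes).
    offline_nodes: NodeIDs included in the network but currently unreachable
    (how the controller exposes this set is an assumption of this example).
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, payload in frames:
        if len(payload) < 2:
            continue
        if payload[0] != COMMAND_CLASS_SECURITY or payload[1] != SECURITY_NONCE_GET:
            continue
        if src not in offline_nodes:
            continue  # a reachable node requesting a nonce is normal S0 traffic
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()  # forget requests older than the gateway's longest wait
        if len(window) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_frames():
    """Constructed capture, not real traffic."""
    nonce_get = bytes([COMMAND_CLASS_SECURITY, SECURITY_NONCE_GET])
    frames = [(float(t), 7, nonce_get) for t in range(0, 30, 2)]  # offline node 7, one per 2 s
    frames.append((1.0, 3, nonce_get))                  # online node 3, ordinary request
    frames.append((5.0, 9, nonce_get))                  # offline node 9, single request
    frames.append((3.0, 7, bytes([0x20, 0x01, 0xFF])))  # not an S0 frame, ignored
    return sorted(frames)


if __name__ == "__main__":
    for node, ts in find_nonce_get_floods(sample_frames(), {7, 9}).items():
        print(f"NodeID {node}: repeated S0 NonceGet from offline node, alert at t={ts}s")
```

A single NonceGet from an offline NodeID does not alert, since a device that has just come back into range can legitimately send one.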

Affected products: 2

Patches: 0. No patches discovered yet.

References

1
