Will S2 Save Z-Wave?

Z-Wave has just announced an optional improvement that patches its most severe security hole: the initial key exchange and initial device authentication. This move clearly shows that Z-Wave wants to fight for survival, and chances are it will survive in residential implementations for some time, mainly due to its variety of products and backward compatibility, which, by the way, makes the new security improvement weaker than it sounds. Yes, my new Z-Wave S2-enabled door lock may now be securely included in the network, but the moment I bring in an older Z-Wave device, it may leak the network key during the inclusion process.

This is the problem with security: making one door more secure does not increase the security of a house, as long as there are other doors and windows. And securing all of them is not possible, because, in Z-Wave's case, the products are not in-field upgradable.

In-field software upgrade is the most wanted, the most praised and the least practiced IoT feature, because it is difficult. Very difficult. It requires doubling the size of the flash memory, which is expensive and often not even possible. It requires a protocol to carry the upgrade, which, considering the size of an upgrade image versus the throughput of a low-power network, requires a special coordinator of the upgrade process. It requires a special security layer that many frameworks and libraries either lack or implement incorrectly.
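The three requirements above (a second flash slot, a chunked transfer, and an authenticity check before the switch) can be seen together in a small model. This is an added example, not code from Z-Wave or any vendor: the header layout, the `Device` class and the `push` helper are hypothetical, and HMAC-SHA256 with a shared key stands in for the asymmetric signature a real product would normally use.

```python
import hashlib
import hmac
import struct

# Assumed image layout: 4-byte version, 4-byte payload length, 32-byte tag, payload.
HEADER = struct.Struct(">II32s")
CHUNK = 32  # small frames, as on a low-throughput mesh link

def build_image(key, version, payload):
    """Vendor side: authenticate version, length and payload together."""
    meta = struct.pack(">II", version, len(payload))
    tag = hmac.new(key, meta + payload, hashlib.sha256).digest()
    return HEADER.pack(version, len(payload), tag) + payload

class Device:
    """Two flash slots: the running image stays intact while the other is written."""
    def __init__(self, key, running_version):
        self.key = key
        self.slots = {"A": (running_version, b"factory"), "B": None}
        self.active = "A"
        self.staging = bytearray()  # models the inactive slot while it is written

    @property
    def version(self):
        return self.slots[self.active][0]

    def receive_chunk(self, chunk):
        self.staging += chunk

    def commit(self):
        """Verify the staged image; switch slots only if it is authentic and newer."""
        data, self.staging = bytes(self.staging), bytearray()
        if len(data) < HEADER.size:
            return "rejected: truncated"
        version, length, tag = HEADER.unpack_from(data)
        payload = data[HEADER.size:]
        if len(payload) != length:
            return "rejected: length mismatch"
        expected = hmac.new(self.key, data[:8] + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        if version <= self.version:  # anti-rollback: never install an older image
            return "rejected: rollback"
        spare = "B" if self.active == "A" else "A"
        self.slots[spare] = (version, payload)
        self.active = spare
        return "accepted"

def push(device, image):
    """Coordinator side: deliver the image in small chunks, then ask for a commit."""
    for i in range(0, len(image), CHUNK):
        device.receive_chunk(image[i:i + CHUNK])
    return device.commit()
```

A rejected image never touches the active slot, so a failed or tampered transfer leaves the device running its current firmware.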

Security in IoT is challenging. And, as Z-Wave's case shows, it requires products to be future-proof by offering an in-field software upgrade option. Otherwise they may be forced to retire sooner than expected.
