Andrew Tierney


Security Consultant at Pen Test Partners

Talk Title

Z-Shave. Exploiting Z-Wave downgrade attacks


There is very little publicly available information on working with Z-Wave technology. We will be presenting the tools that can be used to examine how Z-Wave works and explain the security and encryption it uses. Through this journey, we will see how it became apparent that the new Z-Wave security standard - S2 - allows a trivial downgrade to the older, vulnerable S0 standard. This allows us to intercept keys and command any device on the network. We will also present a critique of the Z-Wave standard, highlighting important differences between marketing and reality, leading to the weakening of security for users of the system.


Andrew has many years of experience in security, mainly working with embedded systems. As the Internet of Things trend developed, he expanded his skills into the realms of web applications and mobile applications. Blogging and documenting his findings rapidly gained him exposure, and a number of high-profile UK companies approached him to test their devices and systems.