S0-No-More: A Z-Wave NonceGet Denial of Service Attack utilizing included but offline NodeIDs

In this paper a vulnerability in the Z-Wave protocol specification, especially in the S0 Z-Wave protocol is presented. Devices supporting this standard can be blocked (denial of service) through continuous S0 NonceGet requests. This way a whole network can be blocked if the attacked devices are Z-Wave network controller. This also effects S2 network controller as long as they support S0 NonceGet requests. As only a minimal amount of nonce requests (1 per ~2 seconds) is required to conduct the attack it cannot be prevented by standard countermeasures against jamming.