“Easily hackable” doesn’t go far enough IMHO. If you turn security off, I’d be hard-pressed to argue that letting anyone do whatever they want with your network isn’t intended behavior. That’s not specific to Z-Wave either— anything that lacks security is basically screaming “hey, come play with me!”
Here’s a rough summary of what the different security levels provide:
- None (All Unchecked): Completely open. Anyone in range can read every message sent between these devices on your network, send messages to these devices on your network, and send messages to other devices on your network pretending to be these devices. I would recommend against allowing these devices to trigger any sort of automation and avoid if at all possible. No Trust
- S0: Encrypted communication; Once a device joins the network, its messages are protected from someone just casually walking in range, but it can still be passively compromised during pairing without you knowing. If compromised, same as No security. Low Trust
- S2 Unauthenticated: Encrypted communication + pairing; Like S0, but using the newer / more efficient protocol. Cannot be passively compromised, but could be actively compromised during pairing with a MITM attack without you knowing*. Low Trust
- S2 Authenticated: Like S2 Unauthenticated, but device and hub verify that they were not compromised during pairing. Medium Trust
- S2 Access Control: Functionally the same as S2 Authenticated, but expected to only be used by other highly secure devices, such as door locks and garage doors. High Trust
* Some hubs, like Hubitat, allow you to manually verify that S2 Unauthenticated devices were not compromised during pairing, but that does not stop the keys from being compromised— just lets you know if it happened.
A device can be in multiple groups, and each encrypted security group (S0/S2 Unauthenticated/S2 Authenticated/S2 Access Control) functions as it’s own mini sub-network. Devices can only see/communicate with other devices that share a common security group with each other. If a group is compromised, all devices in that group are considered compromised.
Ideally you want your access control devices (door locks, garage doors, etc.) in only S2 Access Control, and everything else in only S2 Authenticated.
If you can’t physically secure a device (i.e., an exterior light switch or bulb), you’d want to use S2 Unauthenticated, and then move only the devices that need to communicate with that device directly (i.e., associations) to S2 Unauthenticated + S2 Authenticated groups.
If you have a legacy device that only supports S0, then similarly you’d need to move any other devices that have to communicate directly with it to S0 + S2 Authenticated groups.
S0 and S2 Unauthenticated are “Low Trust” because while the window for encryption keys to be stolen is small, it’s hard to prove that nobody in range of your network is running a device that’s just constantly waiting for a Z-Wave pairing and stealing the keys. Maybe if you’re in a cabin in the woods, but for most people it will not be realistic to secure the entire area from which someone might be able to sniff or transmit a Z-Wave signal.
S2 Authenticated is “Medium Trust” because pairing will fail if someone tries to steal the keys, but most devices will use this and if there are non-zwave security vulnerabilities in any one of those devices, it could allow the entire security group to be compromised.
S2 Access Control is “High Trust” because not only will pairing fail if someone tries to steal the keys, but there should be very few devices in this security group and those devices should undergo more rigorous security design and testing than normal devices (smaller surface area for non-zwave attacks).