Dailysale.com[dailysale.com] has Yale Push Button Deadbolt Lock with Z-Wave on sale for $79.99 - $7 w/ code SD29604 = $72. Free Shipping.
Features:
Easy to Use, Install, & Program
Programmable up to 25 users
Weather resistant durable buttons
Illuminated keypad, easy to use at night or in low light
ZWave Capability
Model: YRD110-ZW-US
UPC: 81023843850
Community Notes
This collaborative space allows users to contribute additional information, tips, and insights to enhance the original deal post. Feel free to share your knowledge and help fellow shoppers make informed decisions.
It's legit. A lot of these "sale websites" are the same company just different names. Daily "Insert Word". Some are drop shippers and some are shipping from a centralized warehouse.
I'm trying to figure out if it ships with the old ZW module that is S0 encryption or the newer one that supports S2 pairing. Anyone able to figure that out?
Our community has rated this post as helpful. If you agree, why not thank flipontheradio
Quote
from bullfrog23414
:
I'm trying to figure out if it ships with the old ZW module that is S0 encryption or the newer one that supports S2 pairing. Anyone able to figure that out?
S0 only. The only module that supports S2 is the 700 series module and it will not work in these locks. Yale doesn't even sell that module directly to consumers you have to buy it on eBay. These only support the legacy 300 series, non zwave plus, module.
Last edited by flipontheradio July 15, 2024 at 09:38 AM.
It does not offer zwave plus and only has S0 security that has known vulnerabilities.
This is a terrible price for the YRD110 model.
As far as I am aware, the only vulnerability in S0 that is fixed with S2 security is during the pairing process. There's a vulnerability if an attacker is there when you are initially pairing the device. But once it has been paired, the security is just as strong with S0 as it is with S2.
A noticeable vulnerability, but not likely one you have to worry about. Someone would have to be actively targeting you while you are in the brief window of installing and pairing.
18
2
Like
Helpful
Funny
Not helpful
Sign up for a Slickdeals account to remove this ad.
Our community has rated this post as helpful. If you agree, why not thank flipontheradio
Quote
from dymutaos
:
As far as I am aware, the only vulnerability in S0 that is fixed with S2 security is during the pairing process. There's a vulnerability if an attacker is there when you are initially pairing the device. But once it has been paired, the security is just as strong with S0 as it is with S2.
A noticeable vulnerability, but not likely one you have to worry about. Someone would have to be actively targeting you while you are in the brief window of installing and pairing.
Maybe you'll get lucky that it will come DOA and support will send you out a replacement but the new model.....this happened to me with a similar deal from Woot.
If it does, they will want you to buy the zwave module ($90) yourself so make sure to ask them to make an exception and include it.
It does not offer zwave plus and only has S0 security that has known vulnerabilities.
This is a terrible price for the YRD110 model.
I don't believe this lock is a 300 series. That was prior to any encryption methods, including s0. I have this specific lock, and it has s0 security. S2 security came out during the 500 series era, I think, but it was optional.
I could be wrong, and it is a 300 series device. But even still, it does have S0 security.
Edit - I was incorrect, and this is a 300 series device. But it does have encryption with S0 security.
Last edited by dymutaos July 15, 2024 at 02:42 PM.
That mentions 100-300 unencrypted devices, which doesn't apply to this device. It is specifically pointing out unencrypted communications.
S0 security is encrypted, as is S2. As mentioned in the full paper you linked (if you do a text search on s0), s0 security has the vulnerability I mentioned of possibly capturing the shared key during inclusion, but the rest of the attacks mentioned are in relation to fully unencrypted devices that lack even s0 security.
Last edited by dymutaos July 15, 2024 at 02:37 PM.
That mentions the 100-300 series products, which I don't believe applies to this lock. And it is specifically pointing out unencrypted communications. S0 security is also encrypted, as is S2. As mentioned in the full paper you linked (if you do a text search on s0), s0 security has the vulnerability I mentioned of possibly capturing the shared key during inclusion, but the rest of the attacks mentioned are in relation to fully unencrypted devices that lack even s0 security.
Capturing the key during inclusion was known as the z"shave" vulnerability and involves dropping S2 down to S0 during inclusion which this module is not capable of.
The 500 series module that yale sells ALSO does not support S2 security, source: I bought it and you can read the reviews.
Did I miss any of your points?
Ah yes, and per the CVE bulletin, 300 series DO NOT SUPPORT ENCYPTION CVE-2020-9057 https://www.kb.cert.org/vuls/id/1...exhaustion.
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
Last edited by flipontheradio July 15, 2024 at 02:37 PM.
Capturing the key during inclusion was known as the z"shave" vulnerability and involves dropping S2 down to S0 during inclusion which this module is not capable of.
The 500 series module that yale sells ALSO does not support S2 security, source: I bought it and you can read the reviews.
Did I miss any of your points?
Ah yes, and per the CVE bulletin, 300 series DO NOT SUPPORT ENCYPTION CVE-2020-9057 https://www.kb.cert.org/vuls/id/1...exhaustion[cert.org].
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
You're right, it is a 300 series device, not a 500 like I thought. I was remembering incorrectly, and more research showed you were correct.
However, you are incorrect in stating it does not support encryption. This device has S0 security. My point on S0 security being encrypted is still accurate. Downgrading S2 to S0 during inclusion is a possibility for some newer devices that support S2, so they can be more compatible (if your zwave controller isn't new enough to support S2). But while that opens you back up to the vulnerability of having your shared key getting captured by an attacker during the window of inclusion, it is not the same as a zwave device with no encryption at all.
Last edited by dymutaos July 15, 2024 at 02:45 PM.
2
1
Like
Helpful
Funny
Not helpful
Sign up for a Slickdeals account to remove this ad.
You're right, it is a 300 series device, not a 500 like I thought. I was remembering incorrectly, and more research showed you were correct.
However, you are incorrect in stating it does not support encryption. My point on S0 security being encrypted is still accurate. Downgrading S2 to S0 during inclusion is a possibility for some devices that support S2, so they can be more compatible (if your zwave controller isn't new enough to support S2). But while that opens you back up to the vulnerability of having your shared key getting captured by an attacker during the window of inclusion, it is not the same as a zwave device with no encryption at all.
You keep mistaking the word "security" that is associated with S0 as meaning "encryption", it does not. Again, per the CVE bulletin I posted above
CVE-2020-9057
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
If you want to add a hot piece of legacy garbage to your zwave network then please do. Slickdeals will HAPPILY take their comission. I had 2 of the key lock version of this. It EATS batteries and brought my network to a standstill with repeated timeouts and retrys. That was with smartthings, hubitat, and home assistant (On Nortek 500, Zooz 700, and 800 usb sticks).
Like
Helpful
Funny
Not helpful
Join The Conversation
Share information with the community. Please follow our Community Guidelines and be kind!
Join The Conversation
Share information with the community. Please follow our Community Guidelines and be kind!
49 Comments
Sign up for a Slickdeals account to remove this ad.
Our community has rated this post as helpful. If you agree, why not thank flipontheradio
It does not offer zwave plus and only has S0 security that has known vulnerabilities.
This is a terrible price for the YRD110 model.
Our community has rated this post as helpful. If you agree, why not thank flipontheradio
It does not offer zwave plus and only has S0 security that has known vulnerabilities.
This is a terrible price for the YRD110 model.
A noticeable vulnerability, but not likely one you have to worry about. Someone would have to be actively targeting you while you are in the brief window of installing and pairing.
Sign up for a Slickdeals account to remove this ad.
Our community has rated this post as helpful. If you agree, why not thank flipontheradio
A noticeable vulnerability, but not likely one you have to worry about. Someone would have to be actively targeting you while you are in the brief window of installing and pairing.
It will eat batteries.
If it does, they will want you to buy the zwave module ($90) yourself so make sure to ask them to make an exception and include it.
It does not offer zwave plus and only has S0 security that has known vulnerabilities.
This is a terrible price for the YRD110 model.
I could be wrong, and it is a 300 series device. But even still, it does have S0 security.
Edit - I was incorrect, and this is a 300 series device. But it does have encryption with S0 security.
S0 security is encrypted, as is S2. As mentioned in the full paper you linked (if you do a text search on s0), s0 security has the vulnerability I mentioned of possibly capturing the shared key during inclusion, but the rest of the attacks mentioned are in relation to fully unencrypted devices that lack even s0 security.
Also the zwave alliance lists this as NOT being zwave plus https://products.z-wavealliance.o.
Capturing the key during inclusion was known as the z"shave" vulnerability and involves dropping S2 down to S0 during inclusion which this module is not capable of.
The 500 series module that yale sells ALSO does not support S2 security, source: I bought it and you can read the reviews.
Did I miss any of your points?
Ah yes, and per the CVE bulletin, 300 series DO NOT SUPPORT ENCYPTION CVE-2020-9057 https://www.kb.cert.org/vuls/id/1...exhaustion.
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
Also the zwave alliance lists this as NOT being zwave plus https://products.z-wavealliance.o...ucts/1039/ [z-wavealliance.org] and ALL 500 series chips MUST be "plus" certified. https://www.silabs.com/wireless/z...es-modules [silabs.com]
Capturing the key during inclusion was known as the z"shave" vulnerability and involves dropping S2 down to S0 during inclusion which this module is not capable of.
The 500 series module that yale sells ALSO does not support S2 security, source: I bought it and you can read the reviews.
Did I miss any of your points?
Ah yes, and per the CVE bulletin, 300 series DO NOT SUPPORT ENCYPTION CVE-2020-9057 https://www.kb.cert.org/vuls/id/1...exhaustion [cert.org].
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
However, you are incorrect in stating it does not support encryption. This device has S0 security. My point on S0 security being encrypted is still accurate. Downgrading S2 to S0 during inclusion is a possibility for some newer devices that support S2, so they can be more compatible (if your zwave controller isn't new enough to support S2). But while that opens you back up to the vulnerability of having your shared key getting captured by an attacker during the window of inclusion, it is not the same as a zwave device with no encryption at all.
Sign up for a Slickdeals account to remove this ad.
However, you are incorrect in stating it does not support encryption. My point on S0 security being encrypted is still accurate. Downgrading S2 to S0 during inclusion is a possibility for some devices that support S2, so they can be more compatible (if your zwave controller isn't new enough to support S2). But while that opens you back up to the vulnerability of having your shared key getting captured by an attacker during the window of inclusion, it is not the same as a zwave device with no encryption at all.
CVE-2020-9057
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
If you want to add a hot piece of legacy garbage to your zwave network then please do. Slickdeals will HAPPILY take their comission. I had 2 of the key lock version of this. It EATS batteries and brought my network to a standstill with repeated timeouts and retrys. That was with smartthings, hubitat, and home assistant (On Nortek 500, Zooz 700, and 800 usb sticks).
Join The Conversation
Share information with the community. Please follow our Community Guidelines and be kind!