this post was submitted on 06 Oct 2025
18 points (100.0% liked)
homeassistant
16534 readers
57 users here now
Home Assistant is open source home automation that puts local control and privacy first.
Powered by a worldwide community of tinkerers and DIY enthusiasts.
Home Assistant can be self-installed on ProxMox, Raspberry Pi, or even purchased pre-installed: Home Assistant: Installation
Discussion of Home-Assistant adjacent topics is absolutely fine, within reason.
If you're not sure, DM @GreatAlbatross@feddit.uk
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I've had 3 Yale deadbolts with Z-wave since 2016 or so and I love them. They use 4 AAs and I don't mind putting in rechargeables a couple times a year. They have an external way to charge them with a 9v battery in an emergency. No physical key so they can't be picked that way. At times in the past I've had problems with Z-wave delays or then losing connection to the controller, but over the last year of using Z-waveJS UI in an LXC they've been solid. Codes can be set up in HA/Z-waveJS UI or on the keypad itself.
I sorta wish the way locks had developed had been the other way around were the standard was the lock in the wall and the hole in the door. Then we would wire them up at this point.
That's a fantastic idea. You'd probably need the controls to be on the door, but I'm sure that could be done with some pogo pins or wireless charging to the wired unit in the wall.
I was thinking like long ago that the key in the wall and a simple static push/pull type handle on the door.
This lock requires a Yale account to register/setup the lock though, correct? In other words, while you can use the lock locally, it first needs to be associated with a Yale account.
Additionally, if I remember correctly, its Z-Wave module is a 500 series using the Security 0 (S0) standard instead of the more modern 800 series and/or Security 2 (S2) sandard. The 800 series (introduced in 2021) should provide much better reliability and range while the S2 standard (introduced in 2017) should make your connection more secure and less chatty. However, the 800 series does not operate as a mesh network and is still working through the final legislative approvals in Europe.
Unfortunately, I don't think there is a one-size-fits-all, perfect solution. I believe the only Z-Wave lock that addresses the two items in my comment is the Philips 4000 Series deadbolt. One issue with that lock is I believe you have less control over the combinations without the Philips app (eg: cannot specify date/time ranges when a code will work, can only add codes while physically at the device, etc.).
My Yale locks don't directly touch the Internet, they're Z-wave only, so there isn't even an option to setup an account. It's just the lock, my Zooz ZST39 controller that is bound to Z-waveJS UI in an LXC, that is then tied into home assistant.
Z-wave 800 is a mesh network. Z-wave LR is not a mesh network.
Ah, you're right about 800 mesh and LR.
I've seen multiple reports online about the lock requiring an account though and Yale's documentation stating that it only supports 500 series. Below are just a few examples of reports indicating that a Yale account is required for setup. Is yours the same model?
Your first link is talking about "FAQ: Yale Assure Lock 2 with Wi-Fi", I'm talking about Z-wave locks, not Wi-Fi.
On your second link, look for the comments from thelordzer0 "I have like 7 ZW3 modules and none of them required any accounts."
I told you that I don't have an account setup. I never have needed it with my locks/modules. My modules are ZW2s. I'm not interested in debating other locks/modules with you.
Maybe I'm not picking up on the different models correctly, but the first link I sent was about Z-Wave.
I know some people, like yourself and the commenter thelordzer0, have had success using the lock without a Yale account or app. I'm not sure why you've been able to but others are reporting differently. I was just commenting to help OP out in case they're one of the other people who were forced to create an account and/or use the Yale app to initialize their lock.
Your first link:
"supports 500 series](https://support.shopyalehome.com/yale-assure-lock-2-with-wi-fi-faq-B1q1o8M5q)"
It has wi-fi in the URL.
The title at the top of that page is:
"FAQ: Yale Assure Lock 2 with Wi-Fi"
And we know that it comes with a WiFi module because of this question from your same link:
"Do I need a Yale Connect Wi-Fi Bridge?
Because it has a Wi-Fi Smart Module, the Assure Lock 2 does not require a Wi-Fi bridge."
Notice how they put in the "ZW2" module part number in that last question? To get one of their locks to work with Z-wave you have to take out the WiFi module and put in a Z-wave module.
These locks were exploited many years ago, and I don't believe they are considered to be safe.
Mind sharing an article/video on that?
https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/
I really hope the current production isn't vulnerable to an 8 year old exploit.
Sure: https://www.securityweek.com/100-million-iot-devices-possibly-exposed-z-wave-attack/
Also a 2 year old CVE yet to be addressed: https://cvefeed.io/vuln/detail/CVE-2023-26943
Thanks for that, that's good to know. But TBH, I feel much more secure with deadbolts that don't use keys. Here's a video that helped me make up my mind when I got these.
As far as I can tell, CVE-2023-26943 doesn't have anything to do with Z-wave, it looks to be related to RFID.
You mentioned Yale Smart Locks, and that CVE is specific to Yale Smart Locks. Has nothing to do with Z-Wave, but if your lock has a contact reader, it's susceptible.
Just Z-wave here. Thanks though.
You're missing the point here...🤦
Am I?
The one attack vector you provided that actually applies here is something that would require technical experience above what your average thief would reasonably have. But with a keyed deadbolt, a lot of those can be raked, picked, or opened with a Lishi tool.
So yeah, you're right that there's a vulnerability when locks are paired. But that would require someone to either be within range when that happens or to place a battery powered device and pick up that information the next time pairing happens. Pairing doesn't happen very often. I think the last time I paired any of my locks was over a year ago.
But with keyed locks, an attacker wouldn't have to wait for me to do anything, they could just walk up and pick the lock with tools that are easier to get and understand/use.
Going with your reasoning, the two videos I've shared about picking deadbolts would mean that keyed locks aren't secure either.
Two words then: Flipper Zero
You're behind the times on this one. This is a common tool used to defeat all kinds of locks. The Z-Wave exploits have been around for a LOOOONG time now. There's also BT and RFID exploits as well, hence the CVE is posted above.
Mind sharing a link to something showing that the Flipper Zero can actually do anything with Z-wave? Cause all I found are pages that talk about how hard it would be to implement zigbee, let alone*Z-wave:
https://forum.flipper.net/t/zigbee-z-wave-capacity/771
https://old.reddit.com/r/flipperzero/comments/zx05x4/why_cant_we_have_zigbee_support/
I found those two when searching for flipper zero "z-wave" and look what I found right after them, a video dismissing your whole argument about Z-wave devices/locks not being secure:
https://youtu.be/6JK-jrLd1yc
And why are you bringing up the CVE again? I already said that my locks don't use RFID and they also don't use Bluetooth. You're verging into Straw Man fallacy territory.. I knew there was a reason I had you tagged as a "very upset person".
Lol, classic deflection of someone who insecure in their knowledge about a subject and trying to change the subject. Personal attacks. Weak sauce, guy. Have a time with yourself.
You've shared nothing to make me think anything other than this accusation being projection.
I'll second Yale ZWave door systems. Þey're great, no WiFi needed.