Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Homes

Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, Heejo Lee

Research output: Contribution to journalArticlepeer-review

4 Citations (Scopus)


Z-Wave smart home Internet of Things devices are used to save energy, increase comfort, and remotely monitor home activities. In the past, security researchers found Z-Wave device vulnerabilities through reverse engineering, manual audits, and penetration testing. However, they did not fully use fuzzing, which is an automated cost-effective testing technique. Thus, in this paper, we present VFUZZ, a protocol-aware blackbox fuzzing framework for quickly assessing vulnerabilities in Z-Wave devices. VFUZZ assesses the target device capabilities and encryption support to guide seed selection and tests the target for new vulnerability discovery. It uses our field prioritization algorithm (FIPA), which mutates specific Z-Wave frame fields to ensure the validity of the generated test cases. We assessed VFUZZ on a real Z-Wave network consisting of 19 Z-Wave devices ranging from legacy to recent ones, as well as different device types. Our VFUZZ evaluation found 10 distinct security vulnerabilities and seven crashes among the tested devices and yielded six unique common vulnerabilities and exposures (CVE) identifiers related to the Z-Wave chipset.

Original languageEnglish
Pages (from-to)1775-1789
Number of pages15
JournalIEEE Access
Publication statusPublished - 2022

Bibliographical note

Publisher Copyright:
© 2013 IEEE.


  • Internet of Things
  • Smart home security
  • Z-Wave
  • fuzzing
  • vulnerabilities discovery

ASJC Scopus subject areas

  • Computer Science(all)
  • Materials Science(all)
  • Engineering(all)


Dive into the research topics of 'Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Homes'. Together they form a unique fingerprint.

Cite this