With the addition of S2 security support for the SmartThings hub, a message was added during enrollment: "Some security features are not supported. Your device has been connected, but isn't using the highest level of security. Use a newer Z-Wave device for the highest level of security".
For some users this message is alarming, giving the impression that their Z-Wave network is not secure. Since its inception, Z-Wave has evolved, adding new forms of communication with security enhancements, and this message is stating that the device does not support the highest level of security, referred to as S2. S2 security was first implemented to provide secure communication between a hub and a secure device such as a lock. The technology has been around for many years; however, S2 security can now provide secure transmissions beyond just locks: it can be applied to traditional control devices such as lights when S2 security is supported.
While S2 does offer security benefits, the vast majority of Z-Wave products that have been manufactured and are on the market today use Z-Wave's more traditional levels of security and do not support S2. Unless all devices in your network support S2, you will need to review the Z-Wave products you are using and weigh the importance of highly secure transmissions for traditional control devices such as a light switch. SiLabs, the provider of Z-Wave technology, has published a technical document explaining the options when mixing S2 and non-S2 compatible products in a Z-Wave network.
The technical paper is available here:
https://www.silabs.com/documents/public/presentations/PMP13827-2.pdf
The following was taken from the presentation and is helpful in determining the best strategy for your Z-Wave network:
Full upgrade
- All devices are upgraded to firmware supporting S2
- Requires re-inclusion of all devices
- Upgrade to S2 access control and S2 authenticated groups requires devices that support client-side-inclusion
- New devices are provided with S2-capable firmware
- System consists entirely of devices in the three S2 secure groups
Partial upgrade
- Controller/gateway is upgraded to support S2
- Critical devices, such as door locks, are upgraded to support S2
- Door locks are re-included using client-side-inclusion to be part of the S2-AccessControl security group (requires physical access to device)
- All other existing devices are left in the unauthenticated or S0 groups
- New devices are provided with S2-capable firmware and included in appropriate security groups
Gateway-only upgrade
- Only the gateway/controller is upgraded to support S2
- Existing devices are left in current security groups (S0 or unauthenticated)
- New devices are provided with S2-capable firmware and included in appropriate groups
- Can be done entirely remotely, and select devices can be upgraded when a service technician is on site at a later time
Only end device upgrade
- If only an end device is upgraded to support S2 and the gateway/controller remains on an older protocol version, it is not possible to utilize S2 security improvements
- S2 devices will need to fall back to S0 or unauthenticated for the device to be included
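To see which of the four strategies above a given network currently matches, and which devices still need re-inclusion, the short audit below can be run over a device inventory. It is an added example, not code from SmartThings or Silicon Labs; the inventory format, field names, group labels and sample devices are assumptions constructed for illustration.

```python
# Added example. Inventory format and field names are assumptions,
# not a SmartThings or Silicon Labs export format; sample data is constructed.
S2_GROUPS = {"S2_ACCESS_CONTROL", "S2_AUTHENTICATED", "S2_UNAUTHENTICATED"}
CRITICAL_ROLES = {"lock"}  # the page names door locks as critical devices


def audit(controller_s2, devices):
    """Classify a network against the four strategies and list follow-up actions."""
    findings = []
    if not controller_s2:
        # Only end device upgrade: S2 firmware is unusable without an S2 controller.
        for d in devices:
            if d["s2_firmware"]:
                findings.append(f"{d['name']}: S2-capable but limited to {d['granted']}; "
                                "upgrade the controller first")
        return "only-end-device", findings

    critical = [d for d in devices if d["role"] in CRITICAL_ROLES]
    for d in devices:
        if d["role"] in CRITICAL_ROLES and d["granted"] != "S2_ACCESS_CONTROL":
            step = "re-include" if d["s2_firmware"] else "upgrade firmware, then re-include"
            findings.append(f"{d['name']}: critical device in {d['granted']}; {step} "
                            "with client-side inclusion (needs physical access)")
        elif d["s2_firmware"] and d["granted"] not in S2_GROUPS:
            findings.append(f"{d['name']}: S2-capable but in {d['granted']}; "
                            "re-include to join an S2 group")

    if all(d["granted"] in S2_GROUPS for d in devices):
        return "full", findings
    if critical and all(d["granted"] == "S2_ACCESS_CONTROL" for d in critical):
        return "partial", findings
    return "gateway-only", findings


# Constructed sample inventory (not real devices).
SAMPLE = [
    {"name": "Front door lock", "role": "lock", "s2_firmware": True, "granted": "S2_ACCESS_CONTROL"},
    {"name": "Hall switch", "role": "switch", "s2_firmware": False, "granted": "NONE"},
    {"name": "Garage sensor", "role": "sensor", "s2_firmware": True, "granted": "S0"},
]

if __name__ == "__main__":
    strategy, findings = audit(True, SAMPLE)
    print(strategy)
    for line in findings:
        print(" -", line)
```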