We want to be very clear: installed, previously paired Z-Wave devices are secure and not vulnerable to a downgrade attack, because the downgrade can only occur while a device is being paired. This represents practically all 100 million Z-Wave devices in homes today.
This type of attack would require physical proximity to the device during the pairing (inclusion) process, which takes place at initial installation or reinstallation. Pairing must be initiated by the homeowner (or an installation professional), so the homeowner is present at the time of the attempted attack. The attack also could not be carried out without the homeowner being shown that the link is running S0 (the legacy Z-Wave security class) rather than S2, just as they would be for any other S0 device added to an S2 controller.
We take what Pen Test Partners has reported very seriously and are taking steps to tighten the certification requirements regarding the warnings presented to the user. We also believe any warning for a security step needs to be explicit. We are updating the specification to ensure that any user will not only be warned when an inclusion is downgraded to S0 but will also have to acknowledge and accept that warning before the inclusion can continue.
We believe it's important for all smart home devices to have the highest possible levels of security available, and our development team will continue to work with the security community to make improvements to the Z-Wave specification.