Z-Way is the communication protocol which abstracts Z-Wave specifics into an easy-to-use REST API. The API uses Angular to expose an API, which appeared to be consumed by both their Android app and the Android app. The Angular API requires absolutely no authentication. This makes a cross-origin attack on the API fairly straightforward. While a user's LAN is supposed to be somewhat safe, this doesn't mean remote attacks are impossible. The below proof-of-concept shows how simple it would be for an attacker to embed malicious JavaScript in his page in order to crawl through subnet hosts. Since these requests are asynchronous, the victim would have no indication that they were being performed.
Source: https://randywestergren.com/attacking-z-way-controlled-home-automation-devices/
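The two gaps the quoted post describes, an API with no authentication and no defence against requests issued from a page on another site, are what a request gate in front of a LAN device's HTTP handlers is meant to close. The following is an added example written for this page; it is not code from Z-Way, from the post's author, or from any shipping controller. The device address, the bearer-token scheme and the `gate` function are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed values for this example (not a real device's configuration):
# the address the device expects to be reached at, and the SHA-256 digest of
# a bearer token issued to legitimate clients. Storing the digest rather than
# the token means a copied config file does not hand out the token itself.
DEVICE_HOST = "192.168.1.20:8083"
DEVICE_ORIGIN = "http://" + DEVICE_HOST
TOKEN_SHA256 = hashlib.sha256(b"example-token-not-a-real-secret").hexdigest()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int
    reason: str


def _token_ok(auth_header: Optional[str]) -> bool:
    """True only for 'Authorization: Bearer <token>' carrying the expected token."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):].strip()
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    # Constant-time comparison so response timing does not leak the digest.
    return hmac.compare_digest(digest, TOKEN_SHA256)


def gate(method: str, headers: Mapping[str, str]) -> Decision:
    """Decide whether an incoming API request may reach the device's handlers."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must be the device's own address. A request arriving with some
    #    other Host was addressed to a name that merely resolved to this
    #    device (the DNS-rebinding pattern), so it is refused outright.
    if h.get("host") != DEVICE_HOST:
        return Decision(False, 421, "host header does not match device")

    # 2. Browsers attach Origin to every fetch/XHR a page makes, so an Origin
    #    other than the device's own means the request was issued by a page
    #    on another site. Refuse it, and refuse CORS preflights as well:
    #    answering OPTIONS without Access-Control-Allow-* headers makes the
    #    browser abort the real request before it is ever sent.
    origin = h.get("origin")
    if origin is not None and origin != DEVICE_ORIGIN:
        return Decision(False, 403, "cross-origin request rejected")
    if method.upper() == "OPTIONS":
        return Decision(False, 403, "preflight not permitted")

    # 3. No anonymous access at all. This also covers requests that carry no
    #    Origin header (a plain GET via <img> or <script> from a foreign page):
    #    that page cannot attach an Authorization header, so it fails here.
    if not _token_ok(h.get("authorization")):
        return Decision(False, 401, "missing or invalid bearer token")

    return Decision(True, 200, "ok")


if __name__ == "__main__":
    good = {"Host": DEVICE_HOST,
            "Authorization": "Bearer example-token-not-a-real-secret"}
    print(gate("GET", good))
    print(gate("GET", {**good, "Origin": "http://attacker.example"}))
    print(gate("GET", {"Host": DEVICE_HOST}))
```

The order of the checks matters: the Host and Origin checks reject the cross-origin traffic the post describes before any credential is examined, and the token check is what remains for requests a foreign page can send without an Origin header. A device that only added CORS headers, or only added a login form for the UI while leaving the JSON endpoints open, would still fail one of the three cases the `__main__` block exercises.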

