In order to verify the security of the Z-Wave communication protocol, the possible attacks in the protocol are analyzed to reduce user privacy security vulnerabilities. For the communication process and key exchange process between the controller and the node, this paper uses CPN tools to model the Z-Wave S2 protocol, and introduces the Dolev-Yao attack model to verify the security behavior of the protocol. The results show that there is a man-in-the-middle attack when using S2 authentication for device inclusion. In response to this vulnerability, we propose a lightweight static authentication scheme based on HKDF function and XOR operation, which performs authentication between Z-Wave controller and slave device. Secondly, we formally verify the security objectives of the improved scheme, and prove that the optimization scheme can effectively prevent man-in-the-middle attacks in the S2 security mode.