Gadgets do not only bring fun and comfort; a gadget can also help in an emergency. Grohe, a German manufacturer known for high-quality bathroom fittings and accessories, announced a new device category at ISH 2017 in Frankfurt: IoT water sensors. Grohe SENSE is meant to detect leaks and dripping water, measure humidity, and send a notification when the temperature is too high or too low. That sounds like good protection against water damage. But what about security and data protection?

Grohe SENSE is placed on the floor, e.g. next to a washing machine, and sends its sensor data (water, temperature and humidity) to the cloud via Wi-Fi. After the initial setup with the Grohe ONDUS App, it establishes the Wi-Fi connection only once a day to upload the detailed sensor data of the past 24 hours. If it detects a water leak, it immediately sends a notification via the App.

Grohe SENSE detects leaks and dripping water.

Online communication

The communication is fully cloud-based. The initial setup traffic between App and SENSE is itself unencrypted, but it runs over an integrated (encrypted) Wi-Fi hotspot on the device, which is deactivated afterwards. The communication between App and cloud, and between SENSE and cloud, is always TLS 1.2 encrypted. Our man-in-the-middle attempts were not successful; they would in any case be difficult to carry out, because SENSE only connects once a day for a few moments.

Wireshark shows TLS traffic.

Checking the Application

Grohe offers the “GROHE ONDUS” App for Android and iOS. For this blog post, we took a closer look at the Android version of the application. Grohe did not obfuscate the source code, so we had little trouble inspecting the decompiled code.

The HTTP client implemented in the App uses certificate pinning for cloud communication, so eavesdropping on a connection is impossible without knowledge of the private key. All sensitive user data, and even the databases, are encrypted with state-of-the-art Android encryption methods.
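To make concrete what a reviewer looks for in the decompiled code when checking the two points above (a TLS 1.2-only connection to the cloud and a pinned server certificate), here is an added example of a pinned Android HTTP client built with OkHttp. This is illustrative code written for this post, not code from the GROHE ONDUS App; the hostname, the API path and the two pin values are placeholders, and the class name `PinnedCloudClient` is hypothetical.

```java
import java.io.IOException;
import java.util.Collections;

import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

/**
 * Hypothetical pinned cloud client (example only, not the ONDUS App's code).
 * Hostname, path and pin values below are placeholders.
 */
public final class PinnedCloudClient {

    // Placeholder hostname: replace with the real cloud endpoint.
    private static final String CLOUD_HOST = "cloud.example.com";

    // Placeholder pins in OkHttp's "sha256/<base64(SHA-256 of SubjectPublicKeyInfo)>" format.
    // Pin the leaf key and a backup (for example the issuing CA's key) so that a routine
    // certificate rotation does not lock every installed App out of the cloud.
    private static final String LEAF_PIN   = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedCloudClient() {}

    /** Builds a client that accepts only TLS 1.2 and only the pinned public keys for CLOUD_HOST. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(CLOUD_HOST, LEAF_PIN)
                .add(CLOUD_HOST, BACKUP_PIN)
                .build();

        // Restrict the handshake to TLS 1.2 with OkHttp's modern cipher suite list.
        ConnectionSpec tls12Only = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();

        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectionSpecs(Collections.singletonList(tls12Only))
                .build();
    }

    /** Fetches the (placeholder) sensor history endpoint through the pinned client. */
    public static String fetchSensorHistory(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + CLOUD_HOST + "/api/sense/history") // placeholder path
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Reached when the server's chain matches none of the pins: either an
            // interception proxy sits in the path or the operator rotated keys without
            // shipping updated pins. Fail closed rather than falling back to plain trust.
            System.err.println("Pin mismatch for " + CLOUD_HOST + ": " + e.getMessage());
            throw e;
        }
    }
}
```

When the pins do not match, OkHttp's `SSLPeerUnverifiedException` message lists the `sha256/...` values of the certificate chain it actually received, which is the quickest way to confirm that a proxy certificate, not the cloud's own key, was presented. A pinning check like this is why a man-in-the-middle with a self-signed or locally trusted certificate fails against the App even though the device itself trusts the proxy's CA.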

GROHE ONDUS uses state of the art Android encryption methods.

It is noticeable that the App is relatively new (version 1.0.3). We encountered some NullPointerExceptions in the Android Logcat, e.g. when trying to re-register a reset SENSE device; via the iOS App, this step worked as expected. Also, during our testing the device did not sync its temperature and humidity history with the cloud, for an unknown reason. We hope these issues will be fixed in one of the next updates.

Privacy Check

The registration process in the Grohe ONDUS App requires the owner’s full name and e-mail address, as well as the postal code and city of the installation site.
The Privacy Policy of the ONDUS App and the associated devices is easily understandable by 18-to-19-year-olds. It explains which data is sent to Grohe’s cloud services: in the case of Grohe SENSE, usage data (ambient temperature, humidity level, flooding status, alarm information) and technical information (device ID, serial number, firmware version, battery status, Wi-Fi settings, IP address) are stored by Grohe. If entered, contact details such as the e-mail addresses and telephone numbers of emergency contacts are saved as well. The policy does not state how long data is retained or which data is transferred to third parties, but it does mention that users may always ask Grohe for details of which data is stored (its origin, recipients, categories of recipients, purpose of storage etc.).

The Android App requests the following permissions:

  • Location (only necessary for the initial setup; purpose unknown)
  • Telephone (presumably for the upcoming feature of calling emergency contacts)
  • Storage (purpose unknown)
  • Wi-Fi (establishing the initial connection to SENSE and other Grohe devices)
Requested permissions

Conclusion

Even though we clearly tested a recently released product (some features, such as notifying emergency contacts, are still missing, and we encountered a few small bugs), in the end Grohe did a good job of securing their IoT water sensor system. This is why Grohe SENSE is rated three out of three stars in the QuickCheck. By the way: SENSE only connects once a day, which is a welcome change from the thousands of always-online devices.