Gadgets do not only bring fun and comfort; a gadget might also help in an emergency. Grohe, a German manufacturer known for top-quality bathroom fittings and accessories, announced a new device category at ISH 2017 in Frankfurt: IoT water sensors. Grohe SENSE is meant to detect leaks and dripping water, measure humidity and send a notification when the temperature is too high or too low. This sounds like good protection against water damage. But what about security and data protection?
Grohe SENSE is placed on the floor, e.g. next to a washing machine, and sends its sensor data (water, temperature and humidity) to the Cloud via Wi-Fi. After the initial setup with the Grohe ONDUS App, it establishes the Wi-Fi connection only once a day to upload the detailed sensor data of the past 24 hours. In case of a water leak, it immediately sends a notification via the App.
The communication is fully cloud-based. The initial setup between App and SENSE happens unencrypted, but over an integrated (encrypted) Wi-Fi hotspot, which is deactivated afterwards. The communication between App and Cloud, as well as between SENSE and Cloud, is always TLS 1.2 encrypted. Man-in-the-middle attacks were not successful, but would have been rather difficult anyway, since SENSE only connects once a day for a few moments.
Checking the Application
Grohe offers the “GROHE ONDUS” App for Android and iOS. For this blog post, we took a closer look at the Android version of the application. Grohe did not use source code obfuscation, so we had little trouble inspecting the decompiled code.
The implemented HTTP client uses certificate pinning for cloud communication, so eavesdropping on the connection is not possible without knowledge of the pinned certificate’s private key. All sensitive user data, and even the databases, are encrypted with state-of-the-art Android encryption methods.
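To illustrate the certificate-pinning technique the App relies on, here is an added example (not Grohe’s code) of how an Android HTTP client can pin its backend with OkHttp’s CertificatePinner. The hostname and the two pin values are placeholders; in a real build each pin is the base64-encoded SHA-256 hash of the backend certificate’s SubjectPublicKeyInfo.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedCloudClient {
    // Placeholder backend host and pins; these are NOT Grohe's values.
    private static final String CLOUD_HOST = "cloud.example.com";
    // Pin of the key currently in use (sha256 of the SubjectPublicKeyInfo, base64).
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // Pin of a backup key kept offline, so a certificate rotation does not lock the App out.
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedCloudClient() {}

    // Builds a client that refuses any TLS chain for CLOUD_HOST that contains
    // neither pinned key, regardless of which CAs the device trusts.
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(CLOUD_HOST, PIN_CURRENT)
                .add(CLOUD_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Performs a GET against the pinned backend and returns the body as text.
    // A pin mismatch surfaces as javax.net.ssl.SSLPeerUnverifiedException
    // (a subclass of IOException) before any request data is sent.
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Unexpected HTTP status " + response.code());
            }
            return response.body().string();
        }
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = build();
        System.out.println(fetch(client, "https://" + CLOUD_HOST + "/api/v1/status"));
    }
}
```

Pinning only helps if the pin set is maintained: a second pin for a backup key keeps the App working when the backend certificate is rotated, and the exception OkHttp raises on a mismatch is exactly the failure a tester sees when a man-in-the-middle proxy’s certificate is presented instead of the real one.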
It is noticeable that the App is relatively new (version 1.0.3). We encountered some NullPointerExceptions in the Android Logcat, e.g. when trying to re-register a reset SENSE device. Via the iOS App, this step worked as expected. Also, during our testing the device did not sync its temperature and humidity history with the Cloud, for unknown reasons. We hope these issues will be fixed in one of the next updates.
The registration process in the Grohe ONDUS App requires the owner’s full name and e-mail address, as well as the postal code and city of the installation site.
The Android App requests the following permissions:
- Location (Only necessary for initial setup – unknown purpose)
- Telephone (Presumably for the upcoming feature, calling emergency contacts)
- Storage (Unknown purpose)
- Wi-Fi (Establishing the initial connection to SENSE and other Grohe devices)
Admittedly, we tested a recently released product: some features like notifying emergency contacts are still missing and we encountered a few small bugs. But in the end, Grohe did a good job of securing their IoT water sensor system. This is why Grohe SENSE is rated three out of three stars in QuickCheck. By the way: SENSE only connects once a day, which is a welcome change from the thousands of always-online devices.