In this test, we will show, whether the slogan “Made in Germany” also means something with regard to Smart Home solutions and will analyse the security of the Bosch Smart Home Starter Kit.
App without vulnerabilities
The Android App does not seem to have obvious serious vulnerabilities. The missing obfuscation of security relevant functions and classes may ease reconstruction and/or modification by potential attackers, but this is not a vulnerability per se.
Critical data saved by the application on the internal smartphone storage is well encrypted using state of the art API calls to the Android KeyStore (and device specific key pairs).
The presented security features show a high level of communication security that require an enormous amount of criminal effort and energy to hack.
Secure local & online communication
The communication between App and Controller is completely TLS1.2 encrypted, independent if it’s used in the home network or on the road. At home, App and Controller communicate directly, only a few web requests can be detected. Online, *.bosch-smarthome.com servers are being contacted, which forward the commands to the Controller.
While remote access is established, the Cloud LED keeps flashing, so owners are able to see, when somebody accesses the Smart Home system from outside.
Third Party API Usage
We also took a look on third party integrations. Despite the announcement on the IFA 2016, we could not find any applets on IFTTT for the Bosch Smart Home System. However, we were able to connect it to our Philips Hue Bridge and observe the local traffic between the two devices. The Bosch gateway uses the official Hue API, therefore the communication relies on the unencrypted http protocol. This is not a security problem of the Bosch product but should rather be fixed by Philips. (As already mentioned in our Philips Hue test)
The Controller communicates with the Smart Home components via a proprietary RF-band (868Mhz) and ZigBee (2,4Ghz), which is an international standard for home automation and other low-power needs. Except for the motion detector, all Smart Home components communicate with the 868Mhz band, using a proprietary protocol. The motion detector communicates with 2,4Ghz (ZigBee), which provides much higher bandwidth.
The ZigBee implementation of Bosch uses an advanced encryption technology with device specific link keys, which are being used for initial connection to the Controller, where individual encryption keys are being shared. Whilst other manufacturers use publicly available keys for the initial setup, the method of using device-specific encryption keys makes ZigBee a very secure wireless transmission protocol. Presumably, similar technologies are also used for the proprietary 868Mhz-protocol – these devices also have the individual device key printed on it.
The Android App permissions are limited to the necessary scope:
- Camera (Recording of QR codes for initial setup of the products)
- Wi-Fi (Communication with the Controller)
The Smart Home Starter Kit earns three of three stars in our security quick check.
In addition, the Bosch Starter Kit successfully passed the extensive certification tests of our IoT experts and is awarded by AV-TEST as a secure Smart Home product.
Pingback: AV-TEST awards manufacturers for Approved Smart Home Security – AV-TEST Internet of Things Security Testing Blog