Another product in the “Smart Home” category has successfully passed our certification tests – the CloudMatic solution that provides secure remote access and control for the eQ-3 HomeMatic CCU2. The following test report shows how secure the combination of encrypted cloud communication and control via a VPN tunnel is.

Online communication

CloudMatic provides secure remote access to the Homematic CCU through a combination of cloud access from a mobile app and a VPN tunnel from the cloud to the CCU. Both aspects were therefore examined closely.

The cloud connection, and thus the login for remote access, is handled through a mobile application. We examined the CloudMatic EASY App to find out whether its connections are secure – because secure control via VPN alone is not enough if access to it is not secured.

As the following images show, the observed connections of the mobile application (in the preview version 2.5.0) were adequately encrypted throughout.

User login over a TLS 1.2 encrypted connection

Our man-in-the-middle attacks on, among others, the user login for this test scenario were not successful either – the encrypted connections are additionally secured by so-called certificate pinning, which makes it practically impossible for an attacker without the correct server certificate to gain unauthorized access to the connection.

Unsuccessful MitM attempt on the user login
The application also reports the MitM attack and refuses the connection

For the establishment of the VPN connection from the cloud to the CCU, we were also unable to identify any obvious weak points in the test. An attack at this point would in any case be much harder to launch, so the connection from the app to the cloud must be regarded as the most critical area.

Application

The Android application itself has no obvious or serious vulnerabilities. The lack of obfuscation of security-relevant functions and classes makes it easy for potential attackers to reconstruct or manipulate the application's functionality, but this alone does not constitute a real vulnerability.

Even though the app does not reveal any critical information in logs or debug output in the Android logcat, on smartphones with root rights an attacker might be able to read the user credentials in plain text directly from the app's data folder. We do not regard this as an obvious weak point, but it should be noted, as it is well within the capabilities of modern malware.

Privacy policy

The privacy statements of CloudMatic and EASY SmartHome GmbH only refer to the use of the respective website, but not to the use of the app. However, as the app is an important component for the use of the system, we believe that it should at least be mentioned in the policy statement.

The use of the CloudMatic services is also mentioned, as is the data collected – but a statement of the purpose of the data collection would also be desirable here.

Since the Android app has a relatively large number of permissions, we would also recommend that the purpose of the permissions be mentioned in the privacy policy, as this would further improve transparency for the customer. Since the app consists mainly of a browser component, it might even be possible to dispense with some of the permissions at this point.

Overall, however, the CloudMatic solution does not offer any serious points of criticism in terms of privacy, so we see no reason to mark it down on this point either.

Verdict

The CloudMatic solution provides a secure way to remotely manage and control the eQ-3 HomeMatic Smart Home system. The chosen combination of mobile application and VPN connection offers advantages for user-friendliness as well as a high level of security. Since no other serious or obvious weak points could be identified in the test, the CloudMatic solution can be regarded as adequately secure and therefore receives the AV-TEST certificate “Approved Smart Home Product”.