We are pleased to add the MCVisu.cloud solution from rc-tec GmbH to our range of certified products. As part of the certification test, we put the solution through its paces. MCVisu.cloud makes it possible to control the ABI MC1500 alarm and access system via smartphone. The corresponding app in version 1.0.6 and the cloud connection of the ABI alarm system were tested for their security. The security of the alarm system itself (sabotage, manipulation of ID chips, etc.) was not considered.
Neither static nor dynamic analysis detected any vulnerabilities in the Android app. Since the app's code is not obfuscated, our testers could relatively easily examine how the app works, for example the way in which the certificate is validated:
The app currently “only” validates the validity and trustworthiness of the certificates used for communication, so that communication cannot be eavesdropped on or manipulated without direct access to the device. According to the manufacturer, certificate pinning will also be used here in the future: the app then checks whether the certificate presented is the expected certificate, and any other certificate is rejected, so no communication takes place. This effectively prevents man-in-the-middle attacks. Furthermore, the code will be obfuscated in upcoming versions, making it even more difficult to understand how the app works.
In the test, we observed no direct communication between the app and the alarm system. The online communication of the ABI MC1500 system is encrypted at all times. Because the alarm system and the cloud communicate continuously, a kind of VPN tunnel is assumed. No obvious weak points could be identified. The app's communication is also completely encrypted and gives no indication of possible weak points. With regard to the login to the cloud, we also examined how the app behaves under a man-in-the-middle attack. The app is adequately protected against simple attacks. However, as soon as the CA certificate belonging to the MITM tool was installed on the smartphone, the communication could be eavesdropped on and manipulated. We do not rate this negatively, since direct access to the device always gives an attacker certain possibilities beyond man-in-the-middle attacks. Furthermore, the manufacturer informed us, as already mentioned above, that certificate pinning is planned for the upcoming versions.
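As an added illustration (not the page's or rc-tec's own code), this is an Android network security configuration that implements the certificate pinning the manufacturer announces above and, in the same file, no longer trusts user-installed CAs such as the one used in our MITM test; the hostname and pin digests are placeholders, since the page names neither.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Hostname and pin values below are placeholders; the page does not name them. -->
<network-security-config>
    <!-- Weak form, matching the tested state: only the CA chain is validated, and a
         user-installed CA (for example a MITM proxy's CA) is accepted as a trust anchor. -->
    <!--
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Hardened form: system CAs only, plus pins for the cloud endpoint. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <domain-config>
        <domain includeSubdomains="true">cloud.example.invalid</domain>
        <!-- Each pin is the base64 SHA-256 of the server certificate's SubjectPublicKeyInfo.
             A backup pin covers key rotation; the expiration date makes a forgotten pin
             fall back to ordinary CA validation instead of locking users out. -->
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

With this configuration, a connection presenting a certificate that chains to a user-installed CA, or whose public key matches none of the pins, is refused before any login data is sent.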
The user is adequately informed; for example, location data is collected if operation of the alarm system is restricted to certain regions, and this data is stored for a maximum of 4 weeks. In addition, the user name, password and data of the alarm system are stored.
The Android app permissions are limited to the minimum necessary scope:
The MCVisu.cloud solution from the Austrian manufacturer rc-tec offers a secure and privacy-friendly way to control your ABI MC1500 alarm system via smartphone app. The versions currently under development also give a preview of an app prepared for all challenges. For this reason, the solution receives the AV-Test certificate “Approved Smart Home Product”.