ABUS, the well-known brand for security technology in Germany, is expanding its consumer electronics portfolio in the Smart Home sector with the Z-WAVE Gateway. The Gateway can be used to set up smart home networks, for example with ABUS Z-WAVE hazard alarms, or to connect existing Smartvest wireless alarm systems with available Z-WAVE components. AV-TEST’s IoT-Lab has subjected the product to extensive testing in the certification process prior to official market launch. The ABUS Z-WAVE Gateway passed all necessary tests successfully, so that we can award the certificate “Approved Smart Home Product”. In the following, the tests carried out and the corresponding results are explained.

 

Applications and Firmware

For the test, the mobile applications (in the unpublished versions available at that time) were analyzed for both Android (v1.1.0) and iOS (v1.1.0) and examined for possible conceptual or implementation weaknesses.

There were hardly any weaknesses. In most cases, non-security-relevant optimization fields were due to the pre-release status of the application versions: Error messages were still missing in some places, e.g. for a failed update attempt on iOS. Not all password fields were declared as such, which could possibly allow third party applications to read input. Apart from that, there was no real reason for criticism for both Android and iOS app. After consultation with AV-TEST, the manufacturer corrected the points criticized by the testers immediately.

During the examination of the firmware for the Z-WAVE Gateway (version v040027) only one aspect was noticed: The firmware image is not protected by integrity or authentication measures. This fact alone does not represent a real weak point, but it might enable a potential attacker to reverse engineer the gateway in order to understand how it works and identify possible weak points. However, the image itself is protected against manipulation during transmission, so that users do not have to worry about installing a possibly modified version.

 

Online and local communication

The Z-WAVE Gateway also scored well in our tests in the area of local and online communication thanks to an adequate level of security. The concept used here to ensure a secure connection between app, gateway and cloud offers solid protection for the deployment scenario. For the main communication, the connectionless, by default unencrypted UDP protocol is used, where in this case the actual payload is additionally obscured. This implementation can be regarded as sufficiently secure. However, in contrast to the classical solution with SSL-secured TCP connection, it has some technical security disadvantages. For example, man-in-the-middle attacks on a UDP connection are virtually undetectable for client and server, which at least theoretically enables attack scenarios if the payload can be read.

During the firmware update process, the firmware image is transferred to the base exclusively via an SSH connection (SSH-2.0-OpenSSH_6.4), i.e. encrypted. Manipulation of the image during transmission can thus be practically ruled out.

Firmware update over securely encrypted SSH

 

Data privacy

The terms of use for the ABUS Z-WAVE Gateway also include the data privacy statement (as of 01.12.2018) for the product. The essential and most important information is made available to the customer. Accordingly, when using the Z-WAVE Gateway, only the public IP (including network access ports) and the device ID itself are recorded and stored. Data-efficient and therefore exemplary!

For an even better privacy statement, additional information on the use of the quite extensive app permissions (audio recording, closing background processes, etc.) as well as on storage location and duration would be useful. In the case of ABUS Z-WAVE Gateway, however, only relatively uncritical data is stored anyway according to the data privacy statement, so that the absence of this information is of no further importance. However, transparency for the customer could be improved by extending the privacy statement in these areas. After consultation with AV-TEST, the manufacturer has already declared its willingness to adapt the data privacy statement accordingly.

 

Applications permissions on Android

 

Verdict

The ABUS Z-WAVE Gateway offers an overall adequate security level. Some points that we believe are less critical could still be improved. However, we are convinced that ABUS will still make adjustments here. We were able to accompany the manufacturer during the development and follow the continuous improvement step by step. In the area of data privacy there is also no real reason for complaint – additional information, such as storage location and duration as well as use of the required app permissions, would be a plus, but do not cloud the otherwise overall good impression. The ABUS Z-WAVE Gateway successfully passes the AV-TEST certification process and is therefore awarded with “Approved Smart Home Product”.