Dear visitors of this blog, dear Smart Home and IoT friends, what a year it was! In a short review we are happy to say: It was a very successful year, for us as an IoT test laboratory, for the security of smart home products and IoT services and thus for all users of networked devices. We would like to thank you, our readers, for your great interest in the topic of IoT security, without which it would certainly be much more difficult for us to make clear the necessity of comprehensive and independent product tests in discussions with manufacturers and suppliers. Thank you!

At the same time, we would like to thank the manufacturers who not only recognized the necessity of IoT security and data protection at an early stage, but also implemented it together with us in the sense of “Security by Design” and “Privacy by Design”. We started our tests and certification of secure IoT and smart home products more than seven years ago, long before the Mirai attacks at the end of 2016, which slowly brought the topic of IoT security into the spotlight of the media and subsequently in government agencies and classic IT security companies.

The measured values show sample variants of the Mirai Bot in the year of its first media-effective outbreak.

In the meantime, the topic has become very popular, unfortunately not only among serious product testers, but increasingly also among companies that present themselves to the public without sufficient expertise and certify without relevant tests, solely on the basis of self-disclosure from manufacturers. Unfortunately, the focus here is not on guaranteeing secure IoT products but on selling seals. Some of these must be regarded as deliberate consumer deception. In addition, after a long deep sleep, there is the threat of over-regulation by the state, especially in Germany.

Pioneering work for IoT security

We officially started our comparison test series, which has been very successful ever since, at the beginning of 2014 with the security check of Smart-Home kits. In the laboratory, we tested products from eSaver, EUROiSTYLE, Gigaset, REV Ritter, RWE (now innogy), Hama, and QIVICON, now known as Telekom’s Magenta SmartHome. Since then, the manufacturers Bosch, Telekom, Devolo and eQ-3 have had their smart home products checked by our IoT lab every year, from the device to the cloud service to the app. With our certificate for tested Smart Home security, we guarantee that the corresponding products are well armed against common IT attacks.

The first comprehensive IoT security comparison was published by the AV-TEST experts at the beginning of 2014.

Vacuum robots and video doorbells in security check

Since then, many tests have followed: Fitness trackers, IP cameras, Smartlocks or children’s watches. This year alone, the engineers in our IoT laboratory tested more than 20 products in certification, individual and comparative tests. As an independent test institute, AV-TEST publishes the results for customer orientation and exchange with other security researchers here in the blog and on the institute’s website for free.

This year’s tests included two major comparative tests: At the beginning of the year, our testers took on the exciting field of vacuum robots increasingly purchased by many private households. The premium models of the manufacturers Dyson, iRobot, Vorwerk and Xiaomi took part in the security check. In this test, the Xiaomi vacuum cleaner revealed a lot of security deficiencies in data transmission and the handling of customer data, which was massively transferred to third parties via the app.

The first comparative test this year examined the security of vacuum robots.

The second comparative test at the end of this year was devoted to a product group that is also widely sold in the market: This time the IoT engineers tested the security of video doorbells from the manufacturers Arlo (Netgear), DoorBird, Nest (Google), Ring (Amazon) and Somikon. This test also clearly showed the extreme differences in security design. And so two products, namely those from Somikon and DoorBird, showed serious security deficiencies.

In the second test in 2019, the experts from the IoT Lab took a close look at the security of video doorbells.

Individual tests: from eHealth to children’s watches to sound systems

Our individual tests this year, including the Soundbox Sonos Play 1 and the blood pressure monitor iCheck 7 from Braun, have already shown good implementation of consumer protection at IT level with slight potential for improvement. But where there is light, there are also shadows or complete security failures in tests, which can lead to dangerous consequences for users. The SMA-WATCH-M2 children’s watch from the Chinese manufacturer SMA deserves special mention here. This children’s device allows attackers to determine the location of over 5,000 children and to access data from over 10,000 parent accounts. The manufacturer’s server provided access to sensitive personal data, including the parents’ name, the child’s name and picture, the names and numbers of relatives and acquaintances in the phone book, as well as data for real-time location determination and the ability to make direct contact by phone call and voice message. Thanks to broad international coverage of this test, customers around the globe were informed about the dangerous weaknesses of the Chinese children’s watch.

According to information from AV-TEST’s IoT Test Lab, TV, print and online media around the globe warned of a dangerous children’s watch.

Increasing number of certified secure products

In the area of product certification, we are pleased that more and more manufacturers whose products are also internationally successful rely on our security tests. And we are honoured that our “Tested Smart Home Product” / “Tested IoT Product” seals and our three-star label of quick checks are being used more and more frequently by customers as an argument in their purchasing decisions.

You can find out which products have been tested and certified according to the latest state of the art security testing with detailed test reports here in the blog and in the product overview on our website. This year there were already ten major manufacturers who entrusted one or more products to the security testing of our IoT lab and the consulting of our engineers. We would like to thank our customers ABUS, Devolo, LUPUS, eQ-3, Qivicon (Telekom), Nuki, Easy SmartHome, RC-TEC as well as Amazon’s camera manufacturer Ring for their confidence in us.

We are looking forward to the coming year with you!

Our IoT lab is already planning some exciting tests for the coming year. We would be delighted if you would stay with us in the coming year and join us in promoting the security of Smart Home and IoT products. When purchasing Smart Home and IoT products, ask the provider directly about IT security and data protection. This will help us to make security and the protection of privacy a fixed factor in the development of products!

Now we are leaving for Christmas break and wish you smart holidays and a safe slide into the New Year.

On behalf of the entire IoT team with best regards,

Olaf Pursche

CCO AV-TEST Institute