Telekom’s “Qivicon Home Base” has once again passed the certification tests and receives the security certificate from the AV-TEST Institute. Two other current products from Telekom’s Magenta universe also passed the laboratory tests and now carry the “Secure Smart Home Product” award: the Telekom router “Speedport Smart 3” and the voice assistant “Smart Speaker”.

Secure base: Qivicon Home Base 2

In the IoT security laboratory of the AV-TEST Institute, Qivicon’s Smart Home base is an old acquaintance. In combination with Magenta SmartHome, the Telekom base for home automation has once again passed the recertification procedure. The device itself was tested together with the corresponding mobile applications on Android (v5.6.1) and iOS (v5.6.0).

During the extensive tests, all relevant Internet connections to and from Home Base 2, as well as to the corresponding applications, proved to be well encrypted via TLS 1.2. This effectively prevents eavesdropping on communications and the manipulation of data by potential attackers. Through the use of certificate pinning, the communication is also effectively protected against man-in-the-middle attacks. The testers also found no critical defects in the associated apps for Android and iOS. The detailed and informative privacy policy can be regarded as exemplary for smart home products.

Thus, “Qivicon Home Base 2” once again meets the security requirements of the AV-TEST certification procedure and receives the “Secure Smart Home Product” certificate for another year.

Certified Router: Speedport Smart 3

With the “Speedport Smart 3”, Telekom is launching its current standard router model. Compared with the previous models, it boasts higher data transmission and mesh functionality. It can also be used as the basis for Magenta SmartHome offerings. The functions and settings required for operating a secure smart home were also taken into account in the development of the router, as the certification test in the IoT laboratory proved.

Both in the static vulnerability analysis for known and specific vulnerabilities and in the dynamic test with a series of standard attacks, neither the Android nor the iOS app showed any flaws that could have a negative impact on general application security. The audit of LAN communication showed well-encrypted connections without critical errors or vulnerabilities and thus also gave no cause for complaint.

In the analysis of the online communication of the “Speedport Smart 3”, the entire communication between mobile application and cloud as well as between device and cloud was put to the test. Our extensive scans did not reveal any evidence of exploitable vulnerabilities at a critical level. The communication between Speedport, cloud and mobile applications is protected against common man-in-the-middle attacks. Certificate pinning is effectively implemented.

The privacy policy of the “Magenta SmartHome App” (25.05.2018) informs the customer in detail and clearly defines what kind of data is collected by which component, e.g. the Home Base 2 itself or the corresponding apps. The data is processed in Germany or other European countries. If data must be processed outside the EU, an appropriate level of data protection applies.

With these test results, the Telekom router “Speedport Smart 3” has received the security certificate of the AV-TEST Institute for the first time.

Clean announcement: Telekom Smart Speaker

Telekom’s new Smart Speaker also underwent the AV-TEST Smart Home certification process. The device was tested together with the corresponding mobile applications on Android (v1.6.0) and iOS (v1.6.0). All relevant connections between the Internet and the smart speaker as well as to the apps were found to be properly encrypted (TLS 1.2) and well equipped against standardized eavesdropping attacks and manipulation attempts. Because certificates are pinned, the connections offer no target for man-in-the-middle attacks.

The check of the apps showed no critical flaws. A firmware update process was checked during the test procedure. The data transmission is completely encrypted via a secure connection. A series of standard man-in-the-middle attacks was carried out in the laboratory, but the Smart Speaker successfully fended off these attacks by means of appropriate certificate verification.

Test setup of the Speaker Test: Among other things, all IP-based connections between device, app and cloud-based services are tested.

We observed and analyzed all communication between app and cloud and between speaker and cloud to identify potential vulnerabilities. No critical vulnerabilities were identified. The device revealed system information such as the operating system, system time, device type and the web server in the usual way, but we did not find any critical flaws. None of this information can be exploited by attackers without existing vulnerabilities, and our scan did not reveal any evidence of such an exploitable vulnerability. The Smart Speaker also communicates with the connected cloud services and mobile applications in a fully encrypted way and is protected against common man-in-the-middle attacks.

The privacy policy of the app “Hallo Magenta” (15.11.2019) covers all terms relevant to data protection in a high level of detail. All collected data is stored and processed in the EU. In exceptional cases, and to solve extraordinary technical problems of the system infrastructure, experts from outside the EU are allowed to access the data. This access is limited to the repair as such. The data will only be passed on to contract processors and cooperation partners. The voice data is stored for up to 2 years. During this time it is used for research, development and improvement purposes. Customers can delete individual or all data records in the “Hallo Magenta” app within 90 days.

The permissions of the app are also explained in detail. If the telephony function is activated, parts of the phonebook are synchronized with the Telekom cloud. These can also be deleted via the app. The contact information is also only used for the telephony function. Using integrated trackers, user behavior is analyzed in anonymized / pseudonymized form. The customer can also deactivate the collection of this data in the app. Telekom shares transcribed voice data with a partner (Retresco GmbH), but also clearly mentions this in the data protection statement. When using voice assistants, other providers, including Google and Apple, follow a similar procedure. This is not an obstacle to the security certification of the device, as the data privacy statement is clearly formulated.

This means that Telekom’s Smart Speaker also receives the “Secure Smart Home Product” certificate from the AV-TEST Institute after extensive testing by our IoT laboratory.