Telekom’s “Qivicon Home Base” has once again passed the certification tests and receives the security certificate from the AV-TEST Institute. Two other current products from Telekom’s Magenta universe also passed the laboratory tests and now carry the “Secure Smart Home Product” award: the Telekom router “Speedport Smart 3” and the voice assistant “Smart Speaker”.
Secure base: Qivicon Home Base 2
Qivicon’s Smart Home base is already well known in the IoT security laboratory of the AV-TEST Institute. In combination with Magenta SmartHome, the Telekom base for home automation has again successfully passed the recertification procedure. The device itself was tested together with the corresponding mobile applications on Android (v5.6.1) and iOS (v5.6.0).
Thus, “Qivicon Home Base 2” once again meets the security requirements of the AV-TEST certification procedure and receives the “Secure Smart Home Product” certificate for another year.
Certified Router: Speedport Smart 3
With the “Speedport Smart 3”, Telekom is launching its current standard router model. Compared with the previous models, it boasts faster data transmission and mesh functionality. It can also be used as the basis for Magenta SmartHome offerings. The functions and settings required for operating a secure smart home were also taken into account in the development of the router, as the certification test in the IoT laboratory proved.
Both in the static vulnerability analysis for known and specific vulnerabilities and in the dynamic test with a series of standard attacks, neither the Android nor the iOS app showed any flaws that could have a negative impact on general application security. The audit of LAN communication showed well-encrypted connections without critical errors or vulnerabilities and thus also gave no cause for complaint.
In the analysis of the online communication of the “Speedport Smart 3”, the entire communication between mobile application and cloud as well as between device and cloud was put to the test. Our extensive scans did not reveal any evidence of exploitable vulnerabilities at a critical level. The communication between Speedport, cloud and mobile applications is protected against common man-in-the-middle attacks. Certificate pinning is effectively implemented.
With these test results, the Telekom router “Speedport Smart 3” has received the security certificate of the AV-TEST Institute for the first time.
Clean announcement: Telekom Smart Speaker
Telekom’s new Smart Speaker also underwent the AV-TEST Smart Home certification process. The device was tested together with the corresponding mobile applications on Android (v1.6.0) and iOS (v1.6.0). All relevant connections between the Internet and the smart speaker as well as to the apps were found to be properly encrypted (TLS 1.2) and well equipped against standardized eavesdropping attacks and manipulation attempts. The certificate pinning offers no point of attack for man-in-the-middle attacks.
The check of the apps showed no critical flaws. A firmware update process was checked during the test procedure. The data transmission is completely encrypted via a secure connection. A series of standard man-in-the-middle attacks were carried out in the laboratory, but the Smart Speaker successfully fended off these attacks by means of appropriate certificate verification.
We observed and analyzed all communication between app and cloud and between speaker and cloud to identify potential vulnerabilities. No critical vulnerabilities were identified. Although the device revealed system information such as the operating system, system time, device type and the web server in the usual way, we did not find any critical flaws. None of this information can be exploited by attackers without existing vulnerabilities, and our scan did not reveal any evidence of such an exploitable vulnerability. The Smart Speaker also communicates with the connected cloud services and mobile applications in a fully encrypted way and is protected against common man-in-the-middle attacks.
The permissions of the app are also explained in detail. If the telephony function is activated, parts of the phonebook are synchronized with the Telekom cloud. These can also be deleted via the app. The contact information is also only used for the telephony function. Using integrated trackers, user behavior is analyzed in anonymized / pseudonymized form. The customer can also deactivate the collection of this data in the app. Telekom shares transcribed voice data with a partner (Retresco GmbH), but also clearly mentions this in the data protection statement. When using voice assistants, other providers, including Google and Apple, follow a similar procedure. This is not an obstacle to the security certification of the device, as the data privacy statement is clearly formulated.
This means that Telekom’s Smart Speaker also receives the “Secure Smart Home Product” certificate from the AV-TEST Institute after extensive testing by our IoT laboratory.