Many smart home systems include burglary protection as an additional feature. There are few systems that focus on protecting your own home. One of them is Ring Alarm. We took a close look at the alarm system and checked the IT security and privacy of the solution.

Paired devices and the event log in the Ring app

 

Technical data

The Ring Alarm Starter Set in the smallest configuration consists of the base station, a keypad, a door/window contact as well as a motion detector and repeater.

Both the base station and the repeater have an internal battery (5100 mAh and 1100 mAh, respectively), which lets the devices bridge a 15-minute power failure with all features, or a further 24 hours with limited features. The base station also has a SIM card (in our case from AT&T), so that even Internet failures can be bypassed, provided mobile phone reception is available and the Plus subscription has been purchased.

The base station is equipped with WiFi, Z-Wave and Zigbee. All devices supplied with the base operate via Z-Wave Plus. This wireless standard improves the Z-Wave standard in terms of power consumption, range and bandwidth. Furthermore, better fault tolerance and a standardized procedure for firmware updates (OTA) have been implemented.

All devices have a device-specific, printed-on key. This means that parts of the key exchange between base and device do not take place in the Z-Wave communication itself, so that the exchange cannot be fully eavesdropped. At delivery, all devices are already paired with the base station.

Applications

The Ring App (Android, iOS) was subjected to a static and dynamic analysis. Since the app has to cover the rather extensive product portfolio, the app permissions are also comparatively extensive. However, they are only requested when necessary.

The analysis did not reveal any significant weaknesses.

Integrated trackers

The app has a relatively high number of trackers, but the communication with them was encrypted at all times. Furthermore, certificate pinning is implemented in the app so that man-in-the-middle attacks are effectively prevented.

Online communication

As we already suspected based on our earlier test of the Ring Doorbell 2, we could not detect any unencrypted communication when testing the Ring Alarm solution. All communication between app and cloud or base and cloud was encrypted with TLS 1.2.
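A check of this kind can be scripted against a traffic capture taken on a gateway the tester controls. The following is an added example, not part of the original test tooling: it reads the first server payload of each flow, extracts the negotiated TLS version from the ServerHello, and reports anything that is plaintext or older than TLS 1.2. The flow names and payloads are constructed sample data, and the TLS 1.3 handling goes beyond the TLS 1.2 case described above.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def negotiated_version(payload: bytes) -> str:
    """Version chosen in a server's first record (ServerHello), or 'not TLS'."""
    # Record header: type 0x16 (handshake), version 0x03xx, 2-byte length.
    # Handshake header: type 0x02 (ServerHello), 3-byte length.
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x02:
        return "not TLS"
    body = payload[9:]
    if len(body) < 35:
        return "not TLS"
    version = struct.unpack_from("!H", body, 0)[0]   # legacy server_version
    pos = 2 + 32                                     # skip version + random
    pos += 1 + body[pos]                             # skip session_id
    pos += 2 + 1                                     # cipher suite + compression
    if pos + 2 <= len(body):                         # extensions are optional
        end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            # TLS 1.3 keeps 0x0303 in the legacy field and announces itself
            # in the supported_versions extension (type 43).
            if ext_type == 43 and ext_len == 2 and pos + 6 <= end:
                version = struct.unpack_from("!H", body, pos + 4)[0]
            pos += 4 + ext_len
    return VERSIONS.get(version, "unknown (0x%04x)" % version)

def server_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record for the sample flows."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample data: first server payload of each flow in a test capture.
FLOWS = {
    "flow-a": server_hello(0x0303),
    "flow-b": server_hello(0x0303, struct.pack("!HHH", 43, 2, 0x0304)),
    "flow-c": server_hello(0x0301),
    "flow-d": b"HTTP/1.1 200 OK\r\n\r\n",
}

def findings(flows, allowed=("TLS 1.2", "TLS 1.3")):
    """Flows that would be reported: plaintext or an outdated TLS version."""
    return {n: v for n, d in flows.items() if (v := negotiated_version(d)) not in allowed}

if __name__ == "__main__":
    for name, data in FLOWS.items():
        print(name, negotiated_version(data))
```

An empty result from `findings()` corresponds to the outcome reported here: no plaintext and nothing below TLS 1.2.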

Ring Base: Communication to European Amazon servers

Ring app: Communication to servers in the USA

When checking the communication, however, we noticed that the Ring base station communicated with a European Amazon server (Frankfurt am Main, Germany), while the app only contacted American Amazon servers. Why this is a problem is discussed separately in the privacy section of the test.

Alarm feature

Since we only evaluate the IT security of the system, this test point is only of an informative nature.

In contrast to some other systems tested by us, e.g. in the comparative test of Security Starter Kits, Ring integrates tamper contacts into the sensors. Manipulations of the sensors are therefore detected and recorded in the event log and, depending on the arming status, an alarm is triggered. According to the app settings, a push notification should also appear in case of tampering, but this did not work during the test.

Event log records the tampering of sensors

Provided that you have the appropriate subscription, the system also notifies or alerts you if the Internet is down, via the integrated mobile modem. Thanks to the batteries built into the repeater and the base station, the system also bridges longer power failures, as mentioned at the beginning.

Privacy

Ring’s privacy policy is versioned, so users can check back to see what has changed over time. We have taken a closer look at the latest version from 21.10.2020. When registering, you have to enter your full name and an e-mail address. When adding devices, you also have to enter the address where the devices are installed. Why this is absolutely necessary is not entirely clear to us. Here Amazon should improve or provide an additional explanation.

If the owner allows it, the current location is recorded when using the app. This does not have any advantages; geofencing features or similar, which would justify this, do not exist (yet).

The numerous integrated trackers of the Ring App are not listed in the privacy policy, but only briefly described in general terms. It also does not state exactly which data is transferred to the analysis services. Personalized advertising and the recording of web or app analytics data can be disabled by the user in the Control Center.

As mentioned in the online communication section, the Ring App communicates with servers in the USA. The privacy policy refers to the EU-US Privacy Shield, which was invalidated by the European Court of Justice in mid-July. Accordingly, the standard contractual clauses used by Ring are also invalid and urgently need to be updated, as the current state of affairs means that the transfer of data from EU citizens to the USA could violate applicable law.

Conclusion

Ring Alarm performed well in most areas of our test catalog. The security concept of the entire system is fully thought through and very well secured. However, since the privacy policy refers to standard contractual clauses that have been invalid for months and some information is missing, we can only award a few points in this area.