tado° is a well-known name in heating control that you will inevitably come across if you want to make your heating or radiators smart. In addition to energy savings, a significant gain in comfort is also promised. Whether tado° also scores in the areas of security and privacy is covered in the following test report.
Both the room thermostat and radiator thermostats were on hand for the test. All thermostats measure humidity and temperature. Even though the app displays an air quality reading, the devices have no air quality sensors: the display is derived only from the time of the last ventilation (detected as a temperature drop in the room) and the temperature/humidity values. In addition to open window detection, the weather forecast is also factored into the heating control.
The thermostats are connected to the bridge via 868 MHz radio. The transmission protocol used is 6LoWPAN, an IPv6-based radio protocol with optional AES encryption. According to the manufacturer, this encryption is enabled.
The bridge is connected via Ethernet cable and connects all devices to the Internet. Apart from Apple HomeKit, direct control of the thermostats is not possible; all control is routed via the manufacturer’s servers.
Up to 25 devices (thermostats/sensors/climate controls) and up to 100 people can be added to a home created in the tado° app. It is also possible to control the heating/air conditioning based on presence, but this has required a subscription/in-app purchase for quite some time.
We took a closer look at the tado° app (Android, iOS) in a static and dynamic analysis. Besides some third-party modules, two trackers (Google Firebase, Crashlytics) were identified in the app. On both platforms (Android & iOS), tado° should inspect the build settings of the app: here, for example, unencrypted communication to tado° servers is allowed. Even though no such traffic was observed in the test, these options should be checked. The Android app writes an extensive log to the protected app area. Since it does not contain any security-relevant information, we do not rate this negatively.
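One way to check the Android build setting mentioned above, as an added example that is neither the test report's nor tado°'s code: it parses an apktool-style decoded manifest and the referenced network security config (constructed samples embedded inline, not the tado° app's) and reports where cleartext HTTP remains permitted.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (shape of an apktool-decoded AndroidManifest.xml).
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="29"/>
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed sample res/xml/network_security_config.xml referenced above.
NSC_XML = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.invalid</domain>
  </domain-config>
</network-security-config>"""


def cleartext_policy(manifest_xml, nsc_xml=None):
    """Effective cleartext-HTTP policy as {"default": bool, "domains": {name: bool}}.

    Platform rules applied: the manifest flag and <base-config> default to True
    below targetSdk 28 and to False from 28 on; when a network security config
    is referenced it overrides the manifest flag (API 24+); a <domain-config>
    without the attribute inherits from <base-config>. Nested domain-config
    elements are not handled. A missing <uses-sdk> is assumed to target 27.
    """
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "27")) if sdk is not None else 27
    platform_default = target < 28
    app = root.find("application")
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    default = platform_default if flag is None else flag == "true"
    domains = {}
    if app is not None and app.get(ANDROID + "networkSecurityConfig") and nsc_xml:
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        attr = base.get("cleartextTrafficPermitted") if base is not None else None
        default = platform_default if attr is None else attr == "true"
        for dc in nsc.findall("domain-config"):
            a = dc.get("cleartextTrafficPermitted")
            allowed = default if a is None else a == "true"
            for d in dc.findall("domain"):
                domains[d.text.strip()] = allowed
    return {"default": default, "domains": domains}


def cleartext_findings(manifest_xml, nsc_xml=None):
    """Human-readable list of places where cleartext traffic is still permitted."""
    policy = cleartext_policy(manifest_xml, nsc_xml)
    out = ["cleartext permitted by default (all hosts)"] if policy["default"] else []
    out += [f"cleartext permitted for {d}" for d, ok in policy["domains"].items() if ok]
    return out


if __name__ == "__main__":
    for line in cleartext_findings(MANIFEST_XML, NSC_XML):
        print(line)
```

With the samples above the manifest flag alone would allow cleartext everywhere, but the referenced config narrows it to one domain, which is why both files must be read together.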
The communication of the bridge and the app was TLS 1.2 encrypted at all times and thus effectively protected from third-party eavesdropping. The tado° API used is not officially documented, but has largely been disclosed.
Two-factor authentication is not supported, and the feature suggestion submitted in August 2019 has not been answered so far either. At first glance, tado° may not be a critical system, but a leaked password could be enough to hijack not only radiators but entire heating systems.
The recording of usage and diagnostic data can be disabled in the app. Google Firebase and Crashlytics were detected as trackers in the app; after deactivating the switch, they were no longer contacted. tado° reserves the right to use all collected personal data for the further development of its products and for staff training. It is unclear why anonymized data is not used for these purposes.
Most recorded data is stored permanently; location data is deleted after 2 weeks. The processing mainly takes place at Amazon Web Services within the EU. tado° additionally reserves the right to process data outside the European Union.
The tado° products convinced us in our test: at the very least, the temperature in the home office was always optimal. We noticed some minor issues with the app that the manufacturer should take a look at. In terms of privacy, we would like to see a few improvements that would strengthen both transparency and user trust.