With the Hometec Pro, the renowned security and locking technology specialist ABUS is launching its first smart lock “Made in Germany”. Commissioned to carry out our extensive AV-TEST certification tests, we took a close look at the new smart lock. In the following, we would like to explain how well and securely the relevant security areas were designed and implemented.
As befits a smart door lock, the Hometec Pro naturally also comes with mobile apps for Android and iOS (tested version 3.1.5). As usual, these were subjected to various static and dynamic analyses to assess how secure communication, control and administration via the application helpers are.
Except for a few minor things there is actually not much to report here: The implementation of the online communication looks solid, the four included trackers are all standard Google trackers and the few other issues we had to report are rather theoretical problems. There are e.g. only some included libraries that were not completely secured by all common memory access protection mechanisms (like ASLR) and a flag set in the Android application’s manifest allows backing up application data via the Android Debug Bridge – but an attacker would be required to already have full access to the user’s smartphone to exploit both things anyway. In the iOS application, we noticed that the ATS (App Transport Security) restrictions are disabled by default, which allows the app to communicate unencrypted, at least in theory. Although we did not see anything unsecurely transmitted in practice, we still recommend activating ATS. It is the easiest way to be on the safe side “by default”. According to what we could observe, there is no functional reason to allow unencrypted communication with the Hometec Pro anyway.
Local and online communication
There was only one thing that stood out about communication via the Internet: Although it was never actively used during our tests, our scanners still identified the outdated TLS version 1.0, which was apparently supported on the Hometec Pro Bridge. Thus, at least theoretically, some so-called downgrading attacks would still be possible, that would allow attackers to exploit the known vulnerabilities of the outdated protocol version. During operation of the Hometec Pro though, there were no indications that a connection via TLS 1.0 would actually be possible. Also we found no other indications of potential weaknesses or vulnerabilities regarding online communication.
The same applies to local communication, which is exclusively done via Bluetooth LE with the Hometec Pro system. At first, our testers were surprised that it was possible to connect to the lock and read out the various Bluetooth services and characteristics without authentication. However, a second look showed that the control and access to critical information is absolutely adequately secured. Potential attackers can establish a connection to the lock, but that is basically it. The lock’s control and configuration runs completely via encrypted control commands, which could not be “reused” by so-called replay attacks in the test even if we could intercept and read them. Our attempts to deny the smart lock for legitimate connection requests by flooding it with connection, write and read requests were also unsuccessful. All in all, we could not find any weak points here either.