In 2020, we first had the opportunity to take a detailed look at the smart lock and bridge combo from the Polish manufacturer tedee as part of our IoT certification. Back then, the stylish smart lock convinced our testers right away with an absolutely solid security concept and a clean implementation. This year, in 2023, it was time to go through the recertification process for the second time and again confirm the excellent security level.
This year, tedee is also bringing its newest representative, the tedee GO, into play, in order to achieve our “Approved IoT Product” certificate for it as well.
The tedee GO, as the name suggests, is a more mobile version of the original model. Installation is now no longer tied to the use of a special locking cylinder or adapter; the tedee GO can in principle (and similarly to other models in this product segment) be mounted on any cylinder and opens and closes via the motorized rotation of the key inserted in the cylinder. Apart from this difference, however, the tedee GO functions completely identically to the original model in terms of digital technology. All the results briefly summarized below therefore apply to both models without exception.
As always, we first took a close look at the mobile application, looking for known and obvious vulnerabilities and checking that essential security mechanisms are solidly implemented. We were unable to find any indications of potential problems here in previous years, and there was not really much to report this year either. In order to break the encrypted communication of the application and thus gain access to sensitive data, an attacker basically only has the option of modifying the application itself in such a way that the security concept is weakened. This means, for example, that they would have to take the original .apk file, modify the security-relevant areas (such as those for certificate pinning) and then reinstall their version on the user’s phone in order to be able to eavesdrop on subsequent communications. Not only does this sound complicated, it is. In the case of the tedee app, it is even more so, since the app is also protected by signature checks, which would also have to be bypassed for a successful modification of the source code. Even those who take it upon themselves to do this (and of course we have) then find that the security precautions that actually have to be bypassed are outsourced to a .so library that comes with the app. Obtaining a (somewhat) human-readable representation of this library is, optimistically formulated, also “quite complex”. To put it briefly, the applications are absolutely adequately secured.
The same can be said of the devices themselves. We analyzed the online communication of the bridge and the local Bluetooth communication of the bridge and the smart locks themselves. We launched replay, sniffing and hijacking attacks and still could not find any evidence of problems that could pose a real threat to security during operation.
As in previous years, the tedee combination of bridge and smart locks passed all tests with flying colors and continued to demonstrate a high level of security that provides virtually no grounds for serious criticism. Accordingly, as in the last two years, we are gladly awarding our “Approved IoT Product” certificate to the tedee set and the new tedee GO.