And another anniversary! In certification with us since 2018 and thus now tested for the fifth time: the XT1 Plus Starter Kit from the German alarm system manufacturer Lupus-Electronics. On this occasion, we want to take a look at the current status of the system and explain why it still deserves our “Approved IoT Product” seal today.

The mobile apps in their current versions (Android 3.2.5 and iOS 3.1.35) still did not reveal any really noteworthy problems in the static source code analysis. The iOS app, which is by nature less susceptible to many classes of vulnerability anyway, gave no cause for criticism at all. The Android app only exhibits the minor configuration issues typical of practically every Android application out there, most of which are merely theoretical weaknesses. One example is intent receivers that could possibly be read by other apps on the same smartphone. However, these issues are rarely relevant in practice, and we saw no reason to assume a real vulnerability in the case of the Lupusec XT1+. Furthermore, the implementation in the security-relevant areas can be considered adequate and solid.

Local and online communication has also remained largely unchanged: in the local network, the user either accesses the control interface of the XT1+ directly via the browser or uses one of the mobile applications for this purpose. In both cases, the user communicates directly with the alarm system without taking a detour via the Internet, and the connection is adequately secured, so that the user is also protected against potential attackers in their own network. To provide the same access via the Internet when the user is away from home, a DynDNS service is used. This assigns the system a quasi-fixed Internet address that continues to point to the system even after its public IP address changes. The alarm system can then be accessed from anywhere via port forwarding in the user’s router. Of course, this access is also secured with a username and password prompt and an encrypted connection.

The iOS application recognizes an unknown certificate during a man-in-the-middle attack and correctly informs the user

In terms of data protection, the system has scored points for data minimisation since the first test, as it allows full use of the alarm system without the user having to enter any personal data. As far as integrated trackers are concerned, we could only identify Google Firebase Analytics in the test, which is included in nearly every app nowadays. The requirements for the privacy policy are therefore relatively straightforward: as long as the essential information about data collection, storage and sharing is included, there is not much that can go wrong here. However, there is always room for improvement in this respect. In principle, we only had formalities to note: the privacy policy linked in the app stores references the general privacy policy of Lupus-Electronics but does not explicitly address use of the app. The terms of use displayed when the app is first launched, however, do address the app as well. It would certainly be easier for the user if this information were also accessible via the links in the app stores, before downloading the app, but this is of course not a really critical point. Also in the interest of user-friendliness, a date of creation or last modification could be added, so that users always know whether they are up to date without having to periodically reread the privacy policy to track down possible changes.

Overall, the Lupusec system continues to meet all requirements for successful certification. Accordingly, we award our “Approved IoT Product” seal to the Lupus-Electronics XT1 Plus Starter Kit again this year, for the fifth time in a row! Congratulations and good luck for the next five years!