In our labs for recertification for the 7th time: the Smart Home System from BOSCH. To mark the occasion, BOSCH provided us with the new, slimmer Smart Home Controller II this year. Together with the latest app versions, it underwent our usual tests and performed in just as exemplary a fashion as its predecessor. The following short test report explains whether anything else has changed and, if so, what.

In the area of mobile applications for the BOSCH Smart Home System, previous tests only ever turned up marginal points, and the versions examined this year (Android v10.16.2986 and iOS v10.16.1) also gave us no cause for serious criticism: security-relevant functions, such as communication encryption, are adequately implemented and show no obvious weak points. Purely static analysis also reveals nothing suspicious from a data protection perspective. Only three standard Google trackers can be identified (Firebase, Analytics, Tag Manager), which in principle are included in every Android application these days, and neither the requested permissions nor the observable communication suggest any unnecessary or even excessive data collection. New in the iOS application is the integration of a tracker from Qualtrics, the use of which is explained in detail in the privacy policy.

Integrated Android (top) and iOS (bottom) trackers

The Smart Home Controller II itself (firmware v10.17.3151-29317) was again subjected to all scans and vulnerability analyses in the test and, as with its predecessor, no serious problems were identified. Version 2 of the system still offers only a small attack surface, meaning that the risk of a vulnerability being exploited in practice appears to be very low.

Tested device and firmware version

As usual for certification, we also looked at all incoming and outgoing communication of the applications and the device itself in order to search for possible implementation or configuration errors in this area that could lead to a vulnerability. We also ran various types of replay, spoofing and man-in-the-middle attacks against the BOSCH Smart Home System, but were unable to find any evidence of a potential problem.

Unsuccessful man-in-the-middle attacks on the communication of the app (bottom) and the smart home controller (top)

The BOSCH solution has always been exemplary in the area of data protection in previous tests and nothing major has changed this year either. The privacy policy is still very detailed and easy to understand. The user is informed in detail about all the implications of using the system – but in the case of the BOSCH solution, these are quite clear anyway, as the system is very data-efficient.

All in all, even with the new Smart Home Controller II, the BOSCH Smart Home System gives us no cause for serious criticism this year. The solution is still at a high level in terms of security and therefore still fully deserves the “Approved IoT Product” certificate. Congratulations and on to the next 7 years!