ABUS – The popular German manufacturer of everything related to locking, securing, and protecting has been expanding its product portfolio in recent years to include more and more smart devices. Over the years, we have repeatedly tested some of these new products in our laboratory. Last year, ABUS expanded its ABUS One ecosystem to a total of 13 associated individual products and also to the integrability of seven cameras from its PPIC series. Six of these products were submitted to us for certification and, as always, we subjected them all to our rigorous testing procedure. This year, the ABUS One solution underwent its first recertification in order to continue to carry the “Approved IoT Product” seal.
Features
As already mentioned, the ONE product family consists of 16 individual devices and 7 cameras to date, all of which can be operated via a mobile application. As all 16 devices are controlled from the immediate vicinity via Bluetooth and offer no online functionality of their own that would allow remote access, the Bridge One serves this purpose: it handles local communication with the other Bluetooth devices and can itself be reached via the Internet from anywhere in the world.
The remaining 5 devices we received are the KeyGarage One, a small key safe that can be opened using a number combination or via Bluetooth; the Everox One, a smart U-lock; the Cylox One, a smart locking cylinder that can be unlocked and locked via Bluetooth without a key and is then turned manually; the Smart Lock Loxeris One, which, in typical smart lock fashion, also takes care of the actual turning for the user thanks to its integrated motor; and finally the Wintecto One, which performs a similar task for patio doors, turning them into a fully-fledged entrance door.

As already mentioned, all devices are accessed and controlled via a central mobile application for Android and iOS, the ABUS One App. As is now standard, it is used to configure settings, set up or reset devices, control remote access, and send access invitations.
Mobile application
As always, the mobile application in question is also the starting point for our security analysis of the ABUS ONE system. From our point of view, however, there is nothing really critical to report: the implementation of security-relevant functions looks absolutely solid, and in the first step our automated static analysis did not even find the kind of theoretical vulnerabilities worth mentioning that are normally always present.
Bluetooth communication in the app is handled by a protocol developed by ABUS itself, the implementation of which we naturally also took a very close look at, even though strong code obfuscation was actually intended to prevent this. The protocol, named xlock in the code, uses 128-bit AES encryption with session-dependent keys and salts, so that simple attacks such as replays can be ruled out. Authentication between the device and the app likewise reveals no obvious vulnerabilities.
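To illustrate why session-dependent keys and salts rule out replays, here is an added example that is not ABUS's xlock code and makes its own assumptions: a 128-bit AES-GCM session key is derived from a constructed pairing secret and a per-session salt via HMAC-SHA256, and a message counter is carried in the nonce. A command captured in one session does not verify in the next, and a repeat within a session is caught by the counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Long-term secret shared at pairing time (constructed sample value).
var pairingSecret = []byte("constructed-pairing-secret-demo!")

// Session holds the per-session AEAD and the last accepted message counter.
type Session struct {
	aead    cipher.AEAD
	lastCtr uint32
}

// NewSession derives a 128-bit key from the pairing secret and a fresh salt
// (HMAC-SHA256 truncated to 16 bytes; an assumed derivation, not xlock's).
func NewSession(salt []byte) *Session {
	mac := hmac.New(sha256.New, pairingSecret)
	mac.Write(salt)
	block, _ := aes.NewCipher(mac.Sum(nil)[:16]) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)              // AES block size: cannot fail
	return &Session{aead: aead}
}

// Seal encrypts a command under the session key; the counter fills the nonce.
func (s *Session) Seal(ctr uint32, cmd []byte) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], ctr)
	return append(nonce, s.aead.Seal(nil, nonce, cmd, nil)...)
}

// Open rejects in-session replays (stale counter) and other sessions' messages (bad tag).
func (s *Session) Open(msg []byte) ([]byte, error) {
	if len(msg) < 12 || binary.BigEndian.Uint32(msg[8:12]) <= s.lastCtr {
		return nil, errors.New("short message or replay within session")
	}
	pt, err := s.aead.Open(nil, msg[:12], msg[12:], nil)
	if err != nil {
		return nil, errors.New("not this session's key")
	}
	s.lastCtr = binary.BigEndian.Uint32(msg[8:12])
	return pt, nil
}
```

In a real device the salt must come from a random source on the lock side; the fixed salts here only serve to make the two sessions reproducible.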
And when it comes to other critical areas, such as device setup, password security or communication via the Internet, the analysis of the applications, both static and dynamic, did not reveal any significant problems – in our view, ABUS has done an absolutely solid job here.
Online and offline communication
Of course, the mobile application is an enormously important factor for the general security level of communication, but it is not the only one. The devices themselves, which also communicate via Bluetooth, the Bridge One, which can do both Bluetooth and TCP/IP, and the ABUS Cloud have to deliver here so that the chain doesn’t break at the weakest link. So we also took a close look at the communication between the app and Cloud, Cloud and Bridge One, as well as the Bluetooth devices themselves.
With regard to all communication via the Internet, we have already mentioned the app-side implementation, which does not present any significant points of criticism; the communication to and from the cloud observed in practice does not provide any further potential attack surface either. Authentication is carried out in the traditional manner using refresh and access tokens, which are requested via the user credentials.
There were a few minor anomalies and inconsistencies in the Bluetooth communication between the devices themselves, but as they all communicate via a near-identical protocol, the deviations were marginal. The potential issues we noticed were relatively easy for the manufacturer to rectify, which they did in no time at all. The attack scenarios that we always test as standard, such as replay attacks, also came to nothing. Overall, we can attest to an adequate level of security for all devices.
Data protection & privacy
As in all of our tests, data protection naturally also plays an important role when testing the ABUS ONE system. The privacy policy, which is available via the apps themselves and the app stores, provides everything that a good privacy policy should provide. The essential information on data collection, storage and transfer is included and explained in sufficient detail.
The two included Google trackers (Crashlytics and Firebase) are mentioned, and the user also has the option to explicitly object to the data collection and still use the app. However, even with data collection activated, the applications are quite data-efficient: no unnecessary or even excessive collection of user and usage data was observed.
Conclusion
Overall, the ABUS One system continues to be a successful addition to ABUS’s increasingly digitized, smart product portfolio. In terms of security, we only had minor issues to note in this year’s test, which the manufacturer gratefully acknowledged and immediately addressed. The security concept remains appropriate, and the solution does not have any serious shortcomings in terms of data protection. Accordingly, we are pleased to award our “Approved IoT Product” certificate to the ABUS ONE system for another year. Congratulations!