The trend towards smart home products has touched the insurance companies. But in Germany the giants of the industry are still struggling to knit special tariffs around IoT services and devices. But some progress has already been made in this area. One of them comes from a real giant of the insurance industry, Allianz. The insurer uses the hardware and IoT-services of another industry giant: Panasonic. The child of both is the Allianz tariff called Allianz Assist, an insurance warrant against burglary, water damage and lockout which is coupled to Panasonic hardware. How secure the Panasonic Starter Kit KX-HN601 offered with Allianz Assist is, was found out in the Quick Test by the experts of our IoT labs.
Initial setup
During the initial setup of the hub, the user has to set a secure password, which is being used for registration of new smartphones. After a phone is successfully paired, no further setup is required to gain remote access. Unfortunately, it’s not possible to set a strong password with special characters. Only letters and numbers are supported. When trying it anyway, the following message pops up.
Communication between Smartphone and Hub
Remote access to the Panasonic Hub is possible without any registration at Panasonic or other services. The communication between phone and Hub is encrypted with TLS1.2 both at home and abroad. While testing no unencrypted traffic could be detected. For the remote access, several Panasonic servers are being accessed which act as a kind of communication relay. They seem to forward the remote commands from the app to the Panasonic hub and vice versa. To prevent Man-in-the-Middle attacks the Android App as well as the hub utilize certificate pinning against a self-signed certificate from Panasonic.
The available firmware update was transferred via TLS1.2 as well. Because it wasn’t downloadable over separate channels, we did not analyze the firmware file.
Android App
Panasonic offers the Android app “Panasonic Home Network” to control and manage the installed smart home system. The app code is not obfuscated, so attackers may gain access to sensitive code parts very easily. When the app is switched to debug-mode, it shows the SIP (Session Initiation Protocol) credentials, which are used for making phone calls via the hub.
The password saved during the initial setup, will be stored plaintext in a SQLite database in the app’s data folder. It’s not accessible for other apps on a normal phone. On a rooted Android phone however, other apps might be able to read the password. Because pairing of additional phones with the hub requires a local connection and physical access to the hub, we don’t consider this as a large problem.
Privacy
The privacy policy of Panasonic is only applicable to their website. It should be easily understood by 15-16-year-olds (Flesch Kincaid Reading Ease) and is only available in English.
Many generic formulations made us think that it’s not tailored to Panasonic rather than just copy & paste. E.g. “the company” is used in nearly every sentence, but we miss a definition, that Panasonic is meant with this phrase.
No contact address for privacy concerns is mentioned. No storage time for collected data is mentioned; the last modification date is missing as well. It is nowhere to be found, which data is recorded (and for what purpose). Although there is mentioned that data of the last point will be shown on the corresponding input fields. Because it is only intended for the website, no privacy policy exists for Panasonic’s products itself or we were not able to easily find it. This means that data protection does not meet the minimum requirements of the Quick-Test of the AV-TEST Institute and misses a positive assessment in this test point.
The Android app grants itself a bunch of permissions. Some shouldn’t be necessary for its function:
- Device & app history (Data about installed and running apps can be collected)
- Identity (Information about the Google account for unknown purpose)
- Contacts (For the phone feature)
- Phone (For the phone feature)
- Photos/Media/Files (For Screenshots of webcams etc.)
- Camera (Unknown purpose)
- Microphone (For the phone feature)
- Wi-Fi (Establish connections to devices for initial setup)
- Bluetooth (Establish connections to devices for initial setup)
- Device ID & call information (For the phone feature)
Conclusion
Panasonic made a good job with their security implementations. Data is always transmitted encrypted. Whether or not user data is secure on Panasonic’s servers wasn’t part of this test, but due to the fact of the non-existing privacy policy it might be one topic of a certification test. In this Quick-Check Panasonic’s Starter Kit KX-HN601 passes with 2 of 3 Stars. There were no easily detectable security gaps, but due to the insufficient privacy policy, unfortunately a better rating is not possible. Panasonic should quickly improve on this point. And an insurer like the Allianz should keep an eye on it.
Pingback: Unsecure surveillance: Pearl’s IP-Cam 7Links IPC-720.HD – AV-TEST Internet of Things Security Testing Blog
I think you need to rested with a wider network capturing tool. I have found about a dozen ports that need to be open for incoming as well as outgoing traffic. Some of the ports use MS fileserver protocols that are designed for LAN use only, but Panasonic send them over the web. Further you must be on the same network as the hub when you are at home, so you cannot isolate your security device from your general home network. Not very secure.
You are right, our latest tests have shown the same problems. The old test, from 2017, didn’t reveal those problems though. See https://www.av-test.org/en/news/being-secure-rather-than-just-feeling-secure-13-security-starter-kits-put-to-the-test/ for an updated test.