In this test, we will show, whether the slogan “Made in Germany” also means something with regard to Smart Home solutions and will analyse the security of the Bosch Smart Home Starter Kit.

App without vulnerabilities

The Android App does not seem to have obvious serious vulnerabilities. The missing obfuscation of security relevant functions and classes may ease reconstruction and/or modification by potential attackers, but this is not a vulnerability per se.

Critical data saved by the application on the internal smartphone storage is well encrypted using state of the art API calls to the Android KeyStore (and device specific key pairs).

The presented security features show a high level of communication security that require an enormous amount of criminal effort and energy to hack.

Secure local & online communication

The communication between App and Controller is completely TLS1.2 encrypted, independent if it’s used in the home network or on the road. At home, App and Controller communicate directly, only a few web requests can be detected. Online, *.bosch-smarthome.com servers are being contacted, which forward the commands to the Controller.

While remote access is established, the Cloud LED keeps flashing, so owners are able to see, when somebody accesses the Smart Home system from outside.

TLS encrypted traffic
TLS encrypted traffic

Third Party API Usage

We also took a look on third party integrations. Despite the announcement on the IFA 2016, we could not find any applets on IFTTT for the Bosch Smart Home System. However, we were able to connect it to our Philips Hue Bridge and observe the local traffic between the two devices. The Bosch gateway uses the official Hue API, therefore the communication relies on the unencrypted http protocol. This is not a security problem of the Bosch product but should rather be fixed by Philips. (As already mentioned in our Philips Hue test)

RF communication

The Controller communicates with the Smart Home components via a proprietary RF-band (868Mhz) and ZigBee (2,4Ghz), which is an international standard for home automation and other low-power needs. Except for the motion detector, all Smart Home components communicate with the 868Mhz band, using a proprietary protocol. The motion detector communicates with 2,4Ghz (ZigBee), which provides much higher bandwidth.

The ZigBee implementation of Bosch uses an advanced encryption technology with device specific link keys, which are being used for initial connection to the Controller, where individual encryption keys are being shared. Whilst other manufacturers use publicly available keys for the initial setup, the method of using device-specific encryption keys makes ZigBee a very secure wireless transmission protocol. Presumably, similar technologies are also used for the proprietary 868Mhz-protocol – these devices also have the individual device key printed on it.

Privacy

The privacy policy of the Bosch Smart Home App is tailored to their services and can be easily understood by 18- to 19-year-olds (Flesch Kincaid Reading Ease). Thematic areas are clearly defined, also the collected data and the collection purpose. Smart Home System data is only being exchanged with Bosch’s update and time servers. Also, this data is being used for statistical analysis purposes.

Smart Home System data consists of Username, attached accessories, Controller specifications, serial number and software versions of individual components. Additional data is only being recorded in case of support. The privacy policy left only three little points, where Bosch should improve. The privacy policy is correctly linked into the Google Play Store, but not in the Apple App Store. The Android App itself only links to the German version of the Privacy statement (presumably because the products aren’t available outside of Germany and Austria), and contains the last date of change (11.04.2017).

The Android App permissions are limited to the necessary scope:

  • Camera (Recording of QR codes for initial setup of the products)
  • Wi-Fi (Communication with the Controller)
Android App permissions
Android App permissions

Conclusion

The Bosch Smart Home Set left an overall very good impression on us. The communication between the devices is well secured and needs considerable effort to be attacked. The physical interaction with the controller (e.g. when adding a new sensor to the controller) is also a good additional security layer. We were also pleased to see that Bosch’s Privacy Policy is a very detailed and privacy-friendly one.

The Smart Home Starter Kit earns three of three stars in our security quick check.

In addition, the Bosch Starter Kit successfully passed the extensive certification tests of our IoT experts and is awarded by AV-TEST as a secure Smart Home product.