For the fourth time in a row, the “Homematic IP” system has passed the extensive tests required to obtain the AV-TEST certificate. Even in the first run of the certification tests, the product from the German manufacturer eQ-3 convinced our laboratory experts with high security standards and good data protection. The following test report explains what has changed compared to the previous year and why the solution still offers the security level that we have already certified several times.

Mobile Applications

The mobile applications in the tested versions 2.0.6 for Android (de.eq3.pscc.android) and 2.0.1 for iOS (de.eq3.pscc.HomematicIP) do not reveal any practical weaknesses in the static and dynamic analysis. There is only theoretical room for optimization: for example, ASLR (address space layout randomization) could be activated for two binary .so files of the Android version to further raise the already good security level, and the APIs in the iOS version could be optimized. In our opinion, however, these points pose no real, practical threat. Both app versions impress with high security standards.

Results of the binary analysis

Local and online communication

For the analysis of the IT security of Homematic IP access points and the associated applications, the hardware as well as the applications were, as usual, subjected to several scans and a dynamic examination. Here, too, the eQ-3 solution proved to be convincing: the scan of the Homematic IP access point showed no evidence of possible entry points, which is really only rarely the case. No misconfigurations, outdated protocol usages or system information leaks of any kind could be identified.

HTTP lookup at device start up

In the further analysis of the access point and app, only one point stood out, and only in principle: when the device is started, a lookup is performed to identify the server to be contacted. This lookup is performed via unencrypted HTTP, so theoretically it could be manipulated. However, the possibility that attackers could gain access to the device in this way can be ruled out. All in all, there is no reason for criticism in this area either.

Data privacy

Homematic IP has also always been exemplary in the sensitive area of data protection. This year, too, it seamlessly continues the results of previous years in the comprehensive privacy test: the system continues to operate in an extremely data-efficient way, requires no registration for use, and only collects and stores data that is necessary to guarantee functionality, which is exemplary. The accompanying data protection declaration provides all the important information on data collection, processing and storage, is formulated in an easily understandable way and can also be viewed at any time via the application.

Error page when trying to access the data privacy statement from app stores

In order to find anything at all to complain about, we would like to point out that the privacy statement was not accessible via the corresponding links in Playstore and Apple Store, as the links did not refer to a valid address at the time of testing. However, this small problem was solved by the manufacturer within a very short time.

Verdict

As in previous years, the “Homematic IP” system from eQ-3 passes the AV-TEST certification procedure with great composure and bravura. In all relevant areas, we can attest that the product has a well-thought-out security concept with correspondingly good implementation. Only a small number of flaws could be identified, and these are practically impossible to exploit.

All in all, another convincing performance in the fourth attempt and thus, also for the new year, the well-earned certificate “Approved Smart Home Product”.