With the Hometec Pro, the security and locking technology specialist ABUS is launching its first smart lock “Made in Germany”. Commissioned to put it through our extensive AV-TEST certification tests, we took a close look at the new smart lock. In the following, we explain how well and how securely the relevant security areas were designed and implemented.
Application
As is to be expected of a smart door lock, the Hometec Pro comes with mobile apps for Android and iOS (version 3.1.5 was tested). As usual, we subjected both to static and dynamic analysis to assess how securely communication, control and administration are implemented in the apps.
Apart from a few minor points, there is actually not much to report here. The implementation of the online communication looks solid, the four included trackers are all standard Google trackers, and the few other issues we had to report are rather theoretical. For example, some of the bundled libraries were not built with the full set of common memory-protection hardening options (such as support for ASLR), and the android:allowBackup flag in the Android application’s manifest allows application data to be exported via the Android Debug Bridge. An attacker would, however, already need full access to the user’s smartphone (with USB debugging enabled) to exploit either of these. In the iOS application, we noticed that the ATS (App Transport Security) restrictions are disabled globally, which allows the app to communicate unencrypted, at least in theory. Although we did not see anything transmitted insecurely in practice, we still recommend enabling ATS: it is the easiest way to be on the safe side “by default”, and as far as we could observe there is no functional reason for the Hometec Pro app to allow unencrypted communication at all.
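Both findings can be caught by a simple static check over the app’s configuration files before release. The following is an added example, not AV-TEST’s tooling or code from the ABUS app: it parses an iOS Info.plist and an Android manifest and flags ATS being disabled and ADB backup being allowed. The four inputs are constructed samples (bundle and package names are placeholders), shown in their weak and corrected forms, and are not the Hometec Pro app files.

```python
"""Static checks for the two app-configuration findings above.

Added example, not AV-TEST's or ABUS's tooling: parses an iOS Info.plist and
an Android manifest and flags ATS being disabled and ADB backup being allowed.
All inputs are constructed samples, not the Hometec Pro app files.
"""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed Info.plist with the weak setting: ATS switched off for all hosts.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.lockapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Corrected: no NSAppTransportSecurity override at all, so ATS stays on and
# the system refuses plain http:// connections for the app.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.lockapp</string>
</dict>
</plist>
"""

# Constructed AndroidManifest.xml with the weak setting: app data exportable via adb backup.
WEAK_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockapp">
    <application android:label="LockApp" android:allowBackup="true"/>
</manifest>
"""

# Corrected: backups disabled explicitly. Leaving the attribute out is NOT
# enough, because Android defaults allowBackup to true.
HARDENED_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockapp">
    <application android:label="LockApp" android:allowBackup="false"/>
</manifest>
"""


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return ATS settings that let the app talk plain HTTP (globally or per host)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all hosts")
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(f"NSExceptionAllowsInsecureHTTPLoads=true for {host}")
    return findings


def backup_findings(manifest_bytes: bytes) -> list[str]:
    """Return manifest settings that expose app data through 'adb backup'."""
    app = ET.fromstring(manifest_bytes).find("application")
    # A missing attribute means "true" on Android, so treat absence as a finding too.
    allow_backup = app.get(ANDROID_NS + "allowBackup", "true") if app is not None else "true"
    if allow_backup.lower() == "true":
        return ["android:allowBackup is true or unset: app data exportable via adb backup"]
    return []


if __name__ == "__main__":
    checks = [("weak plist", ats_findings, WEAK_INFO_PLIST),
              ("hardened plist", ats_findings, HARDENED_INFO_PLIST),
              ("weak manifest", backup_findings, WEAK_MANIFEST),
              ("hardened manifest", backup_findings, HARDENED_MANIFEST)]
    for name, check, data in checks:
        print(f"{name}: {check(data) or 'no findings'}")
```

Two caveats for anyone adopting this: the ATS check only looks at the two keys that permit cleartext, so per-host exceptions that merely lower the TLS version are not reported, and the allowBackup finding matters most on older Android versions, since Android 12 and later no longer include app data in adb backup for apps targeting API 31 or higher unless they are debuggable.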
Local and online communication
Only one thing stood out about communication via the Internet: although it was never actively used during our tests, our scanners identified the outdated TLS version 1.0 as still being offered by the Hometec Pro Bridge. At least in theory, this leaves room for downgrade attacks, in which an active attacker on the network path forces a connection down to the old protocol version and then exploits its known weaknesses. During operation of the Hometec Pro, however, we saw no indication that a connection via TLS 1.0 was actually established, and a downgrade additionally requires the attacker to sit between the bridge and the backend. The simple fix is nevertheless to disable TLS 1.0 on the bridge entirely; a protocol version that is never used should not be offered. Beyond this, we found no other indications of potential weaknesses or vulnerabilities in the online communication.
The same applies to local communication, which the Hometec Pro system handles exclusively via Bluetooth LE. At first, our testers were surprised that it was possible to connect to the lock and enumerate its Bluetooth services and characteristics without authentication. A second look showed, however, that control of the lock and access to critical information are adequately protected. A potential attacker can establish a connection to the lock, but that is essentially all. Control and configuration run entirely over encrypted control commands, and even the commands we were able to intercept and record could not be reused in replay attacks. Our attempts to deny the smart lock to legitimate connection requests by flooding it with connection, write and read requests were also unsuccessful. All in all, we found no weak points here either.
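To make the replay result above concrete, here is an added illustrative model of why a recorded BLE command cannot simply be sent again. It is not ABUS’s protocol, which is not documented on this page; it uses a standard construction in which every command carries a strictly increasing counter and an HMAC over counter and command under a shared session key, and the lock rejects any counter it has already seen. The session key is a constructed placeholder assumed to come from pairing, and the payloads are authenticated but not encrypted here so that the replay check itself stays visible.

```python
"""Counter-based replay protection for BLE lock commands.

Added illustrative model, not ABUS's protocol. Frame layout (phone -> lock):
    counter (4 bytes, big-endian) || command || HMAC-SHA256(key, counter || command)
The lock verifies the tag first, then requires counter > last accepted counter.
Payloads are authenticated but not encrypted here; a real lock would also
encrypt them, which does not change the replay logic shown.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32
# Constructed 256-bit session key, assumed to have been established during pairing.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Phone side: frame the command with its counter and authentication tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Lock:
    """Lock side: verifies the tag, then enforces strictly increasing counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1      # no command accepted yet in this session
        self.state = "locked"

    def receive(self, frame: bytes) -> str:
        if len(frame) < 4 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:              # seen before: replay
            return "rejected: replay"
        command = body[4:]
        if command == b"UNLOCK":
            self.state = "unlocked"
        elif command == b"LOCK":
            self.state = "locked"
        else:
            return "rejected: unknown command"
        self.last_counter = counter                   # consume the counter only for valid commands
        return f"ok: {self.state}"


def demo() -> list[str]:
    """Legitimate traffic, then a verbatim replay, then a counter-tampered replay."""
    lock = Lock(SESSION_KEY)
    unlock = build_command(SESSION_KEY, 1, b"UNLOCK")
    results = [lock.receive(unlock)]                                   # ok: unlocked
    results.append(lock.receive(build_command(SESSION_KEY, 2, b"LOCK")))  # ok: locked
    # Attacker sniffed the first frame and resends it unchanged.
    results.append(lock.receive(unlock))                               # rejected: replay
    # Attacker bumps the counter to get past the replay check; the tag no longer matches.
    forged = struct.pack(">I", 3) + unlock[4:]
    results.append(lock.receive(forged))                               # rejected: bad tag
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The counter only works because it is bound into the tag: an attacker can see it but cannot change it without the key. Two points that a counter alone does not cover are worth knowing: the counter state belongs to one session key and must not be reset without rekeying, and an attacker who holds back a legitimate frame and delivers it later (a delay rather than a replay) is not stopped by this check, which is why real protocols often also bind commands to a lock-issued challenge or a timestamp.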
Privacy
Our testers had the most comments in this area. Above all, we missed essential information about the data that the Hometec Pro system might collect, process and store. Since, as mentioned above, the Android application includes Google trackers, we have to assume that these services collect data in some form. That alone is not a problem, but the privacy policy has to describe it in detail. The same applies to data that the smart lock itself can collect (such as usage statistics, logs, etc.). A fingerprint scanner is also available as an accessory for the lock; it could in principle collect biometric data and share it via the bridge and app. Even if this is not the case, as we suspect, the privacy policy should address the point explicitly. Users who are (nowadays rightly) suspicious in particular will appreciate the additional transparency. Apart from that, we noted only a few formal issues, more for the sake of completeness.
All in all, the new smart lock from ABUS convinced us at the first attempt. Even if there are still one or two points to improve in the privacy policy, the system is absolutely solid in terms of security and thus passes the AV-TEST certification process without any real problems. Accordingly, we gladly award our seal “Approved Smart Home Product”.