Hardly any other product category in the Internet of Things makes the need for adequate security as obvious to everyone as smart locks – the direct consequence of neglected security and an exploitable vulnerability can jeopardize your own property and private security. So it’s no wonder that customers take a close look before making a purchase decision.

In the past, we have repeatedly tested products from this category and will continue to do so in the future. The majority of the most popular products in the “Smart Locks” category have also been awarded our certificate, giving customers the chance to recognize secure products directly from the label on the packaging.

In the following overview, we list all the products that we have already tested and will also carry out regular updates to include newly tested products, remove outdated tests or add new findings to products that have already been tested. We are also planning further product overviews for other relevant product categories.

Certified!

As already mentioned, over the years we have awarded our certificate to some of the most important representatives in the Smart Locks category for passing our extensive security tests. In terms of security, all of them are absolutely worthy guardians of your own front door. There are also no major differences in terms of data protection. And where there were any, they were generally rectified within a few weeks as a result of our test.

While some of the products have now reached the end of their life cycle or have simply not been recertified, the following representatives are currently still certified (with the date of the last test):

Netatmo

The latest new certification entry in the Smart Locks category is the product from French manufacturer Netatmo. With the Smart Door Lock and Keys combination, Netatmo presented its vision for a secure and interference-resistant smart locking system last year. As we were able to witness for ourselves, security was a top priority during development from the very beginning and ultimately culminated in an absolutely solidly secured Smart Lock, which provided no evidence of potential weak points in the test. We were also able to award top marks in the area of data protection: The privacy policy informs the user in an exemplary manner and data collection can also be objected too, simply and easily via the system itself.

In contrast to all the other Smart Locks we have tested so far, the Netatmo solution takes a slightly different approach to operation. Whereas virtually all competitors rely on motor-controlled operation of the locking cylinder, the Netatmo solution always has to be operated manually. The system therefore does not close and open the door directly, but merely releases or blocks the opening. This certainly only has advantages in terms of susceptibility to faults, but it could be an important factor for some interested customers. The fact that, in addition to classic control via a mobile application, the system can also be operated more or less like a normal lock using the smart keys supplied, which can be programmed and unprogrammed as required, is probably just as interesting.

Nuki

Nuki Smart Locks have been undergoing our annual certification test since the first version was released in 2017. Right from the start, we were able to observe the focus on security and data protection and certify this with our certificate. In the following years, the new, more advanced versions 2.0, 3.0 and, most recently, version 4.0 with Matter support were added, which also passed our certification process without any problems. In addition, the integrated version in the form of the Smart Door and the Opener peripheral product (not listed in the table) have also been awarded the “Approved IoT Product” rating.

Overall, the Nuki ecosystem is probably one of the most mature and widespread solutions in the smart lock sector, which is still reflected in the high level of customer popularity. The already high level of security and the continuous improvement and expansion of the products and product range also promise a high level of security for years to come.

tedee

Last year, the smart door lock from Polish manufacturer tedee was also certified for the third time, together with the tedee bridge required for remote control and the GO product variant, which is identical to the tedee lock in terms of security. From the very first test, the comparatively small smart lock impressed not only with its stylish, slim design, but also with its absolutely solid security concept. As with all other certified Smart Locks, communication via the Internet and local communication via Bluetooth is, of course, fully protected against the most common attacks. Even the mobile application is additionally protected against manipulation of the source code and, by implementing suitable integrity checks, prevents an attacker with access to the user’s smartphone from installing a modified version. In practice, this is certainly not a scenario that occurs all too frequently and the tedee app does not offer 100% protection against manipulation (we bypassed the signature checks in the test), but the fact that thought was given to this at all shows the dedication to security.

ABUS

As part of the new, digitalized ABUS One product range, the popular German manufacturer now has a new smart lock in its product portfolio, which we tested and certified in June 2024 – the Loxeris One.
This is a classic smart lock that can basically do everything you would expect in this product category. As usual, the Smart Lock is mounted on a conventional locking cylinder, which is motorized via an inserted key. As already mentioned, no special cylinder is required here, only the key used must be cut to the correct length before use.

Once the Smart Lock has been installed, it is configured, calibrated and controlled via a mobile application for Android and iOS, as usual. When used standalone, this control takes place exclusively via Bluetooth directly between the app and the device. If the user also values remote control via the Internet, Bridge One is also required, which enables and implements remote access to all devices in the ABUS One ecosystem.

In terms of security, there were no problems worth mentioning in the certification test: The mobile applications, and above all the security-relevant parts of these, are designed and implemented absolutely adequately. The particularly critical Bluetooth communication, which in the case of the ABUS One devices runs via a protocol specially developed by ABUS, provided no evidence of serious problems in the test and after a detailed review. Here, ABUS relies on strong authentication together with AES 128-bit encryption and thus adequately secures local communication. Communication via the Internet, between the bridge and the cloud and between the app and the cloud, also showed no reason for serious criticism in the test – here too, the security level can be classified as high.

When it comes to data protection, the ABUS solution leaves nothing to be desired. The privacy policy, which is available via the apps themselves and the app stores, provides everything that a good privacy policy should provide. The essential information on data collection, storage and sharing is included and explained in sufficient detail. The two Google trackers included (CrashLytics and Firebase) are mentioned and the user has the option to explicitly object to data collection and still use the app. However, even with data collection activated, the applications are quite data-efficient – no unnecessary or even excessive collection of user and usage data was observed.

The Contenders

As in virtually all popular Internet of Things product categories, new products are constantly coming onto the market in the smart lock sector, competing with the established giants. However, there are also products that have been on the market for a long time and enjoy great popularity but have not yet been examined in detail by us. We make our selection here largely on the basis of the general popularity of the products, i.e. based on sales figures and customer reviews, for example. Testing is carried out in our Quick Check format, which always provides a solid initial assessment of the level of security and data protection.

This section will also be updated and expanded as soon as new products have been subjected to our tests. The following table lists all tested products with test result and test date.

Homematic IP Door Lock Drive

Like the other competitors, the door lock drive for eQ-3 Homematic IP system also offers a convenient way to control a door lock remotely. This also requires a Homematic IP Access Point (HAP) or a central control unit (CCU). The central control unit can then be used to call up a WebUI to control the Homematic IP devices. In this case, we used the access point for our Quick Check. It is important to note that the Homematic IP door lock drive requires a cloud connection in order to be able to operate the device even in close proximity – operation via short-range radio such as Bluetooth or NFC is not possible with the Homematic IP device. This certainly has disadvantages for operation and availability, but of course it also reduces the attack surface in terms of security.

Opening request

The eQ-3 device is also quite solid – we did not find any explicit weak points during our Quick Check, but we do have a few comments. For example, we have to criticize the Homematic IP app, which can be installed on outdated devices and Android versions down to version 6.0 of the Google OS. As we have mentioned before, we would definitely avoid this for security-critical applications.

Another note concerns the “Cleartext Traffic” setting, which basically allows the application to carry out unencrypted communication via HTTP instead of HTTPS. Although we were unable to detect any unencrypted communication in the test, we would also recommend changing the configuration here so that unencrypted communication is prevented from the system side.

Everything looks quite solid in terms of communication. We would only recommend integrating a time component into the communication for requests to the cloud in order to increase security and ensure increased robustness against replay attacks. Currently, only the AUTHTOKEN, PIN (if specified by the user), DeviceID and State parameters are taken into account.

With regard to data protection and the privacy policy, there are also only minor points to note: Overall, the information content of the declaration is absolutely sufficient and all important information on data collection, processing and sharing is included. Compared to the other two candidate Smart Locks, the very modest use of trackers is particularly positive. Only one single tracker can be reliably identified in the Homematic IP application: Google Firebase Analytics. According to our dynamic analysis, this is only active sporadically and is also correctly mentioned in the privacy policy. Furthermore, the eQ-3 solution is the only one of the three Smart Locks in Quick Check format that provides a German privacy policy directly in the Google Play Store. For products that are sold on the German market, this should of course be the minimum standard.

Summary Privacy Policy Homematic IP

Last but not least, a few general points for an overview: The privacy policy comprises 2,056 words with an average of 19.77 words per sentence. It takes the user around 3.3 minutes to read the entire privacy policy. The privacy policy in the Google Play Store is displayed in German. The Flesch-Kincaid readability index was used to assess readability, which in our example indicates that a degree is required to understand the privacy policy.

Overall, the eQ-3 solution can therefore also be regarded as absolutely adequately secured. Here and there, the level of security could certainly be improved, especially in comparison to the top representatives of the “Smart Locks” product category, in order to rigorously eliminate even theoretical weak points. In terms of data protection, however, the solution is already exemplary and is rated 2 out of 3 stars according to our Quick Check format.

Lockin G30 Smart Lock

The G30 Smart Lock from Lockin is one of the relatively new representatives at the start – a classic smart lock that can control the door lock via Bluetooth and, with the included bridge, also via Wi-Fi. Operation directly in the immediate vicinity of the device and remote control of the door lock are therefore also possible with the G30, as usual. However, unlike the Nuki products, for example, an account is required to use the associated mobile application with the Lockin G30. From a security point of view, the applications look okay, but from a configuration point of view, we only noticed that the automatic update for the bridge is deactivated by default. It is really questionable why such an essential function is deactivated by default. The user should definitely activate the auto-update function here in order to benefit from security updates as quickly as possible.

Speaking of mobile apps: In our tests, it is relatively often necessary to make changes to the application code itself. There can be several reasons for this. For example, we may incorporate logging in order to understand certain functions more quickly or to be able to trace entire process chains more easily. We also repeatedly come across applications that try to prevent the app code from being manipulated. The tedee app is a previously mentioned example. However, the Lockin application tried to make life particularly difficult for us here. Not only were functions implemented here that were intended to prevent manipulation and dynamic analysis of the application, but there were also functions that only appeared to serve this purpose but were never actually called. These are either development relics or deliberate attempts to create false trails – we rarely see this in commercial products.

Apart from this, however, some functions are also implemented that actually serve to prevent manipulation and analysis, including reverse hooks that aim to detect dynamic analysis tools such as Frida, Xposed or Saurik (see following code snippet), key hash checks to ensure file integrity, detection of root access on rooted Android devices or emulator detection to determine if the app is running in a virtualized environment.

Of course, you can hardly accuse a developer of implementing too much security, but this unconditional prevention of analysis is suspicious, as it often indicates that an attempt is being made to conceal potentially inadequate security by preventing analysis – security by obscurity, so to speak. Apart from that, the whole thing is not particularly useful on Android – of course we were still able to carry out our analysis, although admittedly it was more complicated than usual.

Opening request
Opening response
Response reporting failed opening attempt after 3 successful opening via replay

During the dynamic analysis of the app, we noticed that opening via the app offers the option of repeating the same opening request several times in a replay. In the test, it was possible to replay the same request twice within a period of at least 10 minutes and thus successfully open the lock. When the request is sent for the fourth time, it is finally recognized as outdated. Improvements should definitely be made here. This potential vulnerability also seems particularly unnecessary, as a time component is already transmitted with the opening request anyway, but is apparently not checked. On a positive note, every opening (including those carried out via replay) is logged in the viewable log, allowing complete traceability.

As far as communication via Bluetooth is concerned, we were unable to identify any obvious weak points, at least during the Quick Check, even if there are indications of at least potential weak points. For example, the lock can only be operated via Bluetooth when there is an active connection to the Internet. With solid and secure Bluetooth communication, this should not really be necessary. We may investigate this further at a later date.

An additional note regarding the app is that it can be installed from Android version 6. We can of course understand that developers want to support as wide a range of devices as possible, but for a security-critical application we would advise against supporting such old versions. Android version 6, for example, has not received any security updates since 2018 and contains a number of critical vulnerabilities which, in the worst-case scenario, could also affect the installed applications.

Of course, we have also checked Lockin’s privacy policy. It contains most of the important information. During the analysis, however, we found two trackers in the code: Google Firebase Analytics and Pangle. These are not mentioned in any way in the privacy policy. Our dynamic analysis could not prove any clear activity of the trackers either, but it can be safely assumed that this takes place at least occasionally and then this should also be mentioned accordingly in the privacy policy. It should also be noted that for requests outside China, such as in the EU, a period of up to 30 days is granted for a response – customer patience needed here.

Summary Privacy Policy Lockin

Last but not least, a few general points for an overview: The privacy policy comprises 3,263 words with an average of 29.4 words per sentence. It takes the user around 4.41 minutes to read the entire privacy policy. The privacy policy in the Google Play Store is displayed in English. The Flesch-Kincaid readability index was used to evaluate readability, which in our example indicates that a degree is required to understand the privacy policy.

Overall, the Lockin G30 is rated with 2 out of 3 possible stars according to our Quick Check format: In principle, the solution is quite solid, but there are cutbacks here and there when it comes to implementation and the privacy policy.

Yale Linus L2

Like all other solutions, the Linus Smart Lock from Yale promises simple and secure remote control of the door lock. Thanks to the cooperation with BOSCH, uncomplicated integration into the German manufacturer’s smart home and operation via the BOSCH applications is also possible without any problems. Without the appropriate hardware, the lock can either be operated via Bluetooth only or the additional Yale Connect Wi-Fi Bridge can be used, which then also offers use as a completely independent solution with its own mobile application and makes it accessible from anywhere via the Internet. However, an account is also required for this. It is also worth noting that two-factor authentication (via SMS and email) is available, which can further increase the level of security here if desired.

Opening request

Our Quick Check revealed that it is a solid product. The only note from the static analysis is that the app can be installed for Android versions 6.0 and higher – as already mentioned, these old Android versions no longer receive security updates and should therefore no longer be used for security-critical applications, even if this means that the system can no longer be operated with older smartphones.

The communication itself is absolutely adequately secured. Messages are protected against manipulation and unauthorized access using AES encryption. A secret remoteOperateSecret is used for this purpose and the transmission time is also encrypted so that replay attacks can also be effectively prevented here.

Here too, we have taken a closer look at the privacy policy. Almost all the required information points of a privacy policy are covered. However, the trackers found in both the static and dynamic analysis are an exception. These were not mentioned in the privacy policy. These are two widely used trackers called Google CrashLytics, which reports crashes, and Google Firebase Analytics, which generates other reports. Nevertheless, they should definitely be mentioned in the privacy policy.

Summary Privacy Policy Yale

Last but not least, a few general points for an overview: The privacy policy comprises 2,434 words with an average of 27.35 words per sentence. It takes the user around 2.96 minutes to read the entire privacy policy. The privacy policy in the Google Play Store is displayed in English. The Flesch-Kincaid readability index was used to assess readability, which in our example indicates that a degree is required to understand the privacy policy.

The successor model Yale Linus Smart Lock L2 offers improved performance and an integrated WLAN module. Although Wi-Fi integration improves connectivity, it is crucial to ensure that robust security measures are implemented to prevent potential cyberattacks. However, in testing, we also found no evidence of potentially serious issues in this area.

Overall, the Yale Linus L2 presents itself as an absolutely solid solution in its test debut. Of course, the test depth in our Quick Check is still on the shallower side, so problems could still occur here on closer inspection. For now, however, there are no signs of this. The solution is also solid in terms of data protection and privacy. A rating of the full 3 out of 3 stars is therefore absolutely justified here.

Burg-Wächter secuENTRY active 7700

The secuENTRY active 7700 motor lock offers a convenient way to remotely control a door lock, similar to competitor products. In its basic configuration, the door can be easily opened via Bluetooth. The optional sE-Bridge 5670 allows remote operation of the lock. For our quick check, we tested the lock both with and without the bridge. Setting it up was straightforward but required providing a name and email address, even for offline use.

Additionally, the lock can be used in various ways: via PIN code (ENTRY 7711 PIN), with a wireless key (ENTRY sE-Key 7713), or using a fingerprint keyboard (ENTRY 7712 FP)—all options operate via Bluetooth.

The overall setup process was relatively smooth, though there were some peculiarities. Notably, the side panels of the bridge were swapped, which initially prevented the power cable from being connected. This issue was resolved by removing the anti-slip feet and loosening four screws to correctly position the side panels. However, this could confuse less tech-savvy users.

Correctly Assembled Side Panels (with Charging Port)
Correctly Assembled Side Panels (with Charging Port)
Incorrectly Assembled Side Panels (Charging Port Inaccessible)
Incorrectly Assembled Side Panels (Charging Port Inaccessible)

Another point worth mentioning is related to password changes: while entering the password, it is obscured as expected, but once the process is complete, the new password is displayed in plain text. This inconsistency raises concerns about privacy and security.

It’s also important to note that using the bridge for remote connection only allows the lock to be opened, not locked again remotely. Locking the door requires a direct Bluetooth connection. The reason for this limitation is unclear.

Password Displayed in Plain Text
Password Displayed in Plain Text
Notification: Remote Connection Only Allows Unlocking
Notification: Remote Connection Only Allows Unlocking

One observation regarding the bridge is that its manual only describes firmware updates via the “KeyApp,” which was replaced in 2022 by the “BURGsmart” app. We could not follow the described steps in the current app, nor does the app indicate the bridge’s firmware version. This leaves users uncertain whether an update is necessary or already performed. It remains unclear if updates are even possible without further clarification.

The secuENTRY active device leaves a solid first impression security wise—our quick check did not reveal any obvious vulnerabilities. However, there are areas for improvement. A notable concern is that the app can be installed on outdated devices and Android versions as old as 9.0, which we find problematic for security-critical applications and strongly advise against.

Firmware Update Manual
Firmware Update Manual

The communication processes initially seem well-implemented. All requests are sent to the same endpoint “api.json” on a Tuya server. Tuya, a Chinese manufacturer, is a known supplier of hard- and software for several well-known German IoT brands. Communication appears secure: each message is verified for integrity, authenticity, and validity using a signature value and timestamp. Additionally, transmitted data is encrypted with AES on top of the TLS layer.

Communication Overview (Login, Logout, Lock Operations)
Communication Overview (Login, Logout, Lock Operations)

A theoretical issue was observed during a server scan of “m2.tuyaeu.com,” which the bridge uses. The server supports outdated TLS versions 1.0 and 1.1, which have known cryptographic weaknesses. While we observed only TLS 1.2 traffic during testing, disabling TLS 1.0 and 1.1 would eliminate potential downgrade attacks and enhance communication security.

Server Vulnerabilities
Server Vulnerabilities

 

The privacy policy is thorough and provides comprehensive, understandable details about data collection, processing, and sharing. A potential improvement would be to include how users are informed of updates to the privacy policy and whether they would be notified in case of a data breach. Additionally, the privacy policy is not tailored specifically for app use with IoT devices but includes irrelevant sections, such as “Applications (Training & Job Offers).” With a reading time exceeding 10 minutes, it might deter some users. On a positive note, the policy is available in German on the Play Store, which is a welcome standard for products marketed in Germany.

Overview of Trackers
Overview of Trackers

Only two standard trackers are used—Google Crashlytics and Google Firebase Analytics. However, these trackers are active and transmitting data before the user consents to the privacy policy.

Data Transmission Prior to Privacy Consent
Data Transmission Prior to Privacy Consent
Privacy Policy Overview
Privacy Policy Overview

The privacy policy comprises 6,580 words with an average sentence length of 17.98 words. Reading the entire policy would take approximately 10.95 minutes. Notably, the privacy policy is displayed in German on the Google Play Store, which is a positive aspect for German users. The readability assessment using the Flesch-Kincaid Readability Index indicates that understanding the privacy policy would require at least a university-level education. This highlights the complexity of the document, which might pose a challenge for the average user.

Overall, the Burg-Wächter lock solution is adequately secured. Our quick check did not reveal any glaring weaknesses that could pose significant risks to users. However, minor inconsistencies, such as the inability to verify the bridge firmware version and the app’s compatibility with outdated devices, detract from the experience. In terms of privacy, the solution is nearly exemplary. We rate the secuENTRY active 7700 system 2 out of 3 stars.