ABUS – The popular German manufacturer of everything to do with locking, protecting and security has been expanding its product portfolio in recent years to include more and more smart devices. Over the years, we have repeatedly had some of these new products in our lab – most recently the ABUS Comfion alarm system, which was awarded our certificate in February of this year. Now ABUS has expanded its ABUS One ecosystem to 13 devices and sent us 6 of these for certification. As always, we have subjected everything to our strict test procedure.
Features
As already mentioned, the ONE product family consists of 13 individual devices to date, all of which can be operated via a mobile application. Within Bluetooth range, each device is controlled directly over Bluetooth; none of them offers online functionality of its own that would allow remote access. The Bridge One fills this gap: it handles local Bluetooth communication with the other devices and can itself be reached over the Internet from anywhere in the world.
The remaining 5 devices we received are the KeyGarage One, a small key safe that can be opened using a numeric combination or Bluetooth; the Everox One, a smart U-lock; the Cylox One, a smart locking cylinder that can be locked and unlocked via Bluetooth without a key and is then turned manually; the Smart Lock Loxeris One, which, in typical smart lock fashion, also takes care of the actual turning for the user thanks to its integrated motor; and finally the Wintecto One, which performs a similar task for patio doors, turning them into fully-fledged entrance doors.
As already mentioned, all devices are accessed and controlled via a central mobile application for Android and iOS – the ABUS One App. As is now standard, it can be used to make settings, setup or reset devices, control remote access or send access invitations.
Mobile application
As always, the mobile application is the starting point for our security analysis of the ABUS ONE system. From our point of view, however, there is nothing really critical to report: the implementation of security-relevant functions looks absolutely solid, and our automated static analysis did not even turn up the theoretical weaknesses that such a first pass normally always finds.
Bluetooth communication in the app is handled by a protocol developed by ABUS itself, whose implementation we naturally also examined very closely, even though strong code obfuscation was clearly intended to prevent exactly that. The protocol, named xlock in the code, uses 128-bit AES encryption with session-dependent keys and salts, so that simple attacks such as replay attacks can be ruled out. Authentication between device and app likewise reveals no obvious vulnerabilities.
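To illustrate why session-dependent keys and per-frame freshness defeat replay, here is an added example that is not ABUS code and does not reproduce the xlock protocol: a simplified Bluetooth-style frame protocol in Go using AES-128-GCM. The pairing secret, nonce sizes, the HMAC-SHA256 key derivation, the counter-as-nonce scheme and the frame format are all assumptions chosen for the demonstration. A frame captured in one session fails authentication in the next session because the key has changed, and re-sending it within the same session fails the counter check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed pairing secret for the demo; a real device would use the secret
// established at setup, never a hard-coded value.
var pairingSecret = []byte("demo-pairing-secret-32-bytes----")

var (
	ErrReplay = errors.New("replayed or out-of-order frame")
	ErrAuth   = errors.New("authentication failed: wrong session key or tampered frame")
)

// deriveSessionKey mixes the pairing secret with both sides' fresh nonces so
// every session gets its own AES-128 key. HMAC-SHA256 truncated to 16 bytes
// stands in for a full KDF here (assumption, not the manufacturer's scheme).
func deriveSessionKey(secret, appNonce, devNonce []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte("xlock-demo-session"))
	mac.Write(appNonce)
	mac.Write(devNonce)
	return mac.Sum(nil)[:16]
}

// Message is one frame: a strictly increasing counter that doubles as the GCM
// nonce, plus ciphertext with its authentication tag.
type Message struct {
	Counter uint32
	Sealed  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor places the counter in the last 4 bytes of a 12-byte GCM nonce.
func nonceFor(counter uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[8:], counter)
	return n
}

// Sender encrypts commands under the session key with an increasing counter.
type Sender struct {
	aead    cipher.AEAD
	counter uint32
}

func NewSender(key []byte) (*Sender, error) {
	aead, err := newGCM(key)
	return &Sender{aead: aead}, err
}

func (s *Sender) Seal(plaintext []byte) Message {
	s.counter++
	return Message{Counter: s.counter, Sealed: s.aead.Seal(nil, nonceFor(s.counter), plaintext, nil)}
}

// Receiver accepts a frame only if its counter is newer than the last accepted
// one and it authenticates under the current session key.
type Receiver struct {
	aead        cipher.AEAD
	lastCounter uint32
}

func NewReceiver(key []byte) (*Receiver, error) {
	aead, err := newGCM(key)
	return &Receiver{aead: aead}, err
}

func (r *Receiver) Open(m Message) ([]byte, error) {
	if m.Counter <= r.lastCounter {
		return nil, ErrReplay
	}
	pt, err := r.aead.Open(nil, nonceFor(m.Counter), m.Sealed, nil)
	if err != nil {
		return nil, ErrAuth
	}
	r.lastCounter = m.Counter
	return pt, nil
}

func randomNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Demo runs two sessions and reports whether the first delivery is accepted,
// a re-sent copy in the same session is rejected, and the same frame is
// rejected in a later session with a different key.
func Demo() (accepted, replayRejected, crossSessionRejected bool) {
	key1 := deriveSessionKey(pairingSecret, randomNonce(), randomNonce())
	tx1, _ := NewSender(key1)
	rx1, _ := NewReceiver(key1)
	frame := tx1.Seal([]byte("UNLOCK"))
	pt, err := rx1.Open(frame)
	accepted = err == nil && string(pt) == "UNLOCK"
	_, err = rx1.Open(frame) // identical frame delivered a second time
	replayRejected = errors.Is(err, ErrReplay)

	key2 := deriveSessionKey(pairingSecret, randomNonce(), randomNonce())
	rx2, _ := NewReceiver(key2)
	_, err = rx2.Open(frame) // counter 1 looks fresh here, but the key differs
	crossSessionRejected = errors.Is(err, ErrAuth)
	return
}

func main() {
	a, r, c := Demo()
	fmt.Printf("accepted=%v replayRejected=%v crossSessionRejected=%v\n", a, r, c)
}
```

The point of the two nonces is that neither side alone controls the session key, so an old frame is useless once a new session begins, and the counter inside the authenticated nonce means a frame cannot be accepted twice within a session either.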
And when it comes to other critical areas, such as device setup, password security or communication via the Internet, the analysis of the applications, both static and dynamic, did not reveal any significant problems – in our view, ABUS has done an absolutely solid job here.
Online and offline communication
Of course, the mobile application is an enormously important factor for the general security level of communication, but it is not the only one. The devices themselves, which also communicate via Bluetooth, the Bridge One, which can do both Bluetooth and TCP/IP, and the ABUS Cloud have to deliver here so that the chain doesn’t break at the weakest link. So we also took a close look at the communication between the app and Cloud, Cloud and Bridge One, as well as the Bluetooth devices themselves.
With regard to all communication via the Internet, we have already mentioned the app-side implementation, which gives no significant cause for criticism, and the communication to and from the cloud that we observed in practice does not open up any further potential areas of attack. Authentication is carried out in the traditional way using refresh and access tokens, which are requested with the user credentials. During the test, we only noticed that although these credentials are transmitted adequately securely via the latest TLS, they are sent as plain text inside that channel without any additional application-layer encryption. However, this data is absolutely secure during transmission and is also stored as a hash on the cloud side, so there is no risk of a leak, for example.
There were a few minor anomalies and inconsistencies in the Bluetooth communication of the individual devices, but as they all communicate via a near-identical protocol, the deviations were marginal. The potential issues we noticed were relatively easy for the manufacturer to rectify, which it did in no time at all. The attack scenarios we always test as standard, such as replay attacks, also came to nothing. Overall, we can attest to an adequate level of security for all devices.
Data protection & privacy
As is usual in all of our tests, data protection naturally also plays an important role when testing the ABUS ONE system. The privacy policy, which is available via the apps themselves and the app stores, provides everything that a good privacy policy should provide. The essential information on data collection, storage and transfer is included and explained in sufficient detail.
The two included Google trackers (Crashlytics and Firebase) are mentioned, and the user also has the option to explicitly object to the data collection and still use the app. Even with data collection activated, the applications are quite frugal with data: no unnecessary, let alone excessive, collection of user and usage data was observed.
Conclusion
Overall, the ABUS ONE system is another successful addition to ABUS' increasingly digitized, smart product portfolio. In terms of security, we only had minor points to comment on during the test, which the manufacturer gratefully accepted and addressed immediately. The security concept is convincing, and the solution shows no serious shortcomings in terms of data protection either. Accordingly, we are pleased to award our "Approved IoT Product" certificate to the ABUS ONE system. Congratulations!