We are pleased to add the MCVisu.cloud solution from rc-tec GmbH to our range of certified products. As part of the certification test, we put the solution through its paces. MCVisu.cloud makes it possible to control the ABI MC1500 alarm and access system via smartphone. The corresponding app in version 1.0.6, and the cloud connection of the ABI alarm system were tested for their security. The security of the alarm system itself (sabotage, manipulation of ID chips, etc.) was not considered.

App

Both static and dynamic analysis could not detect any vulnerabilities in the Android app. Since the code of the app is not obfuscated, our testers could relatively easily take a look at how the app works. For example, about the way in which the certificate is validated:

Certificate Validation

The app currently “only” validates the validity and trustworthiness of the certificates used for communication, so that communication cannot be eavesdropped on or manipulated without direct access to the device. According to manufacturer information, Certificate Pinning will also be used here in the future. This checks whether the certificate provided is the expected certificate. Any other certificates are ignored, so no communication takes place. This effectively prevents man-in-the-middle attacks. Furthermore, the code will be obfuscated in the next versions, making it even more difficult to understand how the app works.

The iOS app is identical to the Android app in terms of user interface and communication behaviour, and therefore just as well protected.

Online communication

In the test, we did not observe any direct communication between the app and the alarm system. The online communication of the ABI MC1500 system is encrypted at all times. Due to the fact that a continuous communication between alarm system and cloud takes place, a kind of VPN tunnel is assumed. No obvious weak points could be identified. The communication of the app is also completely encrypted and does not provide any indication of possible weak points. With regard to the login to the cloud, it was also examined how the app behaves in a man-in-the-middle attack. The app is adequately protected against simple attacks. However, as soon as the CA certificate belonging to the mitm tool was installed on the smartphone, the communication could be eavesdropped on and manipulated. This is not rated negatively by us, since direct access to the device always gives an attacker certain possibilities, away from man-in-the-middle attacks. Furthermore, the manufacturer informed us, as already mentioned above, that Certificate Pinning is planned for the upcoming versions.

Privacy

The privacy policy is available via the iOS/Android app and Appstores of these platforms as well as on the product website. It is easy to understand and informs the user clearly which data is processed for which purpose.

The user is adequately informed; for example, location data is collected if the operation of the alarm system is restricted to certain regions. This data is stored for a maximum of 4 weeks. Furthermore, user name, password and data of the alarm system are stored.

The Android app permissions are limited to the minimum necessary scope:

Android App Permissions

Conclusion

The MCVisu.cloud solution of the Austrian manufacturer rc-tec offers a secure and privacy friendly solution to control your ABI MC1500 alarm system via smartphone app. The versions currently under development also offer a view of an app prepared for all challenges.  For this reason, the solution receives the AV-Test certificate “Approved Smart Home Product”.