Over the years, a number of alarm systems have undergone AV-TEST certification. As one of the newcomers last year, the alarm system from the Dutch manufacturer Egardia was subjected to the extensive tests to obtain our seal of approval and did so with relative ease. Now for 2023, it is time for the first recertification and for the alarm system to prove that it is still worthy.
Application
As always, the complete test of the alarm system also included the analysis of the associated mobile applications for Android and iOS (tested versions 2.16.4 & 2.16.6). Apart from the usual minor issues, which we practically always see, there were no major problems here. For example, some Broadcast receivers and activities appear to not be entirely protected, and the iOS version stood out due to the use of a few potentially insecure function calls and the disabled ATS (App Transport Security) restrictions, that can potentially allow unencrypted communication to defined domains. However, none of that showed practical relevance in our tests, so there was no reason for a downgrade on our part. The two Google trackers included according to the static analysis (CrashLytics and Firebase Analytics) are also standard nowadays and are used by very many apps for analysis and error handling purposes – So no criticism due here neither.
Local and online communication
The Egardia alarm system uses the Smart Home Gateway (tested firmware version 0.0.2.19.2) as the central unit. It is connected to the Internet and communicates with the Egardia servers in this way. It also handles local communication with the device peripherals, such as the window and door sensors, via short-range radio. Communication between mobile applications and the gateway, on the other hand, takes place exclusively via the cloud, so that no network-based communication directly between applications and gateway had to be analyzed.
During the first test iteration last year, we noticed a potential vulnerability in the certificate validation of the Android application, which theoretically made the online communication vulnerable. Of course, we immediately reported this to the manufacturer and they fixed the problem in record time – exemplary! Apart from this point, we did not have any further comments about the online communication last year and do not have any more this year.
In the area of local communication, which means local access to the gateway via e.g. a browser, we also only had a few minor points to note, which were rather theoretical due to their severity and the underlying attack scenario anyway, and therefore did not have a negative impact on our rating. The manufacturer nevertheless assured that improvements will be made as soon as possible.
Data privacy
In the area of data privacy and protection, we also had only minor points to comment on: For example, the privacy policy lacked further details about possible data collection and processing, and a few formal points stood out. Overall, however, these were not enough to justify a downgrade.
Overall, the Egardia alarm system, again and as expected, achieved a good result in all relevant test areas in its second test appearance, so that we can gladly award our certificate “Approved IoT Product” for another year.