The trend towards smart home products has touched the insurance companies. But in Germany the giants of the industry are still struggling to knit special tariffs around IoT services and devices. But some progress has already been made in this area. One of them comes from a real giant of the insurance industry, Allianz. The insurer uses the hardware and IoT-services of another industry giant: Panasonic. The child of both is the Allianz tariff called Allianz Assist, an insurance warrant against burglary, water damage and lockout which is coupled to Panasonic hardware. How secure the Panasonic Starter Kit KX-HN601 offered with Allianz Assist is, was found out in the Quick Test by the experts of our IoT labs.
During the initial setup of the hub, the user has to set a secure password, which is being used for registration of new smartphones. After a phone is successfully paired, no further setup is required to gain remote access. Unfortunately, it’s not possible to set a strong password with special characters. Only letters and numbers are supported. When trying it anyway, the following message pops up.
Communication between Smartphone and Hub
Remote access to the Panasonic Hub is possible without any registration at Panasonic or other services. The communication between phone and Hub is encrypted with TLS1.2 both at home and abroad. While testing no unencrypted traffic could be detected. For the remote access, several Panasonic servers are being accessed which act as a kind of communication relay. They seem to forward the remote commands from the app to the Panasonic hub and vice versa. To prevent Man-in-the-Middle attacks the Android App as well as the hub utilize certificate pinning against a self-signed certificate from Panasonic.
The available firmware update was transferred via TLS1.2 as well. Because it wasn’t downloadable over separate channels, we did not analyze the firmware file.
Panasonic offers the Android app “Panasonic Home Network” to control and manage the installed smart home system. The app code is not obfuscated, so attackers may gain access to sensitive code parts very easily. When the app is switched to debug-mode, it shows the SIP (Session Initiation Protocol) credentials, which are used for making phone calls via the hub.
The password saved during the initial setup, will be stored plaintext in a SQLite database in the app’s data folder. It’s not accessible for other apps on a normal phone. On a rooted Android phone however, other apps might be able to read the password. Because pairing of additional phones with the hub requires a local connection and physical access to the hub, we don’t consider this as a large problem.
Many generic formulations made us think that it’s not tailored to Panasonic rather than just copy & paste. E.g. “the company” is used in nearly every sentence, but we miss a definition, that Panasonic is meant with this phrase.
The Android app grants itself a bunch of permissions. Some shouldn’t be necessary for its function:
- Device & app history (Data about installed and running apps can be collected)
- Identity (Information about the Google account for unknown purpose)
- Contacts (For the phone feature)
- Phone (For the phone feature)
- Photos/Media/Files (For Screenshots of webcams etc.)
- Camera (Unknown purpose)
- Microphone (For the phone feature)
- Wi-Fi (Establish connections to devices for initial setup)
- Bluetooth (Establish connections to devices for initial setup)
- Device ID & call information (For the phone feature)
Pingback: Unsecure surveillance: Pearl’s IP-Cam 7Links IPC-720.HD – AV-TEST Internet of Things Security Testing Blog
I think you need to rested with a wider network capturing tool. I have found about a dozen ports that need to be open for incoming as well as outgoing traffic. Some of the ports use MS fileserver protocols that are designed for LAN use only, but Panasonic send them over the web. Further you must be on the same network as the hub when you are at home, so you cannot isolate your security device from your general home network. Not very secure.
You are right, our latest tests have shown the same problems. The old test, from 2017, didn’t reveal those problems though. See https://www.av-test.org/en/news/being-secure-rather-than-just-feeling-secure-13-security-starter-kits-put-to-the-test/ for an updated test.