This is a tough review to write, partly due to the fact I really wanted to like the product as I had high hopes for it. Who wouldn't with the promise of being able to control your home alarm from your smart phone? In the age of IoT, this is a logical step to modernising your home physical security.
Hardware
The hardware has a nice solid build quality to it, and represents the Yale brand well. No soft, cheap-feeling plastic, which makes installing it really easy. The alarm is loud; both the hub and the bell box will let you know if it goes off.
The Smart Phone App (Android)
The app is the primary form of interaction when managing the alarm. So, you would think the app would have the same build quality as the hardware, and give you that well-polished experience. However, the Android app is average to poor at best. The app feels clunky, and navigating it feels rushed and not well thought out. Its primary purpose of arming and disarming the alarm, on the other hand, is straightforward. So much so, it has a nice touch of arming the alarm by either swiping up to fully arm, or down to partially arm. I feel that was the selling point for the app and then everything else was just slapped together.
Using the app to configure the alarm was a little annoying, because adding devices was hit and miss. Sometimes it worked flawlessly, and other times you would be trying multiple times to add the device. There appeared to be no consistency to it.
Account/user management through the app is clunky and messy, and really needs to be redone; it's just plain awful. I also noticed that when the second person set the alarm, you would sometimes be notified that the main account holder had set it.
Now there is one part of the app I cannot forgive, and one I wish I had known about before buying the alarm. It's such a big oversight in my eyes that Yale should be ashamed, particularly when it appears the app is the primary form of notification if your alarm is going off.
What's missing is the ability to set or modify, from the app, the notification you receive when your alarm is triggered. This means that if your alarm is triggered, the notification will use your default notification settings on Android. This could easily be mistaken for any generic notification and be overlooked as a normal notification. This is inexcusable in my books. I do have a way around this, but it shouldn't be for me to put a workaround in place to fix such a basic function.
Furthermore, after receiving the alarm and reading the instructions, there is a footnote which states that Yale provide the servers for notifications/email for free, which is nice of them. However, they have the right to remove or stop this whenever they like, which again I wish had been clear before purchasing the alarm, as it would in effect make your alarm a generic alarm with no way of notifying you it was going off.
Also, the app regularly crashes for me on Android 7.1.1. It appears Yale outsourced the development of the app to a company called Mobile People. Link here: https://www.mobilepeople.com/en/forside.aspx. Maybe they or Yale will read what people are saying on the Play Store and fix the issues?
Instructions
On the surface the instructions are straightforward. There are sections that would benefit from a little more clarification, but that's being picky. What is missing is how to control the sensitivity of the PIR sensors. I only discovered this when I realised the alarm didn't go off when I tried to set it off.
So, I called Yale Customer Support thinking the PIRs had a problem, or that I had done something wrong. I had the pleasure of waiting on hold for 10 minutes, and was then told someone would call me back as they didn't know the product. Not a great start, but true to their word they did call back.
At this point, I found out what those jumpers I had seen when I took the PIR apart to install it were for. This being the first alarm I've installed, I didn't pay any particular attention to them, as they're not mentioned in the instructions. When I asked the Yale Support person whether this information was in the manual or online, he said it would be easier to tell me what to do. My question there is, why aren't the jumpers marked on the PCB to indicate they're for sensitivity?
Security
Now this is where it gets interesting for me. Yale pride themselves on their physical security; it's why I went with them for the alarm. However, as this alarm is connected to the digital world, I was hoping the same would be true of its digital security as well.
I take online/digital security seriously, due to the nature of my job. As Liam Neeson said, "But what I do have are a very particular set of skills, skills I have acquired over a very long career." Maybe not as long as his career from Taken, but good enough to start looking.
Essentially these skills mean that when I connect something to my home network, and I know it's going to be talking out to the Internet, you can bet your life I'm going to take a very hard look at what it's doing. What I found was a little unsettling.
On my initial checks, I found the hub was running a web server. Interesting, as this isn't mentioned in any information anywhere: not in the instructions, not online, nowhere. Now this might not seem a bad thing, but it's plain HTTP on port 80, which means everything is in the clear and anyone sniffing that traffic could view it. Not so much of a problem on your home network, but still a surprise I didn't expect to see.
Secondly, if you go to the web page on the hub you can tell it isn't for customers. It does have a password, via HTTP Basic authentication, but Basic authentication only encodes the credentials (it doesn't encrypt them), so they're trivially decoded by anyone who can see the traffic. Obviously, you need the right password, but the fact it's so easily decoded is poor. The web page is very basic, and it appears to be for managing the device, something a support engineer would connect to.
It has some interesting links on there, like firmware upgrading, uploads, users, control panel etc. My question there is who's this really for? If it is a Yale Support Engineer, how are they connecting to it? Is it a home visit, or remote? On a side note, the fact you can't assign the hub a static IP from the hub itself is annoying. The workaround is to reserve its address on the DHCP server.
So, what's the web page for? Does it allow a remote session for support? That would be worrying, as who controls this? This is something I'm investigating further, as it raises some big questions.
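As an added illustration (not from the original review), the following Python snippet shows why Basic authentication over plain HTTP counts as "in the clear": given a captured request like the one the hub's port-80 page would receive, the credentials fall out of a base64 decode, which is exactly what an on-path observer of your home network traffic would see. The IP address, path and credentials are constructed for the example, and the audit helper is the kind of check you would run over your own captures.

```python
import base64
import re

# Constructed sample of a plaintext HTTP request to a hub's port-80 admin page.
# The address, path and credentials ("installer:hunter2") are made up.
CAPTURED_REQUEST = (
    "GET /admin/index.html HTTP/1.1\r\n"
    "Host: 192.168.1.50\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Authorization: Basic aW5zdGFsbGVyOmh1bnRlcjI=\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Matches the Basic auth header wherever it sits in the request headers.
AUTH_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def basic_credentials(request_text):
    """Return (username, password) if the request carries HTTP Basic
    credentials, else None. Basic auth is base64, not encryption, so a
    single decode recovers the secret from sniffed port-80 traffic."""
    m = AUTH_RE.search(request_text)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header; nothing recoverable
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the "user:password" form
    return user, password


def audit_capture(requests):
    """Scan captured requests from your own network and report which ones
    leak credentials in the clear. The password itself is not echoed back,
    only its length, since the point of the audit is to find the leak."""
    findings = []
    for i, req in enumerate(requests):
        creds = basic_credentials(req)
        if creds:
            findings.append({"request": i, "user": creds[0],
                             "password_length": len(creds[1])})
    return findings
```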
From my packet traces I can see the hub is talking to the Yale servers. There is a constant flow of traffic between the hub and the server. It appears the hub initiates the connection to the Yale server, and this then allows the servers to manage the hub. This is so you can manage the hub over the Internet without the hub needing a public IP or some DDNS configuration.
Because these are important questions, I've personally put the hub behind a firewall so as to isolate it from the rest of my network.
More alarming, pun intended, is the remote server your hub is talking to. Looking at what ports were open on the remote server, I was worried to see ones I wouldn't expect to be open on the Internet. This is worrying as these servers are talking to the hubs, which means that if the server was compromised, could someone access your hub?
In conclusion
During my research, I did come across a pen test company who had looked into the hub v1.0 and carried out similar tests to the ones I was looking to do. This meant my findings were more around whether Yale had implemented any changes since that team reported their findings. The good news is yes, but in my eyes it's not enough. Yale have fallen into the trap a lot of companies fall into when trying to modernise their product offerings for the rapidly changing online world. It's more about getting it to work and getting it to market, rather than security first. Which is ironic for a company like Yale whose business is security. Any product designed to communicate across the Internet must have security at its core. Also, the hub appears to be developed by a company called Climax Technologies, so it appears Yale may be licensing it rather than developing it in-house.
The app needs some serious work; for the price you pay, the quality you receive is extremely lacking. I have a case open with Yale at the moment for the Pet PIR sensors, as it appears 3 of them don't work at all.
In all, I really wanted to like this product as it has great potential. Yale really need to step it up in my eyes, as there are some huge holes that need fixing. If not, then it will have to go back, as it just doesn't meet the requirements it states it can.
TL/DR: Good build quality, terrible app, very questionable digital security, could be better.