Hi Scott, I've been listening to a lot of smart home podcasts lately and they are always talking about security and encryption and how it VERY important in the world of IOT... I probably should have asked similar questions a while ago, but with the coming of the web interface, what steps are you taking to make sure our data and cloud based information remain safe from malitious intentions? How is the information over the cloud being sent? Encrypted or raw? How will the web based interface authenticate sign ins? Will it use a multi factor authentication and remember devices we use? Anyone else have any other security questions? Thanks in advance!
Security and encryption... Post your questions here.
- 417 Views
- Last Post 20 August 2017
weidnerj
posted this
19 August 2017
- Last edited 19 August 2017
Johnnysax good questions. But Axial Control is a lot different that IOT, which basically a headless low powered CPU internal to a appliance, thermostat, routers, etc. Most IOT is Linux (or Android) based due to open source and free of charge.
Now the question I pose to you is what do you have that is sensitive that you would need additional security like two factor athentitcation? Most hackers are looking for low hanging fruit, going for the ability to take over a IOT as a bot, or hack into a system that is valuable to them. Now a hacker in theory could get into the cloud server, but you also can put on a local server password independent of the cloud service as additional layer of protection.
There is always an inherent risk to anything on the Internet, ways to mitigate the risks to an acceptable level, or to remove them, you could completely disconnect, turn off your PC and put it in a block of concrete (the running joke of a secure PC), but that isn't practical.
Even with the concern of cloud computing (C.L.O.U.D - China Loves Our Unclassified Data), the weakest link is the local PC in this situation, which is why we always are constantly patching. I don't recall that the Axial Control asking for any identifying information other than a user name and password that links the moble client to the desktop client - used by lots of companies like Honeywell, Nest, etc.
And what is the risk? Someone could if they wanted to hack in and turn off the furnice in the middle of winter and freeze your pipes or turn your lights on and off - just like a virus writer can cause your PC to blow up by flashing the bios or making your hard drive crash by speeding up the RPM on the platters.
I see it as you can keep the honest people honest by locking your front door, yet if you had a crook that wanted to kick down your door, he still can do that. You put up a bigger door (at a higher cost to you), the same crook might not be wanting to get into your house, but if you had something that they reallly wanted, they could still compromise that heavy door (think battering ram). So you get yourself a dog to supliment that door (two factor per say). But they knock the door down and give your dog a steak? Now you have to spend more money and get something else like an alarm or securtiy guard. Point being you can spend as much as you want for protection to mitigate a risk (or threat), but if you don't have anything worth the risk of stealing (or making it worth the perceived risk of the thief verses the benefits) then they move on to the house that home owner hasn't locked the door.
rscott
posted this
19 August 2017
Hi Scott, I've been listening to a lot of smart home podcasts lately and they are always talking about security and encryption and how it VERY important in the world of IOT... I probably should have asked similar questions a while ago, but with the coming of the web interface, what steps are you taking to make sure our data and cloud based information remain safe from malitious intentions? How is the information over the cloud being sent? Encrypted or raw? How will the web based interface authenticate sign ins? Will it use a multi factor authentication and remember devices we use? Anyone else have any other security questions? Thanks in advance!
The web interface will introduce an actual user account into the mix when it comes to encryption. Your account password, along with an authentication token will be in place to encrypt data going from your client to the server.
There are no plans 2FA yet, that's not to say it won't happen though.
jonnysax
posted this
20 August 2017
Thanks for the fast responces!
I would argue that the definition of IOT has changed over the last few years to include things like smart home systems, but anyway...
Other than the security of my home (which is fairly important and the primary use for my smart home system), I wouldnt say I dont have much "sensative data" coming from my system. However, in a time when data mining is BIG business and many companies are pulling data from users at an alarming rate, sometimes with shady "terms of service" practices, its fairly obvious that the data from all users of your software would be quite desireable. I dont pretend to know what companies will do with the knowledge of my daily patterns, but the fact remains that they are collecting this data from other sources.
You are right about the risk to me... I'm not that concerned about myself, I'm really at the mercy of my ISP security, however, I'm thinking about this as a whole. Someone is not going to hack my house by itself... but, if they could get their hands on the ability to control all of your users houses... theres grounds for a lot of angy users as well as most likely a ransom request.
I feel that this web interface is a great improvement and will REALLY perfect this software and system and i think you will see an uptick in new users. I just want to to make sure that adequet security measures are in place to protect all of our data before this web interface is up and running.
If any of you reading this is interested in learning more abotu this security vulnerability and other IOT stuff, I highly reccomend listening to the "Internet of things" podcast. Stacy Higginbotham is amazing. she also has a newsletter on her website and is always talking about security and what quetions need to be asked with residential and industrial IOT on the rise.
