Thursday, February 16, 2017

Cozify News: Security Challenge 2016 - Summary


Cozify took part in the Security Challenge finals hosted by the Finnish Communications Regulatory Authority in November 2016. The event was part of Junction Hackathon 2016, where tech enthusiasts meet to design and develop ideas into actual projects with like-minded hackers. Cozify and a few other companies gave their smart home hubs and supported devices to the teams to hack. The goal for each team was to find as many security vulnerabilities as possible in the given time.

The results were as we expected. The feedback we received from the teams was of excellent quality and, most importantly, the teams could not break the security of our system during the event.

“It was interesting to follow how the different teams worked. I think it is important to offer challenges like this to talented and extremely professional young hackers, so they can really show what they can do. The good result was not a huge surprise for us. We audit all components of our solution at least yearly, including the Cozify Hub, the Cozify application and our backend systems. Security is a top priority for us and has been taken into consideration from the beginning,” says Kimmo Ruotoistenmäki, CEO, Cozify.

This was the first time a Security Challenge event was organized. “We are happy to join a security challenge event also in the future, if such events are arranged. Challenging yourself and the way you work from time to time is always useful. And if security issues are found, it is better to find them in a controlled environment and fix them immediately, compared to some vague notifications. This was a great event and we want to thank the Finnish Communications Regulatory Authority for taking care of all the arrangements,” he continues.

The aim of the security challenge was to challenge the teams to solve information security related questions and to search for vulnerabilities in different kinds of systems: devices, applications, backend systems, and combinations of all of these. “The security challenge was a huge success, not only because the teams were talented and highly professional, but also because of the great support from the companies that joined the challenge. During the event it was obvious that there are huge differences between companies and products in terms of security. Companies from Finland tend to take security more seriously than other similar companies. Still, there is always something that needs to be improved, and companies must develop their own security competence all the time,” says Jarkko Saarimäki, director of the Cyber Security Centre, Finnish Communications Regulatory Authority.

Espoo, 16 February 2017

Thursday, February 9, 2017

433 MHz devices - Overview

433 MHz devices have their place in today's home automation. The simple and straightforward technology makes low-cost devices possible, but it is also prone to security and reliability problems. These problems can often be avoided, as long as you keep a few basics in mind.



In the autumn of 2015 Cozify added support for a selection of Nexa and Proove sensors and smart plugs that operate on the 433 MHz band. That led to a steep increase in sales to consumers. At the beginning of 2016 we were very happy with the choice we had made: our customers were able to get more out of the devices they had already acquired, and it significantly lowered the threshold to start using the Cozify Smart Home. In appropriate use they are handy and worry-free.

However, as always, there are reasons for the low cost. 433 MHz devices are not based on any common protocol: every manufacturer has to come up with its own, or borrow one from a neighbour. Partly because of the inexpensive components, there is quite a bit of variation in the implementation of a protocol even between two devices that should be identical. This has resulted in a significant amount of unexpected work, which in turn has delayed some other projects. Unfortunately, Z-Wave support is one of them.

All 433 MHz devices we have encountered so far are only capable of one-way communication: a smart plug can receive the command to turn on or off, but it cannot acknowledge that the command was executed. The Cozify Hub therefore has to assume the state of the device, which is not optimal. In practice the hub sends the "turn the plug on" command five times, but it cannot verify from the plug that the message was actually received.

Some 433 MHz devices only broadcast their status. A thermometer, for example, transmits its reading once a minute regardless of what else is on the frequency at that moment. As more 433 MHz devices are added to a system, these transmissions start to collide and garble each other. The hub cannot ask the thermometer for the current temperature; it has to wait for the next transmission, which means a minute or so.

The Cozify Hub prioritizes listening to traffic over sending. We recently visited the home of a customer where the 433 MHz devices were practically unusable: they worked at random, and always with a significant delay. With a sniffer we found that the cable modem wall mount was emitting interference across a wide frequency band, which prevented the hub from hearing any messages at all. Moving the hub by 1.5 metres made the system fully functional.



433 MHz devices work well as long as the limitations of the technology are taken into account. Position motion sensors with care: if a motion detector sees motion continuously, it transmits continuously and drowns out the signals of the other 433 MHz devices, making it impossible for the hub to receive from or send to them. Placement matters in general, because the signal must get through from the hub to the device and, depending on the device type, back again. Moving the hub or the device even a little can make a huge difference in reliability. In the end, experimenting and observing the situation on the spot is what gets the job done.
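To make the one-way, unencrypted nature of these links concrete, here is a small simulation added for this post. It is illustrative code, not Cozify's firmware and not the Nexa or Proove protocol: the pulse widths, the 32-bit command frame and the thermometer report are constructed assumptions. It models a pulse-width OOK encoding of the kind many 433 MHz remotes use, decodes a pulse train back to bits the way a sniffer does, lets a thermometer key up in the middle of the hub's burst, and replays the captured command:

```python
"""Toy model of a one-way 433 MHz OOK link: how a sniffer turns pulse timings
into bits, why a captured frame replays verbatim, and why a hub repeats each
command. Constructed example; the pulse widths and frame layout are assumptions
and are not the Nexa/Proove protocol or Cozify's firmware."""

SHORT_US = 350                    # assumed short carrier pulse
LONG_US = 3 * SHORT_US            # assumed long carrier pulse
SYNC = (SHORT_US, 31 * SHORT_US)  # assumed frame sync: short carrier, long silence
TOLERANCE = 0.30                  # cheap transmitters drift; accept +/-30 %


def _fits(width_us, nominal_us):
    return abs(width_us - nominal_us) <= TOLERANCE * nominal_us


def transmit(bits, repeats=5):
    """Pulse train of (carrier_on_us, carrier_off_us) pairs as a hub or sensor keys it.
    Bit 0 = short on / long off, bit 1 = long on / short off. SYNC precedes every
    repeat and follows the last one, so the receiver can find frame boundaries."""
    train = []
    for _ in range(repeats):
        train.append(SYNC)
        train.extend((SHORT_US, LONG_US) if b == "0" else (LONG_US, SHORT_US) for b in bits)
    train.append(SYNC)
    return train


def _decode_frame(pairs):
    bits = []
    for on, off in pairs:
        if _fits(on, SHORT_US) and _fits(off, LONG_US):
            bits.append("0")
        elif _fits(on, LONG_US) and _fits(off, SHORT_US):
            bits.append("1")
        else:
            return None  # timing fits no symbol: the frame was corrupted on air
    return "".join(bits)


def decode(train):
    """Split a pulse train at SYNC pairs; each frame decodes to a bit string or None."""
    frames, current, in_frame = [], [], False
    for on, off in train:
        if _fits(on, SYNC[0]) and _fits(off, SYNC[1]):
            if in_frame:
                frames.append(_decode_frame(current))
            current, in_frame = [], True
        elif in_frame:
            current.append((on, off))
    return frames


def _timeline(train, start_us=0):
    """Absolute (t_on, t_off) carrier intervals for one transmitter."""
    t, intervals = start_us, []
    for on, off in train:
        intervals.append((t, t + on))
        t += on + off
    return intervals


def on_air(*transmitters):
    """What an OOK receiver sees when several transmitters key up: the carrier is
    on whenever ANY of them is on. Each argument is a (train, start_us) pair."""
    merged = []
    for t0, t1 in sorted(iv for train, start in transmitters for iv in _timeline(train, start)):
        if merged and t0 <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], t1))
        else:
            merged.append((t0, t1))
    train = []
    for i, (t0, t1) in enumerate(merged):
        silence = merged[i + 1][0] - t1 if i + 1 < len(merged) else SYNC[1]
        train.append((t1 - t0, silence))
    return train


def demo():
    plug_on = "10110010111000110101100100011010"  # constructed 32-bit "plug on" frame
    temp_report = "010011101101000110110111"       # constructed 24-bit thermometer report
    clean = decode(transmit(plug_on))
    # The thermometer keys up 20 ms into the hub's burst and talks over repeats 1 and 2.
    jammed = decode(on_air((transmit(plug_on), 0), (transmit(temp_report, repeats=1), 20_000)))
    # Nothing is encrypted or authenticated: whatever a sniffer decoded, it can key up again.
    replayed = decode(transmit(clean[0]))
    return clean, jammed, replayed


if __name__ == "__main__":
    print(demo())
```

Running demo() shows three things the text describes. On a quiet channel all five repeats decode cleanly. When the thermometer talks over the burst, the first two repeats merge into one corrupted frame that decodes to None while the last three still get through, which is exactly why the hub sends a command several times instead of once. And the bits a sniffer recovered, fed back into transmit(), produce a pulse train indistinguishable from the hub's own, because nothing in the link identifies the sender.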

Pros

  • Inexpensive devices
  • Simple technology to implement
  • Widely used technology
  • Devices been in the market for some time

Cons

  • One-way signal traffic (the hub cannot confirm or ask for the device state)
  • No agreed standard between device manufacturers
  • Sensitive to interference
  • Signals to and from the device cannot be encrypted or authenticated, so anyone within radio range can read them and replay a recorded command
A list of the 433 MHz devices supported by Cozify can be found here.


Thursday, February 2, 2017

Cozify and security - our approach

In the latter half of 2016 the general media started publishing articles about the security of IoT devices. One story was the Mirai botnet, built from hundreds of thousands of cheap IP cameras and similar devices, whose flood of traffic took some of the biggest Internet services down for a while. In November 2016 a group of researchers also demonstrated taking over Philips Hue lights from a drone. In this post we explain our approach to security. Keep sending us comments and questions; we are more than happy to help and reply.

Cozify uses the Internet connection to give users remote access to their devices and to update the hub software from time to time. The architecture, however, is built so that the Cozify Hub can control the devices at home without an Internet connection, so home owners do not have to rely on their connection being up.

All traffic between Cozify and the Internet is encrypted. We use JWT (JSON Web Token) based authentication to tell authorized users' devices from unauthorized ones.
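As an added illustration of the checks token-based device authentication needs, here is a minimal JWT issue/verify pair using only the Python standard library. This is example code written for this post, not Cozify's implementation; the HS256 key, the claim names and the hub identifier are assumptions. It pins the algorithm so a forged "alg": "none" header is rejected, compares the signature in constant time, and checks expiry and audience before trusting any claim:

```python
"""Minimal HS256 JWT issue/verify pair showing the checks a backend needs
before it trusts a token: pinned algorithm, constant-time signature compare,
expiry window and audience. Constructed example using only the standard
library; the key, claim names and hub identifier are assumptions."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Any token the verifier refuses to accept."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Sign the claims as header.payload.signature with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_jwt(token: str, key: bytes, audience: str, now: float = None) -> dict:
    """Return the claims only if the token passes every check, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("undecodable token")
    # The header is attacker-controlled: the verifier pins HS256 itself and
    # never lets "alg": "none" (or an RSA/HMAC confusion) choose the method.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time, no early exit on a bad byte
        raise TokenError("bad signature")
    # Only a token with a valid signature gets its claims parsed and checked.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("undecodable claims")
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if claims.get("aud") != audience:  # a token issued for one hub must not open another
        raise TokenError("wrong audience")
    return claims


def token_status(token: str, key: bytes, audience: str, now: float) -> str:
    """'ok' or the rejection reason, handy for logging and tests."""
    try:
        verify_jwt(token, key, audience, now)
        return "ok"
    except TokenError as err:
        return str(err)


def demo() -> dict:
    key = b"constructed-example-key-32-bytes"  # assumption: a real deployment uses a random secret
    claims = {"sub": "user-42", "aud": "hub-0001", "iat": 1000, "exp": 1000 + 3600}
    good = issue_jwt(claims, key)
    header_b64, payload_b64, sig_b64 = good.split(".")
    none_alg = _b64url_encode(b'{"alg":"none"}') + "." + payload_b64 + "."
    tampered = header_b64 + "." + _b64url_encode(json.dumps(dict(claims, sub="user-1")).encode()) + "." + sig_b64
    return {
        "valid": token_status(good, key, "hub-0001", now=2000),
        "expired": token_status(good, key, "hub-0001", now=5000),
        "other_hub": token_status(good, key, "hub-0002", now=2000),
        "alg_none": token_status(none_alg, key, "hub-0001", now=2000),
        "tampered": token_status(tampered, key, "hub-0001", now=2000),
        "wrong_key": token_status(good, b"x" * 32, "hub-0001", now=2000),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} {status}")
```

The order of the checks is the point: the algorithm comes from the verifier's configuration and never from the token, the signature is checked before the payload is parsed for its claims, and a token that is valid for one hub is still refused by another because the audience is compared too.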

To make sure Cozify's security is at the required level, our solution, meaning the application, the hub software and the backend, has been designed in co-operation with industry security experts. To keep it at the best possible level, we also have a security audit carried out at least once a year by independent third-party professionals.

In addition to the audits, we took part in the security challenge arranged by the Finnish Communications Regulatory Authority in November 2016. The idea was to hand our hub software, application and backend to teams of security experts from all around the country, who then tried to find and break through our security measures in every possible way. The teams did find some minor issues, but no serious vulnerabilities. We consider that a good result. The issues that were found have already been fixed.

Redundant backend

Like most companies today, we do not run our own datacentre for the servers our back-end systems need. We currently use Amazon's data centres in Ireland as IaaS (Infrastructure as a Service). Amazon guarantees 99.95% availability for EC2, and we have had very good experiences with Amazon over the years, with only one service outage in five years. It is important to keep in mind, though, that a redundant and scalable setup matters much more than a high SLA for a single server or a single location.

Data privacy of the Cozify users

Our customer data is stored in Amazon's European data centres, which operate under stricter data protection conditions than, for example, servers located in the US. All our employees and subcontractors have signed a confidentiality agreement, and our core developers have a security clearance from the Finnish government.

We examine anonymous log data to improve our service, to run overall health checks and to fix bugs. We look into customer data only when it is required, and we always ask for permission or inform the user before accessing hub log files.

We do have plans to make use of the data we collect from our users, but only in strictly anonymised form. One possible scenario is comparing, for example, heating statistics between different users, or how certain rules or devices are used. All such data mining is done on anonymised data when we look for trends in scenarios like these.

All in all, we will communicate our privacy policies as clearly and transparently as possible, and ask the user for permission to use their data.

Conclusion

We follow and apply the latest security practices you can expect from any service holding some of your personal data. In that regard, your data is in good and safe hands once it reaches our service.

A question you might have: if Cozify ensures security on Cozify's end, what about the other IoT devices connected to the Cozify Hub? The rule of thumb is that the more advanced the technology a device is built on, the higher its out-of-the-box security standard tends to be. What matters in practice is whether the device's radio protocol encrypts and authenticates its traffic.

Of the devices Cozify supports, the more affordable 433 MHz devices have the lowest security level, since their radio traffic is neither encrypted nor authenticated. ZigBee, WiFi, Z-Wave and Bluetooth devices are more secure in general, as all of those protocols support link encryption, although how well a given product uses it varies by manufacturer. Quality and security often go hand in hand.

For an additional in-depth interview with Kimmo, our CEO, on the subject, see the interview conducted by wccftech.com here: http://wccftech.com/review/launch-review-cozify-smart-home/2/

This is Cozify’s blog, where we ruminate on home automation technologies and practices and share company news. Articles come from our own team as well as other experts in the field.

You are welcome to read and comment.