Thursday, February 2, 2017

Cozify and security - our approach

In the latter half of 2016, the general media started publishing articles about the security level of IoT devices. There was also a story (the Mirai case) about a massive bot attack that used millions of cheap Chinese IP cameras to block internet traffic and caused some of the biggest Internet services to go down for a while. Furthermore, a group of hackers used drones to hijack Philips Hue lights in November 2016. In this post we explain our approach to these security issues. Keep sending us comments and questions; we are more than pleased to help and reply.

Cozify uses the internet connection to give users remote access to control their devices and to update its own hub software from time to time. However, the architecture has been built in such a way that Cozify Hub can control devices at home without an internet connection. This way homeowners don't have to rely on their internet connection.

All the traffic that goes through Cozify to the internet is encrypted. We use JWT-based tokens to distinguish authorized users' devices from unauthorized ones.

To ensure that Cozify's security is at the required level, our solution (meaning the application, the hub software and the backend) has been designed in co-operation with industry security experts. To keep the level of security as high as possible, we also conduct a security audit at least once a year. The audit is done by independent third-party professionals.

In addition to the audits, we participated in a security challenge arranged by the Finnish Communications Regulatory Authority in November 2016. The main idea was to give our hub software, application and backend to teams of security experts all around the country, who then tried to find and break the security measures in all possible ways. The teams did find some minor issues, but no serious vulnerabilities were found. We consider that a good result. On a side note, we have already fixed the issues that were found.

Redundant backend

Like most companies today, we don't have our own data centre to run the servers required by our backend systems. We are currently using Amazon's data centres in Ireland for IaaS (Infrastructure as a Service). Amazon guarantees 99.95% availability for EC2, and we've had very good experiences with Amazon over the years, with only one service outage in five years. It is important to keep in mind, though, that a redundant and scalable setup matters much more than a high SLA for a single server or a single location.

Data privacy of the Cozify users

Our customer data is stored in Amazon's European data centres, which have stricter security policies and conditions than, for example, servers located in the US. All our employees and subcontractors have signed a confidentiality agreement, and our core developers have a Security Clearance with the Finnish government.

We examine anonymous log data to improve our service, to run overall health checks and to fix bugs. We look into customer data only when it's required. We always ask for permission or inform the user if we access hub log files.

We do have plans to utilize data we collect from our users, but that data will be strictly anonymised. One possible scenario for user data usage is to compare, for example, heating stats between different users, or how certain rules or devices have been used. It is important to note that all such data mining is anonymised when we are looking for trends in these kinds of scenarios.

All in all, we will communicate our privacy policies as clearly and transparently as possible, and ask the user for permission to use their data.

Conclusion

We follow and measure all the latest security aspects you can expect from any service holding some of your personal data. In that regard, your data is in good and safe hands once it reaches our service.

A question you might have is this: Cozify ensures security at Cozify's end, but what about the other IoT devices that are connected to Cozify Hub? The basic rule is that the more advanced the technology a device is built on, the higher its out-of-the-box security standards.

Of the devices that Cozify supports, the more affordable 433 MHz devices have the lowest security level. ZigBee, WiFi, Z-Wave and Bluetooth devices are more secure in general. Quality and security often go hand in hand.

For an additional in-depth interview on the subject with Kimmo, our CEO, see the interview conducted by wccftech.com: http://wccftech.com/review/launch-review-cozify-smart-home/2/


This is Cozify’s blog, where we ruminate on home automation technologies and practices and share company news. Articles come from our own team as well as other experts in the field.

You are welcome to read and comment.