Feature #504

IoT security

Added by Hammel about 2 years ago. Updated 10 months ago.

Status:NewStart date:28 Feb 2016
Priority:NormalDue date:
Assignee:Hammel% Done:

10%

Category:Research
Target version:002 - MVP
Severity:03 - Medium

Description

I've been thinking about security with IoT devices. Any data we store about IoT devices is on the PiBox server. So we need to secure that data. We can encrypt it. We need a key for that. The key cannot be kept on the PiBox server. If we put it on our phone then someone could hack the phone to get to the server and enable access to the IoT data.

The trick may be to have the key on the phone but have the server required user input to enable it. So at power up the phone is required to connect to the PiBox server to enable IoT device use. Without user input, the request from the phone is denied and IoT devices are not enabled.

Seems pretty straight forward and is known as two-factor authentication.

The problem is: what happens on power failure? The rebooted device will come up waiting on a connection from the phone (which could be automated) but requires the user to be at the PiBox server to enable it. That doesn't work if you're on vacation.

So we need some variation of this. It's not required for proof-of-concept. But it's needed in the MVP.

History

#1 Updated by Hammel about 2 years ago

  • Description updated (diff)

#2 Updated by Hammel 10 months ago

  • % Done changed from 0 to 10

Also available in: Atom PDF