With the proliferation of internet connected devices in your house security is one thing that should not be taken lightly. There are some basic questions that need to be asked of any company which provides home automation products that access your wireless network to communicate with external systems.
- What transport protocol is used for device communication?
- What authentication scheme is used for device control and communication?
- Can someone access my personal information being sent to and from my device?
Industry Standards
At rachio we take security very seriously. That's why we have spent an incredible amount of time using industry standards to make sure that there is no malicious use of our products.Transport Protocol
HTTPS (Hypertext Transport Protocol Secure) is used for all machine-to-machine (M2M) communication from the devices in your house to our secured cloud server. HTTPS has been designed to provide an enhanced security layer when sending sensitive data, compared to the unsecured HTTP protocol. HTTPS encrypts every data packet using the SSL encryption technique to avoid anyone trying to extract the content of the data.Authentication and Secure API Design
All of our devices and cloud server are built around using a RESTful, stateless design. In order to secure our RESTful services, a hash-based message authentication code (HMAC) is used to sign the device and cloud communication requests with a secret key. So what does this mean?Well, instead of having to send your username and password across the wire, your Iro and our cloud each have a secret key which is used to generate the HMAC.
When our cloud service receives communication from your Iro, it accesses your secret key and uses it to create an HMAC for the incoming communication. The cloud server then verifies that the submitted HMAC request matches the one sent by your Iro and if the two hashes match, your're authenticated.
There are some distinct advantages with using this authentication scheme. By using an HMAC passwords are never sent in the request. Also, if a hacker is able to modify the request in transit, the signatures would not match and the message would fail authentication.
