How secure is my Rachio controller?

Last Update:Feb 22 2022 1:39pm • Est. Read Time:Est. Read Time: 3 MIN

If you are concerned about how secure is your Rachio controller, this article can help you clarify that.

With the proliferation of internet-connected devices in your house, security is one thing that should not be taken lightly. There are some basic questions that need to be asked of any company which provides home automation products that access your wireless network to communicate with external systems.

  • What transport protocol is used for device communication?
  • What authentication scheme is used for device control and communication?
  • Can someone access my personal information being sent to and from my device?

Industry Standards

At Rachio, we take security very seriously. That's why we have spent an incredible amount of time, combining industry standards with best practices, to ensure the protection of your device and private data against any malicious use.

Transport Protocol

 Generation 1  controllers use  HTTPS  (Hypertext Transport Protocol Secure). HTTPS has been designed to provide an enhanced security layer when sending sensitive data, compared to the unsecured HTTP protocol. HTTPS encrypts every data packet using the  SSL  encryption technique to avoid anyone trying to extract the content of the data.

 Generation 2  controllers use  MQTT  (Message Queuing Telemetry Transport) over  TLS  (Transport Layer Security) for all machine-to-machine (M2M) communication from the devices in your house to our secured cloud server. MQTT is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency, or unreliable networks.

TLS and SSL are cryptographic protocols that use a handshake mechanism to negotiate parameters to create a secure connection between the client and the server

Authentication and Secure API Design

All of our devices and cloud server are built around using a  RESTful  , stateless design. In order to secure our  RESTful services, a hash-based message authentication code (HMAC) is used to sign the device and cloud communication requests with a secret key.  So what does this mean?

Well, instead of having to send your username and password across the internet, your Rachio device and our cloud each have a secret key that is used to generate the HMAC.

When our cloud service receives communication from your device, it accesses your secret key and uses it to create an HMAC for the incoming communication. The cloud server then verifies that the submitted HMAC request matches the one sent by your device and if the two hashes match, you're authenticated.

There are some distinct advantages to using this authentication scheme. By using HMAC passwords are never sent in the request. Also, if a hacker is able to modify the request in transit, the signatures would not match and the message would fail authentication.

Rachio Cloud Data

All of the Rachio cloud data is stored using Amazon's cloud computing services (AWS). A virtual private cloud (VPC) is used for all of our applications servers and databases. These all exist in a private subnet with no external access from the internet. Passwords are stored using an SHA-256 algorithm with random, generated text to salt the hash. The data itself is stored in multiple distinct locations called availability zones.

OAuth2 for Integrations

OAuth2  is used for all of the integrations and interactions between the Rachio and any third-party systems. This allows you to provide access to the device without actually sending your private credentials. Google, Facebook, and Twitter are among the industry leaders using OAuth2.


Do you still need help?


We have a chat support team ready to assist you! You can submit a support request by selecting the chat icon in the bottom right of this page and a member of the support team will contact you live.


Summer Hours (April-September)

7 am - 5 pm (MST), 7 days a week.


Winter Hours (October-March)

8 am - 5pm (MST), Monday - Saturday. We are closed on Thanksgiving, Christmas, and New Years Day.