With the proliferation of internet-connected devices in your house, security is one thing that should not be taken lightly. There are some basic questions that need to be asked of any company which provides home automation products that access your wireless network to communicate with external systems.
- What transport protocol is used for device communication?
- What authentication scheme is used for device control and communication?
- Can someone access my personal information being sent to and from my device?
At Rachio, we take security very seriously. That's why we have spent an incredible amount of time, combining industry standards with best practices, to ensure the protection of your device and private data against any malicious use.
Generation 1 controllers use HTTPS (Hypertext Transfer Protocol Secure). HTTPS is designed to provide an added security layer when sending sensitive data, compared to the unsecured HTTP protocol. HTTPS encrypts every data packet using SSL encryption so that anyone who intercepts the traffic cannot extract its contents.
Generation 2 controllers use MQTT (Message Queuing Telemetry Transport) over TLS (Transport Layer Security) for all machine-to-machine (M2M) communication from the devices in your house to our secured cloud server. MQTT is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks.
TLS and SSL are cryptographic protocols which use a handshake mechanism to negotiate parameters to create a secure connection between the client and the server.
Authentication and Secure API Design
All of our devices and our cloud server are built around a RESTful, stateless design. In order to secure our RESTful services, a hash-based message authentication code (HMAC) is used to sign the device and cloud communication requests with a secret key. So what does this mean?
Well, instead of having to send your username and password across the internet, your Rachio device and our cloud each have a secret key which is used to generate the HMAC.
When our cloud service receives communication from your device, it accesses your secret key and uses it to create an HMAC for the incoming communication. The cloud server then verifies that the HMAC it created matches the one sent by your device, and if the two hashes match, you're authenticated.
There are some distinct advantages to using this authentication scheme. By using an HMAC, passwords are never sent in the request. Also, if a hacker is able to modify the request in transit, the signatures would not match and the message would fail authentication.
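The signing and verification flow described above, as an added example that is not Rachio's code. It assumes HMAC-SHA256, a made-up canonical message layout (method, path, body hash, timestamp), a hypothetical device id and path, and a five-minute freshness window, none of which the page specifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: the device id and its secret are hypothetical.
DEVICE_SECRETS = {"device-001": secrets.token_bytes(32)}
MAX_SKEW_SECONDS = 300  # assumed freshness window so a captured request expires


def canonical_message(method, path, body, timestamp):
    """Join the request parts the signature must cover (assumed layout)."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(timestamp)]).encode()


def sign_request(secret, method, path, body, timestamp):
    """Device side: compute the HMAC that is sent alongside the request."""
    msg = canonical_message(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(device_id, method, path, body, timestamp, signature, now=None):
    """Cloud side: recompute the HMAC with the stored secret and compare."""
    secret = DEVICE_SECRETS.get(device_id)
    if secret is None:
        return False  # unknown device: there is no key to verify against
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request
    expected = sign_request(secret, method, path, body, timestamp)
    # compare_digest takes the same time wherever the first mismatch occurs,
    # so response timing does not reveal how much of a guess was correct.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    key = DEVICE_SECRETS["device-001"]
    ts = int(time.time())
    path = "/example/zone/start"  # hypothetical path, not a real API route
    body = b'{"zone": 3, "duration": 600}'
    sig = sign_request(key, "POST", path, body, ts)
    print("genuine :", verify_request("device-001", "POST", path, body, ts, sig))
    tampered = b'{"zone": 3, "duration": 6000}'
    print("tampered:", verify_request("device-001", "POST", path, tampered, ts, sig))
```

Only the signature and the request travel over the network; the secret stays on the device and in the server-side store.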
Rachio Cloud Data
All of the Rachio cloud data is stored using Amazon's cloud computing services (AWS). A virtual private cloud (VPC) is used for all of our application servers and databases. These all exist in a private subnet with no external access from the internet. Passwords are stored using a SHA-256 algorithm with random, generated text to salt the hash. The data itself is stored in multiple distinct locations called availability zones.
OAuth2 for Integrations
OAuth2 is used for all of the integrations and interactions between Rachio and any third-party systems. This allows you to provide access to the device without actually sending your private credentials. Google, Facebook, and Twitter are among the industry leaders using OAuth2.