See attached documents provided by the OEM, Treon (Finland).
Device Identity
Each sensor and gateway device has a unique serial number, derived from a unique hardware property. Both sensors and gateways add their serial number to the data they send. The gateway identity is also stored in an X.509 certificate.
Mesh Network
The local mesh network operates on the 2.4 GHz ISM radio band. Wirepas is used as the communication protocol between sensors and gateways. A network may contain one or many gateways. The Wirepas protocol handles message routing in the network dynamically.
All communication, including protocol headers, is protected by a 128-bit encryption key. Communication also requires a separate 128-bit authentication key. Both keys are symmetric.
Keys can be provisioned during production by Treon, or the customer may provision them independently of Treon. Provisioning is done by a separate application available on the gateway. Keys are not stored anywhere in the gateway's Linux filesystem; they are moved into the microcontroller that runs the Wirepas stack in the gateway.
Gateway Security
The gateway runs a custom embedded Linux image created by Treon; the build system used is Yocto.
User access may be necessary if a customer needs to configure the gateway, e.g. for their own data backend. Users can access the embedded Linux shell over SSH. The gateway has two default users: gwadmin and gwuser. Only gwadmin can run commands with root privileges. Each gateway has unique user passwords assigned in production; the passwords are provided to the customer over a separate channel.
Hardware security features such as secure boot or a TPM are product specific.
The Linux iptables firewall is configured to block all unused incoming ports. No limitations are set for outgoing ports.
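The firewall policy described above (default-deny inbound, unrestricted outbound) can be expressed as an iptables-restore ruleset and audited against a running gateway's `iptables-save` output. The script below is an added example, not Treon's own gateway configuration: it assumes SSH on TCP port 22 is the only exposed service (set `ALLOWED_TCP_PORTS` for other deployments) and that the `conntrack` match module is available in the image.

```shell
#!/bin/sh
# Added example (not Treon's configuration): default-deny inbound iptables ruleset
# plus an audit helper. Assumption: only ssh (tcp/22) is exposed on the gateway.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22}"

# Emit the ruleset in iptables-restore format. Kept as a function so it can be
# inspected or diffed against `iptables-save` without touching the live firewall.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # deny anything not explicitly allowed below
    printf '%s\n' ':FORWARD DROP [0:0]'    # the Linux side does not route for other hosts
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # outgoing connections are not limited
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read a ruleset from stdin (e.g. `iptables-save | audit_rules`) and check the
# stated policy: INPUT defaults to DROP, OUTPUT is unrestricted, and every port
# opened for new inbound connections is in ALLOWED_TCP_PORTS. Returns 1 on any
# deviation and names it on stderr.
audit_rules() {
    rules=$(cat)
    echo "$rules" | grep -q '^:INPUT DROP' \
        || { echo "audit: INPUT policy is not DROP" >&2; return 1; }
    echo "$rules" | grep -q '^:OUTPUT ACCEPT' \
        || { echo "audit: OUTPUT policy is not ACCEPT" >&2; return 1; }
    # Collect destination ports from INPUT rules that end in ACCEPT.
    opened=$(echo "$rules" | grep -e '-A INPUT' | grep -e '-j ACCEPT' \
             | grep -o -e '--dport [0-9]*' | awk '{print $2}')
    for p in $opened; do
        case " $ALLOWED_TCP_PORTS " in
            *" $p "*) ;;   # expected port
            *) echo "audit: unexpected open inbound port $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Load the ruleset atomically. Run as root on the gateway: `sh firewall.sh apply`.
apply_rules() {
    gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Running the script with no argument defines the functions only, so `gen_rules` can be reviewed before anything is applied; `iptables-save | audit_rules` is the post-deployment check that the live policy still matches the document's description.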
System Partitioning
Mesh network processing, including all mesh network encrypt/decrypt operations, is done in a separate microcontroller embedded in the gateway electronics. Neither the data memory nor the program memory of the microcontroller can be read externally.
The Linux-based software receives the sensor payload from the Wirepas stack, processes it, and sends it over a TLS 1.2 protected link.
Comments