
Platform Security

This article provides a basic security overview of the CHESTER platform. The article is split into multiple chapters, which describe individual domains.

Physical Security

For the CHESTER hardware device itself, this domain is solely the customer's responsibility. However, the cryptographic keys (e.g., those of the SIM card) are protected by smartcard-grade secure element chips.

tip

The CHESTER mainboard integrates a MEMS accelerometer that can raise a device-manipulation (tamper) alert, and the device position can be tracked using the optional GNSS module.

Bluetooth Radio

The CHESTER platform uses a certified Bluetooth Low Energy (BLE) stack from Nordic Semiconductor (the SoftDevice implementation). The System-on-Chip used (nRF52840) supports Bluetooth specification version 5.3. Access to all exposed Bluetooth services and characteristics is protected by the standard Bluetooth security mechanisms, i.e. it requires an encrypted and authenticated link.

New connections are accepted only from peers that know the pre-provisioned Bluetooth passkey. The passkey is a random number generated by HARDWARIO and can be changed by the user.

tip

The Bluetooth stack in the firmware implementation is optional and can be easily disabled.

LTE Connectivity

The security of the LTE link is provided by the standard mechanisms of the Evolved Packet System (EPS). The details of the EPS specification can be found in 3GPP LTE Release 13.

The device's identity and connectivity services are derived from the Universal Integrated Circuit Card (UICC).

In the case of the Vodafone carrier, HARDWARIO uses its own Access Point Name (APN) with private IP address space. Devices within the APN are isolated from public Internet traffic.

caution

Although the devices share the same private IP space, they cannot communicate with each other; they can only communicate with HARDWARIO Cloud.

Vodafone IPsec Tunnel

Connectivity between the Evolved Packet System (EPS) and HARDWARIO Cloud is secured by an IPsec tunnel. IPsec is defined by IETF standards and uses strong cryptography.

The tunnel is negotiated with IKEv2 using the proposal aes256-sha256-modp2048, i.e. AES-256 in CBC mode for encryption, HMAC-SHA-256 for integrity and as the PRF, and Diffie-Hellman group 14 (2048-bit MODP) for key exchange.

The re-keying interval of the established tunnel is less than 60 minutes.
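The proposal string above is written in strongSwan's keyword notation. The following Python is an added example for this article, not HARDWARIO's or Vodafone's configuration or tooling: it parses such a proposal into its transforms, maps the Diffie-Hellman keyword to its IKEv2 group number, and flags components that fall below a minimal policy. The policy thresholds (AES of at least 128 bits, no MD5/SHA-1 integrity, MODP of at least 2048 bits, re-key interval of at most 3600 s) are assumptions chosen to match the figures stated on this page; the weak proposal used for contrast is constructed, not observed anywhere.

```python
"""Audit an IKEv2 proposal written in strongSwan keyword notation.

Illustrative code added for this article (not HARDWARIO's or Vodafone's).
Policy thresholds below are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Optional

# strongSwan encryption keywords -> (cipher, key bits). A subset of the supported set.
ENCRYPTION = {
    "3des": ("3DES", 168),
    "aes128": ("AES-CBC", 128),
    "aes192": ("AES-CBC", 192),
    "aes256": ("AES-CBC", 256),
    "aes128gcm16": ("AES-GCM", 128),
    "aes256gcm16": ("AES-GCM", 256),
}
AEAD_CIPHERS = {"AES-GCM"}
# Integrity keywords (HMAC; IKEv2 truncates SHA-2 HMACs to half the digest size).
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
# Diffie-Hellman keywords -> IKEv2 transform ID (IANA Transform Type 4 registry).
DH_GROUPS = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16,
    "ecp256": 19, "ecp384": 20,
}


@dataclass(frozen=True)
class Proposal:
    cipher: str
    key_bits: int
    integrity: Optional[str]
    prf: Optional[str]
    dh_keyword: str
    dh_group: int


def parse_proposal(text: str) -> Proposal:
    """Split "enc-integ-dh" (or "aead-prfX-dh") into its transforms."""
    parts = text.strip().lower().split("-")
    if len(parts) < 2 or parts[0] not in ENCRYPTION:
        raise ValueError(f"unrecognised encryption transform in {text!r}")
    cipher, key_bits = ENCRYPTION[parts[0]]
    integrity = prf = dh = None
    for part in parts[1:]:
        if part in INTEGRITY:
            integrity = part
        elif part.startswith("prf") and part[3:] in INTEGRITY:
            prf = part[3:]
        elif part in DH_GROUPS:
            dh = part
        else:
            raise ValueError(f"unknown transform {part!r} in {text!r}")
    if dh is None:
        raise ValueError(f"no Diffie-Hellman group in {text!r}")
    if prf is None and cipher not in AEAD_CIPHERS:
        prf = integrity  # strongSwan derives the PRF from the integrity algorithm
    return Proposal(cipher, key_bits, integrity, prf, dh, DH_GROUPS[dh])


def evaluate(proposal: str, rekey_seconds: int, max_rekey_seconds: int = 3600) -> list:
    """Return policy findings for a proposal; an empty list means it passes."""
    p = parse_proposal(proposal)
    findings = []
    if p.cipher == "3DES" or p.key_bits < 128:
        findings.append(f"weak encryption: {p.cipher} {p.key_bits}-bit")
    if p.cipher in AEAD_CIPHERS:
        if p.integrity is not None:
            findings.append("redundant integrity transform with AEAD cipher")
        if p.prf is None:
            findings.append("AEAD cipher without an explicit PRF (e.g. prfsha256)")
    elif p.integrity is None:
        findings.append("non-AEAD cipher without an integrity transform")
    elif p.integrity in ("md5", "sha1"):
        findings.append(f"weak integrity: hmac-{p.integrity}")
    if p.dh_keyword.startswith("modp") and int(p.dh_keyword[4:]) < 2048:
        findings.append(f"weak DH group: {p.dh_keyword} (IKEv2 group {p.dh_group})")
    if rekey_seconds > max_rekey_seconds:
        findings.append(f"re-key interval {rekey_seconds}s exceeds {max_rekey_seconds}s")
    return findings


if __name__ == "__main__":
    # The proposal stated in the article, with a re-key interval under 60 minutes.
    print(parse_proposal("aes256-sha256-modp2048"))
    print(evaluate("aes256-sha256-modp2048", 3000))
    # A constructed weak proposal for contrast.
    for finding in evaluate("3des-md5-modp1024", 86400):
        print("finding:", finding)
```

The checker treats AEAD proposals differently from CBC ones because strongSwan expects an explicit PRF (such as prfsha256) when the cipher provides its own integrity, and reports a redundant integrity transform if one is given anyway.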

HARDWARIO Cloud Security

The HARDWARIO Cloud infrastructure runs in the data centers of the DigitalOcean cloud provider. All servers run the Ubuntu LTS Linux distribution. The HARDWARIO team performs regular security audits and maintenance of the whole infrastructure.

The cloud infrastructure is architected to avoid single points of failure, and every component is backed up by regular automated snapshots.

Device messages are processed by a data streaming service, which improves the reliability of data delivery.

Customer Infrastructure

HARDWARIO Cloud provides three services to access device data/device management features:

  • REST API (the backend follows an API-first design)

  • Asynchronous callbacks (queue of webhooks)

  • Web portal for users (operates on top of REST API)

All of these services are reachable over the public Internet and are served exclusively over HTTPS (TLS). Access is authenticated by an API token, by Google identity (OAuth), or by a username/password login.

API tokens support access-level scoping, so a token can be limited to the operations it is authorized to perform.