In Part 1, we covered the history of smart lighting technologies and key milestones in the industry. Today we are going to focus on the advantages of LED, which led to explosive growth in the smart lighting ecosystem, and also take a sneak peek into the future.
Why Has LED Drastically Transformed the Smart Lighting Ecosystem?
A number of LED’s unique properties make the technology well-suited for the
rapid development of smart lighting solutions.
These are some key advantages of LED lamps in comparison with
traditional light sources (fluorescent, incandescent, etc.):
Increased efficiency (90-112 lumens per watt vs 10-17
lumens per watt for a traditional incandescent bulb).
Microcontroller (MCU) placement inside the bulb.
Lower voltage. Devices produce less heat, are more
compact, and are safer.
Simple control. LEDs can be dimmed and change color
with no additional standalone hardware.
Smart lighting solutions based on LED lamps are more energy-efficient,
occupy less space and, most importantly, can be integrated wirelessly into the IoT
system of an office, house, or building. Connected capabilities allow for
control and management of smart lighting systems with the help of a dashboard, be
it a consumer app or enterprise-grade cloud-based software.
Wireless connectivity along with MCU capabilities allows not only for
the management of modern smart lighting systems, but also helps make them more
intelligent with the help of AI and ML algorithms and various sensors
integrated into IoT solutions.
There are many wireless communication protocols that can be used to connect and build smart LED lighting installations. Some of them, like Zigbee, are mature and widely used; others, like Thread, are just now starting to evolve.
The current key wireless communication protocols for smart lighting
Bluetooth Low Energy (BLE)
All of the above-mentioned technologies have their advantages and
disadvantages, but there’s no single wireless protocol which fits all the
specific requirements for a given use case.
One trend, though, has emerged and is gaining momentum: the shift from
proprietary protocols (Z-Wave, Lutron) to open ones (Zigbee, Thread, BLE). The enormous
and fast-growing smart lighting market dictates the need for interoperability,
transparency, lightning-fast bug fixing, and cost-cutting. All of these are
achieved by open communities of companies that share expertise, create common
platforms, and standardize different aspects of the technologies under the hood
of smart-lighting solutions.
According to a recent study (https://www.gminsights.com/pressrelease/smart-lighting-market) by Global Market Insights, LED lighting’s share in the global lighting market was 40% in 2019 and is expected to reach 80% by 2025 and in that time, the smart lighting market will surpass $23 billion. One of the key drivers fueling this growth will be a surge in wireless technology usage and the integration of smart lighting systems into IoT solutions for building automation, smart homes, and cities.
From Smart to Intelligent Lighting
Thanks to wireless technologies and internet connectivity, the smart
lighting of tomorrow will not just be a separate system to turn the lights on
and off with a tap on the phone screen, but a component of a more complex IoT
solution with sophisticated usage scenarios, powerful AI- and ML-driven data
analytics engines, and a vast array of sensors. Moreover, light sources
themselves will help to gather additional information such as the location of
people in the building for security purposes.
Though there are lots of challenges to overcome, such as security issues
and a lack of interoperability and a common platform, smart lighting of the future
will provide us with numerous possibilities to make our homes and workplaces
more personalized, more “green,” and more comfortable.
Imagine a day in the near future: the smartwatch on your wrist monitors
your heart rate and motion and, paired with an AI-powered
health service, identifies the most appropriate time to wake you up. The smart
lighting system will be there to help you start the day refreshed and full of
energy, gently waking you from the sleep by imitating the colors of a sunrise in
During the day, while you are away from home, your smart lighting and
the rest of your smart home system shift into a “green” energy-saving mode,
keeping the lights and the thermostat on at the levels required to keep your
energy costs and carbon footprint the lowest.
Later, a security camera with face recognition capabilities identifies
you as you approach your house, and the smart lighting sub-system of your
smart home switches to your favorite lighting scheme with personalized colors, intensity,
and locations, depending on the time of the day. This scheme is created with
the help of AI, which analyzes your behavior at home, gathering data from
numerous sources, including motion sensors and even your calendar.
AI-driven smart lighting connected to smart home/office solutions will
also help to resolve purely technical issues, such as new device commissioning
So, welcome to the next stage of the smart lighting evolution: wireless,
intelligent, and human-centric.
The term “smart lighting” is widely known nowadays, though the history of the technology dates back to the late ’90s. The first solutions were quite primitive. About 20 years ago, light timers connected to outdoor lamps started to be used to turn them on and off at certain times, and this solution might have been called “smart”. Five years later, with the introduction of motion sensors, lighting systems became more complex and evolved. Half a decade after that, motion sensors were combined with daylight sensors to switch the light on only when it is dark.
Modern sophisticated smart lighting solutions have come a long way from those basic systems. Let’s dive into the history of the technology to discover the key turning points and contemplate the bright future of smart lighting.
To begin with, let’s review some key milestones in the evolution of
1959 – Joel S. Spira, the founder of
Lutron Electronics Company, invents the dimmer switch.
1989 — Ericsson Mobile begins the
development of a “short-link” radio technology, which in 1997 is named Bluetooth.
1992 — Blue LED is invented by
Shuji Nakamura, The University of California, Santa Barbara. A breakthrough in
lighting technology. In 2014 Nakamura was awarded the Nobel Prize for the
1998 — DALI, the most popular smart lighting
control protocol, is codified.
1999 — The term “Internet of Things”
is coined by Kevin Ashton, a creator of a global standards system for RFID
2003 — The Zigbee wireless
short-range protocol is standardized, a key technology for modern smart
2006 — Wibree communication technology,
the predecessor of Bluetooth Low Energy, is launched by Nokia.
The Prehistoric Age of Smart Lighting
While consumers enjoyed basic dimmers and timers, the DALI (Digital
Addressable Lighting Interface) control protocol was the most popular wired
solution for commercial projects, such as office lighting automation. The
technology is quite flexible, components are cheap, and the installation is
easy (if it is planned in while a new building is being constructed).
Nowadays it makes sense to use DALI only for new commercial buildings, otherwise
the price of installation may skyrocket due to the required routing of wires
through preexisting electric cable networks and reconfiguration of the existing
installation. For home use, it’s not a viable option.
There are also some challenges that the industry is working to overcome when
using DALI for modern smart lighting:
It requires wires. Though with the help of gateways
it’s possible to connect DALI with a wireless protocol of choice, the lighting
control system will be cumbersome and not easy to manage. Moreover, the area is
The commissioning process is far from simple. DALI
groups are quite complicated to configure and thus require more resources for
the system reconfiguration.
Component and network testing, as well as fault finding, is challenging.
Interoperability issues. DALI products might not be
interoperable, even though the technology is standardized.
DALI doesn’t support acknowledgement of sent
messages. So, if a system sends a command to turn on a light and there is a
collision with another command, there is no failsafe for the light to in fact be
DALI is still quite widespread, but wired protocols are gradually
stepping down from the smart lighting stage.
Back then, smart lighting solutions were cumbersome, costly, inefficient
and could hardly be called smart.
And Then There Was LED…
The era of traditional incandescent light bulbs is almost over. LED has
begun to revolutionize smart lighting in the last decade. Since there’s a
low-voltage semiconductor inside LED bulbs, it is natural to control it
digitally. LEDs work with microcontrollers exceptionally well.
The first widespread use of this combination began to emerge at the beginning
of the 21st century, when color-changing LEDs took the planet by
storm. Spectacular lighting installations fascinated consumers and were the
first real step towards smart, and later intelligent, wireless lighting
The LED revolution has accelerated with the decreasing prices of
different sensors, network chips, and microcontrollers. At the same time,
humanity has stepped into the wireless and connected world.
In the next article, we will focus on a range of advantages that LED has brought to the smart lighting market and try to identify LED’s key advantages that helped to make the transition from obedient to intelligent lighting.
Undoubtedly the world’s largest consumer electronics show, CES is a great indicator of where the IoT market is heading and what we can expect to see in the coming 2-3 years. Out of about 4500 exhibitors at CES 2020, more than 1000 companies were “internet of things” related, including smart home and city solution providers, wearables vendors, sensors, biometrics, and vehicle automation firms. The DSR team attended the show, and we are excited to share some of our impressions.
1. IoT Will Stand For “Intelligence of Things”
The IoT universe is constantly expanding and new types of devices are connecting to the internet. At CES 2020, a smart frying pan was announced. SmartyPans are equipped with weight and temperature sensors and can record recipes as you cook (https://smartypans.io/). An interactive smart makeup mirror, ICON.AI, is able to diagnose skin diseases, helps to choose makeup, and supports Amazon Alexa (http://icon.ai/). However, the most intelligent device for the smart home ecosystem was presented by Samsung. It’s called Ballie and is described as a “life companion”, not just an ordinary smart assistant (see video below).
The rolling, ball-shaped robot, unlike Apple’s Siri or the Amazon Echo, doesn’t wait for a voice command; instead, it constantly monitors your actions, behavior, and activities. Ballie is proactive. For example, it can wait and take a photo when the lighting is favorable, or command the smart vacuum cleaner to clean up the dog’s mess without bothering its owner.
Google Assistant now supports a wider range of compatible smart devices and gives an option to turn them on and off on a timer. You can say: “Hey Google, run the coffee machine at 7 a.m.” Moreover, you can now connect compatible smart devices with just a few taps as well as use smart digital sticky notes across smart displays. Google also has enhanced the translation capabilities of Assistant. Now the AI-driven voice assistant is able to translate text from more than 40 languages.
Plume demonstrated a motion detection system which operates without sensors and cameras (https://www.plume.com/). Plume Motion AI analyzes Wi-Fi signal delays between compatible OpenSync nodes and Wi-Fi connected devices to identify moving objects. This AI also helps to eliminate the problem of false home alarms, such as the detection of pets.
As demonstrated at CES 2020, multi-functional smart switches and displays are going to be one of the top home automation market trends in the coming years. One example is the Prima Touch Switch from Hogar Controls (https://www.hogarcontrols.com/). Prima Touch allows the user to configure a set of touch-sensitive buttons to control different smart devices and switch between predefined scenes. It supports the Z-Wave and Zigbee protocols. More advanced smart displays are able to stream video, help to monitor household energy consumption, and quickly adjust smart home settings for the current occupants’ needs.
CES 2020 has demonstrated that the smart home ecosystem and smart devices themselves are becoming more intelligent. Increased connectivity, along with AI-driven solutions, allows the smart home ecosystem to provide much more utility without the user’s direct involvement.
Lots of manufacturers’ smart devices are compatible with the OCF 2.1 standard (https://openconnectivity.org/developer/specifications/). The new version of the standard was released in November by the Open Connectivity Foundation, which boasts more than 300 members (Cisco, LG, Samsung, Intel etc.). OCF 2.1 provides detailed implementations for Bluetooth, EnOcean, Zigbee, and Z-Wave.
In December, Apple, Google, Amazon, and the Zigbee Alliance announced the creation of Connected Home over IP (https://www.connectedhomeip.com/). The goal is to create a working group for the development of a new open standard for smart home products, with a heavy focus on security.
Moreover, just over a month ago, Silicon Labs and the Z-Wave Alliance announced plans to open the proprietary Z-Wave standard (https://z-wavealliance.org/z-wave-specification-press-release/). Before the announcement, Silicon Labs was the only manufacturer of MCUs with Z-Wave support. In the near future, other manufacturers will be able to produce Z-Wave chips. This is the first step to making the standard fully open.
DSR Corporation also contributed to this shift, as we announced the ZBOSS Open Initiative (ZOI) at CES 2020 (http://dsr-zoi.com/). This is a community of companies with a shared understanding of the necessity to have a common Zigbee PRO software platform to overcome, together, the shared challenges around interoperability, security, testing, and optimization of Zigbee-enabled products and solutions.
3. Wi-Fi 6 to boost smart home
Wi-Fi 6 (802.11ax) will increase the throughput and speed of IoT networks, decrease delays, and make smart homes more secure. Thanks to the support of OFDMA and BSS Coloring technologies, smart home and office solutions based on Wi-Fi 6 will manage network traffic more efficiently, especially in a radio-dense environment.
WPA3 will significantly improve the security of IoT networks in comparison to WPA2 thanks to the Simultaneous Authentication of Equals (SAE) protocol, which is used in Wi-Fi 6, instead of Pre-Shared Keys (PSK). The new standard will make IoT networks a lot harder to hack.
What’s more, Wi-Fi 6 routers support up to 1024 connected devices simultaneously, whereas the current Wi-Fi generation is able to support only 250. This is a great step forward for smart home and office automation, since just one Wi-Fi 6 enabled router will be able to manage more than a thousand smart devices.
Quite a number of manufacturers announced routers with Wi-Fi 6 support, including D-Link, TP-Link, Linksys, and Netgear. Comcast also revealed the xFi Advanced, an IEEE 802.11ax certified gateway.
4. 5G – the first generation of cellular networks for IoT
According to an Ericsson forecast (https://www.ericsson.com/en/mobility-report/internet-of-things-forecast), over 1.5 billion IoT devices will be connected to cellular networks by 2022. 5G is the first generation of mobile networks designed with IoT industry requirements in mind. Apart from a tenfold speed increase (up to 15-20 Gbit/s) in comparison to 4G, 5G supports 250 times more connected devices — over 1 million devices per 1 square kilometer. The capacity of 4G is limited to a mere 4,000 devices per square kilometer. CTA forecasts that more than 50 mobile network operators throughout the world will launch 5G in 2020 (https://cta.tech/).
For the IoT market, the 5G network deployment means the increased use and efficiency of cloud services, significantly lower latency (down to 1 ms), and greatly increased throughput. All of these improvements will allow for the creation of a robust smart city infrastructure and industrial IoT solutions with hundreds of thousands of smart sensors and devices.
Significantly lower latency in 5G networks will allow for the remote control of automated vehicles and industrial machinery from another part of the world. 5G can also be used by farmers to oversee massive areas of land with the help of a drone fleet equipped with a variety of sensors. Drones can identify diseased plants or areas that need to be watered. It’s a great example of how 5G-based IoT systems will help to solve very real-world problems.
5. Biometrics for smart home and office
Face recognition technology is making its way into the smart home market. More and more devices are capable of using face recognition for access. Blurams revealed a smart doorbell at CES (https://www.blurams.com/). The doorbell sports AI facial recognition, a 1080p camera, motion detection, and a 2-way talk function including hands-free calling. Faces are identified in real time, with all of the data stored in the company’s cloud storage. Blurams’s app allows users to register up to 16 people for identification.
ADT presented a range of smart cameras (https://www.adt.com/). Sophisticated computer vision technology helps to not only identify authorized users, but also distinguish between strangers and burglars. The smart camera system will notify its owner about suspicious strangers around the house via push notifications in the app and voice messages via Amazon Alexa. Cameras are equipped with a microphone and speaker for voice communication, as well as a light sensor.
Additionally, several companies at CES 2020 revealed smart door locks equipped with fingerprint scanners.
6. Wireless Charging for Smart Devices
A few companies announced wireless chargers for smart home devices at CES 2020.
Wi-Charge revealed the Powerpuck R1 charger with AirCord infrared beam technology (https://wi-charge.com/). It can be plugged into a wall or screwed into a lightbulb socket. The charger is able to charge compatible smart devices from a distance of up to 9 meters, covering almost 2.5 square meters. The receivers measure just 1×1 cm and can be embedded in the charged devices. R1 initiates the charging of compatible devices right after the installation without any additional configuration.
Unlike the Powerpuck R1, Ossia’s wireless charger, Cota, doesn’t require direct line of sight to power smart devices (https://www.ossia.com/cota/). Cota measures 30×30 cm and transmits power via a 5.8 GHz radio signal. Just like Wi-Fi, but instead of data, the chargers send power to the connected devices.
Receivers with Cota wireless charging support can be embedded in smart speakers, thermostats, cameras, smoke detectors, and other smart devices. The charger transmits power up to 9 meters, doesn’t require direct line of sight, and is able to charge notebooks, smartphones, remote controls, and other gadgets.
The variety of wireless chargers, demonstrated at CES 2020, will help to solve one of the main smart home ecosystem problems – battery changing and power limitations. However, the solutions currently have some drawbacks, like the need to embed a specific supported receiver in the end-devices and significant power loss during transmission.
7. Enhanced Voice Control
Voice assistants are used in smart home solutions more and more often, and their advancement will allow for more sophisticated automation scenarios and features. So far, voice control is widely adopted in English-speaking countries, but thanks to significant improvements in speech recognition it will be used in other countries in 2020 as well. Juniper Research predicts that more than 8 billion smart devices will support voice commands by 2023 (https://www.juniperresearch.com/press/press-releases/digital-voice-assistants-in-use-to-8-million-2023).
Voice assistants are supported by a wide range of smart devices including fridges, toilets, shower cabins, door locks, and garage gate openers. However, the most recent trend in IoT is not only voice but sound recognition. Audio Analytic, a startup at CES 2020, announced “the second generation” of audio recognition technology for smart devices based on its extensive Alexandria library (https://www.audioanalytic.com/). The library contains more than 15 million labelled sound samples. This technology enables smart devices to identify different sounds and act accordingly. For example, a security system with Alexandria support will be able to identify the sound of shattered window glass in the house and set off the alarm to notify the owner about a possible break-in. Or, a smart home will be able to “hear” a child crying and notify the parents, play soothing music for the child, and turn on the lights in the corridor leading to the child’s room. Audio Analytic’s sound recognition technology uses AI and neural networks to accurately identify different sounds. It’s already supported by some smart hubs on the market, including Hive Hub 360.
8. Smart home security and privacy are in the spotlight
CES 2020 showed that in the coming years more and more effort will be devoted to making smart home systems and IoT devices significantly more secure. The Amazon Ring camera hacks last December sounded the alarm for manufacturers and service providers to pay a lot more attention to the security flaws of current IoT solutions. The number of attacks on smart home and office systems will only increase, since they are still easy targets.
To address the issue, Comcast revealed the free app, Xfinity xFi, for its smart ecosystem. The app monitors and controls traffic, blocks suspicious activities, and notifies the user about abnormal data sent from end devices. Apple attended CES for the first time in 28 years to discuss users’ data privacy issues, while Google Assistant will now erase data if activated accidentally. One just needs to say “Hey Google, that wasn’t meant for you”. Moreover, users can open a new dashboard to see how the service uses recorded data, view privacy settings, and delete any record from the last 18 months.
Amazon also enabled the option to erase records for Alexa with the help of the phrases: “Alexa, delete what I just said” and “Alexa, delete everything I said today.”
9. Office Automation is the Next Big thing
2020 will be the year for wider office automation systems adoption even by mid-sized companies. The systems will help to make office workspace more comfortable, controllable, safe, and energy efficient.
Smart offices will be able to automatically adjust lighting and temperature depending on the weather outside, making the workspace not only more convenient for employees, but also less energy consuming. Smart doorbells, motion sensors, door locks, and cameras will help to identify strangers and grant employees access to certain areas of the office.
Office automation will help to book meeting rooms more efficiently, control lighting, and manage other key routine activities.
A great number of smart devices presented at CES 2020 will be used for office automation, starting with smart touch switches, all the way to wireless chargers for smart devices.
10. AI-Driven Smart Energy
A connected smart home not only makes smart device management a breeze, but also helps to reduce energy consumption. For example, there is no need to heat the house if no one is present. With the help of a connected thermostat and smartphone app, the owner of the house can create optimal scenarios or leave it to an AI-powered service which analyzes the user’s habits and behavior patterns and can offer the most energy-efficient temperature control scenes without any impact on comfort. Lighting and other variables can also be controlled automatically in a similar way.
The use of AI makes smart home solutions more intelligent. Moreover, the geolocation capabilities of smartphones allow, for example, for the AI to prepare a certain scenario (temp, lights, coffee, music, etc.) when the user is commuting home.
DSR Corporation is participating in the Wondrwall intelligent living project (http://en.dsr-corporation.com/news?id=630). Different temperature modes have already been implemented, and in the near future users will be able to connect solar panels and automatically buy and sell energy at the most competitive prices.
A bit of history: the creation of the Zigbee standard required a lot of effort, time and knowledge. Dotdot is an alias for ZCLIP, which stands for Zigbee Cluster Library (ZCL) over IP. It is about exposing ZCL functionality to the IP world, in contrast to classic Zigbee, which is always isolated from IP networks and requires a Zigbee gateway to connect the Zigbee mesh with the outer world. This would become a bridge between IoT and other networks. Different manufacturers have Zigbee gateway solutions, mostly for connecting a Zigbee network with the cloud.
Classic Zigbee provides all the instruments for the organization, self-organization, restoration and stability of the network. Above all of this sits the Cluster Library, which provides the functions that allow the clusters to communicate. However, there is one shortfall with this system: it cannot get online. With ZCL exposed to IP, it becomes possible to establish a direct communication channel between an Internet/intranet application and a Dotdot device, while the border device remains transparent to and unaffected by the details of the communication. In the same way, communication between Dotdot devices located on different networks is also possible, on the condition that device services are properly advertised across network borders or the devices are bound by means of a third-party application.
New Language: Old Terms, New Sense
Dotdot is a standard that allows you to put ZCL on any “rails” other than Zigbee – WiFi, Thread, and so on. This is an add-on for Zigbee. An application level protocol that allows smart devices from closed networks (with addresses) to communicate more openly through the address space that is on the Internet and other networks. It is important to not just reach the device itself, but also to address the command to a specific cluster within, and do so securely.
Figuratively, Dotdot receives commands in one language and translates them into a language understandable for smart devices. This makes the smart device ecosystem more open. Dotdot uses the Zigbee approach in ZCL and has extended it to other types of transports as well. The mesh built for some Dotdot solution deployments is not mandated to contain only Dotdot-compatible devices.
The Commissioning Application
The Dotdot commissioning application was developed next to and based on Thread that was taken from the official Thread Commissioning App mostly as is, courtesy of the Thread Group. The application allows managing the expansion process of the Dotdot network. Seamless integration of the parts and stabilization of Thread for both mobile platforms was also performed.
This application allows third-party devices to enter, which is critical for maintaining network security. The top layer works with Dotdot enabled devices over Thread. Thread is responsible for commissioning new Thread enabled devices to the home network and discovering devices that are already there. Dotdot makes use of device lists from Thread and as a result uncovers Dotdot enabled devices and their services. The system interrogates the device, finds which services and clusters are running, on which endpoint, and which commands the device supports, allowing for a complete picture of the device’s capabilities. Once this is completed, you are able to change the attributes and send commands from the application itself. There are clusters, attributes, bindings and reporting.
Why Should Companies Implement Dotdot?
Speed. Abstraction. Interoperability. Dotdot provides the opportunity to create applications in a more flexible way. This is because Dotdot solutions use “generic” border routers that are standard, easily replaceable even at run time, and not a “single point of failure.” The same data model is provided for different IoT technologies, regardless of which protocols are used to send data (WiFi, BLE, Zigbee, Thread, and so on); this means there is a wider market for a solution to spread into. You can create a wider IoT system where all the devices understand each other. This creates an easier entry point for companies to develop solutions and allows application developers to focus on the application and functionality, without delving into the underlying specifics of a particular wireless network.
How to Get Started
Download an SDK from a company that provides the solution.
Study the provided API and Zigbee clusters description. Find the needed clusters and start your own device implementation (certified by the Zigbee Alliance).
Gain access to the Dotdot Commissioning Application.
To accelerate your development, engage a company with experience in Dotdot and wireless technologies.
Lastly, consider becoming a member of the Zigbee Alliance (if you are not already) to get access to even more tools and become involved in the development of IoT standards.
The Internet of Things (IoT) often brings us convenience, economy, fun, and security, but it’s also a source of numerous challenges for developers, installers, and maintainers. In this article, we are talking about one facet of the global IoT challenge – secure remote access.
Every small piece of a Smart Home, be it a Thermostat, a Security Sensor, or a Light bulb, has direct, or more often indirect, access to the Internet. Local or near-field security is a very important topic, but its importance can’t be compared with the security of access to the Cloud services responsible for configuration, notifications, alarms, and all the other things that make our homes smart. Personal computers, smartphones, printers and NAS have had network connectivity for a very long time, but we should not forget that compromising one of the small home devices mentioned above would allow an attacker some control over the physical world, which is definitely a different type of risk than that associated with a personal computer.
For example, imagine an attacker has access to notifications from the home’s Thermostat. He can’t control the Thermostat, however, he has access to current mode and temperature. And using this harmless data he not only violates the abstract privacy, but most likely also knows the schedule of the house occupants, as well as if someone is home at that particular moment.
The recent research published by Symantec shows the following vulnerabilities are common for almost all Smart Home Solutions.
While passwords, encryption, account enumeration, and supply chain attacks are more or less obvious and are usually related to the user experience or the corresponding standards, attacks and issues on remote access security (including web vulnerabilities, MITM attacks, and firmware tampering) should be mitigated during design and development.
So yes – it’s recommended to have secure access from Smart Home devices or Gateways. And of course there are dozens of solutions suitable and secure, at least at the current technical level. However, sometimes even a security professional asking, “what to secure?” forgets about the “when.”
What percent of devices in the field are manufactured inside a vendor’s own facilities and prototyping factories? It’s hard to know the exact answer without using floating-point operations. And even the best scheme following all standards and guidelines can be compromised during manufacturing. So here’s where the challenge becomes really intriguing.
This leads to the following requirements:
Server-side validation (i.e., the server must be sure that the client is an approved device).
Client-side validation (i.e., the client must be sure it is connecting to the right server).
Client-side security materials should not be accessible to the manufacturer.
With server-side validation, everything is more or less standardized. The only thing to add to the common pattern is custom security material for each client, so that the client can be identified.
From the client side the solution is trickier: tens of thousands of devices may be in sleep mode in a warehouse somewhere when it is discovered that the server is compromised, and, as a consequence, they can’t be reprogrammed. This calls for an additional server validation service. It can be, for example, a dedicated OCSP server or some custom solution with only one function: inform the device that the server’s security materials have been compromised.
When talking about compromise during manufacturing, there’s another well-known but not so widely used option: updating the security materials when the device is installed. This may be manual activation via the web or simply an update on first connection.
All clients should have pre-programmed security materials containing a unique ID for each client, and these materials should be updated as soon as the device is installed.
The server should have a validation scheme for each client. Something as simple as a whitelist is more than enough.
A separate validation service should be implemented to allow clients to at least detect that the server has been compromised.
Note that for better security, it may be reasonable to set the lifetime of the security materials used to access the validation service to a reasonably short value: for example, instead of the years usually used for the main services, use 20-30 days.
These three simple principles make the entire system much more secure and, as a bonus, this scheme can be implemented using open-source software as described below.
Sample Security Solution
Note that the scheme above is just a sample solution; the services can be replaced with custom implementations or appropriate analogs.
Root CA – in a Public Key Infrastructure (PKI) acts as the Root Certificate Authority: it signs certificates for the Manufacturer, the OpenVPN server, and the OCSP responder. In addition, you should maintain the list of compromised and expired server certificates as part of the Root infrastructure’s Certificate Revocation List (CRL).
openvpn-server.com – a machine (or a number of machines) that runs the OpenVPN server and the Application Server.
OpenVPN Server – handles VPN connections from devices. Optionally, it can check whether the device ID extracted from the certificate is listed in the known-device list. The device list is provided by the Manufacturer and contains the IDs of issued devices; it can be used to control the number of devices issued by the Manufacturer.
Note: the Server always “knows” whether the certificate was issued by the Manufacturer or by the Root CA, and can replace the certificate on the device after the first successful connection.
Manufacturer – a third party in the PKI that acts as an intermediate Certificate Authority: it issues certificates for devices. In addition, the Manufacturer should maintain the list of IDs of all issued devices and provide this list back.
Field device – runs different applications. An application sends the gathered info to the Data Server, performing the following steps:
establishes a tunnel to the OpenVPN server using the OpenVPN client
checks (via a request to the OCSP server) that the OpenVPN server certificate has not been revoked
sends data through the VPN tunnel to the Data Server
closes the VPN tunnel
ocsp-server.com – an instance of the OCSP Server.
OCSP Server – Online Certificate Status Protocol responder. This is the special service used to check whether the OpenVPN server certificate has been revoked.
Note that the OCSP certificate is as important as the Root CA certificate, since it can be used to block all VPN connections. So it is a good idea to run the OCSP service on a separate machine where no other services are running.