Security

I’m just getting up to speed on your hardware. I think it might be valuable to add a category specifically about network security. Perhaps seed the discussion with some posts about:

  • how EI secures its connection?

  • reprogramming by someone else (a lockout feature perhaps?)

  • how I would go about making the case adding this device to a WiFi network won’t compromise its security?

We’re working on a whitepaper which will cover the security architecture which we’ll publish on the website, but here’s the short summary:

  • connection from imp is outbound, and uses TLS (AES-128)
  • we use certificates to ensure that we’re talking to the right server (no MITM)
  • VM code is transferred over this secured link
  • impOS upgrades are fetched in the plain (HTTP) but are encrypted and signed with AES-GCM
  • the data between the SoC and WiFi chip is encrypted (i.e. encryption happens within the SoC, not the wifi chip)
  • we have a good quality hardware RNG within the SoC which we use for our random seeding
  • the SoC is locked down, JTAG disabled, and readback protection enabled so you can’t dump the code even if you disassemble the module (you can erase the device totally, but then you have to write your own OS so it’s actually just a devboard then, not an imp)
  • the imp itself has no open ports
  • squirrel code cannot make local connections, it can only talk via the secured link
  • commercial blinkup uses a nonce for every provisioning, so is not susceptible to replay attacks

If the site owner is very paranoid, then putting imps on an SSID with a locked down VLAN is a totally valid approach.
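The upgrade path in the summary above (image fetched over plain HTTP, but encrypted and signed with AES-GCM) is the part a reader can check for themselves. The following is an added example, not Electric Imp's code or its actual update format: a Go model of why a plaintext fetch is safe when the image is an AEAD blob, where a single flipped bit is rejected before the image is used. Key and image bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealUpdate encrypts and authenticates an image under the shared device key, returning nonce || ciphertext || 16-byte tag.
func SealUpdate(key, image []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, nil), nil // appends to the nonce
}

// OpenUpdate is the device-side check: the image is returned only if the tag
// verifies, so a blob altered on the wire or sealed under another key fails.
func OpenUpdate(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("update blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("constructed-16B!") // constructed 16-byte demo key
	blob, _ := SealUpdate(key, []byte("constructed impOS image bytes"))
	blob[len(blob)-1] ^= 0x01 // one bit of the tag corrupted in transit
	_, err := OpenUpdate(key, blob)
	println("tampered image rejected:", err != nil)
}
```

Note that GCM's tag is a symmetric check: "signed" here means authenticated under a key the device already holds, so key storage (the locked-down SoC) is what the scheme rests on.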

This is a great topic for commercial applications. We find ourselves in medical facilities, law offices, utilities, etc. where (along with many other industries) security is very important and the network folks don’t want to be bothered.

In the interests of strictest accuracy, the imp actually has two open ports: udp/68 (DHCP) and udp/53 (DNS). But no others.

Peter

This is just my personal opinion … as I am not an employee of Imp …

As great as the Imp is, and so much fun to use, I would still not use it for anything that depends on safety, life support, danger to life or equipment, or critical building controls. You’re relying on a cloud server “out there” in which you have no physical control. A home heating system is fine if you have a local backup control that can take over control on any over/under temperatures, or loss of the Imp.

As of yet, I have not experienced anything amiss, other than my own doing. Anything can go wrong with any electronic control (not just the Imp), but the added “man behind the curtain” does introduce another point of failure.

Indeed, the imp terms of service forbid its use for anything safety-critical. Even wifi itself is not deterministic so is ruled out for some demanding wireless communication applications…