Security considerations
The design of a (wireless) connected lighting system takes the following main threats and mitigations into consideration:
Vulnerability | Mitigation |
---|---|
Changing configuration of the lights | Limited (physical) access to the lights and gateway |
Interfering with the lighting control protocol | Limited (physical) access to the lights and gateway |
Changing the network configuration of the lighting system | Secure communications of the lighting devices |
Unauthorized data retrieval from the lighting system | User management on tools using Role Based Access Control; secure communications to the Portal |
Unauthorized access to the Portal and App | User management on tools using Role Based Access Control; secure communications to the Portal |
Description of vulnerabilities
Detailed description of the main threats identified in the design of the system.
Changing configuration of the lights: The lights need a specific set of configuration parameters. For the correct functioning of the lighting system these parameters must not be tampered with.
Interfering with the lighting control protocol: The components of the lighting system exchange control messages to change the state of the lighting system. For the correct functioning of the system these messages must not be interfered with.
Changing the network configuration of the lighting system: The lighting system is configured so that its components can find each other and communicate. For reliable operation of the lighting system this configuration must not be interfered with.
Unauthorized data retrieval from the lighting system: The lighting system gathers sensor data and status information from its components. This information may be valuable and shall therefore be accessible only to authorized persons or entities.
Unauthorized access to the Portal and App: Via their interfaces, the Portal and App provide full control and management of the lighting system as well as access to the lighting and system data. For secure and reliable operation of the system, access to these interfaces shall be allowed only to authorized persons or entities.
Description of mitigations
Detailed description of the mitigations and secure configuration options of the system.
Limited (physical) access to the lights and gateway: Lights and sensors are in general located in the ceiling of rooms, open areas and other indoor locations, and maintenance access to the controllers inside the lights is limited. The gateway must be positioned in a visible location, mounted high on a wall or ceiling, out of easy reach.
User management on tools using Role Based Access Control: Access to the Portal and App is controlled via user accounts. These accounts are created and managed in the Portal. The following roles are used:
- Service provider: serves as administrator of all projects in their portfolio, including user management for all types of users:
  - Administrator (identical to service provider)
  - Installer
  - Owner
  - User
- Installer: installs and commissions the lighting system and can set up the following types of users for the projects they are assigned to:
  - Owner
  - User
- Owner: uses the system they own, serves as its administrator, controls and monitors the lighting system, and manages its users:
  - Administrator (identical to owner)
  - Installer (the owner can revoke an installer's access)
  - User
- User: can only control (a limited number of areas of) the lighting system.
Secure communications to the Portal: Access to the Portal is secured via HTTPS (TLS 1.2). HTTPS provides authentication of the server towards the clients as well as confidentiality and integrity protection for all information that is transferred.
Secure communications of the lighting devices: The gateway has a product key programmed into the device. The product keys are registered in the production cloud of the connected lighting system. During the localization process, the product key is authenticated by means of a QR code. Only an installer who is authorized and logged in with the correct user credentials can authenticate the gateway during commissioning.
During network creation, the gateway acts as the Zigbee Trust Center, and Zigbee devices can only be added once they have been discovered in the lighting network. The installer must moreover be logged in with an account for the appropriate project to be able to select the fixtures in the tool, so adding devices to the system without the correct authorizations is not possible.
The Zigbee communication is secured by encrypting all exchanged messages with AES using a secret key that is local to the installation.
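The role list and the commissioning rules above describe an authorization model without showing how the checks compose. The following is an added illustration written for this page, not code from the product or its vendor: it encodes the role list (which roles may create or revoke which user types, within which projects), the rule that an installer must be logged in and assigned to the project before a gateway product key is accepted, and the rule that a User may only control a limited set of areas. The `Account` structure, project and area identifiers, the `create`/`revoke` action names and the `PRODUCT_KEY_REGISTRY` stand-in for the production cloud registry are all assumptions; the registry contents are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Role(Enum):
    SERVICE_PROVIDER = "service provider"
    INSTALLER = "installer"
    OWNER = "owner"
    USER = "user"


# User types each role may create, taken from the role list above.
# "Administrator" is the same role as the creator (service provider or
# owner), so it is represented by that role here.
CAN_CREATE = {
    Role.SERVICE_PROVIDER: frozenset({Role.SERVICE_PROVIDER, Role.INSTALLER,
                                      Role.OWNER, Role.USER}),
    Role.INSTALLER: frozenset({Role.OWNER, Role.USER}),
    Role.OWNER: frozenset({Role.OWNER, Role.USER}),
    Role.USER: frozenset(),
}

# Constructed stand-in for the production-cloud product key registry.
PRODUCT_KEY_REGISTRY = frozenset({"GW-0001", "GW-0002"})


@dataclass(frozen=True)
class Account:
    name: str
    role: Role
    # Projects in scope: the service provider's portfolio, the installer's
    # assignments, or the system an owner or user belongs to (assumed model).
    projects: FrozenSet[str]
    authenticated: bool = False
    # For User accounts: the areas they may control. None means all areas.
    areas: Optional[FrozenSet[str]] = None


def in_scope(actor: Account, project: str) -> bool:
    """Every check starts here: the actor must be logged in and the project
    must be one it is assigned to, owns, or has in its portfolio."""
    return actor.authenticated and project in actor.projects


def can_manage_user(actor: Account, target: Role, project: str,
                    action: str = "create") -> bool:
    """May `actor` perform `action` ('create' or 'revoke') on an account of
    role `target` within `project`?"""
    if action not in ("create", "revoke"):
        raise ValueError(f"unknown action {action!r}")
    if not in_scope(actor, project):
        return False
    allowed = set(CAN_CREATE[actor.role])
    # Owners cannot create installers but may revoke an installer's access.
    if actor.role is Role.OWNER and action == "revoke":
        allowed.add(Role.INSTALLER)
    return target in allowed


def can_commission_gateway(actor: Account, project: str, product_key: str,
                           registry: FrozenSet[str] = PRODUCT_KEY_REGISTRY) -> bool:
    """Gateway authentication during commissioning: the scanned product key
    must be registered, and the actor must be a logged-in installer assigned
    to the project. Both conditions are required; neither alone suffices."""
    return (actor.role is Role.INSTALLER
            and in_scope(actor, project)
            and product_key in registry)


def can_control_area(actor: Account, project: str, area: str) -> bool:
    """Control of the lighting: users are limited to their assigned areas;
    the other roles control the whole project."""
    if not in_scope(actor, project):
        return False
    if actor.role is Role.USER:
        return actor.areas is not None and area in actor.areas
    return True


if __name__ == "__main__":
    installer = Account("ina", Role.INSTALLER, frozenset({"P1"}), True)
    owner = Account("olaf", Role.OWNER, frozenset({"P1"}), True)
    print(can_manage_user(installer, Role.OWNER, "P1"))            # True
    print(can_manage_user(installer, Role.OWNER, "P2"))            # False: not assigned
    print(can_manage_user(owner, Role.INSTALLER, "P1", "revoke"))  # True
    print(can_commission_gateway(installer, "P1", "GW-0001"))      # True
    print(can_commission_gateway(owner, "P1", "GW-0001"))          # False: not an installer
```

Note that every decision passes through `in_scope` first: a valid role with the wrong project, or a valid project on an unauthenticated session, is denied before the role table is consulted. That ordering is what makes an installer's assignment, rather than just the installer role, the thing that gates commissioning.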