Security considerations

The design of a (wireless) connected lighting system takes the following main threats and mitigations into consideration:

Overview of vulnerabilities and mitigations

Vulnerability                                              Mitigation
---------------------------------------------------------  --------------------------------------------------------
Changing configuration of the lights                       Limited (physical) access to the lights and gateway
Interfering with the lighting control protocol             Limited (physical) access to the lights and gateway
Changing the network configuration of the lighting system  Secure communications of the lighting devices
Unauthorized data retrieval from the lighting system       User management on tools using Role Based Access Control
                                                           Secure communications to the Portal
Unauthorized access to the Portal and App                  User management on tools using Role Based Access Control
                                                           Secure communications to the Portal

Description of vulnerabilities

Detailed description of the main threats identified in the design of the system.

Changing configuration of the lights

The lights require a specific set of configuration parameters. For the lighting system to function correctly, these parameters must not be tampered with.

Interfering with the lighting control protocol

The components in the lighting system exchange control messages to change the status of the lighting system. For the system to function correctly, this message exchange must not be interfered with.

Changing the network configuration of the lighting system

The lighting system is configured such that its components can find each other and communicate. For reliable operation of the lighting system, this network configuration must not be interfered with.

Unauthorized data retrieval from the lighting system

The lighting system gathers information from sensors and status from its components. This information may be valuable and shall therefore be accessed only by authorized persons or entities.

Unauthorized access to the Portal and App

Via their interfaces, the Portal and App provide full control and management of the lighting system as well as access to the lighting and system data. For secure and reliable operation of the system, access to these interfaces shall only be granted to authorized persons or entities.

Description of mitigations

Detailed description of the mitigations and secure configuration options of the system.

Limited (physical) access to the lights and gateway

Lights and sensors will in general be located in the ceiling of rooms, open areas and other indoor locations.
Furthermore, maintenance access to the controllers in the lights is limited. The gateway must be positioned in a visible location, high up against a wall or ceiling.

User management on tools using Role Based Access Control

Access to the Portal and App is controlled via user accounts. These user accounts are created and managed in the portal. The following roles are being used:

  • The service provider serves as an administrator of all projects in his portfolio, including user management of all types of users:

    • Administrator (identical to service provider)

    • Installer

    • Owner

    • User

  • The installer installs and commissions the lighting system and can set up the following types of users for projects he is assigned to:

    • Owner

    • User

  • The owner uses the system he owns, serves as its administrator, controls and monitors the lighting system, and manages the following users:

    • Administrator (identical to owner)

    • Installer (owner can revoke access to an installer)

    • User

  • The user can only control (a limited number of areas of) the lighting system.
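The role model above can be expressed as a small policy check. The following is an added example, not code from the lighting system or its Portal; the role names follow the list above, while the treatment of "administrator" as an owner-equivalent role, the scoping of accounts to a set of project identifiers, and the per-user list of controllable areas are assumptions made for the illustration.

```python
"""Role-based access control model for the Portal/App roles (constructed example)."""
from dataclasses import dataclass

# Account types each role may create and manage, per the role list above.
MANAGES = {
    "service_provider": {"administrator", "installer", "owner", "user"},
    "installer": {"owner", "user"},
    "owner": {"administrator", "user"},
    "administrator": {"administrator", "user"},  # assumption: identical to owner
    "user": set(),
}

# Roles an owner may revoke but not create (the owner can revoke an installer's access).
REVOKE_ONLY = {"owner": {"installer"}, "administrator": {"installer"}}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    projects: frozenset            # projects in scope: portfolio, assignment or ownership
    areas: frozenset = frozenset() # for role 'user': areas this account may control (assumption)


def in_scope(actor: Account, project: str) -> bool:
    """A role only acts within the projects it is assigned to or owns."""
    return project in actor.projects


def can_create(actor: Account, target_role: str, project: str) -> bool:
    """May `actor` create an account of `target_role` in `project`?"""
    return in_scope(actor, project) and target_role in MANAGES.get(actor.role, set())


def can_revoke(actor: Account, target: Account, project: str) -> bool:
    """May `actor` revoke `target`'s access to `project`?"""
    if not (in_scope(actor, project) and in_scope(target, project)):
        return False
    allowed = MANAGES.get(actor.role, set()) | REVOKE_ONLY.get(actor.role, set())
    return target.role in allowed


def can_control_area(actor: Account, project: str, area: str) -> bool:
    """A user controls only its assigned areas; owners/administrators control the whole system.

    Assumption: service providers and installers are not modelled as operating the lights."""
    if not in_scope(actor, project):
        return False
    if actor.role == "user":
        return area in actor.areas
    return actor.role in {"owner", "administrator"}


if __name__ == "__main__":
    # Constructed sample accounts: two projects in the service provider's portfolio.
    sp = Account("sp", "service_provider", frozenset({"site-a", "site-b"}))
    inst = Account("inst", "installer", frozenset({"site-a"}))
    own = Account("own", "owner", frozenset({"site-a"}))
    usr = Account("usr", "user", frozenset({"site-a"}), frozenset({"lobby"}))
    print("installer may create owner on site-a:", can_create(inst, "owner", "site-a"))
    print("installer may create owner on site-b:", can_create(inst, "owner", "site-b"))
    print("owner may revoke installer:", can_revoke(own, inst, "site-a"))
    print("user may control boardroom:", can_control_area(usr, "site-a", "boardroom"))
```

The point of writing the checks this way is that every decision is scoped to a project first and to a role second, so an installer assigned to one site cannot create accounts on another, and a user cannot escalate beyond its areas.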

Secure communications to the Portal

Access to the Portal is secured via HTTPS (TLS 1.2). HTTPS provides authentication of the server towards the clients as well as protection of all information that is transferred.

Secure communications of the lighting devices

The gateway has a product key programmed in the device. The product keys are registered in the production cloud of the connected lighting system.

During the localization process, the product key is authenticated by means of a QR code. Only the installer that is authorized and logged in with the correct user credentials can authenticate the gateway during commissioning.

During network creation, the Zigbee devices use a TrustCenter (gateway) and can only be added when discovered in the lighting network. The installer however must be logged in with an account for the appropriate project to be able to select the fixtures in the tool. Adding devices to the system without the correct authorizations is not possible.

The Zigbee communication is secured by encrypting all messages that are exchanged using AES with a local secret key.
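The commissioning flow described in this section (registered product key, QR-code authentication by a logged-in installer, and a trust centre that only admits discovered devices under a session for the right project) can be modelled as a set of policy checks. The following is an added example, not the gateway's or the production cloud's own code; the data structures, the function names, the sample product key and project identifiers are constructed for the illustration, and the network key is represented only as the 16-byte AES secret the trust centre hands to a device once its join is authorized.

```python
"""Gateway authentication and device-join policy of the trust centre (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class ProductionCloud:
    """Product keys registered at production (constructed sample values)."""
    registered_keys: set


@dataclass
class Session:
    """A Portal/App login: who is logged in, with which role, to which project."""
    user: str
    role: str
    project: str


@dataclass
class TrustCenter:
    """The gateway acting as Zigbee trust centre for one lighting network."""
    product_key: str                       # programmed into the gateway at production
    project: Optional[str] = None          # set once an installer has authenticated the gateway
    network_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))  # local AES-128 secret
    discovered: set = field(default_factory=set)   # devices seen on the air in this network
    joined: dict = field(default_factory=dict)     # device -> network key handed out


def authenticate_gateway(cloud: ProductionCloud, tc: TrustCenter,
                         scanned_qr: str, session: Session) -> bool:
    """Localization step: the scanned QR must carry the gateway's own product key,
    that key must be registered in the production cloud, and the scanner must be
    a logged-in installer. On success the gateway is bound to the installer's project."""
    if session.role != "installer":
        return False
    if scanned_qr != tc.product_key or tc.product_key not in cloud.registered_keys:
        return False
    tc.project = session.project
    return True


def permit_join(tc: TrustCenter, device: str, session: Session) -> bool:
    """Network creation: a device may join only if the gateway is commissioned, the
    installer is logged in to that same project, and the device was discovered here."""
    return (tc.project is not None
            and session.role == "installer"
            and session.project == tc.project
            and device in tc.discovered)


def join_device(tc: TrustCenter, device: str, session: Session) -> Optional[bytes]:
    """Admit the device and hand it the network key; returns None when the policy refuses."""
    if not permit_join(tc, device, session):
        return None
    tc.joined[device] = tc.network_key
    return tc.network_key


if __name__ == "__main__":
    cloud = ProductionCloud(registered_keys={"GW-PRODKEY-0001"})   # constructed
    gateway = TrustCenter(product_key="GW-PRODKEY-0001")
    installer = Session("alice", "installer", "site-a")
    print("wrong QR accepted:", authenticate_gateway(cloud, gateway, "GW-PRODKEY-9999", installer))
    print("correct QR accepted:", authenticate_gateway(cloud, gateway, "GW-PRODKEY-0001", installer))
    gateway.discovered.add("fixture-01")
    print("join of discovered fixture:", join_device(gateway, "fixture-01", installer) is not None)
    print("join of unknown fixture:", join_device(gateway, "fixture-02", installer) is not None)
```

Two properties of the page's design are visible in the checks: a gateway whose product key is not registered, or is scanned by anyone other than an installer, never gets bound to a project, and until it is bound no device can obtain the network key at all.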