What is risk?
Before I start I want to briefly mention that there are two types of risks that are generally discussed:
- The risk of Clever Alert (or any third party device) to the network i.e. what if we intended harm
- The risk of a third party attempting to hack our system as a way into your system (i.e. we are the weak link)
I will address both of these concerns.
IoT in general
Clever Alert is an Internet of Things (IoT) device. That is, it joins the myriad of printers, lightbulbs, speakers, cameras, fridges, air conditioners, doorbells and so on, that have incorporated an internet connection into their functionality.
Any time you allow a new device onto your network, you open the network up to potential threats. If you have a device from an untrustworthy supplier you will be opening yourself up to risk. There are devices available on eBay that fall into this category. They are selling very cheap devices but will have spyware embedded in the drivers.
The first tip to ensuring security is to buy a device from a trustworthy supplier and trustworthy manufacturer.
This then raises the question of “who is Clever Alert?” For that, all we can answer is “we have been in business since 2000, have tens of thousands of happy clients, and can provide references for anyone who is concerned.
In terms of similarities to IoT devices, the Clever Alert gateway is like a modern printer. You will connect it to your local network. Like many modern printers, it will try to connect to a centralised server (to allow cloud based printing or check for updates). Clever Alert will attempt to connect to its cloud based server.
The Clever Alert loggers are LoRa devices that are very similar to Bluetooth beacons. They transmit data and the gateway listens for the information. They are only transmitting temperature data and have no control capabilities within the network.
I would say that the loggers are like a Bluetooth microphone, except this then jumps into people’s fear that a computer can be hacked and people can hear what you are saying. It is not the microphone that is the risk here, but the computer that is being hacked. Fundamentally, a Bluetooth microphone is just a device to monitor sound. Likewise, the loggers are just monitoring temperatures.
General protection from external hacking
Your first and most effective level of security (for all internet related risks) is a firewall. The great thing is that most users have no idea what a firewall is, where it is, or how to turn it on or off.
The good news is that every internet modem now has a firewall and it is on by default. Every computer for years now has a firewall as part of the operating system, and it is on by default.
A firewall effectively blocks everything trying to get into your network or computer. It will then allow programs from within the network/computer to access the internet and, once established, allow external things to respond. For example, if you visit a web site, the firewall will allow the request out and the response back in.
If a third party attempts to access your computer, they can’t get through your firewall because they are coming from an unknown source.
(As an aside, if you do want external devices to access a computer you then either have to tell the firewall to let certain things in, or you need to have software like TeamViewer permanently running on a computer to keep the link through the firewall open).
Specific protection from Clever Alert doing malicious damage
The issue is that Clever Alert is now sitting inside your network. For most users, they trust us and this isn’t a huge issue. For the couple of people who are concerned, this covers some basic tips on protection and some advanced tips.
At the very least, every computer network should have security on individual PCs. There should not be publicly shared folders with sensitive information on them.
Your two biggest security risks isn’t from a device like Clever Alert, but simply from a person jumping on a computer in your office and accessing sensitive information, or someone opening a virus in an email. In both cases, you need to have sufficient security in place to limit the access across the network.
BUT if you do want to be super secure, and make sure that Clever Alert can’t do damage, the solution is easy in the age of modern networks (“easy”, but not necessarily “simple”. Leave it to an IT department).
It is possible to have devices that can only access very specific locations. It means that IT can limit the addresses that Clever Alert can access to only those that we said were necessary.
Other alternatives are a VLAN or a subnet. It’s a fancy way of saying that your network is actually a bunch of totally independent networks, and they don’t see each other. This is the “advanced” stuff that normal users don’t need to know about, but comes up in conversation with corporate and institutional IT departments.
What about Clever Alert being hacked?
This is a fundamental question that we regularly ask ourselves. We need to design the system so that we cannot be hacked. We have a number of things in place to reduce the risk of us being hacked. Here are some of the answers that we are happy to share. Obviously we can’t tell you everything because that would defeat it being a secret.
Logger to Gateway
While this information is being transmitted such that any Bluetooth enabled device could “hear” the information, it is in a proprietary format, and we see it as relatively low risk even if someone did work out what the format was.
To talk to the logger and reconfigure it, there is a secret password and secure protocol in place. Accessing the log also requires a secure password.
If a third party device pretends to be a logger, the only thing they could do is fake the temperature. They can’t take control of the gateway. (And this is a big “IF”).
Gateway to server
The Gateway has been locked down to ignore virtually every signal from the network. The only thing that people can do is connect to it as a web site to see some diagnostic information. It basically has a firewall that tells everything to go away.
Likewise our servers are locked down to only allow very specific requests in, and to have very specific responses.
BUT at the same time we know that every single server on the Internet is a potential target for a huge number of known types of attacks, and new methods are always being created. We are continually reviewing and updating the security on our servers.
If, however, our servers were hacked, the problem is with us. They would potentially have access to our database and could do damage to the stored results. That’s not the best news for you, but in regards to security, your network and computers are still secure. The limit of your risk is the loss of temperature data.
By the way, all our servers are regularly backed up. If our servers ever died, you would only lose a couple of hours of data.
What do you need to do in a small office?
Nothing.
The security provided by your modem/router and your computers should be sufficient.
If, however, you really don’t trust anyone then talk to your IT people about a VLAN for the device. Even those cheap routers provided by internet providers are able to provide it.
What do you need to do in a corporate environment?
If your IT department is trying to block Clever Alert on security related issues, then please have them talk to us (or read this post).
Clever Logger is installed in many hospitals and large corporate networks. We are happy to work within their constraints when it comes to how to connect to the network, and then we need them to open access to a couple of addresses. There is detailed information about this available here.