I often receive the following question: Is it safe to put my house in the cloud? Or even stronger: I don’t trust a cloud service and would never put my house in the cloud.
« As OpenMotics, we provide the option to have connectivity to the cloud but it’s an option, you can perfectly opt for a standalone system without any outside connection. » (Pieter De Clerck – CEO)
When I receive these questions, I try to figure out what is causing this fear and what the reasoning behind them is. First of all, I want to know whether the ability to control and command (heating/cooling, lights, roller/shutters & power consumption) the house from outside the perimeter of the house is of the foremost concern. The answer is always yes, people want to control and command the house from everywhere. So my second question is: if you don’t trust the cloud option, how are you going to establish this remote connectivity? Most customers have a similar answer: “I’m going to use Dynamic DNS and open a port on my firewall to have direct connectivity to my Gateway module”.
So the real question we can ask ourselves: is using Dynamic DNS and opening ports on a firewall more secure than using the OpenMotics cloud platform?
Let’s have a look at how you could connect your OpenMotics Gateway module to the outside world by using DDNS. There are 2 options: you can put the Gateway in a DMZ, which enables you to access all ports on the Gateway from the Internet. We try to keep the open ports on the Gateway as minimal as possible, but still, if you run an extra program on the gateway that opens a port without having proper encryption and authentication, you might expose functionality to the world that you don’t wish to expose. So the safer option is to open only the HTTPS port (443) on the Gateway. This way you are sure that all Internet traffic to the Gateway is encrypted and the user must always be authenticated to execute an action. Since the Gateway does not have a domain name, the HTTPS certificates on the Gateway are self-signed and unique for each module. This means that your browser will warn about these certificates and you should always import the certificates into the browser to make sure that you are connecting to your Gateway. We will go deeper into this subject in a next blog post.
When using the OpenMotics cloud, you are sure that you are connecting to a trusted domain. We have valid certificates on our servers, and do check the self-signed Gateway certificates when connecting to your gateway. This way you don’t have to import any self-signed certificates into your browser.
At the cloud backend side, we are using the following security mechanisms to create a secured connection between the Gateway and the cloud platform:
- Every few seconds the Gateway sends the current status (lights, outputs, thermostats, power) to the cloud. This connection to the OpenMotics cloud is done using HTTPS. We make sure that the certificates of the cloud are checked, this way we know that are communicating with the OpenMotics cloud and not some other party.
- When the cloud wants to connect to the Gateway – for example to execute some actions on the Gateway – the cloud sends a request to open a VPN tunnel in the response of the above status messages.
- We use OpenVPN to create a secure tunnel from the Gateway to the cloud. All requests from the cloud to the Gateway are send through the secure tunnel, using the HTTPS protocol. So here we have double encryption: the first layer is the VPN tunnel, the second layer is the HTTPS protocol.
- The advantage of the OpenVPN tunnel initiated by the Gateway is that there is no need to open any ports on the Gateway.
- Important to note here is that all tunnels are Point-To-Point tunnels, so a Gateway can only connect to the cloud and not to any other Gateways.
For the cloud frontend we also introduced the following features to provide maximum security when logging in:
- All Gateways on the cloud are strictly separated, so that a user can only access his own Gateway. These authorization checks are done for all actions on the cloud, making it impossible to access the Gateway of your “neighbour”.
- Users can opt-in for 2-factor authentication, which provides an extra check to authenticate a user to the OpenMotics cloud. When 2-factor authentication is enabled, it is impossible to log in with only username and password, a 2-factor token is always needed. So even if someone finds your username and password, your house will still be safe.
As closing note: the OpenMotics cloud is hosted by Combell which provides 24×7 monitoring, firewall, intrusion detection and up-to-date security patching.