We value your security, and leverage industry best practices along with key relevant security expertise to deploy adequate measures to the entire mcThings IoT Chain.
Security by Design
A built-in-firewall
Because mcThings devices communicate over a specific radio bandwidth, an individual device can never send data to an arbitrary entity via the internet. All devices in a given network can only communicate with their mcThings gateway, which becomes the IP touch point. This means mcDevices cannot be hijacked to participate in a DDoS attack, and do not “phone home” like some IoT Devices.
Security of Data in Motion
The foundation of mcThings Data-in-Motion security is message authentication and robust replay avoidance measures. We treat the act of data transmission as a critical trust point in our ecosystem.
Authentication.
During manufacturing, each mcThings device is provisioned with a unique symmetrical authentication key. Every message sent or received by the device contains a cryptographic token that is computed based on its AES-128 authentication key. This ensures the validity of the sender and the integrity of the message.
During communications between the mcCloud and other application servers we use industry standard internet security approaches such as VPN or HTTPS over TLS 1.2. Data is cached and queued for transmission in encrypted state, and only unencrypted at end-point’s moment of use.
Anti-eavesdropping.
Data is conveyed over the air encrypted, so its privacy is guaranteed. The communication between the mcGateway and mcCloud is IP based and encrypted.
Anti-replay Capabilities:
Each mcThings message contains a unique sequence counter which is verified in the mcCloud, allowing it to detect and discard any replay attempts. The integrity of the counter is guaranteed by the message authentication token. This means our devices cannot be used in a replay attack.
What is a Replay Attack?
Reliability and Reliance Assurance
We meet California’s SB-327 Requirements For Connected Devices
We are GDPR Compliant
In the Radio Segment:
The mcThings Radio Access layer is built with a high level of redundancy that also protects against malicious jamming attempts. Devices broadcast their messages to all gateways within their range that in turn relay them to the could.
Since mcCloud acts as a firewall, it monitors and detects traffic anomalies, and can block traffic from specific gateways or applications if attacks are suspect. This reduces the scope and impact of DoS attacks targeting access points, and effectively rules out the devices as DDoS attack vectors.
In the IT Segment
Our cloud-based network is hosted in secured certified data centers where each rack uses biometric protection from physical access. At the application layer, each component is fully redundant, strongly monitored and scalable to support increased traffic.
Being cloud-based ensures high availability access to the mcThings operational and service components, decreasing downtime and other operational risks. Automatic failover is handled within the gateway and provides load balancing.
A dedicated solution protects mcThings data centers against a wide range of denial-of-service cyber-attacks such as denial-of-service (DoS), distributed denial-of-service (DDoS), reflective denial-of-service (RDoS), and distributed reflective denial-of-service (DRDoS). This solution offers a cloud-based protection service with several scrubbing centers in order to detect and mitigate cyber-attacks against networks and websites.
Security of firmware
Each device and gateway can receive a unique Trickle Firmware Update from mcCloud. This process periodically writes encrypted parts of the firmware in persistent memory and uses a firmware authentication key to decrypt the firmware during installation. Since the firmware key for each device is unique, in the event that a single device is compromised it will have limited impact on the larger network. Devices are outfitted with tamper resistance to protect this key and firmware.
Security of data at rest
Critical data is stored in devices, gateways and the mcCloud.
Devices and Gateways store their authentication key. Since the key is unique per device, the compromising of one device has a very limited impact. Tamper resistance is provided to protect this key. mcCloud stores devices authentication keys as well as traffic metadata. State-of-the-art solutions have been deployed to ensure the integrity, availability and confidentiality of this data.
Conclusion
We understand that security is relative and that countermeasures must balance security risk with cost and effort. The required security level will always depend on the customer’s application. We provide a range of solutions, some by default, others as options, and facilitate additional security technology and expertise through partnerships with leading suppliers. We participate in the creation of security assessment schemes adapted to specific customer requirements for cost and security levels. mcThings is continuously investing in security, working on advanced research topics such as machine learning, anomaly detection, and advanced cryptographic algorithms.
