FEEDBACK WANTED: IoT secure radio comms
In a couple of weeks time we will deploying our first few hundread OpenTRV valves. If we achieve our vision of being on 400 million EU domestic radiators, a failure to protect sensitive data and prevent hacking of devices could be very serious indeed.
We have a spec and a working implementation on an Arduino-like 8-bit microcontroller (and a permissively-licensed small AES-GCM implementation to boot).
The basic concept is to be small enough to run on many IoT devices with cheap radios in frames no larger than ~64 bytes, to get data securely (authenticated and encrypted) to a hub and/or more powerful Internet gateway, though the crypto is strong enough that we are using it to protect data in flight across the public Internet also for now.
All is available under an Apache licence, including our reference implementation and tests, in Arduino C/C++ and in other languages.
We'd like scrutiny, and opinions on whether we're reinventing the wheel, and if so whose wheel we should be using instead.
I just wanted to highlight this security element from the previous blog entry.