Securely accessing IoT Devices

Note: This feature is in preview mode. Some information may be changed in the future according to user feedback.

Mbed secure device access (SDA) lets device owners grant users who may belong to a different organization, such as service technicians, access to their IoT devices. With SDA, you give specific users permission to access and manipulate deployed IoT devices. Once Mbed Cloud has authorized them, service technicians connect to the devices through a mobile application.

You can give each group of users a different level of access to the IoT device: for example, the device user has a different level of access from the service company technician or the original equipment manufacturer (OEM) technician. As the device owner, you set these permissions in Mbed Cloud and update them as required, which protects your IoT devices both from unauthorized access and from authorized users accidentally changing settings they should not.

Mbed Cloud supports policy-based access to devices whether the device is online or offline, enabling you to achieve a higher level of operational security.

SDA is a feature of premium accounts; if you would like access, contact Mbed Cloud.

Using secure device access

Say, for example, you own a building management company, called Nice Buildings Inc., and you operate a commercial building equipped with smart HVAC systems. You employ a service company (Good Guys Ltd) to service these smart HVAC systems on your behalf. You can use SDA to give only authorized service engineers from Good Guys Ltd access to the HVAC units that require maintenance. You can also give the OEM's service engineers access and allow them to perform tasks, such as a firmware upgrade, that the service technician is not permitted to do.

If one of your HVAC systems needs maintenance, you call the service company, who sends out a technician. When the service technician is on site, they can access the HVAC and reconfigure the system according to the permissions you have set up. The service technician uses the smartphone application provided by the HVAC manufacturer to configure the HVAC. The HVAC controller verifies that the technician has been authorized to perform this change before accepting it.

The IoT devices (HVAC controllers) can be assigned to an Mbed account during factory provisioning.

SDA components

For your IoT devices to be able to use SDA you need:

  • An IoT device, such as an HVAC, with an SDA client app, so it can communicate with an application on an authorized user device. This is provided by the IoT device OEM.
  • A smartphone or tablet (proxy) application on the user's device to communicate with the IoT device and Mbed Cloud. This application will be provided by the OEM and will be tailored to:
    • The type of user, such as a maintenance application for a service technician to reconfigure the device.
    • The tasks that the user is going to do on the IoT device.
  • SDA policies and permissions on Mbed Cloud that control user access to your IoT devices. The device owner sets up the security policy and user groups, so they control not only who has access to their devices but also the level of access each user has.

The proxy application on the user's device requests permission from Mbed Cloud to perform a set (or "scope") of actions on the IoT device. If the user is allowed to perform these actions, based on the policies defined by the device owner, Mbed Cloud sends the application a token. The application sends this token along with the actions to the IoT device.

The IoT device accepts a token only if the token's signature verifies against its trust anchor: the public key corresponding to the private key associated with your Mbed Cloud account. The public key is injected into the device as part of the provisioning process and is used throughout the device's life, so the device can check a token locally without contacting Mbed Cloud. Because the trust anchor is fixed for the device's lifetime, the account private key that signs tokens must be protected accordingly.

How to enable SDA

Enabling SDA on IoT devices requires the:

  • Device manufacturer to incorporate SDA components into the device development and manufacturing process.
  • Device owner to set up the authorized users and actions for the IoT device.

Manufacturing an IoT device with SDA

As the device manufacturer, you will need to incorporate SDA into your IoT device solution as follows:

  • Add SDA to your IoT device application so that it can communicate with the proxy application on the user's device; see Implementing secure device access on an IoT device.
  • Provision the IoT device with a public key (trust anchor):
    1. On Mbed Cloud Portal:
      1. Obtain a trust anchor; refer to Manufacturing an IoT device with SDA.
      2. If you are using the factory configurator utility, download it after you have your trust anchor.
    2. In the factory:
      1. Add the trust anchor to the information you inject into devices.
  • Develop a proxy app for a mobile device so that device users (such as service technicians) can securely connect to the IoT device:
    1. Create the proxy application to communicate between the Mbed Cloud and IoT device, using the SDA Proxy SDK; refer to Manufacturing an IoT device with SDA.

Providing SDA to IoT devices that you own

If the device manufacturer has added SDA to their IoT device and supporting applications, then to benefit from SDA you need to do the following in Mbed Cloud Portal:

  • Create users and groups so that you can define different types of user, such as OEM technicians, service technicians or device users.
  • Define user policies for each group to set up actions and scopes for your IoT device(s).

Our reference implementation

There is a reference implementation for an Android phone or tablet, connecting to an IoT device (FRDM-K64F) over a serial connection. The implementation shows both the user and IoT applications; if you want to try SDA using the reference implementation, you will need to set up your policies and the IoT trust anchor.

See the demo section for more information.