Comfy integrates with the existing building system by connecting a physical gateway box, the Comfy Gateway, to the building management system via a BACnet/IP network. The Comfy Gateway is the interface between the building management system and the Comfy Cloud, and so must provide bidirectional protection — both to block external parties from attacking the Comfy infrastructure and to prevent the opening of additional attack pathways into the customer network. BACnet Lock is the endpoint security solution that protects the system from a capable attacker who has either physical or network access to the Comfy Gateway device.
BACnet Lock uses a combination of hardware and software to provide comprehensive protection to data and code stored on the Gateway. Attackers will find it difficult to:
- Modify the software running on the Comfy Gateway without disabling it
- Extract cryptographic key material used to authenticate communications between the Comfy Gateway and the Comfy Cloud
- Interpose between the Comfy Gateway and Comfy Cloud
- Alter the set of BACnet objects the device communicates with
The software running the Gateway is built using the Ostro Project operating system framework, which is based on the popular open-source Yocto Project for embedded devices. Both projects are supported by Intel, which Gartner considers a leader in security, and both are widely used in the embedded software community. Intel is active in ongoing development and patching informed by threat intelligence, which includes monitoring Common Vulnerabilities and Exposures (CVEs) for the included packages. We build on this framework to achieve our objective of thwarting network threats by adding features specific to BACnet Lock, including:
- Secure Boot Chain and Tamper Resistant Filesystem to verify that software has not been modified
- Separate, private hardware storage for encryption keys
- Limited internet access and network security
- Service hardening
- Ongoing security updates
Hardware Root of Trust
The core of the Comfy Gateway’s security is the ability to verify that the software running on the platform has not been modified. To do this, we use two related technologies: Secure Boot and the Integrity Measurement Architecture (IMA). Secure Boot is a technology built into the platform firmware which, when enabled, will only allow signed applications to boot. All firmware used in our application is signed. The Ostro Project generates a single EFI binary, containing the Linux kernel, initrd, and boot stub, which is signed and verified by the platform firmware before booting. If this binary is tampered with or corrupted, the platform will not boot.
Once a trusted kernel has booted, the remainder of the system is verified using IMA, a flexible integrity framework in the Linux kernel. BACnet Lock configures an IMA policy which requires a valid signature on every file stored on the root filesystem. The certificate used to verify these signatures is stored as part of the signed EFI binary, and is thus protected from tampering. This policy is applied before the root filesystem is mounted, meaning the kernel will refuse to open any file which has been tampered with.
Private cryptographic keys are used to authenticate physical devices to the Comfy Cloud. An attacker who is able to recover these keys can impersonate the device to the Comfy Cloud. To prevent this, Comfy uses a separate hardware component, a Trusted Platform Module (TPM). This component is a dedicated tamper-resistant chip which stores a disk encryption key and measures the boot process. It will only release the disk encryption key if the system has booted a valid, signed kernel. This key unlocks a disk partition encrypted with AES-256. The partition is used to store data which must be written locally, such as user configuration files, where the IMA signature system is not applicable. It also contains the keys authenticating the device to the cloud, and thus prevents offline access to or tampering with that material.
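To show how the TPM binds key release to the boot chain, here is an added, stand-alone model (not Comfy's code) of the PCR extend operation and of sealing a disk key to the measurement of a good EFI binary: a tampered binary produces a different PCR value, so the key is not released. The EFI blobs, the disk key and the TPM class are all constructed for this illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data: the two boot images and the volume key under test.
GOOD_EFI_BINARY = b"kernel+initrd+stub v1.0 (signed)"
TAMPERED_EFI_BINARY = b"kernel+initrd+stub v1.0 (modified)"
DISK_KEY = hashlib.sha256(b"constructed AES-256 volume key").digest()
PCR_SIZE = 32  # one PCR of a SHA-256 bank, reset value all zeros


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || H(event)).
    One-way and order-sensitive, so a later extend cannot undo an earlier one."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(*stages: bytes) -> bytes:
    """Replay a boot chain from the reset value and return the final PCR."""
    pcr = bytes(PCR_SIZE)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


class ToyTPM:
    """Holds one sealed secret together with the PCR value it requires."""

    def __init__(self) -> None:
        self.pcr = bytes(PCR_SIZE)
        self._sealed: Optional[tuple] = None

    def extend(self, event: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, event)

    def seal(self, secret: bytes, required_pcr: bytes) -> None:
        self._sealed = (required_pcr, secret)

    def unseal(self) -> Optional[bytes]:
        required_pcr, secret = self._sealed
        # Release the secret only if the measured boot matches the policy.
        return secret if hmac.compare_digest(required_pcr, self.pcr) else None


def boot_and_unlock(efi_binary: bytes) -> Optional[bytes]:
    """Seal the key to the good image at provisioning time, then boot
    `efi_binary` and ask for the key. Returns the key or None if refused."""
    tpm = ToyTPM()
    tpm.seal(DISK_KEY, measure_boot(b"platform firmware", GOOD_EFI_BINARY))
    tpm.extend(b"platform firmware")  # firmware measures itself first
    tpm.extend(efi_binary)            # then the signed EFI binary
    return tpm.unseal()
```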
Limited Internet Access and Network Security
The Comfy Gateway does not require general Internet access; it only needs to reach the Comfy Cloud. All communications between the Gateway and the Comfy Cloud are encrypted using TLS 1.2. The Gateway verifies that the services it accesses present certificates signed by a private root, and the cloud authenticates the Gateway by its client certificate and the corresponding private key. The device private keys are unique per device and are generated on the device in Private Storage. They are signed during provisioning and never leave the device.
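The trust relationship just described, expressed with Python's ssl module as an added example (not Comfy's code): the Gateway side trusts only the private root and presents its device certificate, and the cloud side demands a client certificate chaining to that same root. The certificate paths are placeholders, and the file arguments default to None so the contexts can be inspected without real certificates.

```python
import ssl

# Placeholder paths; a real deployment substitutes its own locations.
PRIVATE_ROOT_CA = "/path/to/private-root-ca.pem"
DEVICE_CERT = "/path/to/device-cert.pem"
DEVICE_KEY = "/path/to/device-key.pem"


def _base_context(protocol: int) -> ssl.SSLContext:
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, 1.1
    # The peer must present a certificate that chains to a CA we loaded.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def gateway_client_context(ca_file=None, cert_file=None, key_file=None):
    """Gateway side: trust only the private root, present the device cert."""
    ctx = _base_context(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    # Deliberately no load_default_certs(): the public CA bundle plays no part,
    # so a certificate from any public CA is rejected for the cloud endpoint.
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def cloud_server_context(ca_file=None, cert_file=None, key_file=None):
    """Cloud side: require a client certificate issued under the private root."""
    ctx = _base_context(ssl.PROTOCOL_TLS_SERVER)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def trust_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the properties the text calls for."""
    return {
        "min_version": ctx.minimum_version.name,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "trusted_roots_loaded": len(ctx.get_ca_certs()),
    }
```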
Comfy follows a robust security hardening procedure for all remaining system software. This includes:
- Compiling all application software with strong compiler options (-fstack-protector, PIC) to mitigate buffer overflow and stack-based attacks
- Removing inessential software from the root image
- Disabling and removing unused kernel features
- Running individual services at a reduced privilege level
- Removing public SSL certificates
Predicting all future software vulnerabilities is impossible, which is why it is critical to enable prompt and secure in-situ updates of all platform software, including kernel updates. The software update mechanism used in the Comfy Gateway is image-based and assigns the entire platform state a single version. Updates are verified using the same Secure Boot and IMA signatures that are used at runtime for integrity.