Comfy integrates with the existing building system by connecting a physical gateway box, the Comfy Gateway, to the building management system over a BACnet/IP network. The Comfy Gateway is the interface between the building management system and the Comfy Cloud, and so must provide bidirectional protection: it must both block external parties from attacking the Comfy infrastructure and avoid opening additional attack pathways into the customer network. BACnet Lock is the endpoint security solution that protects the system from a capable attacker who has either physical or network access to the Comfy Gateway device.
BACnet Lock uses a combination of hardware and software to provide comprehensive protection to data and code stored on the Gateway. Attackers will find it difficult to:
The software running on the Gateway is built on the Ostro Project operating system framework, which is itself based on the popular open-source Yocto Project for embedded devices. Both projects are supported by Intel, which Gartner considers a leader in security, and both are widely used in the embedded software community. Intel actively maintains and patches both projects, which includes monitoring Common Vulnerabilities and Exposures (CVEs) reported against the packages they ship. We build on this framework to achieve our objective of thwarting network threats by adding features specific to BACnet Lock, including:
The core of the Comfy Gateway's security is the ability to verify that the software running on the platform has not been modified. To do this we use two related technologies: Secure Boot and the Integrity Measurement Architecture (IMA). Secure Boot is a feature of the platform firmware which, when enabled, only allows signed boot images to run. All firmware used in our application is signed. The Ostro Project build produces a single EFI binary containing the Linux kernel, initrd and EFI boot stub; this binary is signed, and the platform firmware verifies the signature before booting it. If the binary is tampered with or corrupted, the platform will not boot.
Once a trusted kernel is running, the remainder of the system is verified using IMA, which lets the kernel measure and appraise files against a configurable policy. BACnet Lock configures an IMA appraisal policy that requires a valid signature on every file stored on the root filesystem. The certificate used to verify these signatures is embedded in the signed EFI binary, so it is covered by the same Secure Boot signature and cannot be swapped for an attacker's certificate without breaking the boot. The policy is loaded before the root filesystem is mounted, so the kernel refuses to open, execute or map any file whose signature is missing or fails to verify, which is exactly what happens to a file that has been tampered with.
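As an added illustration (this is not Comfy's actual policy, which the page does not reproduce), the following is an IMA appraisal policy of the shape described above, written in the Linux kernel's policy-file syntax. The filesystem UUID is a placeholder for the root filesystem's real UUID; the pseudo-filesystems are excluded because they hold no signed content; and `appraise_type=imasig` is what turns "must have a matching hash" into "must carry a valid digital signature".

```text
# Illustrative IMA appraisal policy (not Comfy's real policy).
# Comments in an IMA policy file must be whole lines; the kernel skips them.
#
# Pseudo-filesystems carry no signed files: proc, sysfs, debugfs, tmpfs,
# ramfs, devpts, securityfs, selinuxfs, cgroup.
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
dont_appraise fsmagic=0x27e0eb
#
# Root filesystem (placeholder UUID): every file opened, executed, mapped
# executable, or loaded as a kernel module must carry a valid IMA signature.
# Also record each file's measurement so the boot can be attested later.
appraise fsuuid=0f6a2b0c-1d2e-4f3a-9b8c-7d6e5f4a3b2c func=FILE_CHECK appraise_type=imasig
appraise fsuuid=0f6a2b0c-1d2e-4f3a-9b8c-7d6e5f4a3b2c func=BPRM_CHECK appraise_type=imasig
appraise fsuuid=0f6a2b0c-1d2e-4f3a-9b8c-7d6e5f4a3b2c func=MMAP_CHECK appraise_type=imasig
appraise fsuuid=0f6a2b0c-1d2e-4f3a-9b8c-7d6e5f4a3b2c func=MODULE_CHECK appraise_type=imasig
measure fsuuid=0f6a2b0c-1d2e-4f3a-9b8c-7d6e5f4a3b2c func=BPRM_CHECK
measure fsuuid=0f6a2b0c-1d2e-4f3a-9b8c-7d6e5f4a3b2c func=MODULE_CHECK
```

The general mechanism, independent of how the Ostro build packages it: the verification certificate is loaded into the kernel's `.ima` keyring (or built into the kernel's trusted keyring) and the policy is written to `/sys/kernel/security/ima/policy` from the initrd, before the root filesystem is mounted, with `ima_appraise=enforce` on the kernel command line so that failures block access rather than only log. Files are signed at image build time with `evmctl ima_sign`, which stores the signature in the file's `security.ima` extended attribute; a file whose contents change after signing, or whose xattr is stripped, simply no longer opens.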
Private cryptographic keys are used to authenticate each physical device to the Comfy Cloud. An attacker who is able to recover these keys can impersonate the device to the Comfy Cloud. To prevent this, Comfy uses a separate hardware component, a Trusted Platform Module (TPM). This is a dedicated tamper-resistant chip that measures the boot process and holds a disk encryption key sealed to those measurements: it releases the key only if the system has booted a valid, signed kernel, so a different kernel, or the same kernel booted in a different way, cannot obtain it. The key unlocks a disk partition encrypted with AES-256. This partition stores data that must be written locally, such as user configuration files, to which the IMA signature scheme does not apply because those files legitimately change at runtime. It also holds the keys that authenticate the device to the cloud, which prevents offline access to or tampering with that material, for example by removing the storage and reading it on another machine.
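The property the paragraph relies on is that the TPM's Platform Configuration Registers (PCRs) can only be extended, never written, so the value a PCR holds after boot commits to every component measured and the order they were measured in. The simulation below, added here as an illustration and not Comfy's code or a real TPM interface, models that extend chain and a PCR-bound seal/unseal in plain Python: the PCR index, the stand-in "kernel" and "initrd" byte strings, and the `SimulatedTPM` class are all constructed for the example.

```python
"""Simulated measured boot and TPM-style key sealing.

Added illustration, not Comfy's code and not a real TPM interface: it models
how a TPM extends a Platform Configuration Register (PCR) with each boot
component the firmware measures, and why a secret sealed to the expected PCR
value is released only when exactly the expected components booted, in order.
"""
import hashlib
import hmac
import secrets

PCR_INDEX = 8  # assumed PCR used for the kernel/initrd measurement in this example


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedTPM:
    """Minimal model of a TPM's PCR bank and PCR-bound sealing.

    A real TPM enforces the release condition with a PCR policy inside the
    chip; here it is ordinary code, but the rules are the same: PCRs reset to
    zero on power-up, can only be extended (never written), and a sealed secret
    is returned only while the named PCR holds the value it was sealed to.
    """

    def __init__(self, num_pcrs: int = 24) -> None:
        self.num_pcrs = num_pcrs
        self._sealed = {}  # handle -> (pcr index, expected value, secret)
        self.reset()

    def reset(self) -> None:
        """Power-on reset clears the PCRs; sealed objects persist (NV storage)."""
        self.pcrs = [bytes(32) for _ in range(self.num_pcrs)]

    def extend(self, index: int, component: bytes) -> bytes:
        """PCR[i] = H(PCR[i] || H(component)). Content and order both matter."""
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(component))
        return self.pcrs[index]

    def seal(self, secret: bytes, index: int, expected_pcr: bytes) -> int:
        """Store the secret bound to a PCR value; returns an opaque handle."""
        handle = secrets.randbits(32)
        self._sealed[handle] = (index, expected_pcr, secret)
        return handle

    def unseal(self, handle: int) -> bytes:
        index, expected, secret = self._sealed[handle]
        if not hmac.compare_digest(self.pcrs[index], expected):
            raise PermissionError("PCR policy not satisfied: boot chain differs")
        return secret


def expected_pcr_value(components, index: int = PCR_INDEX) -> bytes:
    """Replay the extend chain offline to predict the PCR a trusted boot yields."""
    value = bytes(32)
    for blob in components:
        value = sha256(value + sha256(blob))
    return value


def provision(disk_key: bytes, trusted_components):
    """Factory step: seal the disk key to the PCR value of the trusted boot chain."""
    tpm = SimulatedTPM()
    handle = tpm.seal(disk_key, PCR_INDEX, expected_pcr_value(trusted_components))
    return tpm, handle


def boot_and_unseal(tpm: SimulatedTPM, handle: int, booted_components):
    """Power on, measure what actually boots, then ask for the disk key.

    Returns the key when the chain matches, None otherwise (partition stays locked).
    """
    tpm.reset()
    for blob in booted_components:
        tpm.extend(PCR_INDEX, blob)
    try:
        return tpm.unseal(handle)
    except PermissionError:
        return None


# Constructed stand-ins for the signed EFI image's contents (not real binaries).
GOOD_KERNEL = b"vmlinuz-signed"
GOOD_INITRD = b"initrd-signed"
TAMPERED_KERNEL = b"vmlinuz-signed-plus-backdoor"

if __name__ == "__main__":
    disk_key = secrets.token_bytes(32)
    tpm, handle = provision(disk_key, [GOOD_KERNEL, GOOD_INITRD])
    print("trusted boot   :", boot_and_unseal(tpm, handle, [GOOD_KERNEL, GOOD_INITRD]) == disk_key)
    print("tampered kernel:", boot_and_unseal(tpm, handle, [TAMPERED_KERNEL, GOOD_INITRD]))
    print("wrong order    :", boot_and_unseal(tpm, handle, [GOOD_INITRD, GOOD_KERNEL]))
```

Two details carry over to real hardware. First, the provisioning side never needs the TPM to compute the expected value; replaying the hash chain offline is how a build pipeline knows what PCR value a new image will produce, which matters for the image-based updates described later. Second, extending the PCR once more after the key has been released (a "cap" measurement) makes the sealed key unobtainable for the rest of the boot, which limits what an attacker who later gains code execution can pull back out of the chip.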
The Comfy Gateway does not require general Internet access; it only needs to reach the Comfy Cloud. All communications between the Gateway and the Comfy Cloud are encrypted using TLS 1.2. The Gateway accepts only server certificates signed by a private Comfy root, not the public CA set, and the cloud requires a client certificate, so the TLS handshake proves that the Gateway holds the matching device private key. Each device's private key is unique and is generated on the device itself, in the encrypted private storage described above. Only the corresponding certificate is signed during provisioning; the private key never leaves the device.
Comfy follows a robust security hardening procedure for all remaining system software. This includes:
Predicting all future software vulnerabilities is impossible, which is why it is critical to enable prompt and secure in-place updates of all platform software, including the kernel. The software update mechanism used in the Comfy Gateway is image-based and assigns the entire platform state a single version, so a device is always running one complete, known version rather than a mixture of package versions. Updates are verified using the same Secure Boot and IMA signatures used at runtime for integrity, so an image that was not signed with Comfy's keys can neither boot nor have its files opened.