Hornet Device Security Model


Libre Home Security Model

In Libre Home, users only need to fully trust the Hub.

That is already a tremendous amount of trust to place in us as the vendor of the Hub, so we must give our users the optimal security design.

Question: Why Not Trust Devices?

Because users don’t have to FULLY trust any device. By “FULLY” trust, I mean that trust in a device can always be limited in scope.

For example, assume you are the administrator of the Hub. You want to configure a remote to control one light and give that remote to a user.

The user can only use that remote to control the light you specified. The user can NOT use the remote to control other lights, the front door lock, or any other device. That’s the limited trust/access I am talking about.

Even if the user cuts open the chips on the remote and reads every bit of data on it, including all security keys, the user still can’t use it to control other devices.

Security Key Management of Hornet

Hornet has many improvements over Zigbee. One of the improvements is key management.

In Hornet, every pair of devices may have a unique, secretly shared key. It is called the link key. A link key is used to perform end-to-end encrypted communication between a pair of devices.

The concept of “Application Link Key” is defined in the Zigbee protocol, but the definition is vague and incomplete, and it has not been implemented by any vendor.

Zigbee, however, only defines one special link key, the “Trust Center Link Key”, which is the link key between the Hub and each device. Its function is very limited.

When a device first joins the Hub, the Hub will generate a random link key and send the key to the device.

There are well-known public key algorithms for key exchange. Hornet uses Curve25519 Key Exchange.

During the device join process, the device and the Hub exchange public keys. The Hub then generates a random link key and sends the encrypted link key to the device. The device will be able to correctly decrypt the link key, while an eavesdropper won’t be able to compute the key.

Zigbee’s initial key exchange algorithm is not as secure.

Example

In the example below, after 3 devices have joined the network, there are 3 link keys in the system.

  1. Key1 - Link key between Hub and Switch
  2. Key2 - Link key between Hub and Remote
  3. Key3 - Link key between Hub and Thermostat

The keys will be wirelessly sent to each device by the Hub.

Remember, each device must FULLY trust the Hub as well. So once the device receives the link key from the Hub, it will store the key in internal flash memory.

[Image: TrustCenterLK]

Assume the user wants to use the same remote to control both devices, the Switch and the Thermostat.

Users can do so using the Device Linking feature.

Note that in the screenshot below, the same “Remote” is linked to both “Switch” and “Thermostat”.

[Image: TrustCenterLK]

Of course, users can also customize remote buttons.

[Image: TrustCenterLK]

Once the linking relationship is created, two more unique secret keys are created.

  • Key4 - Link key between “Remote” and “Switch”.
  • Key5 - Link key between “Remote” and “Thermostat”.

Again, those keys will be sent to the related devices by the Hub, and will be stored in the flash memory of the devices.

[Image: AppLinkKey]

Once the device linking relationship is removed by the Hub administrator, the Hub will notify the related devices, which will remove the related keys.

In other words, the related devices can no longer control each other.
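The scoped trust described above, as an added Python sketch that is not Hornet's or Libre Home's own code. HMAC-SHA256 authentication, 16-byte keys, and all class and function names are assumptions; the Curve25519-protected key delivery is replaced by direct assignment, and no replay counter is modelled.

```python
import hashlib, hmac, secrets

def tag(key, sender, command):
    # Stand-in for Hornet's end-to-end protection (assumption: HMAC-SHA256).
    return hmac.new(key, sender.encode() + b"|" + command, hashlib.sha256).digest()

class Device:
    def __init__(self, name):
        self.name = name
        self.link_keys = {}  # peer name -> link key, i.e. what sits in flash

    def send(self, peer, command):
        return (self.name, command, tag(self.link_keys[peer], self.name, command))

    def receive(self, frame):
        sender, command, mac = frame
        key = self.link_keys.get(sender)  # no link key for this sender -> reject
        return key is not None and hmac.compare_digest(mac, tag(key, sender, command))

class Hub(Device):
    def link(self, a, b):
        # The Hub generates a fresh random key and hands it to both ends.
        key = secrets.token_bytes(16)
        a.link_keys[b.name] = b.link_keys[a.name] = key

    def join(self, dev):
        self.link(self, dev)  # link key between the Hub and the joining device

    def unlink(self, a, b):
        a.link_keys.pop(b.name, None)
        b.link_keys.pop(a.name, None)

def demo():
    hub = Hub("Hub")
    switch, remote, thermostat = Device("Switch"), Device("Remote"), Device("Thermostat")
    for dev in (switch, remote, thermostat):
        hub.join(dev)                 # Key1..Key3
    hub.link(remote, switch)          # Key4; Remote is NOT linked to Thermostat
    frame = remote.send("Switch", b"toggle")
    linked_ok = switch.receive(frame)
    # Worst case from the post: every key in the remote's flash is extracted.
    stolen = list(remote.link_keys.values())
    forged_ok = any(thermostat.receive((who, b"heat", tag(k, who, b"heat")))
                    for k in stolen for who in ("Remote", "Hub", "Switch"))
    hub.unlink(remote, switch)        # both ends delete Key4
    after_unlink_ok = switch.receive(frame)
    return linked_ok, forged_ok, after_unlink_ok

if __name__ == "__main__":
    print(demo())
```

The Thermostat rejects every frame built from the remote's extracted keys because none of them is a key the Thermostat holds, and the Switch rejects the remote once its copy of the link key is removed.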

In Other Words

When the Hub administrator sets up device links on a smartphone, the smartphone will instruct the Hub. The Hub will, in turn, instruct the devices to “trust each other”.

That’s why users only need to fully trust the Hub. Likewise, the devices only need to fully trust the Hub.

Designed to Make Every Sense

Even if the Hub is down or powered off, the linking relationship still exists. The user can still use the remote to control the switch and thermostat.

However, when the Hub is down:

  1. Users won’t be able to control devices with their smartphones. It has to be done through the Hub.
  2. More complex controls using Libre App won’t work because the Hub is down.
