OmniFob™ Security is Paramount
Before we get started, let’s clarify a few things about OmniFob's security:
- No biometrics
- No direct device connections
- No private data stored on the device
- No history stored on the device
- No unencrypted transfer of data
OmniFob (Patent Pending) does not connect directly to your devices. It simply connects to the Keyport app on your smartphone via Bluetooth and acts as a shortcut to your smart apps. It’s that simple. All the work is done app to app, by your smartphone, just as if you were controlling your devices directly from your smartphone. When you press a button to activate a device, scene, or routine on the OmniFob, it sends a signal via Bluetooth to the Keyport app on your phone. Our app sends the command to the 3rd party app, which then triggers the action and... voila.
In the Keyport app, you connect to a compatible 3rd party app via OAuth2 validation. Once your account is linked, the device, scene, and routine names you have programmed in the 3rd party app automatically populate in the Keyport app. The only information written to your OmniFob is the custom names you select for each device, scene, and routine. More on this coming in another post.
What if I lose it? There is no need to worry about security if you ever lose your OmniFob. It is designed to be a shortcut to your smartphone via Bluetooth. Therefore, OmniFob will not work if it is out of Bluetooth range of your phone and the Keyport app to which it is paired. So, a potential thief would literally have to get hold of it and be within your smartphone’s Bluetooth bubble (approximately 60 feet) for it to re-pair with your phone.
But we have a simple solution for that too. Just unpair it in the Keyport app and all your devices will be inoperable even if the thief finds his way back into your Bluetooth bubble.
In comes Chipolo - Every OmniFob comes with a Chipolo Bluetooth locator built in. This free service is set up separately in the Chipolo app. So let’s say you did lose your OmniFob. If it is in Bluetooth range, you will be able to locate it from your smartphone using the Chipolo app. If you’re out of range, it will show the last known location in the Chipolo app. But, let’s say you totally lost it and unpaired it from the Keyport app as described above. Guess what? It is still connected to Chipolo, so you can mark your OmniFob as lost in the Chipolo app and you will have a chance at finding it again using their Community Search feature. When you get it back, you can easily re-pair it with the Keyport app.
Anonymity - Imagine you leave your keys somewhere and someone finds them. That person now has access to your car, house, office, and any other keys you have on there. But, unless you have your address on your keys, they are anonymous, right? Most likely, that person is just going to be a Good Samaritan and turn them in to the lost and found. The slim chance that person would become a potential thief is eliminated with OmniFob, because when you unpair it from the app as described above, it becomes useless.
Under the hood Security - While creating OmniFob, security was our highest priority at every level. So not only did we take the steps above to ensure its security, we also built the hardware, firmware, and software with a focus on security.
- Hardware Security - The OmniFob hardware supports any of the BLE standards up to BLE 5.0 including LE Secure Connections (LESC) to enforce GAP Security Mode 1 Level 4.
- Firmware Security - OmniFob enforces the latest security measures of BLE 5.0 and 4.2, including LE Secure Connections with Elliptic Curve Diffie-Hellman (ECDH). It does not store any personally identifiable information, and all security keys are stored in protected memory space that cannot be read back.
- Software Security - The Keyport application is housed within the AWS Cloud and is being built out as infrastructure-as-code, with KMS data and service encryption. Along with SSL/HTTPS security, we provide tight data security and the ability to scale on demand. We use standard OAuth2 for communication between the app and the API. Other security measures, such as API keys, provide app-only access to the API and its underlying data.
Testing Before Launch - In addition to the initiatives we have undertaken during design, we are already putting OmniFobs in the hands of our partners, beta testers, and prospective hackers (some of our security professional friends from DEFCON) to identify any potential issues. We will continue to study best practices and develop a community which helps us to discover and then patch any potential vulnerabilities as quickly and efficiently as possible.