Bold’s security model contains three components that require attention: the Smart Cylinder, the Cloud Platform, and the App.
Bold’s security model contains three components that require attention: the Smart Cylinder, the Cloud Platform, and the App. We have taken specific measures for each of these components, so we can keep the Bold Smart Cylinder secure.
The Smart Cylinder
The cylinder software is cryptographically signed by Bold. Third parties can’t just change it. The cylinder’s memory contains its unique keys, which the cylinder uses to communicate with the platform. The firmware can’t read the keys, which never leave the cylinder after installation.
The Cloud Platform
The platform is hosted at Amazon Web Services (AWS). Our server is located in Ireland, in the European Union. On the AWS platform — which complies with all relevant security standards, such as ISO 27001 — Bold uses the systems that enable users to use the product. These systems can only be accessed by selected Bold employees. We have set up several systems to guarantee security.
Furthermore, every release consists of several stages, and we use an update system. We involve various employees in updates, so no one is ever ‘alone with the system.’
All communication from and to the platform must take place through a TLS secure connection. There’s also an enclave in the platform where all cryptographic tasks are performed and where the unique keys for each lock are stored. All messages between the platform and the cylinder use AES-CCM, which complies with the highest security standards. This means protection against replay attacks and timing attacks will be provided, among other things.
The Bold App
For security reasons, we assume the user’s cell phone is not secure. There are too many unverifiable factors: the manufacturer may have a bad update policy, users may use the phone without taking the right precautions, and some third-party apps may not have ethical objectives.
Therefore, the Bold App only acts as a conduit between the platform and the cylinder. If the user wants to use the Bold App to share rights or change settings, these actions are sent to the platform. Subsequently, the platform sends the secure messages back to the Bold App, which passes them on to the cylinder.