What if a Photon gets stolen?

I know this is a bit of a strange question, but I’m considering using a Photon or two to control things like a pool heater, sprinkler system, etc. In these scenarios, the Photon would be mounted external to the house (though in a weather tight enclosure).

So, what is the security risk should someone physically steal the Photon? When I registered my two brand-new, shiny Photons earlier today, I noticed it said something about “verifying ownership”. Does that mean that if someone were to steal one of my Photons, they’d not be able to use it for their own use? Does this also encrypt the data on the Photon for the ‘owner’ only – e.g. my wifi password/etc.

I know it’s a bit of a nebulous question, but I’d just like to understand what the security risks are should someone gain physical access to one of my Photons other than assuming control of the sprinkler/etc. We can assume an ‘average neighbor/hacker’ and not the NSA or whatever similar three letter organization, as they have plenty of other ways into systems.

Thanks!
Mike

That’s correct, the devices are tied to your account till you release them.

The SSID/PWD are also not any easier retrieved from the devices than they could be hacked in front of your door step - in fact it’s a lot harder to get them out of these Particles :sunglasses:

That’s great news - thank you ScruffR! Knowing that they device is ‘owned’ by me and cannot be used to extract the wifi password/etc. really (really!) opens-up the uses for it around the house and elsewhere!

I’m terribly sorry, but I’ve just been advised that my previous post was based on outdated information.

While your SSID/PWD are safe, the hardware is not really.
Due to some problems in the past where devices could not be (re)claimed by the original owner after lending them to someone (and other reasons) Particle decided to drop that “safety feature” for the sake of ease of use.

And even with the previous solution, only cloud access would have been tied to you.
USB flashing and non-cloud functionality would have been availably to anybody who had physical access to your device.

One (minor) word of consolation: “If someone tries to claim your device to his account, they’d need to be registeted with Particle and they have logs and will punish him, if you tell them”

We’re planning on releasing a ‘locking’ feature for devices, that would prevent someone else from re-claiming your already claimed / locked device. All cores were ‘locked’ by default, but we found this to be frustrating for users when they wanted to exchange devices. So this behavior was reversed for the photon, someone with physical access to a photon can claim it, but we’ll also support locking in the future. This was meant to be closer to the use-case for your typical physical product.

Thanks,
David

2 Likes

Thanks for the follow-up ScruffR and David! I appreciate the corrected info.

I’m far less concerned that someone would steal the Photon and be able to use it, than extracting WiFi passwords and stuff like that. Even if the Photon were locked and someone took it, they’d just throw it away, so the net outcome is that I need to buy another. Keeping people off my network (even though it’s a guest-only network they connect to) is much more important.

Mike

1 Like

I couldn’t find in the documentation/community more information about this topic.

  • Is this “locking” feature existing nowadays? Or is it still that anyone with physical access to the device can claim it?
  • What if the Particle is installed in a public place, and someone plugs an USB cable to it? Can this hacker install new firmware to the Particle?
    Thanks,
    David
1 Like

Hey David,

This locking feature doesn’t exist as far as I’m aware.

Using USB, you would indeed be able to flash new firmware. Then again, with physical access there is very little you couldn’t do.

Any scenario in particular you have in mind?

Hi @Moors7,
I thought about 2 scenarios:

  1. Particle device controlling a mechanism. Those popular rental electric scooters, for example. Maybe someone could just remove the screws from the box, plug a USB cable and upload a firmware to drive the scooter for free, no need to unlock with the company/pay for the rentals, turn off GPS, etc…
  2. If devices are installed in public places, some bad guys could steal the Particle devices and sell them in a “secondary” market for $10-20. I know it’s not the company’s intention, but this could be an “incentive” for these people. If the devices could be claimed only by the original owner (or transferred to others with Particle’s authorization), then there would be almost no incentive for people to steal these devices.

Maybe this second scenario seems weird to some people here, but where I come from, some people steal even copper wires from the streets to sell the copper in “secondary” markets…

Thanks for reaching back.