Electric Chateau LLC provides privacy-enhancing smart home products, consisting of integrated hardware, firmware, web application software and mobile application software. Electric Chateau’s users rely on Electric Chateau products to enhance their smart home experience while protecting their privacy.
This document describes Electric Chateau’s approach to information security as well as procedures for reporting breaches or security related incidents. Our highest corporate value is the privacy and safety of our users.
The Electric Chateau team worked hard to ensure that the Electric Chateau platform is secure. What good are our privacy-enhancing devices if they allow your data to be exposed to bad actors due to poor security practices?
We built our platform using the latest best practices and guidelines for IOT devices available to us at the time of this writing. By following these best practices, we aim to eliminate common attack vectors for IOT devices and greatly decrease the likelihood of a data breach.
Security is a continuous process. We will continue to update our security after you've received your devices, and we will continue to update this white paper.
Shared Responsibility Model
Electric Chateau and its vendors are responsible for:
- Security of our cloud infrastructure platform
- Securing the connection between devices, mobile apps and the platform
- Patching security vulnerabilities in the platform in a timely manner
- Ensuring the platform is available and operating to performance specifications
- Regular review of the platform as new security threats are recognized
- Providing timely updates of security incidents
- Automatically updating the firmware of your Electric Chateau devices
Users are responsible for:
- Keeping your password secret, though we do permit you to share it with others who you deem necessary to access your account
- Local WiFI security, including keeping your WiFI router firmware up to date
- The physical security of your Electric Chateau devices
- Keeping your Electric Chateau app updated on your mobile device
- Reporting suspicious activity or phishing incidents to Electric Chateau
Security Within the Electric Chateau Platform
Electric Chateau takes many steps to protect your data and devices against unauthorized access or use. In addition to the steps outlined below, Electric Chateau has policies in place to protect your data. Our policies restrict access to your data to only those employees who need to access your data to provide service to you. We also run automated systems to monitor the health of our infrastructure and to report attempts at intrusion into the Electric Chateau platform.
The communications between Electric Chateau devices, mobile devices running Electric Chateau apps, and the Electric Chateau cloud platform is encrypted using industry best practices for Transport Layer Security (TLS). This protects the communications against eavesdropping and prevents unauthorized access to your private data.
Electric Chateau devices are protected with Secure Boot. Secure Boot prevents an attacker from loading their own firmware onto an Electric Chateau device to gain entry into the Electric Chateau Cloud. Electric Chateau devices will only load firmware signed by a private Electric Chateau cryptographic key.
Automatic Firmware Updates
To continue providing you with new features, and to address emerging security threats, we provide automatic over-the-air firmware updates for the life of the product. While your BuzzOff is connected to the Internet you don't need to do anything. Your device will update automatically. These updates are cryptographic key signed and delivered through the network using SSL encryption.
AES-256 Encrypted Flash ROM
To prevent an attacker from decompiling the Electric Chateau firmware as a means to gain entry into the Electric Chateau Cloud, we encrypt all device Flash ROM and device data with AES-256 encryption. We use a unique AES-256 encryption key for each device.
Unique, Per-device SSL Certificates
Each Electric Chateau device has its own unique SSL certificate to authenticate with the Electric Chateau cloud service. In the unlikely event of a single device breach, your Electric Chateau devices will still be safe thanks to unique SSL certificates. This prevents an attacker with a fake device from impersonating your real device.
Strong, Cryptographically Random Passwords
We're kind-of cryptography nerds here at Electric Chateau. And one of the joys of creating a secure device is the opportunity to take that knowledge and apply it to making your experience safe and secure.
There are no default, guessable passwords inside of Electric Chateau devices (like 'admin' or 'password’). Each device is provisioned with its own unique, very long, cryptographically random password before it is shipped to you. We've done this to protect your device from dictionary attacks, rainbow table attacks, and brute force attacks.
Our use of a very long password, (using a lot of 'entropy bits' in crypto-speak), means that even the most sophisticated attackers, like a state sponsored cyber-hacking group would require many millions of years to brute-force crack the password for your device.
Authentication with Industry Standard OAUTH2
BuzzOff uses industry standard OAUTH2 authentication to seamlessly work with the AWS-powered Alexa Skill linking and to support Sign In With Google and Sign In With Apple. OAUTH2 provides many security benefits, but the primary benefit to you is that it makes it easier for us to add new sign-in providers in the future, such as Sign In with Facebook or Amazon.
However, the access to your account is only as secure as your password. If you share your password or use a weak password, we cannot guarantee the security or integrity of your account. We recommend that you use a strong password in conjunction with a password manager. We also recommend and use a website such as https://passwordsgenerator.net/ to generate personal passwords. Our software enforces a minimum password length of 8 characters.
If you forget your account password, you may reset your password by using the Forgot Password feature. No one from Electric Chateau will ever ask for your password over the phone, by email, or any other means of communication. In fact, your password is encrypted and even we don’t have access to it.
Cloud Infrastructure Security
Electric Chateau implements best practices security measures and techniques to protect our data and operations in the cloud components of our platform. This means your data is stored in a secured database on a secured network which can only be accessed by our systems, which are also behind multiple levels of security. Those measures include access credentials, network access control lists, private networks inaccessible to the public, and intra-platform security trust groups. This infrastructure security is re-evaluated as security features mature and as our cloud services vendor(s) report discovered vulnerabilities. We leverage managed services wherever possible to take advantage of vendor-expedited improvements and patches.
Custom, Locked Down Firmware
Last, but not least, our first line of defense is the custom Electric Chateau firmware. You can think of our firmware as a locked-down, ultra-secure "operating system" inside each Electric Chateau device. Because our firmware is not a full-featured operating system, the attack vectors for hacking an Electric Chateau device are significantly reduced and our devices are immune from exploits that affect standard operating systems.
Hosted in the USA
The Electric Chateau cloud service runs entirely on servers located in the USA, so your account and all interactions with BuzzOff occur in the USA and never on a foreign server. We do this to protect the integrity of your data and make your BuzzOff experience better. Hosting your data in the USA helps keep latency down so that BuzzOff responds faster to your requests.
We regularly issue updates to all aspects of the Electric Chateau platform. Most of these updates happen automatically, but in some cases it is your responsibility to ensure you have the latest software updates.
Electric Chateau regularly updates our Cloud Platform with new features and content. You do not need to take any action to receive these updates.
Electric Chateau regularly updates the Alexa Skill with new features and content. You do not need to take any action to receive these updates, though you do need to ensure your Electric Chateau account is linked to your Alexa account to use the Alexa Skill.
Electric Chateau regularly updates the Electric Chateau mobile apps for IOS and Android. You do need to install these updates yourself. We recommend that you enable automatic updates so that you always have the latest functionality, bug fixes and usability improvements.
The Electric Chateau platform distributes regular, secure, over-the-air firmware updates to enhance the functionality and security of Electric Chateau devices. You do not need to take any actions for firmware updates to occur, though you will not receive firmware updates unless your Electric Chateau device is connected to the internet.
Data at Rest
We provide industry standard access controls to the data stored in the Electric Chateau platform. However, some of your personal information stored in the Electric Chateau databases is stored unencrypted so that our employees can use that data to provide you service. We attempt to minimize the impact of any potential breach by limiting what personal information we store. The personally identifiable information stored in our database is typically limited to your name, address, phone number and email address.
Electric Chateau stores the name and password to your WiFI network(s) in its cloud database for the sole purpose of sharing those credentials with your other Electric Chateau devices you register to your account. This data is encrypted to prevent a sophisticated attacker who accesses our database from being able to read your WiFi password.
Data stored within Electric Chateau devices is encrypted at rest. If an attacker gains physical access to your device and dumps the contents of the Flash ROM, your personally identifiable data is safely encrypted.
Electric Chateau data stored on mobile devices is also encrypted at rest.
We truly hope that your experience with Electric Chateau is one without incident, and we work hard to make that the most likely outcome. However, should you become aware of a security incident, we ask that you report it to us so we can help achieve the best outcome and prevent it from ever happening again to you or any other customer.
Reporting an Incident
If you suspect that your devices, Electric Chateau account, or personal information may have been compromised for any reason, please report the incident via our contact form.