IoT Security

Securing IoT devices is an ongoing problem. Typically a username and password are the only method available to secure a device. Practically speaking, these are rarely changed and are therefore exploited by denial of service bots.

One way to secure an IoT device in a robust and scalable manner is to put a firewall in front of each IoT device. Access to and from the IoT device can be controlled at a very granular level.

In one case we had a camera that out of the box would dial ‘home’ for instructions. Putting in a simple firewall rule to block all access except to the video management system was a quick and practical solution to the problem.

Firewall rules can be customized by type of IoT device. The network management tools allow managing these routers at scale.
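As an added illustration (not from the original post), the code below renders per-device allowlist rules from a policy keyed by device type and checks a list of flows against the same policy, including a camera dialing out. The use of nftables rule syntax, the device types, the peer names and every address are assumptions constructed for the example.

```python
import ipaddress

# Constructed policy: device type -> names of the only peers it may talk to.
POLICY = {"camera": ["vms"], "thermostat": ["controller"]}
# Constructed addresses (documentation ranges), not values from the post.
PEERS = {"vms": "192.0.2.50", "controller": "192.0.2.60"}
DEVICES = {"192.0.2.10": "camera", "192.0.2.20": "thermostat"}


def allowed_peers(dev_ip):
    """Addresses the device at dev_ip may exchange traffic with (empty if unknown)."""
    return {PEERS[name] for name in POLICY.get(DEVICES.get(dev_ip), [])}


def render_rules(dev_ip):
    """nftables forward-chain rules: accept listed peers, log and drop the rest."""
    ipaddress.ip_address(dev_ip)  # refuse malformed input before it lands in a rule
    rules = []
    for peer in sorted(allowed_peers(dev_ip)):
        rules.append(f"ip saddr {dev_ip} ip daddr {peer} accept")
        rules.append(f"ip saddr {peer} ip daddr {dev_ip} accept")
    rules.append(f'ip saddr {dev_ip} log prefix "iot-drop " drop')
    rules.append(f'ip daddr {dev_ip} log prefix "iot-drop " drop')
    return rules


def blocked_flows(flows):
    """Return the (src, dst) flows that the rendered rules would drop."""
    dropped = []
    for src, dst in flows:
        dev, other = (src, dst) if src in DEVICES else (dst, src)
        if dev in DEVICES and other not in allowed_peers(dev):
            dropped.append((src, dst))
    return dropped


# Constructed flow list: camera to VMS, camera dialing out, an inbound probe,
# and the controller reaching the thermostat.
FLOWS = [("192.0.2.10", "192.0.2.50"), ("192.0.2.10", "203.0.113.7"),
         ("198.51.100.9", "192.0.2.20"), ("192.0.2.60", "192.0.2.20")]

if __name__ == "__main__":
    print("\n".join(render_rules("192.0.2.10")))
    print(blocked_flows(FLOWS))
```

The logged drops double as a detection signal: a device that starts hitting the drop rule is trying to reach something outside its allowlist.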

Lutron Radio Ra 2 notes

I am in the process of setting up a Radio Ra 2 system for a client. Went through dealer training provided by Lutron. Let me just say the documentation leaves a lot to be desired. I will keep these notes updated as I learn more.


The website to download the Lutron essential software is  Yes, a user name and password is required. The only way I know how to get this is to attend Lutron’s BLAST training.

The brains of the lighting control is called a repeater. It is possible to extend the wireless range with up to 4 auxiliary repeaters.

It is possible to set up a system without a PC by doing the ‘tap-tap’ dance. Here I will focus only on setting up the system with the Lutron Essential Software (LES). The software version is currently Radio Ra 2 Beta 4.1.10. If a system is set up without a PC, all devices will need to be reset to factory default before activating with LES. To reset a device to factory default, tap 3 times quickly, holding on the last tap. You will see flashing LEDs. Quickly release the hold and tap three times again. More flashing will occur and the device will be factory reset.

In order to use the iPhone or iPad app, the system must be set up using LES.

During a power outage the main repeater retains its configuration unless the power outage is flickering, in which case it loses its configuration. Happened to me once. Best to keep the main repeater on a UPS.

Using the LES

The system I am using is a Mac mini running a virtual Windows XP instance loaded with LES. The Mac Mini is used as an integrated controller for many functions in this client application. One advantage of using a Mac Mini is the ability to remotely ssh into the Mac Mini and perform system maintenance and fine tune LES.

The main repeater should be set up with a static IP address. Do this first.

Define the user name/password for telnet access to the main repeater. Only one user name/password can be active. So it is not possible for multiple iPhones or iPads using the Lutron app to access the system with the same credentials.

Steps to set up a system are Design > Program > Activate > Transfer.

Design Step

In the design step all devices are entered into the system. Lutron uses the term device to refer to all physical hardware. LES has a concept of Room, Location and Zone. I use the concept of Room to define devices controlling that room. I use Location to describe the physical location of the device (dimmer/keypad). I also include the serial number of the device in this field. Zones describe the load controlled by a dimmer/switch.

It is very helpful to have the device model numbers and serial numbers when entering the devices in the design step.

Program Step

In this step keypad buttons and main repeater phantom buttons are linked with zones. Time clock events are also defined during this step. Time clock events include Fixed time, Sunrise, Sunset and a few others. Time clock events are also tied to a mode. Modes can be normal, away or custom.

Still trying to figure out the best practice around programming buttons. Most examples I see are buttons assigned to activities during the day, for instance: Dinner Time or Going to Bed.

My automation design aesthetic leans toward using the time clock feature a lot. To have certain lights come on precisely at sunset and sunrise really informs. The cadence is anticipated. Try it. I try to keep keypad usage and LED feedback consistent.

Activate Step

In this step the devices are paired with the main repeater. The devices must be physically installed in order to activate. This is a major limitation. If you have the serial number for a device the system should allow you to activate and pair the device. Beats running around a 10k sq ft or greater home.

Transfer Step

During this step the configuration in LES is transferred to the main repeater which in turn downloads it to the individual devices. I would be very reluctant to install a Radio Ra 2 system without the LES system running on some PC accessible remotely in the client’s network as it would require a field trip for every change.

Integration with 3rd party software

Integration is through either serial or telnet. Commands are all plain ASCII. You can specify a command and the repeater responds with the result, an error and, yes, sometimes nothing. This will require the interfacing program to have a lot of domain specific smarts to handle the ‘nothing’ response.

The main repeater can be set up to broadcast all system state changes. The command to enable all state changes is #MONITORING,255,1. The command to control keypad buttons and main repeater phantom buttons is the #DEVICE command. The command to control individual devices like dimmers and switches is the #OUTPUT command.

I have to do some real life system testing to determine if the time delay from button press > to repeater broadcast > to interface program > to response is too great and therefore a ‘deal breaker’.

The ?HELP command lists all the available commands. The majority of the commands are not documented anywhere else. The current list is ?AREA, #AREA, ?DEVICE, #DEVICE, ?ETHERNET, #ETHERNET, ?HELP, #HVAC, ?HVAC, #INTEGRATIONID, ?INTEGRATIONID, #MODE, ?MODE, #MONITORING, ?MONITORING, #OUTPUT, ?OUTPUT, ?REPEATERMODE, #REPEATERMODE, #RESET, #SHADEGRP, ?SHADEGRP, #SYSTEM, ?SYSTEM, ?SYSVAR, #SYSVAR, #TIMECLOCK, ?TIMECLOCK, SETMEMLOGTIME. Type “?HELP,<command name>” for help on a specific command. Dimmer values are reported as a percentage from 0 to 100.

The key to integration is to use the phantom button in the main repeater. For instance: Set up a phantom button for flashing some lights using LES and trigger it through 3rd party software whenever the door bell rings.

Example: the main repeater has an integration ID of 1 and Button 1 has a component ID of 1. The command to toggle this button is #device,1,1,3. The status of this button can be queried by examining the state of the LED: ?device,1,101,9. Note that component ID 101 corresponds to the LED for button 1. In the response, 0=off and 1=on. Integration IDs and component IDs are available in the integration report generated by the LES. This report is extremely helpful when programming an interface.
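The result / error / ‘nothing’ behaviour described above, and the LED query from this example, as added example code that is not part of the original notes. It assumes replies are CRLF-terminated lines that echo the command with a "~" prefix and that errors arrive as "~ERROR,..."; the socket pair and the canned replies are constructed stand-ins for the telnet session so the code runs offline.

```python
import socket
import time


class Repeater:
    """Line-oriented client; the '~' reply and '~ERROR' formats are assumptions."""

    def __init__(self, sock):
        self.sock, self.buf, self.events = sock, b"", []

    def _readline(self, deadline):
        # Collect bytes until a full CRLF-terminated line or the deadline.
        while b"\r\n" not in self.buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            self.sock.settimeout(remaining)
            try:
                chunk = self.sock.recv(1024)
            except socket.timeout:
                chunk = b""
            if not chunk:  # silence until the deadline, or the peer closed
                return None
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("ascii", "replace").strip()

    def query(self, command, timeout=0.5):
        """Return ('ok', value), ('error', line) or ('none', None) on silence."""
        self.sock.sendall(command.encode("ascii") + b"\r\n")
        expect = "~" + command[1:].upper() + ","
        deadline = time.monotonic() + timeout
        while (line := self._readline(deadline)) is not None:
            if line.upper().startswith(expect):
                return ("ok", line[len(expect):])
            if line.upper().startswith("~ERROR"):
                return ("error", line)
            self.events.append(line)  # unrelated broadcast, kept for the caller
        return ("none", None)


def demo():
    client, server = socket.socketpair()  # constructed stand-in for the repeater
    rep = Repeater(client)
    server.sendall(b"~OUTPUT,5,1,75.00\r\n~DEVICE,1,101,9,1\r\n")  # broadcast, then reply
    led = rep.query("?device,1,101,9")
    server.sendall(b"~ERROR,1\r\n")
    err = rep.query("?bogus")
    silent = rep.query("#device,1,1,3", timeout=0.2)  # nothing comes back
    return [led, err, silent], rep.events
```

The timeout turns the ‘nothing’ case into an explicit result the caller can retry or log, and monitoring broadcasts that arrive ahead of a reply are queued in `events` instead of being mistaken for the answer.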