Rently Smart Home Security User Guide

June 8, 2024
Rently

Rently Smart Home Security

In 2011, Rently pioneered the use of technology in property management when it brought its patented self-showing technology to market. Since then, Rently has emerged as an industry leader in residential remote access and smart home technology for property management. Rently's robust engineering teams and deep industry expertise allow us to offer flexible and customizable enterprise hardware and software solutions for both single-family and multifamily operators.
Today, our extensive suite of solutions allows us to help operators of any size make their whole portfolio smart. Rently's Smart Home is easy to install and manage. Our solution integrates with leading Property Management Systems, making move-ins and move-outs a breeze. Residents love our resident app, which allows them to remotely manage and automate their home.

Rently Smart Home Overview

  • Total Home Automation | Streamline property access with keyless entry locks, reduce utility bills with smart thermostats, and enhance security with sensors.
  • Loved By Renters | Our best-in-class Renter app lets your renters easily manage their smart home.
  • Cloud Based Software | Easily manage your entire portfolio of properties from one online platform. ISO 27001 and 27701 certified and CCPA compliant.
  • Tri-Band Hub | Seamlessly connect over cellular, Wi-Fi or Ethernet to ensure superior smart home uptime.
  • Convenient | All devices are pre-paired to the Rently hub and rigorously tested for quality. Nationwide installation services are available upon request.
  • Trusted Technology | For over 10 years, millions of renters and thousands of property managers have used Rently technology.

Smart Home Hardware

Rently continues to add both self-designed and OEM devices. The following are a subset of devices Rently currently offers.

Access Control
Smart locks

  • Yale and Kwikset

Common area access panel
Garage door opener

Energy Management
Smart thermostat
Smart lighting

  • On/off
  • Dimmer

Damage Prevention

  • Water leak sensors
  • Smoke/CO alarms

Smart Monitoring
Sensors

  • Motion sensor
  • Door/window contact

Siren alarm
Cameras

  • Video doorbell

Hub (Smart Home gateway device)

  • Engineered and manufactured by Rently
  • Not OEM'd
  • Cellular, Wi-Fi and Ethernet enabled

Smart Lock
Operator features

  • Eliminates keys
  • Integrated self-guided tours
  • Real-time vendor/employee access notifications
  • Contactless move-ins/move-outs
  • Kwikset re-key

Resident features

  • Lock access via mobile app
  • Create unique, temporary, or recurring access codes for family, friends, or service providers (e.g. dog walkers)
  • Peace of mind that your home is always locked
  • Real-time app access notifications
  • App notifications if the door is left open
  • Prevent porch pirates by unlocking the door for delivery drivers
  • Activity log of who accessed your home and when

Details for other devices can be found on the Rently website: use.rently.com/enterprise-smart-home/


Rently Smart Home Services

Manager Portal
The Manager Portal allows property managers to remotely manage all of their Rently-enabled devices. Users can monitor energy usage, track vacant-unit activity, and detect and prevent property damage from their desktop or mobile devices. The dashboard, or front page, of the Manager Portal gives users a real-time snapshot of all their connected properties, from which they can drill down to the status of individual properties and devices.

Smartphone apps
The Rently mobile apps allow property managers and residents to control and automate their smart home wherever they may be. The Rently resident app can be white-labeled and gives properties a high-tech differentiator.

iOS and Android apps

  • AppStore ratings: 4.6+ stars.

Functionalities:

  • Resident interface: Remotely control devices.
  • Manager interface: Remotely manage assets and devices.

Architecture Overview

The following are the major components of the Rently Smart Home system:

Smart Home Keyless Server, including a relational database (RDB): the central control point of the system. It performs the following functions:

  • Processes requests from web and mobile apps
  • Processes device messages from the IoT Core service via an SQS queue
  • Issues device commands to the IoT Core service

AWS IoT Core service: the interaction point for all devices. It has the following functions:

  • Takes commands and communicates them to the hub via the MQTT protocol
  • Reports status back from devices

Hub firmware and service: relays between IoT Core and devices:

  • Maintains a persistent Internet connection with the IoT Core service
  • Interacts with devices, often via low-power radio communications such as Z-Wave

Device firmware: controls device functions and communicates with the hub.
Lambda functions: process messages from the IoT Core service.
Operation SQS queue: Lambda functions enqueue tasks for the Smart Home Keyless Server.
DynamoDB: keeps system and device information and logs system activities.

Security Overview

Security risks and vulnerabilities have the potential to compromise the security and privacy of customer data in a Smart Home application. Coupled with the growing number of devices, and the data generated, the potential of harm raises questions about how to address security risks posed by Smart Home devices and device communication to and from the cloud.
Common customer concerns regarding risks center on the security and encryption of data while in transit to and from the cloud, or in transit from edge services to and from the device, along with patching of devices, device and user authentication, and access control. Securing Smart Home devices is essential, not only to maintain data integrity, but to also protect against attacks that can impact the reliability of devices.
As end users are empowered to directly control a device, the security of devices must permeate every layer of the solution.
With data security and data breaches constantly in the news, Smart Home security is always a hot topic for investors, residents, and the C-suite. The foundation of a Smart Home solution should start and end with security, using services capable of continuously auditing Smart Home configurations to ensure that they do not deviate from security best practices.
Once a deviation is detected, alerts should be raised so that corrective action can be taken, ideally automatically.
To keep up with the flow of new devices into the marketplace as well as new threats coming online, it is best to implement services that address each part of the Smart Home ecosystem and overlap in their capability to secure and protect, audit and remediate, and manage fleet deployments of Smart Home devices (with or without a connection to the cloud).

ISO 27001 and 27701 Certifications
Rently has achieved certification of its Information Security Management System to ISO/IEC 27001:2013 and of its Privacy Information Management System to ISO/IEC 27701:2019.
ISO/IEC 27001:2013
The ISO/IEC 27000 family of standards provides a framework for policies and procedures that include the legal, physical, and technical controls involved in an organization's information risk management processes. ISO/IEC 27001:2013 is a security standard that formally specifies an Information Security Management System (ISMS) intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001:2013 helps organizations comply with numerous regulatory and legal requirements that relate to information security. ISO/IEC 27002:2013 provides guidelines and best practices for information security management; however, an organization cannot be certified against ISO/IEC 27002:2013 because it is not a management standard. The audit vehicle is ISO/IEC 27001:2013, which relies on the detailed guidance in ISO/IEC 27002:2013 for control implementation.

ISO/IEC 27701:2019
ISO/IEC 27701:2019 is built as an extension of the widely used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making a PIMS a natural compliance extension for the many organizations that rely on ISO/IEC 27001, as well as a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.
In addition, any ISO/IEC 27701 audit requires the organization to declare the applicable laws and regulations in its audit criteria, meaning that the standard can be mapped to many of the requirements under GDPR, the California Consumer Privacy Act (CCPA), or other laws. Once mapped, the ISO/IEC 27701 operational controls are implemented by privacy professionals and audited by internal or third-party auditors, resulting in a certification and comprehensive evidence of conformity. This universal framework allows organizations to efficiently implement compliance with new regulatory requirements.

Scope of Certification
Management of information security and privacy in software development and self-showing rental management, with application support services provided to external customers. Departments include Research and Development, Customer Support, Operations, HR, Accounts, IT Support, Sales, Keyless, Client Success, Customer Care, Product and Engineering. All four offices are included. This is in accordance with the SOA (Statement of Applicability) Version 1.2 dated 09/Feb/2021.

Device Security
Physical Security
Yale Lock Security

  • BHMA (Builders Hardware Manufacturers Association) Grade 2 certified
  • Fire rating: UL/cUL listed for 90-minute fire doors and windstorm applications when installed with the included fire kit
  • Proven track record since 1840

Kwikset SmartKey Lock Security

  • BHMA (Builders Hardware Manufacturers Association) Grade 3 certified
  • Tamper-resistant interior cover
  • Alarm sounds after 3 consecutive incorrect codes are entered

Kwikset's SmartKey Security is designed to protect against the following types of break-ins and keep your family safe:

  • Kick-in resistant
  • Pick resistant
  • Bump proof
  • Drill resistant
  • Saw resistant
  • Re-key technology

SmartKey Security™ also allows you to re-key the lock yourself in seconds, making lost or unreturned keys inoperative.

Device Software Security

Hub
The Rently hub runs the open-source Debian ARM Linux OS, which has a proven track record of security and stability. The OS comes with libraries that help secure device data and connections, including support for data encryption and key management. It includes support for Transport Layer Security (TLS 1.2) so that the hub connects securely to the Keyless Server. Rently has OTA update capabilities to remotely update the hub and devices with feature enhancements or security patches.

Upcoming Rently NB Lock
Service overview: the NB Lock runs Zephyr OS, an open-source real-time operating system with a small-footprint kernel designed for resource-constrained and embedded systems.
Security capabilities: the NB Lock has the following Zephyr security capabilities.

  • Security functionality: hinges mainly on the inclusion of cryptographic algorithms, on the monolithic system design, and on stack-protection mechanisms.
  • Execution protection: supported, and categorized into the following features.
    Memory separation: memory is partitioned into regions and assigned attributes based on the owner of that region. Threads have access only to regions they control.
    Stack protection: stack guards provide mechanisms for detecting and trapping stack overruns. Individual threads have access only to their own stacks.
    Thread separation: individual threads have access only to their own memory resources. As threads are scheduled, only memory resources owned by that thread are accessible.
    Topics such as program-flow protection and other measures for tamper resistance are currently not in scope.
  • System-level security: encompasses a wide variety of categories. MCUboot is used for secure/trusted boot, and its image-signing feature is used to authenticate over-the-air (OTA) updates.

Hub Authentication and Authorization with Rently IoT Core

X.509 Client Certificates
X.509 certificates give Rently IoT Core the ability to authenticate client and device connections. Hub certificates must be registered with Rently IoT Core before a hub can communicate with it.

Register hub and device with Rently IoT Core
Rently creates the following security resources during the registration process:
An X.509 certificate. Each hub is provisioned with a unique certificate during registration. A hub uses its X.509 certificate to perform mutual TLS authentication with the Rently IoT Core service.
An IoT policy. IoT policies define the operations a device can perform in Rently IoT Core. IoT policies are attached to device certificates. When a device presents its certificate to Rently IoT Core, it is granted the permissions specified in the policy.
MQTT topics associated with a hub are used for real-time updates. After a hub is registered with the Keyless Server, the hub is responsible for registering each of its devices via the Keyless Server.
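The value of a per-certificate IoT policy depends on how tightly it is scoped. The following is an added example, not Rently's policy or code: it contrasts an over-broad policy with one bound to the connecting hub through the AWS IoT policy variable `${iot:Connection.Thing.ThingName}`, and adds a small lint pass a practitioner can run over policy documents before attaching them. The account ID, region, topic layout and hub naming are assumptions.

```python
"""Added example (not Rently's code): scope an AWS IoT policy to one hub and lint it.

AWS IoT resolves ${iot:Connection.Thing.ThingName} to the thing that the
presented X.509 certificate is registered to, so one policy document can be
shared by every hub while still confining each hub to its own client ID and
shadow topics.  Account/region/topic values below are assumptions.
"""
import json

ACCOUNT = "123456789012"   # assumed placeholder account id
REGION = "us-west-2"       # assumed
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}"
THING = "${iot:Connection.Thing.ThingName}"   # AWS IoT policy variable

# Over-broad: any hub holding a certificate with this policy can impersonate
# every other hub (publish fake lock status, read every command).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Scoped: the hub may connect only under its own thing name and only touch
# that thing's shadow topics (delta in, reported state out).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN}:client/{THING}"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN}:topicfilter/$aws/things/{THING}/shadow/update/delta"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN}:topic/$aws/things/{THING}/shadow/update/delta"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN}:topic/$aws/things/{THING}/shadow/update"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_iot_policy(policy):
    """Return findings for Allow statements not confined to the connecting thing."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if any(a == "iot:*" or a.endswith("*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        for r in _as_list(st.get("Resource", [])):
            if r == "*":
                findings.append(f"statement {i}: resource '*' grants access to every thing")
            elif THING not in r:
                findings.append(f"statement {i}: resource not bound to connecting thing: {r}")
    return findings


def resolve_for_thing(policy, thing_name):
    """Show what a given hub actually gets: substitute the policy variable."""
    return json.loads(json.dumps(policy).replace(THING, thing_name))


if __name__ == "__main__":
    print("broad :", lint_iot_policy(BROAD_POLICY))
    print("scoped:", lint_iot_policy(SCOPED_POLICY))
    print(json.dumps(resolve_for_thing(SCOPED_POLICY, "hub-0042"), indent=2))
```

Because the variable is resolved from the certificate-to-thing registration, a hub that presents a stolen certificate still cannot subscribe to another hub's delta topic; the lint pass flags any statement that would undo that guarantee.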

Hub and Device Communication Security
Rently hubs and devices communicate using the Z-Wave security protocol and are in the process of migrating from the S0 security protocol to the S2 security protocol.
S0 uses AES-128 for authenticated symmetric encryption (AES-CBC-MAC for authentication and AES-OFB for encryption) for access control devices. Z-Wave S0 security has a 10-year track record of securing door locks and other trusted access control devices in the field.
To our knowledge, no exploits have taken place in the real world, despite some known limitations.
The upcoming S2 protocol adds a number of security features to protect communication:

  • Out-of-band authentication and Elliptic Curve Diffie-Hellman. When a new device is added to the Z-Wave network, a QR code or PIN is used together with the industry-recognized Elliptic Curve Diffie-Hellman key exchange. This prevents deciphering of network keys and the inclusion of rogue nodes.
  • Jamming detection. If a jamming signal is blocking communication between Z-Wave devices, this functionality detects it.
  • Multiple network keys. S2 supports multiple network keys, which improves security because keys are compartmentalized. For example, physically exposed nodes can use a less trusted key.
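To make the out-of-band step concrete, the following is an added example (neither Rently's nor Silicon Labs' code) of the key agreement behind S2 inclusion. It implements X25519 from RFC 7748 in pure Python so it runs without third-party packages, withholds the first two bytes of the joining device's public key over the air the way S2 does, and has the controller re-insert them from the 5-digit PIN (the leading digits of the device's DSK). The key-derivation and confirmation steps use SHA-256/HMAC as stand-ins for S2's AES-CMAC constructions, and the message layout is simplified; both are assumptions.

```python
"""Added example, not Rently's or Silicon Labs' code: Z-Wave S2-style ECDH
inclusion with a PIN-authenticated public key, in pure Python.

X25519 follows RFC 7748 (Montgomery ladder).  The joining node withholds the
first two bytes of its public key on the air; the user supplies them as the
5-digit PIN printed on the device.  KDF/confirmation use SHA-256/HMAC here as
a stand-in for S2's AES-CMAC (assumption).
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASE_U = (9).to_bytes(32, "little")


def _cswap(swap, a, b):
    return (b, a) if swap else (a, b)


def x25519(scalar, u_bytes):
    """RFC 7748 X25519 scalar multiplication."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7) & ((1 << 255) - 1) | (1 << 254)            # clamp
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed=None):
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASE_U)


def dsk_pin(pub):
    """First 5 digits of the DSK: public-key bytes 0-1 as a big-endian number."""
    return f"{int.from_bytes(pub[:2], 'big'):05d}"


def over_the_air(pub):
    """What the joining node transmits: the two PIN bytes are withheld."""
    return b"\x00\x00" + pub[2:]


def derive_key(shared):
    return hashlib.sha256(b"s2-demo-kdf" + shared).digest()   # stand-in KDF


def run_inclusion(device, pin, mitm=None):
    """Return True if the controller accepts the joining node.

    `device` is (priv, pub) of the real lock.  `mitm`, if given, is an
    attacker key pair that replaces the over-the-air public key and answers
    the confirmation with its own derived key."""
    ctrl_priv, ctrl_pub = keypair()
    joiner_priv, joiner_pub = mitm if mitm else device
    ota = over_the_air(joiner_pub)
    # Controller rebuilds the authenticated public key from PIN + air bytes.
    recon = int(pin).to_bytes(2, "big") + ota[2:]
    ctrl_key = derive_key(x25519(ctrl_priv, recon))
    # Joiner derives its key from the controller's public key.
    joiner_key = derive_key(x25519(joiner_priv, ctrl_pub))
    # Confirmation: joiner must prove it holds the key the controller derived.
    transcript = b"kex-confirm" + ctrl_pub + recon
    tag = hmac.new(joiner_key, transcript, "sha256").digest()
    expected = hmac.new(ctrl_key, transcript, "sha256").digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    lock = keypair()
    print("PIN on the lock:", dsk_pin(lock[1]))
    print("accepted with correct PIN:", run_inclusion(lock, dsk_pin(lock[1])))
    print("accepted via rogue node   :", run_inclusion(lock, dsk_pin(lock[1]), mitm=keypair()))
```

A rogue node that substitutes its own public key cannot make the controller's reconstructed key equal its real key, so the confirmation fails and the node is not included. Note the caveat the PIN path carries: only 16 bits of the key are authenticated out of band, so scanning the full DSK from the QR code (the first 16 bytes of the public key) is the stronger inclusion method where the installer app supports it.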

IoT Core Security
Rently IoT Core is a managed AWS cloud service that lets connected devices interact easily and securely with cloud applications and other devices. IoT Core provides secure communication and data processing across different kinds of connected devices and locations. It can support millions of devices and billions of messages, which are processed and routed to Rently endpoints and other devices reliably and securely.
Rently IoT Core employs a number of AWS mechanisms that help enable and maintain security. AWS cloud security mechanisms protect data as it moves between IoT Core and devices or other AWS services. Devices connect using X.509 certificates over a secure connection. While Rently endpoints perform the client-side validation (chain-of-trust validation, hostname verification, and secure storage and distribution of their private keys), IoT Core provides secure transport channels using TLS. The AWS IoT rules engine forwards device data to other devices and AWS services according to Rently-defined rules, and AWS access management is used to securely deliver data to its final destination. These features, used in conjunction with general cybersecurity best practices, work to protect customer data. Rently uses Amazon Cognito to manage user identity. Amazon Cognito Identity provides the ability to create temporary, limited-privilege AWS credentials for use in mobile and web applications. With Amazon Cognito Identity, Rently creates identity pools that assign unique identities to users and authenticate them with identity providers (for example, Login with Amazon) for use with the IoT Core service. AWS IoT access policies are attached to an Amazon Cognito identity and give permissions to an individual user of the Rently system. Rently uses the IoT policy to assign fine-grained permissions for specific customers and their devices. In a later section of this whitepaper, we show how Rently uses Amazon Cognito in a sequence diagram.

Rently Keyless Server Security

The Rently Keyless Server is the central control point of the system. It leverages AWS Cognito and IAM (Identity and Access Management) services to provide multi-level role-based access control to properties and devices. For example, access to community common areas can be precisely restricted to the list of residents associated with that specific community and no one else.
Rently uses the AWS encrypted database option to protect all data stored in the database at rest.
The Rently Keyless Server is protected by AWS Shield and AWS WAF. AWS Shield defends against the most common, frequently occurring network- and transport-layer DDoS attacks. AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. In addition, the Keyless Server benefits from Amazon CloudFront and Amazon Route 53, which provide availability protection against infrastructure-layer (Layer 3 and 4) attacks.

How Rently components work together for secure interaction with devices
The sequence diagram below outlines how a user interacts with a device securely from the web portal. At each step, the communication is authenticated and encrypted. After receiving an unlock request from a user, the Keyless Server updates the device's shadow object via the IoT Core API. IoT Core publishes the resulting state change on the shadow's delta topic. The Rently hub parses the message from the corresponding MQTT topic and issues the command to the target device via either Z-Wave or Bluetooth Low Energy.
In the response direction, a device status change after successful execution (e.g. a lock changing from locked to unlocked) is published by IoT Core. Upon publication of the device status update, predefined IoT Core rules trigger the Rently IoT Lambda function, which logs the device activity into DynamoDB and inserts a message into the SQS queue. The Keyless Server dequeues the message from the SQS queue and updates the device status for the user.
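The round trip above (and the mobile-app variant described later, which differs only in where the unlock request originates) can be followed end to end in code. The following is an added example, not Rently's code: an in-memory model of the device shadow that applies the AWS IoT shadow rule (the delta is every desired key whose value differs from the reported one, and a matching report clears it), the hub consuming that delta, and the rule-triggered Lambda that writes the activity record and enqueues a task. The `Shadow`, `FakeTable` and `FakeQueue` classes, the access-control list and the field names stand in for the AWS services and are assumptions.

```python
"""Added example, not Rently's code: the unlock round trip through a device
shadow, modelled in memory.  Shadow semantics follow AWS IoT Device Shadow
(delta = desired keys whose value differs from reported).  The ACL, topic and
field names and the fake DynamoDB/SQS clients are assumptions.
"""
import json
import time

ACL = {"alice": {"lock-17"}}   # assumed server-side user -> devices mapping


class Shadow:
    """One thing's shadow: 'desired' is what the server wants,
    'reported' is what the hub last confirmed."""

    def __init__(self):
        self.desired, self.reported, self.version = {}, {}, 0
        self.delta_topic = []   # what IoT Core would publish on .../shadow/update/delta

    def update(self, doc):
        self.version += 1
        state = doc.get("state", {})
        self.desired.update(state.get("desired", {}))
        self.reported.update(state.get("reported", {}))
        delta = {k: v for k, v in self.desired.items() if self.reported.get(k) != v}
        if delta:
            self.delta_topic.append({"state": delta, "version": self.version})
        return delta


def keyless_server_unlock(shadow, user, lock_id):
    """Keyless Server: an authorised user's unlock becomes a desired-state update."""
    if lock_id not in ACL.get(user, set()):
        raise PermissionError(f"{user} may not operate {lock_id}")
    return shadow.update({"state": {"desired": {"lock": "unlocked"}}})


class Hub:
    def __init__(self, lock_state="locked"):
        self.lock_state = lock_state

    def handle_delta(self, shadow, msg):
        """Hub: apply the delta over Z-Wave/BLE, then report the new state."""
        want = msg["state"].get("lock")
        if want in ("locked", "unlocked"):
            self.lock_state = want            # command sent to the physical lock
        return shadow.update({"state": {"reported": {"lock": self.lock_state}}})


class FakeTable:                              # stands in for a DynamoDB table
    def __init__(self):
        self.items = []

    def put_item(self, Item):
        self.items.append(Item)


class FakeQueue:                              # stands in for an SQS queue
    def __init__(self):
        self.messages = []

    def send_message(self, MessageBody):
        self.messages.append(MessageBody)


def activity_lambda(event, table, queue):
    """Rule-triggered Lambda: persist the activity, hand the server a task."""
    item = {"thing": event["thing"], "ts": event["ts"], "state": event["state"]}
    table.put_item(Item=item)
    queue.send_message(MessageBody=json.dumps(item))
    return item


def unlock_round_trip(user, lock_id, thing="hub-0042"):
    shadow, hub, table, queue = Shadow(), Hub(), FakeTable(), FakeQueue()
    shadow.update({"state": {"reported": {"lock": hub.lock_state}}})   # initial report
    keyless_server_unlock(shadow, user, lock_id)
    delta_msg = shadow.delta_topic.pop()      # IoT Core publishes, hub consumes
    hub.handle_delta(shadow, delta_msg)
    # The reported-state change fires the IoT rule -> Lambda -> DynamoDB + SQS.
    event = {"thing": thing, "ts": int(time.time()), "state": dict(shadow.reported)}
    activity_lambda(event, table, queue)
    delta_after = {k: v for k, v in shadow.desired.items() if shadow.reported.get(k) != v}
    return {"lock_state": hub.lock_state, "delta_after": delta_after,
            "logged": table.items, "queued": [json.loads(m) for m in queue.messages]}


if __name__ == "__main__":
    print(json.dumps(unlock_round_trip("alice", "lock-17"), indent=2))
```

Two properties worth checking in a real deployment are visible here: the authorization decision is made on the server before any desired state is written, and once the hub reports the new state the delta is empty, so a replayed or re-delivered delta message cannot keep re-issuing the command.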

Mobile Application Security

User authentication
In addition to strong passwords, the Rently mobile app supports platform-native biometric authentication, including Face ID and fingerprint. Modern mobile platforms also provide a strong local secure vault (e.g. the iPhone Secure Enclave) for storing authentication data, and the Rently mobile app is designed to use these platform-native secure vaults.

Real-time device status notification as a security alert
By default, Rently enables a notification service to the mobile app for device status changes. The notification setting is configurable in the mobile app. While the notification service is not itself a security control, it gives the user real-time status and is an effective way for the user to become aware of a potential attack, such as an unintended door unlock.

Unlock a door from Mobile app
The sequence diagram below shows how the different components work together to ensure security, by describing the steps involved in unlocking a door from the Rently mobile app. At each step, the communication is authenticated and encrypted.
Upon login with username/password, Face ID, or fingerprint, the mobile app calls the Keyless Server to obtain the list of assets/devices associated with the user account. For any device the user selects, the Rently mobile app obtains the corresponding access token and registers interest in the IoT update channels.
When the user presses Unlock on a door lock icon, the mobile app sends the lock command to the Keyless Server (how the Keyless Server processes the command is omitted here and is outlined in the Keyless Server sequence diagram in the previous section), which in turn issues the command to the IoT Core service. Upon successful execution of the command by the physical lock, the Rently mobile app receives the status update from the relevant IoT channel and shows the lock status in the app.

Direct Bluetooth connection to access panel and lock
In addition to interacting with devices (including the access panel and lock) via the Keyless Server and a hub, the Rently mobile app can connect directly to the access panel and lock via Bluetooth LE (Low Energy). Rently uses out-of-band authentication with a shared key between the mobile application and the device. The Bluetooth LE communication is encrypted with a 128-bit AES key.

How is my data protected in transit

Encrypted Communications
All data in the Rently system is sent over TLS connections (HTTPS, MQTT over TLS, and WebSocket over TLS), making it secure by default while in transit.

Encryption level for TLS session
The cipher for a TLS session with a server is typically AES-256. The cipher used with low-energy devices is typically AES-128.

Hub/Server verification
PKI digital certificates form the foundation of the endpoint-management security infrastructure. A hub certificate is issued during the enrollment process and is required for communication between the hub and the IoT Core service.
All data and certificates/private keys stored locally on a device are encrypted using AES-256 in a local secure vault or a strong platform-native service such as the iOS Keychain.

How is my data protected at rest

Rently data is stored in AWS RDS and DynamoDB databases.

RDS Encryption at Rest
Rently employs the AWS encrypted RDS option. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.
Amazon RDS encrypted DB instances use the industry-standard AES-256 algorithm to encrypt data on the server that hosts the Rently RDS DB instances. Encryption and decryption are handled transparently by RDS, and access to the decrypted data is still governed by database authentication.

DynamoDB Encryption at Rest
All Rently data stored in Amazon DynamoDB is fully encrypted at rest. DynamoDB encryption at rest provides enhanced security by encrypting all data at rest using encryption keys stored in AWS Key Management Service (AWS KMS).
DynamoDB encryption at rest provides an additional layer of data protection by securing Rently data in an encrypted table, including its primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters, whenever the data is stored on durable media.

Operational Security

Auditing Capability
AWS infrastructure is used to run Rently services. Auditing of the Rently AWS infrastructure is managed with AWS CloudTrail, which records every API event in the AWS infrastructure in detail. Alerts are configured for important events in the AWS infrastructure. User and device activities are stored in RDS and DynamoDB.
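Which CloudTrail events deserve an alert follows from the architecture above: anything that mints or registers a device certificate, changes a certificate's status, or attaches or rewrites an IoT policy changes who can speak for a hub, and root-account use is always worth a page. The following is an added example, not Rently's alerting configuration: a classifier run over constructed CloudTrail-shaped records. The allow-listed provisioning role, account ID and sample records are assumptions; a real deployment would feed this from CloudTrail's S3 delivery or EventBridge.

```python
"""Added example, not Rently's code: flag the CloudTrail events that matter
most for an IoT fleet.  Records below are constructed for the example; the
provisioning role allow-list is an assumption.
"""

# Assumed: only the CI provisioning role may mint certificates or attach policies.
PROVISIONING_ROLES = {"arn:aws:sts::123456789012:assumed-role/HubProvisioner/ci"}

# AWS IoT API names as they appear in CloudTrail eventName.
WATCHED = {
    "CreateKeysAndCertificate": "new device certificate minted",
    "RegisterCertificate": "device certificate registered",
    "AttachPolicy": "IoT policy attached to a principal",
    "UpdateCertificate": "device certificate status changed",
    "CreatePolicyVersion": "IoT policy changed",
}
HIGH = {"CreateKeysAndCertificate", "RegisterCertificate", "AttachPolicy"}


def classify(record):
    """Return an alert dict for one CloudTrail record, or None if benign."""
    ident = record.get("userIdentity", {})
    name = record.get("eventName")
    if ident.get("type") == "Root":
        return {"severity": "high", "reason": "root account used", "event": name,
                "ip": record.get("sourceIPAddress")}
    if record.get("eventSource") != "iot.amazonaws.com" or name not in WATCHED:
        return None
    actor = ident.get("arn", "")
    # Provisioning is expected to mint/attach; a status change (revocation,
    # deactivation) is rare enough to surface regardless of who did it.
    if actor in PROVISIONING_ROLES and name != "UpdateCertificate":
        return None
    return {"severity": "high" if name in HIGH else "medium",
            "reason": WATCHED[name], "event": name, "actor": actor,
            "ip": record.get("sourceIPAddress"),
            "params": record.get("requestParameters", {})}


def scan(records):
    return [a for a in (classify(r) for r in records) if a]


PROV = "arn:aws:sts::123456789012:assumed-role/HubProvisioner/ci"
SAMPLE_TRAIL = [   # constructed records; field names follow CloudTrail's JSON
    {"eventSource": "iot.amazonaws.com", "eventName": "CreateKeysAndCertificate",
     "userIdentity": {"type": "AssumedRole", "arn": PROV}, "sourceIPAddress": "10.0.4.17"},
    {"eventSource": "iot.amazonaws.com", "eventName": "AttachPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"policyName": "hub-policy",
                           "target": "arn:aws:iot:us-west-2:123456789012:cert/0123abcd"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventSource": "iot.amazonaws.com", "eventName": "UpdateCertificate",
     "userIdentity": {"type": "AssumedRole", "arn": PROV},
     "requestParameters": {"certificateId": "0123abcd", "newStatus": "INACTIVE"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAIL):
        print(alert["severity"].upper(), alert["event"], "-", alert["reason"])
```

The first record is the normal provisioning path and produces nothing; an IAM user attaching a policy to a certificate from outside that path, root-account use, and a certificate being deactivated are the three events the pass surfaces.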

Ensuring denial of service protection
The Keyless Servers run behind an AWS Application Load Balancer and are protected by AWS Shield. AWS Shield defends against the most common, frequently occurring network- and transport-layer DDoS attacks, such as SYN floods or UDP reflection attacks. In addition, the Application Load Balancer routes traffic based on content and accepts only well-formed web requests.

Regular penetration testing
Rently engages external security experts to perform regular penetration testing of our services. Uncovered vulnerabilities are resolved promptly.

Security training
We regularly provide secure-coding training to our developers and follow best practices while developing applications. Similarly, we keep our employees aware of the importance of information security and of how to keep information secure.

24×7 Support availability
Rently support is available 24×7 both by phone and by email to resolve any urgent issues, including security vulnerabilities. Bandwidth is the VoIP vendor for Rently's phone service. During the industry-wide DDoS attack against VoIP providers in September 2021, Bandwidth worked 24×7 to resolve disruptions to the service, minimizing downtime and eventually restoring service within hours.

Summary

With the exponential growth in connected devices, each device in a Rently Smart Home environment performs critical operations that require reliable response to commands, sensing of the surrounding environment, and security. With Smart Home devices, an organization is challenged with managing, monitoring, and securing business-essential operations and connections from dispersed devices. Rently offers a suite of Smart Home services with end-to-end security, including services to operate and secure devices, software, gateways, platforms, and mobile applications, as well as the commands and data traversing these layers. Rently's integrated services, spanning hardware, software, cloud services, and mobile apps, simplify the secure use and management of devices and operations that continually interact with each other, allowing organizations to benefit from the innovation and efficiencies Smart Home can offer while keeping security a priority.
