
Cyber-security

Cybersecurity is the protection of data and system behaviour against threats such as hacking, phishing, and malware.
It ensures that sensitive information remains secure while digital services are in use.
Considering cybersecurity carefully is crucial because it helps prevent data or financial loss and ensures the safe and reliable operation of connected systems.

This page collects tips for increasing the security of the device.

Info

The default ('factory') configuration of the CANlink® wireless 4000 has all wireless interfaces disabled:

  • Wi-Fi
  • Bluetooth
  • BLE

This means that unless the configuration is specifically altered, the device cannot be reached over any wireless interface and accepts no unwanted wireless connections.

To connect to the device and enable any wireless interface, a connection over the CAN bus must be established.
See Connect over CAN bus.

Wi-Fi Password

Access Point

When configured as a Wi-Fi Access Point (AP), the CANlink® wireless 4000 accepts connections from one or more Wi-Fi Clients.
(More than one Client connection requires Multipoint/MultiTalk).

To avoid an insecure network, the AP must be configured:

  • with WPA2 enabled, and
  • with a 'complex' password

The password requirements mandate all of the following:

  • length between 24 and 63 characters (63 is the maximum passphrase length permitted by WPA2)
  • at least 1 lower-case letter
  • at least 1 upper-case letter
  • at least 1 digit (0-9)
  • at least 1 special character (! # &, etc.)
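The following Python is an added example, not code from the CANlink® wireless 4000 documentation or firmware. It checks a candidate AP password against the rules listed above and generates a compliant one with the cryptographically secure `secrets` module. Assumptions the page does not state: the set of accepted special characters is taken to be all printable ASCII punctuation (the page only lists "! # &, etc."), and the function names `check_ap_password` and `generate_ap_password` are the example's own.

```python
"""Added example (not part of the CANlink wireless 4000 documentation):
validate a WPA2 AP password against the documented rules and generate one.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 24, 63          # 63 is also the WPA2 passphrase maximum
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
# ASSUMPTION: the page lists "! # &, etc."; all printable ASCII punctuation is accepted here.
SPECIAL = set(string.punctuation)


def check_ap_password(password: str) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    chars = set(password)
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters, got {len(password)}")
    if any(not 32 <= ord(c) <= 126 for c in password):
        problems.append("only printable ASCII is allowed in a WPA2 passphrase")
    for name, cls in (("lower-case letter", LOWER), ("upper-case letter", UPPER),
                      ("digit", DIGITS), ("special character", SPECIAL)):
        if not chars & cls:
            problems.append(f"at least one {name} is required")
    return problems


def generate_ap_password(length: int = 32) -> str:
    """Generate a passphrase that satisfies every rule, using a CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    classes = [LOWER, UPPER, DIGITS, SPECIAL]
    # One character from each required class guarantees the class rules ...
    chars = [secrets.choice(sorted(cls)) for cls in classes]
    # ... and the remainder is drawn from the whole pool.
    pool = sorted(LOWER | UPPER | DIGITS | SPECIAL)
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    # Shuffle so the class-guaranteed characters do not sit at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert not check_ap_password(password)
    return password


if __name__ == "__main__":
    print(check_ap_password("password123"))        # several rules violated
    print(generate_ap_password())                  # a 32-character compliant key
```

Run the check before writing the key to 0x3000:0x05; a key that fails it leaves the AP reporting 0xDEADC0D1 (see the Tip below).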

Tip

If the AP does not accept Client connections, check 0x3001:0x0C [Error Code/ WiFi - Bluetooth]:

  • If the password was not valid when the AP was created, error code 0xDEADC0D1 is present.
  • If the AP was started with Open Authentication selected, error code 0xDEADC0DE is present.

Client Configuration

When configured as a Client, either form of connection may be used:

  • 0: Open authentication (None)
  • 7: WPA/WPA2 Mixed, using the password configured on the Server (AP).

Open authentication leaves the wireless link unencrypted, so CAN traffic crossing it can be read and injected by anyone in range; use 7 [WPA/WPA2 Mixed] wherever the AP supports it.

Bluetooth PIN

Warning

For security reasons, do not disable the PIN on the Server device.
If the PIN is disabled, any Bluetooth Client will be able to connect!

Disabling the PIN may be acceptable only when other measures ensure that no unauthorized person or device can come within connection range of the Server device, for example when the Server device is located in an area with physical access restrictions.

BLE Security

The BLE interface 0x3008:0x09 [BLE Enable] is disabled by default.
Additionally, the BLE WhiteList 0x3009:0x0B [BLE Whitelist - Enable] is enabled by default.

Warning

Disabling the BLE whitelist removes access control for incoming BLE connections. When the whitelist is disabled using 0x3009:0x0B [BLE Whitelist - Enable], any BLE central device can establish a connection. Disable the whitelist only if other measures ensure that unauthorized devices cannot reach the BLE connection range. This may be acceptable in environments with physical access restrictions, such as controlled or enclosed areas.

See BLE WhiteList for more details about BLE security.

Hide Wi-Fi SSID broadcast

When configured as a Wi-Fi Access Point (AP), the CANlink® wireless 4000 can disable broadcasting of the network SSID. Clients can still connect to this AP, but they must know the SSID beforehand.

Also, when configured as a Client device, it is possible to connect to an AP with a hidden SSID (if that SSID is known).

Warning

Hiding the Wi-Fi SSID is a weak form of security, known as "security through obscurity".
The SSID is still transmitted in clear text whenever a Client associates with the AP, and freely available tools can recover hidden SSIDs.

Hiding the SSID makes it less convenient for a naïve user to connect, but a determined user will be able to connect even when the SSID is 'hidden'.

Server Configuration

The device must first be configured as a Wi-Fi® Server (AP).

  1. Set 0x3000:0x1F [WiFi Hide SSID broadcast] to 1 (Enabled).

  2. A hidden SSID is only possible in a secured network; therefore set 0x3000:0x04 [WiFi Authentication Type] to 7 [WPA/WPA2 Mixed].

  3. As discussed in Wi-Fi Encryption, 0x3000:0x05 [WiFi Authentication Key] must be configured with a password that meets the requirements above.

The SSID is hidden from the next boot of the device onward, and remains hidden until the setting is disabled or a Factory Reset is performed; see also Reset Device.

Client Configuration

No specific Client configuration is needed to connect to an Access Point (AP) with a hidden SSID.
The Client will connect to the hidden Wi-Fi® SSID as long as:

  • the authentication 0x3000:0x04 [WiFi Authentication Type] is set to 7 [WPA/WPA2 Mixed], and
  • the correct SSID is in 0x3010:0x1A [Bluetooth SPP MAC Address 1], and
  • the password in 0x3000:0x05 [WiFi Authentication Key] matches the Server password.

Q & A

Q: Currently, Wi-Fi WPA/WPA2 mixed is in use. Is the transition to WPA3 being considered?

Not at this time.


Q: Can MAC address filtering be implemented to allow only one device connection at a time?

  • For Bluetooth connections, yes. The MAC address of the Server can be selected in the Client, so that only that device is connected to.
  • For Wi-Fi connections, not at this time.

Q: Filtering Mechanism: There is a CAN filtering mechanism available for CAN to wireless communication to reduce unnecessary traffic. Similarly, is CAN filtering from the wireless interface to the CAN bus supported?

No - all messages received over the wireless connection are forwarded by the CLW4000 to the CAN bus.
Traffic in this direction should already be limited to relevant data, to reduce bandwidth.


Q: Locking Device Configuration: Can device configuration settings be locked from access by a wireless connection, or the CAN bus?

No, almost all CANlink® wireless 4000 settings can be modified over CANopen by any connected peer; every connected device is considered trusted.
Consequently, anyone who can reach the CAN bus or an enabled wireless interface can also change the configuration, including the wireless authentication settings described above, so physical access control of the CAN bus and strong wireless authentication are the only protections for the configuration.


Q: Intrusion Detection: Is an intrusion detection system (IDS) implemented to monitor unauthorized access?

No. Every device that is already connected is considered trusted.