1. Introduction
This policy outlines the security considerations and procedures for deploying AirGradient air quality monitors (specifically models like the AirGradient ONE (I-9PSL) and AirGradient Open Air (O-1PST)) within school or enterprise networks. AirGradient monitors are already deployed in large enterprises, government offices, embassies, schools, and universities, providing valuable environmental data. However, careful integration is required to maintain network security and data integrity.
2. Device Overview
AirGradient monitors are open-source hardware devices that measure various air quality parameters. Importantly, they do not contain microphones or cameras. The open-source nature of both the hardware and firmware allows for independent auditing and verification of their functionality and security.
3. Network Security
- Dedicated Network: AirGradient monitors should be deployed on a dedicated and isolated WiFi network, separate from the primary corporate or school network. This network should have its own SSID and password, distinct from any other network.
- Network Segmentation: This separate WiFi network should be logically isolated from the main network. Firewall rules should block all traffic from the AirGradient network to the primary network and to the wider internet, except for explicitly allowed outbound traffic to the IP address 128.140.49.53.
- Strong Passwords: Use strong, unique passwords for the dedicated WiFi network and for administrative access to the network infrastructure.
- Disable Unnecessary Services: Disable any unnecessary services or protocols (e.g., telnet) on the dedicated WiFi network.
- Regular Security Updates: Keep the firmware of the access points and any other network devices on the dedicated network updated with the latest security patches.
4. Data Transmission
- Secure Protocols: Data transmission from the AirGradient monitors can utilize secure protocols such as HTTPS.
- Authorized Destination: All AirGradient monitors will send data exclusively to the IP address 128.140.49.53. Firewall rules should explicitly define this as the only allowed outbound destination.
5. Firmware Security
- Firmware Updates: The firmware on the AirGradient monitors is updated automatically over the air, so devices stay on the latest version. Pin the firmware to a specific version only if really needed. Ensure that the firewall rules do not block over-the-air updates.
6. Device Management
- Inventory Management: Maintain a detailed inventory of all deployed AirGradient monitors, including their MAC addresses, location, and firmware versions.
- Decommissioning Process: Establish a secure process for decommissioning and removing monitors from the network when they are no longer needed.
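The following is an added example, not AirGradient's own code, of auditing firewall flow records from the dedicated network against the rules in sections 3, 4 and 6: it flags allowed traffic to any destination other than 128.140.49.53, denied traffic to that address, and devices missing from the inventory. The CSV layout, MAC addresses and inventory entries are constructed assumptions; only the IP address comes from this policy.

```python
import csv
import io
import ipaddress

AUTHORIZED_DST = ipaddress.ip_address("128.140.49.53")  # from the policy

# Assumption: inventory (section 6) keyed by MAC; entries are constructed.
INVENTORY = {
    "02:00:00:00:00:01": "Room 101",
    "02:00:00:00:00:02": "Library",
}

# Constructed flow records in a hypothetical CSV export format.
SAMPLE_FLOWS = """\
src_mac,dst_ip,dst_port,action
02:00:00:00:00:01,128.140.49.53,443,allow
02:00:00:00:00:02,10.0.5.20,445,allow
02:00:00:00:00:02,128.140.49.53,443,deny
02:00:00:00:00:99,128.140.49.53,443,allow
02:00:00:00:00:01,8.8.8.8,53,deny
"""

def audit_flows(flow_csv, inventory=INVENTORY, authorized=AUTHORIZED_DST):
    """Return (record_no, src_mac, finding) tuples for policy violations."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(flow_csv)), start=1):
        mac = row["src_mac"].strip().lower()
        action = row["action"].strip().lower()
        try:
            dst = ipaddress.ip_address(row["dst_ip"].strip())
        except ValueError:
            findings.append((n, mac, "unparseable destination"))
            continue
        if mac not in inventory:
            # Unknown hardware on the dedicated network.
            findings.append((n, mac, "device not in inventory"))
        if dst != authorized and action == "allow":
            # The egress allowlist has a gap.
            findings.append((n, mac, f"allowed flow to unauthorized {dst}"))
        elif dst == authorized and action == "deny":
            # The one permitted destination is unreachable.
            findings.append((n, mac, "authorized destination is being blocked"))
    return findings

if __name__ == "__main__":
    for record_no, mac, finding in audit_flows(SAMPLE_FLOWS):
        print(f"record {record_no}: {mac}: {finding}")
```

Denied flows to other destinations, such as the last sample record, produce no finding because the firewall handled them as the policy requires.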
7. Disclaimer
This policy provides general guidelines for securing the deployment of AirGradient monitors. Specific implementation details may vary depending on the network environment and security requirements. It is essential to conduct a thorough risk assessment and tailor the security measures accordingly.
AirGradient provides no warranty or guarantee regarding the effectiveness of this policy in preventing security breaches. The responsibility for implementing and maintaining the security of the deployed AirGradient monitors rests solely with the deploying organization.