As we have been getting a lot of enquiries around security issues, we are writing to explain to you that Sesame truly uses the safest system that is commercially available. It is safer than most, if not all, systems that are used by other similar products on the market, and is absolutely not less secure than any.
First of all, we use standard encryption and message authentication to secure our communication, especially for the network traffic over the Internet. Our communication use strict TLS 1.2 with ECDHE-RSA, AES256GCM for end-to-end encryption and peer authentication. Compared to DHE, which uses the same algorithm, ECDHE incorporates the ecliptic curve for generator, bringing down the computation cost. At the same time, AES is the only proven safe security system by NIST, with 256 being the largest key size available. The combination makes our system the safest possible. Since we use end-to-end encryption, hacking the Wi-Fi or Bluetooth alone does not grant access to the system. Moreover, the system requires validation of certificate every time. That means our communication is resilient against not only active attacks, like MITM, but also passive attacks, like eavesdropping. As for the Bluetooth connection, we use the BLE standard (AES-CCM) encryption.
Second, we do our best to secure the server using all possible measures. Even if somebody breaks into the server using 0-day vulnerabilities, it’s not possible to open or manipulate the Sesame devices through it. For Sesame, the server is for the sole purpose of backing up data and relaying the communication between the App on your device and the platform. It does not generate commands to individual Sesame. Only through your account, can commands be sent to your specific Sesame. No one, including employees of Candy House Inc, would be able to control any Sesame through modifying the server.
With the combination of the security pathways and the setup of our server, Sesame won’t be compromised at all time. We hope this will clear your concerns. Please feel free to let us know if you have additional concerns.