I’ve had several folks ask me about the security of Purple Air wifi connections lately. There is some info on the community pages, but I still don’t know how to answer the following.
It would be very helpful to better understand how secure the wifi is as we are a nonprofit and set these up regularly at people’s houses.
This is the info to the best of my knowledge. The PA folks will have more details.
What information does the device collect from a wifi network?
Nothing more than any other WiFi station does – SSID, password for configuration (don’t think these are sent outside the device); sends the signal strength to the cloud so it shows up on the map.
What outside servers does it communicate with?
From the top of my head, it communicates with:
I haven’t analyzed the traffic from mine in a while.
This is some of the info. I received from Purple Air
It is possible to see the password transmitted when sent to the sensor. After this, the password is stored in the sensor and is not accessible from the device’s setup network. The password is also never sent to PurpleAir.
If a user wants to use a separate password with their sensor, a different WiFi network will need to be created. This is what we recommend if cyber security concerns are particularly high. A common method is to set up a guest network, with details differing on the router used.
Please let us know if you still have questions or would like further clarification. We’re happy to assist in any way we can.
(Josh) contact@purpleair.com
Hello,
You can find all hostnames that PurpleAir devices communicate with here: Q: What hostnames and ports do PurpleAir sensors use?
In relation to your first question, PurpleAir devices do not collect any information from connected WiFi networks. When a location check is performed, it will scan for nearby SSIDs to send to Google’s Geolocation API.
Please let us know if you have further questions.
These devices are quite secure when operating correctly, I think the biggest vulnerability is an attacker compromising the server infrastructure and pushing code out to the devices to do malicious things. Someone mentioned using “guest” networks which is a great idea in most cases. You just need to do a little research and determine what “guest” means to that particular router manufacturer. In some cases it just means a second SSID with a separate password so you don’t share your primary password (bad). On others it tunnels all traffic to the internet and the guest can’t interact at all with anything else on the network (great). Or something in between. Keep in mind that this configuration can present some management challenges if you need to connect to the device via a browser, generally guest devices can’t see each other either.
I have worked to get all of my IOT devices on a separate network either a Guest network or a dedicated IOT wireless network. Some of the new Access Points have a way to add a separate 2.4 network since most of the IOT devices use this slower band.
The other suggestion I would look at using some sort of router that you can create groups in so you can put all of your IOT devices into a group, does not matter how they connect, which allows you to set strict rules. This is a more expensive way to do it but the link to Firewalla gives you a lot of flexibility.