Device Cloud Introduction

Device Cloud Features

The Particle Device Cloud provides a secure, data-efficient way for your Particle devices to communicate.

Secure

The Device Cloud uses mutual authentication with RSA public-private key pairs to make sure your device is your device and not an impersonator, and that the Particle cloud is the real Particle cloud and not a man-in-the-middle impostor. Thus both sides can be sure the other is who they say they are.

The initial handshaking process creates an encrypted session using DTLS over UDP (datagram TLS) on cellular and Gen 3 devices, or AES over TCP on the Photon and P1. This assures that your data cannot be monitored or tampered with in transit.

The Particle cloud connection uses the CoAP (constrained application protocol) over DTLS or AES. All features like publish, subscribe, functions, variables, and OTA firmware updates occur over a single CoAP connection.

On all devices there are no listening ports enabled for other services, making the devices hard to attack directly.

Furthermore, on cellular devices, the cellular network prevents all inbound connections from the Internet, except for the cloud connection we establish from the device. The cellular network also isolates devices from each other, so you cannot attack a cellular device from another cellular device.

By making all connections from the device to the cloud, devices on Wi-Fi networks can be used without having to make any custom port forwarding or firewall changes in most cases.

Since there is very little exposed surface for attackers, we have not had a required Device OS upgrade for security reasons. (We did provide an optional upgrade for the Wi-Fi KRACK attack, however even if the WPA2 encryption is broken, the device cloud connection is not affected because it's encrypted again using AES.) While we recommend using the current version of Device OS, even using version 0.5.3 from September 2016 is not a security risk.

Data-Efficient

In order to conserve cellular data, the Particle Cloud DTLS connections can be resumed. This allows a device to reconnect to the cloud using less than 200 bytes of data, vs. up to 5K of data for a full handshake.

Using CoAP over DTLS with session resume allows the cloud connection to be resumed very efficiently, unlike some other protocols like MQTT over TLS/SSL that require a full 5K TLS handshake on reconnection.

Using features like Particle Publish allows data to be sent to external servers using as little as 150 to 200 bytes of data. Establishing a TLS/SSL connection to an external server directly from a device could use 5000 bytes of data for each piece of data sent when including the TLS/SSL handshake. This is possible because the TLS/SSL authentication is done off-device using webhooks or the server-sent-events stream.

Communication Features

Particle.publish

Particle.publish allows an event to be sent from a device to the cloud, from the cloud to a device, or between devices.

When sent from the device to the cloud, publish can be used to send things like sensor data and trigger events on the cloud. Once in the cloud, the event can trigger a webhook that makes a connection to an external service or web server efficiently.

Particle.variable

Particle.variable allows the cloud to query a value from the device.

  • For a publish, every time you publish, the data is sent up to the cloud.
  • For a variable, the current value is stored on the device, and is only sent when requested.

Depending on your situation, one or the other may be more efficient. Also note:

  • If you are querying a value from a large number of devices, it's almost always more efficient to use publish as you can hit the API rate limits if you need to make a variable retrieval to hundreds or thousands of devices.
  • Variables cannot be queried if the device is offline, including in sleep mode. For those applications, you'll want to publish a value before sleep instead.

Particle.subscribe

Particle.subscribe allows a device to listen for an event from another device or the cloud.

Subscribing to private events is secure, as only devices in your account can send these events. Also, subscribe works across all connection types such as Wi-Fi and cellular, and does not require any firewall modifications for Wi-Fi networks in most cases.

Particle.function

Particle.function allows the cloud to send a request to a single device. This is handy if you want to control a device from the cloud side.

There is no ability for devices to send function calls to other devices; publish and subscribe should be used instead.

OTA Firmware Updates

Updating your device firmware and Device OS can be done securely over the Particle cloud connection that's used for the other device cloud features.

Wi-Fi Support

Feature Gen 2 Gen 3
Devices Photon & P1 Argon
Particle mobile app supported
Mobile SDK for white-label setup apps  
USB configuration
BLE configuration  
Soft AP (configuration over Wi-Fi)  
Static IP address support  
WPA2 Enterprise support  

WPA2 Enterprise

WPA2 Enterprise is a variation of Wi-Fi sometimes used in corporate and educational environments. It's sometimes referred to as WPA Enterprise, and mentions of 802.1X, RADIUS, or eduroam indicate that WPA2 Enterprise is being used.

To configure a Photon or P1 using WPA2 Enterprise, follow the WPA2 Enterprise Setup Instructions. Of note:

  • Setup can only be done over USB using the Particle CLI (no mobile app support).
  • Requires Device OS 0.7.0 for WPA2 Enterprise Support.
  • Device OS 1.5.4-rc.1 or 2.0.x or later is required if concatenated certificates (intermediate certificates) are required.
  • Only one set of WPA2 Enterprise Wi-Fi credentials can be stored.
  • The Argon does not have WPA2 Enterprise support.

There are a variety of encryption protocols for WPA2 Enterprise, however only the following are supported on the Photon and P1:

  • EAP-TLS (certificate-based)
  • PEAPv0/EAP-MSCHAPv2 (username/password challenge/response)

Parameter              Options
Certificate type       RSA certificates only
Certificate signature  SHA-1, SHA-256, SHA-384, or SHA-512 only
Key schemes            RSA and DH RSA only
Ciphers                AES-128-CBC only
MAC                    SHA-1 and SHA-256 only
TLS versions           TLS 1.0 and TLS 1.1 only

Support has been tested with Microsoft NPS, Cisco Secure ACS, and Cisco ISE. FreeRADIUS implementations have been tested with Ubiquiti, Cisco, and Aruba access points. Eduroam sometimes works, however it is dependent on the university's WPA2 Enterprise configuration; some use settings that do not correspond to the requirements above.
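Because a RADIUS server whose TLS policy is stricter than the table above will simply reject the Photon's EAP handshake, it helps to check the server's settings against those constraints before deploying. The following is an added example, not Particle code or a supported tool: it parses IANA-style cipher-suite names and evaluates a server description against the table. The server descriptions are constructed, not real NPS or FreeRADIUS exports, and reading the page's "RSA and DH RSA" as the RSA, DH_RSA and DHE_RSA key exchanges is this example's assumption.

```python
"""Compatibility check of an EAP server's TLS settings against the Photon/P1
WPA2 Enterprise constraints listed on this page.

Added example, not Particle code. Cipher-suite names follow the IANA TLS
registry; the server descriptions at the bottom are constructed, not real
NPS/FreeRADIUS output.
"""
import re

SUPPORTED = {
    "key_exchange": {"RSA", "DH_RSA", "DHE_RSA"},   # page: "RSA and DH RSA only" (DHE_RSA assumed)
    "cipher": {"AES_128_CBC"},                        # page: "AES-128-CBC only"
    "mac": {"SHA", "SHA256"},                         # page: "SHA-1 and SHA-256 only"
    "tls_versions": {"1.0", "1.1"},                   # page: "TLS 1.0 and TLS 1.1 only"
    "cert_key_type": {"RSA"},                         # page: "RSA certificates only"
    "cert_sig_hash": {"SHA1", "SHA256", "SHA384", "SHA512"},
}

# TLS_<key exchange>_WITH_<bulk cipher>_<hash>; the trailing hash is the HMAC
# for CBC suites and the PRF hash for AEAD (GCM) suites, which fail the
# cipher check anyway.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


def parse_suite(name: str):
    """Split an IANA cipher-suite name into (key exchange, cipher, hash)."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return m.group("kx"), m.group("cipher"), m.group("mac")


def suite_is_usable(name: str) -> bool:
    """True if every component of the suite is in the supported sets."""
    kx, cipher, mac = parse_suite(name)
    return (kx in SUPPORTED["key_exchange"]
            and cipher in SUPPORTED["cipher"]
            and mac in SUPPORTED["mac"])


def check_server(cfg: dict):
    """Return (problems, usable_suites). An empty problem list means a
    Photon or P1 can complete EAP-TLS / PEAP against this server."""
    problems = []
    usable = [s for s in cfg["cipher_suites"] if suite_is_usable(s)]
    if not usable:
        problems.append("no offered cipher suite combines RSA/DH-RSA key "
                        "exchange, AES-128-CBC and SHA-1/SHA-256")
    if not set(cfg["tls_versions"]) & SUPPORTED["tls_versions"]:
        problems.append("server does not allow TLS 1.0 or 1.1")
    if cfg["cert_key_type"] not in SUPPORTED["cert_key_type"]:
        problems.append(f"server certificate key is {cfg['cert_key_type']}, not RSA")
    if cfg["cert_sig_hash"] not in SUPPORTED["cert_sig_hash"]:
        problems.append(f"certificate signature hash {cfg['cert_sig_hash']} is not supported")
    return problems, usable


# Constructed server descriptions (not real exported configurations).
LEGACY_PROFILE = {
    "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "tls_versions": ["1.0", "1.1", "1.2"],
    "cert_key_type": "RSA",
    "cert_sig_hash": "SHA256",
}
HARDENED_PROFILE = {
    "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "tls_versions": ["1.2"],
    "cert_key_type": "EC",
    "cert_sig_hash": "SHA256",
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_PROFILE), ("hardened", HARDENED_PROFILE)):
        problems, usable = check_server(cfg)
        print(f"{label}: {'compatible' if not problems else 'NOT compatible'}")
        for p in problems:
            print("  -", p)
```

The "hardened" profile is the typical shape of a server that has been locked down to TLS 1.2 with ECDHE/GCM suites and an EC certificate; every one of those choices is outside the table, which is the usual reason an otherwise working eduroam or corporate network rejects a Photon. A practical deployment keeps such a server's main policy intact and dedicates a separate RADIUS server or connection request policy, with an RSA certificate and the CBC suites, to the device VLAN.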

Special Wi-Fi Considerations

The following features are not supported:

  • 5 GHz is not supported.
  • Captive portals (where you are redirected to a web page to agree to terms of service or enter an authorization code) are not supported. This is common in hotels and corporate public networks.
  • Wi-Fi networks that are 802.11n only (do not also support 802.11b or g) are not supported on the Photon and P1.
  • Special configuration steps are necessary to set up a Photon or P1 with WEP encryption. It is possible, but difficult, to set up and is not recommended as WEP is also not secure.
  • Networks without a DHCP server are not supported on the Argon as there is no static IP address support.
  • IPv6 is not supported.

Cloud Services and Firewalls

The IP addresses used by the Particle cloud are subject to change without notice. Use the information here as a last resort if you have a network that restricts traffic and are unable to allow-list traffic by using techniques such as MAC address allow-lists.

Gen 3 and Gen 2 Cellular

Gen 3 devices (Argon, Boron, B Series, Tracker SoM) and Gen 2 cellular devices (Electron, E Series) all use UDP port 5684, outbound.

While you rarely need to worry about this for cellular devices, for the Argon (Wi-Fi), if you are connecting from a network with a restrictive network firewall, the devices will connect to one of these IP addresses, port 5684, outbound. As with most UDP-based protocols (such as DNS), your firewall generally creates a temporary state entry to allow packets back to the device without requiring a permanent port forwarding rule. The amount of time this entry remains active ranges from seconds to hours, and you may need to use Particle.keepAlive() to keep the cloud connection active.

IP addresses (UDP port 5684, outbound; five addresses per row):
3.85.71.8 3.210.194.186 3.215.122.234 3.221.51.74 3.222.22.246
3.222.253.60 3.223.76.106 3.224.151.208 3.225.113.205 3.227.163.177
3.228.117.244 3.229.60.237 3.229.224.193 18.214.12.187 34.194.48.89
34.233.0.183 50.16.101.66 52.20.217.163 52.22.68.60 52.44.229.226
52.70.88.102 52.70.247.238 54.81.159.250 54.82.141.176 54.86.198.203
54.87.6.11 54.89.110.189 54.156.243.78 54.226.52.22 100.25.253.74

Gen 2 and Gen 1 Wi-Fi

The Photon, P1, and Spark Core connect to TCP Port 5683 (CoAP), outbound.

If you are connecting from a restrictive network that does not allow outbound TCP access on Port 5683, you may need to allow-list these IP addresses or allow access based on the device's MAC address.

IP addresses (TCP port 5683, outbound; five addresses per row):
3.92.116.83 3.214.233.135 3.216.239.14 3.225.178.96 3.226.200.156
3.228.52.152 3.229.48.190 3.230.53.201 3.230.94.67 18.207.91.87
18.215.131.110 23.23.9.20 34.195.89.106 34.233.110.230 35.171.39.5
52.1.233.8 52.2.199.5 54.86.95.155 54.89.85.128 54.208.229.4
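Since all device traffic is outbound to a small set of address/port pairs, the two lists above make a tight egress policy and a simple detection rule: a flow on the cloud ports to any other address, or any inbound connection to a device on those ports, is worth a look. The following is an added example, not Particle tooling: it checks constructed flow records against a subset of the addresses copied from the tables above and emits the matching nftables allow rules. The flow-record format, the device subnet and the sample records are all constructed for this example, and because the published addresses change without notice the address sets must be refreshed from this page rather than hard-coded for good.

```python
"""Egress allow-list check for Particle device-cloud traffic.

Added example, not Particle's own tooling. Port numbers and the addresses
below come from the page; the flow-record format, device subnet and sample
records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the published cloud addresses (copied from the page). The full
# list is subject to change, so refresh it rather than treating it as fixed.
GEN3_CELLULAR_UDP_5684 = {
    "3.85.71.8", "3.210.194.186", "3.215.122.234", "3.221.51.74", "3.222.22.246",
}
GEN2_WIFI_TCP_5683 = {
    "3.92.116.83", "3.214.233.135", "3.216.239.14", "3.225.178.96", "3.226.200.156",
}
ALLOWED = {("udp", 5684): GEN3_CELLULAR_UDP_5684, ("tcp", 5683): GEN2_WIFI_TCP_5683}
CLOUD_PORTS = {5683, 5684}


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'PROTO src:sport -> dst:dport' record."""
    proto, rest = line.split(maxsplit=1)
    src, dst = [part.strip() for part in rest.split("->")]
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), shost, int(sport), dhost, int(dport))


def classify(flow: Flow, device_net: ipaddress.IPv4Network) -> str:
    """Return 'ok' or a short reason the flow deserves attention."""
    src_local = ipaddress.ip_address(flow.src) in device_net
    dst_local = ipaddress.ip_address(flow.dst) in device_net
    if dst_local and flow.dport in CLOUD_PORTS:
        # Devices only ever dial out; an inbound CoAP/DTLS connection is unexpected.
        return "inbound-to-device"
    if src_local and (flow.proto, flow.dport) in ALLOWED:
        if flow.dst in ALLOWED[(flow.proto, flow.dport)]:
            return "ok"
        return "cloud-port-to-unknown-ip"
    if src_local and flow.dport in CLOUD_PORTS:
        return "wrong-transport"  # e.g. TCP to 5684 or UDP to 5683
    return "ok"


def review(lines, device_cidr="192.168.10.0/24"):
    """Classify every record; the device subnet is a constructed assumption."""
    net = ipaddress.ip_network(device_cidr)
    return [(line, classify(parse_flow(line), net)) for line in lines]


def nft_allow_rules():
    """Emit nftables rule text allowing only the listed addresses per port."""
    rules = []
    for (proto, port), addrs in sorted(ALLOWED.items()):
        joined = ", ".join(sorted(addrs, key=ipaddress.ip_address))
        rules.append(f"{proto} dport {port} ip daddr {{ {joined} }} accept")
    return rules


SAMPLE_FLOWS = [  # constructed records
    "UDP 192.168.10.5:50123 -> 3.85.71.8:5684",
    "TCP 192.168.10.7:44001 -> 3.92.116.83:5683",
    "UDP 192.168.10.5:50124 -> 203.0.113.9:5684",
    "TCP 192.168.10.7:44002 -> 3.92.116.83:5684",
    "UDP 198.51.100.4:5684 -> 192.168.10.5:5684",
]

if __name__ == "__main__":
    for line, verdict in review(SAMPLE_FLOWS):
        print(f"{verdict:26} {line}")
    print("\n".join(nft_allow_rules()))
```

The generated rules belong in a chain whose policy is drop, after the state-tracking rule that admits established and related packets; that is what lets the DTLS replies return without any inbound rule, as the paragraph on temporary firewall state describes.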

Cloud API

The devices themselves do not access the Particle Cloud using the API port, but if you are using the Tinker mobile app over Wi-Fi, curl commands, node.js scripts, etc. from a computer on the Wi-Fi or LAN, and you have a restrictive outbound network connection policy, you may need to allow-list api.particle.io port 443 (TLS/SSL), outbound.

Other Services

Other common services include:

  • console.particle.io (device management)
  • docs.particle.io (documentation)
  • build.particle.io (Web IDE)
  • support.particle.io (support and knowledge base)

If you are using a network with restrictive outbound access policies, you may need to allow-list those DNS names for port 443 (TLS/SSL) outbound.