Assessing Security

Security has become the major focus of the Internet of Things (IoT) and the IoT networking protocols in particular. In this space we have a narrow league of standard protocols (Bluetooth mesh, Zigbee, Thread, LoRa) and still a long tail of proprietary options. E.G., many of the proprietary protocols use standard radios, such as 802.15.4 or Bluetooth LE. In particular there are a number of "mesh" systems running on top of Bluetooth LE. They had been developed before the official Bluetooth Mesh Specifications were adopted and there are still multiple brands / products using them.

The key challenge with proprietary protocols is assessing how secure they are. Well, I should say, they are NOT secure, unless proven otherwise.

There is no other way to assess security of any system / design other than an independent review. Regardless of what the vendors claim, unless the protocol is truly open and the specification is publicly available, you should stay away from it, security - wise.

Design of a secure system is very complex and it is very likely that any initial design will be flawed. The only way to make sure the design is right in the end is a broad review process, involving multiple security experts. And then when the reviewed design is finalized, the only way to reassure it is right is to have independent researchers analyzing it.

The above process is just not possible to apply for vendor - specific, closed designs. While they may continue to enjoy their closed security-by-obscurity status, it is only a matter of time until somebody has enough incentive to break them.

TL;DR An open protocol specification is a prerequisite to considering the protocol secure. If it is not open, and you care about security, you should never consider using it. As simple as that.