
Device Security

The miro Edge gateway is designed in compliance with the Radio Equipment Directive Delegated Act (RED DA), which defines cybersecurity requirements for radio equipment placed on the EU market.

Security overview

A detailed security architecture overview will be provided in a future revision of this document.

Default Credentials

The device ships with a unique default password printed on the device label. This password is individual to each unit.

Change the password on first access

You must change the default password immediately after first login. Using the factory default password in a production environment is a security risk. See Password Management below.

Password Management

The web interface password can be changed in the Accounts section of Cockpit. Choose a strong, unique password and store it securely.

Console Access

Console access is available through Cockpit and qbee.io on standard devices. No local hardware console (serial or physical terminal) is exposed.

Large-scale deployments

For large-scale projects, we strongly recommend contacting us for a project-specific configuration that disables console access entirely.

SSH Access

SSH access is disabled by default to reduce the attack surface of the device. It should only be enabled when needed and disabled again when no longer required. SSH keys can be managed in Management – SSH.

Password-based SSH login is not possible. Only public key authentication is accepted. Add your SSH public key in the Management page before starting the SSH service.
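To confirm the key-only behaviour described above once SSH has been enabled, the effective server settings can be audited. The script below is an added example, not code from the vendor. It assumes the device runs OpenSSH `sshd` and that `sshd -T` can be run as root; the function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): check effective sshd settings for key-only login.
# On a host running OpenSSH (an assumption here): sshd -T | audit_sshd_keyonly

audit_sshd_keyonly() {
    awk '
    function expect(key, want, required) {
        if (!(key in seen)) {
            if (required) { printf "FAIL %s missing from input\n", key; bad = 1 }
            return
        }
        if (seen[key] != want) {
            printf "FAIL %s=%s (expected %s)\n", key, seen[key], want; bad = 1
        } else {
            printf "ok   %s=%s\n", key, want
        }
    }
    NF >= 2 { seen[tolower($1)] = tolower($2) }
    END {
        bad = 0
        expect("pubkeyauthentication", "yes", 1)
        expect("passwordauthentication", "no", 1)
        expect("permitemptypasswords", "no", 0)
        # Keyboard-interactive can front a PAM password prompt; the keyword
        # name depends on the OpenSSH version, so accept either spelling.
        expect("kbdinteractiveauthentication", "no", 0)
        expect("challengeresponseauthentication", "no", 0)
        if (!("kbdinteractiveauthentication" in seen) && !("challengeresponseauthentication" in seen)) {
            print "FAIL no keyboard-interactive setting in input"; bad = 1
        }
        exit bad
    }'
}

# Constructed sample inputs in `sshd -T` format (not captured from a real device).
SAMPLE_KEYONLY='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

SAMPLE_WEAK='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no'

# Demo: the first sample passes, the second is rejected.
printf '%s\n' "$SAMPLE_KEYONLY" | audit_sshd_keyonly
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_keyonly || echo "weak sample rejected"
```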

Firmware Integrity

Firmware updates are delivered as RAUC bundles (.raucb). Each bundle is cryptographically signed, and the device verifies the signature before installing. Unsigned or tampered bundles are rejected.

RAUC uses A/B partitioning: the new firmware is written to the inactive partition while the running system remains untouched. If the updated system fails to boot correctly, RAUC automatically rolls back to the previously working partition.

This mechanism ensures that a failed or interrupted update cannot leave the device in an unbootable state.

TPM and Device Identity

Remote Management

Remote management is provided by the qbee.io agent. qbee establishes an outbound encrypted tunnel from the device to the qbee cloud infrastructure. No inbound ports need to be opened on the network firewall.

Device registration is performed by a one-time bootstrap using an API key from your qbee.io account (see Management – Remote Management). Once registered, the device can be accessed and managed remotely through the qbee portal without requiring VPN or port forwarding.

The agent communicates exclusively over encrypted channels. Remote sessions and file transfers are authenticated through the qbee platform.