RoboKind Networking Requirements and Security Considerations

Requirements:

Recommended Internet speed of 5Mb/s or greater.
10/100 Ethernet or 2.4Ghz or 5Ghz band WiFi connection for robot. (RoboKind will supply external 5 Ghz WiFi adapters to organizations on request)
Tablets & Robots must be able to establish outbound connections on TCP port 443 to *.robokind.us (including downloads.robokind.us, auth.robokind.us, data.robokind.us, cdn-api.robokind.us, acapela-wrap.dev.robokind.us), and d23kggeguwanja.cloudfront.net.
Most schools/organizations have internet content filtering, and robokind.com and robokind.us need to be classified as approved sites (for example, placing them in a category of educational).
Organizational and individual spam filters should allow incoming e-mails from the @robokind.com domain (password reset tokens arrive from auto@robokind.com).

Unsupported Configurations:

WiFi networks with a captive portal (for example with guest or visitor networks that redirect to a page before connecting)
WiFi SSID’s that are hidden - These may work if the SSID is simply not being broadcasted, or it may be possible to replace this with the BSSID, however RoboKind would not be able to guarantee that these approaches would work.
WiFi networks using WEP security (not recommended/supported due to security vulnerabilities)
When using tethered WiFi connections on an iPad, it must not be in “Low Data” mode. https://support.apple.com/en-us/HT210596
Note that the WiFi adapters built into RoboKind R25 robots have MAC addresses that being with “2E”, even though we do not randomize the MAC addresses. If you are blocking MAC addresses in this range, please alert the team that they will need to use the 5 Ghz adapters from RoboKind.
Enterprise authentication certificate types of PKCS#12 and .cer are not supported. See Advanced Robot WiFi Networking Guide for details.

Some of these configurations may be possible, however given the wide diversity of networking configurations and known issues, RoboKind cannot provide technical support in these cases.

Security Information:

iPads and Web browsers running RoboKind robots4Autism curriculum do not require or use direct connections to the robot.

For maximum security, customers are encouraged to allow only approved network traffic to the robots.

See https://www.robokind.com/mobile-app-privacy-policy for more information.

Best practices include:

Configure organization firewalls to not allow incoming connection requests to the robot(s), and to allow only outgoing network sessions on TCP port 443 from the robots to downloads.robokind.us, auth.robokind.us, data.robokind.us, and cdn-api.robokind.us.
- If iPad’s/ tablets are also being installed in the same private network, then TCP port 443 traffic should also be open to d23kggeguwanja.cloudfront.net.
Options for enforcing firewall rules on robots may include:
- Using a hardwired ethernet connection for the robot, where the port is connected to a specified VLAN with the above security rules.
- A guest WiFi network without direct access to organization resources could be used for robot connections. (Note that guest WiFi networks with captive portals are not supported)
- Using wireless network controllers to specify that devices with the specified MAC address(es) should be assigned to a particular VLAN.
- Using wireless network setup with enterprise username/password authentication with a user account dedicated to the robot(s). (Recommend using a strong password which is shared only with individuals responsible for the connecting the robots to the network) Robots can be connected to the network using enterprise authentication using our https://robokind.atlassian.net/wiki/spaces/CSSD/pages/1171030061 and the robot's chest screen to enter authentication information, or if more than 10 robots need to be configured with the same settings, see our .
- Configuring a robot to authenticate using WPA2 Enterprise certificates on a USB drive. See our for details.

Advanced Support Needs:

Most organizations have incoming firewall ports blocked, meaning that RoboKind has no ability to connect to and support robots directly except as allowed by the organization.
In rare cases of advanced troubleshooting needs, RoboKind may request that a robot be connected to a network outside of the organizations network (like through a hotspot), or that firewall rules be temporarily adjusted to allow connections from the robot(s) to UDP port 1194 at cypress.robokind.us (72.249.182.162).

Legacy Applications:

The following two requirements apply to RoboKind STEM & RoboKind Controller standalone applications only.

For our STEM & RK Controller applications, RoboKind R25 Robot & iPad’s must be on the same WiFi SSID.
For our STEM & RK Controller applications, Port Isolation or AP isolation mode must be disabled on the network segment, otherwise this will prevent direct communication between the iPad’s and the robots.