The following are ways in which a WiFi IoT (Internet of Things) device can be provisioned to join a home network (access point/router) securely. Two scope notes:
- The network credentials (security mode and passphrase) must be protected while they travel from the user's phone or browser to the device; that is the problem every method below has to solve.
- Enterprise WiFi security (802.1X/EAP) is not covered here.
Micro-AP with WPA/WPA2 Security
The IoT device starts its own micro-AP (soft AP) in WPA2 mode, and a web or mobile application that associates with it provisions the device. WPA2 link encryption protects the credentials in transit, so what remains is how the user learns the micro-AP passphrase (typically printed on the device or its packaging) and how the application knows it has joined the right device rather than a look-alike AP nearby.
PIN Based Method (OPEN or Ad-hoc Mode AP)
The IoT device has a manufacturing PIN printed on it. After associating with the device's open micro-AP, the user enters this PIN in the web/mobile application. Both sides derive a common shared symmetric key from the PIN, and the application uses it to encrypt the credentials for the network the user picks from the scan list the device presents. Because the AP is open, everything else in the exchange is visible to anyone in range, so the security rests entirely on the PIN: a short numeric PIN has little entropy, and an eavesdropper who captures the encrypted credentials can try every PIN offline unless the key derivation is salted and deliberately slow, or, better, the PIN is used in a PAKE rather than as raw key material.
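The exchange described above, worked through as an added example (this is illustrative code, not any vendor's provisioning protocol): the device sends its scan list and a random salt over the open micro-AP, the app derives the shared key from the PIN with PBKDF2, encrypts the credentials (encrypt-then-MAC, using an HMAC-SHA256 counter-mode keystream as a stdlib-only stand-in for AES-CTR), and the device derives the same key and decrypts. The last function plays the eavesdropper and shows the failure mode: with only the captured salt and ciphertext it recovers the PIN and the credentials by brute force. The PIN length, iteration count and the network names are assumptions chosen so the demo runs in seconds.

```python
import hashlib
import hmac
import json
import os

# Parameters of the illustrative scheme (assumptions, not from any vendor spec).
PBKDF2_ITERATIONS = 100     # deliberately low so the brute-force demo below runs in seconds
PIN_DIGITS = 4              # demo PIN length; real devices often print 8-digit PINs


def derive_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte shared key from the printed PIN and the device's per-session salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_credentials(key: bytes, credentials: dict) -> dict:
    """Encrypt-then-MAC: stream-encrypt the JSON credentials, then tag nonce||ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(12)
    plaintext = json.dumps(credentials).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_credentials(key: bytes, message: dict):
    """Return the credentials dict, or None if the tag does not verify (wrong PIN or tampering)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = message["nonce"], message["ciphertext"], message["tag"]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def provisioning_exchange(pin: str, credentials: dict):
    """Run both sides of the exchange over the open micro-AP.
    Returns (what the device decrypted, what a sniffer in range captured)."""
    salt = os.urandom(16)                       # device -> app, in the clear
    scan_list = ["HomeNet", "Neighbour-5G"]     # device -> app, in the clear (constructed sample)
    app_key = derive_key(pin, salt)             # app: user typed the printed PIN
    message = encrypt_credentials(app_key, credentials)   # app -> device, seen by the sniffer
    device_key = derive_key(pin, salt)          # device: knows its own PIN
    recovered = decrypt_credentials(device_key, message)
    captured = {"salt": salt, "scan_list": scan_list, **message}
    return recovered, captured


def brute_force_pin(captured: dict):
    """Offline attack on the captured exchange: try every PIN until the MAC tag verifies.
    Shows why a PIN-derived key is only as strong as the PIN itself."""
    for candidate in range(10 ** PIN_DIGITS):
        pin = f"{candidate:0{PIN_DIGITS}d}"
        creds = decrypt_credentials(derive_key(pin, captured["salt"]), captured)
        if creds is not None:
            return pin, creds
    return None, None


if __name__ == "__main__":
    got, seen = provisioning_exchange("7391", {"ssid": "HomeNet", "psk": "correct horse battery"})
    print("device decrypted:", got)
    print("sniffer recovered:", brute_force_pin(seen))
```

Raising the iteration count slows the attacker by the same factor as the legitimate device, which is why a PIN-derived key is better replaced by a PAKE, where an eavesdropper learns nothing that can be checked offline.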
HTTPS Server on Device (OPEN or Ad-hoc Mode AP)
The IoT device starts an HTTPS server (port 443) with a self-signed certificate (an OEM can replace it with a properly issued one), and the web/mobile application, after associating with the device's open micro-AP, provisions it from the scan list. TLS protects the session only if the client actually verifies the server certificate: a self-signed certificate that the application accepts blindly gives confidentiality against a passive sniffer but not against an active attacker on the open AP who presents a certificate of their own. The application should therefore pin the device's certificate or its fingerprint (or the OEM's issuing CA), and a plain browser will show a warning for a self-signed certificate unless it has been installed as trusted.
WPS (Wi-Fi Protected Setup)
WPS push-button or PIN method to associate the device directly with the home router, and thereby the WiFi network, without the user ever typing the passphrase. The push-button method opens a short window during which any station in range can join; the PIN method is known to be brute-forceable because the router confirms each half of the 8-digit PIN separately, which is the WPS weakness referred to below.
IoT Device Sniffer Mode
The device, before it has joined any network, listens on the wireless channel in promiscuous mode while a mobile client already on the home network sends multicast/broadcast packets whose lengths or timing patterns encode the credentials; a custom protocol on the device decodes them. Example: TI's SmartConfig. Since the encoding is the only thing between the credentials and anyone else sniffing the channel, such protocols need an additional pre-shared key layered on top to give confidentiality.
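A simplified model of the sniffer-mode class, added here as an example (it is not TI's SmartConfig wire format, whose details are not on this page): the phone sends packets whose sizes carry the credential bytes, and a decoder that sees only (source MAC, frame length) pairs recovers them, ignoring other stations' traffic and rejecting captures where a frame was lost. The constants and the sample capture are assumptions constructed for the demo. Note that the decoder is the same whether it runs on the IoT device or on an eavesdropper's laptop.

```python
BASE_LEN = 100                 # frame length that encodes byte value 0; bytes map to 100..355
PREAMBLE = [40, 60, 40, 60]    # distinctive length pattern (below BASE_LEN) marking a message start


def encode_credentials(ssid: str, psk: str) -> list:
    """Phone side: turn SSID and passphrase into the sequence of packet lengths to transmit."""
    payload = ssid.encode() + b"\x00" + psk.encode()
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    checksum = sum(payload) % 256
    return (PREAMBLE + [BASE_LEN + len(payload)]
            + [BASE_LEN + b for b in payload] + [BASE_LEN + checksum])


def decode_from_capture(frames: list):
    """Device (or eavesdropper) side: frames are (source MAC, frame length) pairs as observed on
    the channel, with other stations' traffic interleaved. Returns (ssid, psk) or None."""
    by_source = {}
    for src, length in frames:
        by_source.setdefault(src, []).append(length)
    for lengths in by_source.values():
        for start in range(len(lengths) - len(PREAMBLE)):
            if lengths[start:start + len(PREAMBLE)] != PREAMBLE:
                continue
            pos = start + len(PREAMBLE)
            n = lengths[pos] - BASE_LEN                  # payload byte count
            body = lengths[pos + 1:pos + 2 + n]          # n payload lengths plus the checksum length
            if n < 0 or len(body) != n + 1 or not all(BASE_LEN <= l <= BASE_LEN + 255 for l in body):
                continue                                 # truncated capture or a false preamble match
            payload = bytes(l - BASE_LEN for l in body[:n])
            if sum(payload) % 256 != body[n] - BASE_LEN:
                continue                                 # a frame was missed or corrupted; keep looking
            ssid, _, psk = payload.partition(b"\x00")
            return ssid.decode(), psk.decode()
    return None


def sample_capture() -> list:
    """Constructed capture: the phone's encoded packets interleaved with unrelated traffic."""
    phone = [("phone-mac", l) for l in encode_credentials("HomeNet", "secret123")]
    noise = [("laptop-mac", 1514), ("tv-mac", 60), ("laptop-mac", 40)]
    frames = []
    for i, frame in enumerate(phone):
        frames.append(frame)
        if i % 3 == 0:                                   # sprinkle other stations' frames in between
            frames.append(noise[i % len(noise)])
    return frames


if __name__ == "__main__":
    print(decode_from_capture(sample_capture()))
```

Because the decoder needs nothing but frame lengths, the only way to keep the passphrase from every other sniffer on the channel is to encrypt the payload bytes with a key the app and device already share before they are mapped to lengths.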
Apple Wireless Accessory Configuration (WAC)
Apple's proprietary protocol, available to MFi licensees only; it requires an additional Apple authentication coprocessor chip in the device.
Criteria for comparing the methods above:
- Simultaneous provisioning of multiple devices
- Mobile and/or client connectivity with the home network during provisioning (does the phone have to leave its network to join the device's micro-AP?)
- Ease of use for the end user
- Security (authenticity + privacy), bearing in mind known vulnerabilities such as those in WPS
Reference: TI’s White Paper