How to Securely Commission Your IoT Device

If you’re planning to grow your IoT business, you’ll eventually have to add new devices to your existing IoT project. This process is referred to as “commissioning” and, to be successful, you must get it right. Why? Well, if a new IoT device is introduced to a project without taking the necessary precautions, the security of that project could be significantly compromised. 

Hackers can take advantage of any vulnerabilities that can come up while commissioning, and get access to your project and its data. Open ports or data that are not encrypted can be exploited to get access to your network. Therefore, you need to take it seriously.

To help your business guarantee security when commissioning, we’ll go over some of the options for the secure commissioning of WiFi in IoT devices, how they work, and their pros and cons.

The Current Problem

When we’re looking to add a new IoT device to a project, we run into a problem.

When a new IoT system is introduced, it will be able to see all of the WiFi networks that are within reach. What’s more, for it to be able to connect to the correct network, it will need its SSID, or Service Network Identifier, and, of course, the network password.

However, if an IoT device does not have any Input/Output method, like a screen or a keyboard, how can you tell your device which WiFi network to use (identified by its SSID) and what password to use to connect?

Solution 1: Use a Temporary Open Network to Initialize the IoT Device

A WiFi module used for IoT devices can work as a client (station mode, STA) or as an Access Point. As a client, the WiFi module can work as a station (STA), and allow for computer communication utilizing the 802.11 protocol. As an access point, it allows other WiFi devices (clients) to connect to a wired network. Some advanced modules, like the ESP32, can even do both at the same time.

The idea is to leave the IoT device on “Open Mode” when it’s first turned on. This makes the new IoT device an Access Point without a password, working like “thermostat commissioning”. 

However, keep in mind that this will expose information like the vendor’s name and other data.

How Do You Do This?

First off, you are going to want to download the app designed for the IoT device. After this, configure your phone and use the app to connect to the IoT device. Since the IoT device is currently operating in Open Mode, it won’t ask for a password and connecting can be straightforward.

Use the app to ask the IoT device to scan the vicinity for other WiFi networks it can see. Keep in mind that when working with simple modules that cannot be Access Point and STA at the same time, you will need to make the IoT device shut down the open Access Point, scan, and then open the Access Point again. 

Once the IoT device has scanned for networks, use the app to select the desired network and commission the device with a password. This process is made by normal client-server technology, and it’s all handled by the app, so completing it is straightforward.

Now you have a new IoT device on the WiFi network and it has access to the internet! The only thing left to do now is to log off the “commissioning network” and go back to the real in-house WiFi network.

Pros:

• The whole process can be accomplished if the new IoT device is equipped with WiFi modules and some programming of both the IoT device and app

• There is favorable simplicity in using the app to connect to the right network

Cons:

• The end-user has to connect to a new WiFi network and back, which can be complicated and amount to errors

• Since the network is open, security is something you have to guarantee yourself

Solution 2: Use Bluetooth Low Energy (BLE)

Bluetooth Low Energy is a technology for wireless personal area networks. WiFi modules are equipped with both Bluetooth Low Energy (BLE) and WiFi Radio. Since those two use the same frequencies, it’s mostly a matter of coding and decoding the data from and onto the radio.

Bluetooth Low Energy operates at a specific security mode for guaranteeing basic security measures. It uses pairing, encryption, and authentication, and it can be expanded at the application layer by the user.

Therefore, you can ask the end-user to install your IoT app, and then connect it to the IoT device via BLE. While this process would require a lot of explanation to know how it works, the end-user will only have to “scan” and then “connect” through the app. Once this channel is established, you can do all the commissioning needed.

Pros:

• BLE is very secure

• Since it’s on another channel, you don’t need to ask the end-user to do anything

Cons:

• WiFi module prices can be high

• It is necessary to understand both BLE and WiFi

• You need to program it yourself

Solution 3: Proprietary Solutions

Multiple proprietary solutions have come up for solving this problem, so reading up on how they work and seeing if it fits your needs might be a good idea.

One solution uses a Visible Light Communication (VLC) to commission and configures IoT devices. This system uses a smartphone as a modulated light source and a simple photodetector, and it showed fast completion times and low error rates on an experiment conducted on 32 participants.

For camera solutions, a QR code can be created and displayed by using the app. This QR code can contain data for the network SSID and its password. This will make it so that the QR can just be shown to the camera and this will then use the data to connect to the correct WiFi network.

Other solutions use a USB cable to connect the IoT device and a mobile phone for communication and give it data this way. Some solutions have even used a speaker and microphone to communicate with the smartphone via sound.

The Bottom Line

There you have it. These are three options for commissioning new devices in an IoT project using WiFi.

While each one has its different pros and cons, commissioning for IoT devices is an important aspect of any IoT project, so choosing the right one for your project should be an informed decision.