Re: [Iot-onboarding] Thinking through onboarding

Mohit Sethi M <> Wed, 11 September 2019 19:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 40CB0120C8E for <>; Wed, 11 Sep 2019 12:41:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yEzyynQmMGPK for <>; Wed, 11 Sep 2019 12:41:49 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E17F3120C90 for <>; Wed, 11 Sep 2019 12:41:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=TQd1rwftEJe2FX1GNZ0O4H8sT47yTxHjQEOs1b0YIYhZgdlzvfEWOd3C1Da5FACExwtYf+44xUzPxVu/SlbGWqTkKJqRpIsndtrB93mfobL/u6/wZM3m/a8QW3dEvUyO8gtyNcj2JftMd8BwWBJsN13Dfb79JhQyqb3gj0Irzm69s19uAQLryFHPzaqExANUY4oylNcC33LEnpam6iRbfcgBIwIJ3sC4mglw1HekJUKo7hLH3ue+V9mDrI+VB6/jXJFAxcaM9JzmjuxyHaHgKGIrhytPRWG2gh8PEiux7Tx7RulmcvTSVjROvW3rFPaFyUwJGEo8j+cAUTPRDl3Z0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fQ4W5lm/xmEePNEGWjz7Ib83tazbPtawlPwCDO1192E=; b=Drmckrp4DoXsjwOecbm5tzm/NJrtt/5YWS9TKKUnaA/+HWE6r5mzY4uOKH9ZR4jms4i0DMLPzoPghoybPedLZvQ/u+TScQHM2rQsIWCdec/LAQJSOBl9K3JCj3VitkY2CcXwUKG/081ReU5nMeHdZrzfPKQ1c8XhMJ0wloF8iEPyJoPC0KhHESp5za5OyAt7g15URsElpAWGwNDNtUMOTYVeQa0DfIGEWa2p+HGOsNErT/DvKQ2lUwwD13N5wAmXCD0SRZlWKE6D7LXH4ELq6NLNd/5yb18MKuD4MBys8SaTG49Jdp5Wq2N8Sxj3ebOGVxdToKnl1z7cvCOka9nYSg==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fQ4W5lm/xmEePNEGWjz7Ib83tazbPtawlPwCDO1192E=; b=DE79UordhN8kuJ9f90VVzYXGouqBIWpoJYcoNtlOosfq1aGu6IwQUxxeTt8a6Bc7tHPc0AlHeZ0/flaK++5UVHwa3NbZxSAJR4t1LKTS6pfG13tvn+3zVsTmXsrl1lU5sV8eXxfSC8bvpokcLEfD7HbtV3L4sEUz4tCZ6prAu0E=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.11; Wed, 11 Sep 2019 19:41:46 +0000
Received: from ([fe80::758a:12ec:c6d:e8a9]) by ([fe80::758a:12ec:c6d:e8a9%10]) with mapi id 15.20.2263.015; Wed, 11 Sep 2019 19:41:46 +0000
From: Mohit Sethi M <>
To: Scott Jenson <>, "" <>
Thread-Topic: [Iot-onboarding] Thinking through onboarding
Thread-Index: AQHVaNjywCYMNh+JTEWWWX3skvGpPQ==
Date: Wed, 11 Sep 2019 19:41:46 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 974e90e4-271f-4878-85ca-08d736f014e3
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR0701MB2618;
x-ms-traffictypediagnostic: HE1PR0701MB2618:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0157DEB61B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(136003)(396003)(346002)(39860400002)(376002)(189003)(199004)(66556008)(66476007)(65806001)(53936002)(6246003)(71200400001)(65956001)(6506007)(71190400001)(53546011)(102836004)(486006)(5070765005)(66946007)(66446008)(31686004)(476003)(2616005)(11346002)(64756008)(186003)(26005)(446003)(58126008)(110136005)(316002)(25786009)(5660300002)(36756003)(7736002)(2501003)(14454004)(2906002)(478600001)(66066001)(966005)(81156014)(606006)(517774005)(8936002)(81166006)(3846002)(6116002)(76176011)(31696002)(54896002)(6306002)(86362001)(6512007)(6486002)(14444005)(256004)(6436002)(229853002)(99286004)(236005)(76116006)(8676002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2618;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: hgz9kt+rNydlFomXmyv57navD8LW4YHMmz0YYwrIg2TThtJG6b54FDw6GP0Q2dzsyCFOpitjP94QWZSwci9YL8PIshRsk2TpnfWPsdE+HWsupH9eRWfy3ufthUK6nPfh7Pp+trgQH7IbSB7lDoJRdZptAL+Oy7U+t/bGzuQRMCGSmCKDgUNjoMQkgobu9abdhZpPMcRkCgeag7lUx3GGR3fbcdUUPG1/bC8woWMC6sAyxB0vFa9Sk1DWE5uc0cPrWy2gbkoTCNPR1ysxwEYKeYq3sH+XCTHQoC6DPfQg72TDPEOJWbD/qXVmOmLduf3sUZTdHa/JRAD7j0yMDVxI2ybLa+2bGXI7nY7oKjK8fVglqHBjUyF01pgLTJLFuIUthgIvO6NcFzL5zm/ZPYBV3DghQ48MKNuoutESQq7Ebw4=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_4a622887822fabb37bf7c8edd6952eeeericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 974e90e4-271f-4878-85ca-08d736f014e3
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2019 19:41:46.4961 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GUwGckVmwc4kpho2AUHXZhXJ0QS+FaFo+b5DBHR8Mhdqs25VOwYgqefcW3Vqdf1AQDuPWqQMmrvGtvoaPSlkKKWl8gRqg8wirlFPo6jLT8M=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2618
Archived-At: <>
Subject: Re: [Iot-onboarding] Thinking through onboarding
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Sep 2019 19:41:59 -0000

Hi Scott,

Welcome to the list. It is always nice to get new perspective. :)

I agree with your comment about configuration vs. fleet management. And I strongly agree with your comment that manufacturer installed certs make the system very fragile. We have taken an eternity for manufacturers to not put default passwords. I am sure some manufacturers are better than others. And I am happy if devices could provide certificates to prove that they are authentic. But that would still not solve all our problems. Besides, active involvement of the manufacturer to track devices between owners is something that most privacy conscious people would frown upon.

I recommend you to have a look at EAP-NOOB slides here:

It's security relies on an OOB channel. Whether that OOB channel is a QR code, NFC, blinking lights, or audio, it doesn't matter for EAP-NOOB. And it supports both directions. So if you are configuring a new TV, you can scan a QR code. On the other hand, if you are configuring a new home camera, you can show it a QR code. And it does not require yet another app. The OOB message is a URL. Therefore, any standard camera application or NFC enabled phone would do the job without requiring custom applications for each device.

Configuration of the Wi-Fi network is only a secondary bonus. The main use-case is to register a new device on the server and associate it with a user account. I know it uses EAP and a server. But I also think that it is time for us to move away from network-wide shared secrets.


PS: The spec is here: Open source implementation (with formal security proofs) is here:

On 9/11/19 7:55 PM, Scott Jenson wrote:
Michael Richardson introduced me to this mailing list. I'm working through the onboarding issue from and UX point of view, trying to make it 'just work' and my (likely naive) starting point is that when you turn on a device (or 20...) in your home they should 'just work' and auto connect.
Clearly there are a lot of reasons this is hard and I've been working through specificis of how to safely onboard a large number of devices (e.g. light switches and electrical sockets) . However, as I've worked through the entire customer journey, it's clear this is a very deep problem:

  1.  Correct Installation
Is each device correctly installed, especially for deployments with multiple people involved for industrial deployments. Are all devices powered up and ready to be onboarded? How do can you confirm? If you've installed X devices and only see X-1 devices, how do you find the missing one?

  2.  Mapping
What room is this in? What does it control?

  3.  Maintenance
Why isn't switch#27 responding? Where is switch #27? Can I replace switch#27?

It's the realization that it is more than just 'configuration' but really more 'fleet management'. I've come to the conclusion that to solve *just* the onboarding problem, isn't enough. The fleet management issue isn't something to put into the 'app layer' and not worry about it. It's something important for the onboarding issue as well.

What started my towards this list are my concerns with BRSKI. While having a company installed cert to connect to your specific WiFi can be fairly automatic and even magical, that seems like a very fragile system.. Most devices are bought through resellers so a bespoke cert is out of the question. Less urgent but still important are changes to your WiFi and reselling. All of these solutions point to the likely friction of a factory cert.

The only solution I've found so far is the Nest solution (I know, I'm from Google but I'm not selling it, I promise...) which has a QRcode on the device and an app. It's a pain to have an app in the loop but it allows: generic purchase (e.g. home depot) so anyone can setup anything (or move to a new Wifi AP)

I don't this this solution is good enough but it works and it's fairly secure. My goal in posting this to this list is to kick start a better solution.

To summarize: I feel that if we really believe in the potential of smart devices, we need to onboard dozens of devices at once. But doing so feels incredibly hard. One way forward would be to work on additional protocols, likely involving a location service (e.g. Wifi RTT) and a heartbeat service to kickstart some rudimentary fleet management to help troubleshoot any onboarding issues.. This may be longer term thinking but I assume this crowd is the one that would appreciate this issue.