Most large enterprises run remarkably secure WLANs. They minimize open-authentication access points – and those use captive portals – and implement WPA2-enterprise authentication and encryption protocols, which are very difficult to crack.
However, well-configured access points inhibit the growth of the Internet of Things (IoT) over Wi-Fi. The emerging IoT model (from the residential world) connects headless sensors over wireless connections to a cloud service that manages them and collects traffic. This service then offers a portal for analytics and smartphone-based user-control.
Enterprise lighting, energy management and other sensors are moving to this architecture where the device hitches a ride on the Wi-Fi network, but only to connect to its service in the cloud: the WLAN is essentially transparent in the architecture. The sensor later needs to authenticate to its cloud service, but only after it has a path through the WLAN.
While Wi-Fi is a uniform standard, security is implemented per-network. An IoT sensor must be configured to connect to the WLAN using three parameters: network discovery, authentication credentials and device identity.
Wi-Fi networks are discovered by their SSID. The sensor needs to know, out of the many SSIDs it scans, which one it should connect to. Connecting to random networks carries a risk that the sensor or its cloud service could be compromised.
Credentials – usually passwords – are also specific to the network. They must be configured whether the network uses a pre-shared key (PSK) or proper WPA2-enterprise authentication.
Meanwhile, the WLAN should be protected against intruders impersonating IoT sensors, and against real sensors infected with malware: this means sensors should follow the same security regime as enterprise smartphones and PCs. Especially where a PSK is shared across many devices (so a single leaked key lets any device join), the sensor’s identity should be established separately from the key, so the WLAN knows what it is, where it needs to connect and which traffic patterns are permitted. Identity can be a user id, MAC address or X.509 certificate; of these, a MAC address is trivially spoofed and only a certificate lets the network cryptographically verify the device.
But hooking each sensor in turn up to a PC, for instance, and configuring it with SSID, credentials and identity is incredibly time-consuming. IoT vendors are applying their creativity to the problem, and we are beginning to see proprietary solutions; but we would prefer vendor-independent standards.
Garage door openers, home thermostats and the like are often configured by making a point-to-point Wi-Fi connection from a smartphone and entering information on the screen. This model is also applicable to enterprise deployments where an employee is able to stand next to each sensor and configure it. But if credentials are entered on the smartphone screen, they are visible to the employee and prone to error.
The Wi-Fi Alliance is working to improve this method. The Device Provisioning Protocol (DPP) will allow an already-authenticated user’s smartphone to bring a new device onto the network, similar to a visitor given guest access by a sponsoring employee. The key feature is to maintain security, keeping the new device’s unique credentials hidden from the sponsor and encrypted over the air.
DPP promises a standard, vendor-independent method to configure IoT sensors when the sponsor is nearby, but is not appropriate for all situations. Sometimes we would prefer an out-of-box solution where a sensor will discover the appropriate network, then identify and authenticate itself. The Wi-Fi Alliance Passpoint certification enables these functions: it is currently being fine-tuned for IoT use.
Passpoint offers network discovery and federated authentication features. Rather than relying on the SSID alone, a Passpoint access point advertises, over 802.11u Interworking/ANQP, the list of service providers (NAI realms and roaming consortia) it can authenticate for. This list is available pre-association, before any credentials are exchanged, so a scanning IoT sensor could match “joes-iot” against a pre-configured service set and know this was a good access point to connect to. Then an X.509 certificate could be used for identification and, via EAP-TLS, to authenticate to a designated remote authentication server maintained by the sensor vendor.
This system is nearly zero-touch: if the sensor vendor could burn a service-provider list and an X.509 certificate into the device at the factory, and WLAN managers configured Passpoint on their APs with a RADIUS (or RadSec, RADIUS over TLS) connection to the vendor’s authentication server, the enterprise would retain control over network access while avoiding reconfiguration of the sensors.
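As an added illustration of the discovery step described above (not code from the article, the Wi-Fi Alliance or any vendor), the following Python models a headless sensor choosing an AP the Passpoint way: it ignores SSIDs, reads each AP’s advertised NAI realm list, and joins only an AP that advertises the realm burned into its profile with an EAP method it can actually perform with its certificate. All realms, SSIDs, BSSIDs and signal levels are constructed sample data.

```python
"""Passpoint-style network selection for a headless IoT sensor.

Added example for this article; not Wi-Fi Alliance, hostapd or vendor code.
Models the pre-association decision: scan, read each AP's ANQP NAI Realm list
(which carries the EAP methods each realm accepts), and connect only to an AP
that advertises the sensor's factory-burned realm with EAP-TLS.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

EAP_TLS = 13    # IANA EAP method type: certificate based
EAP_TTLS = 21   # IANA EAP method type: typically password based


@dataclass(frozen=True)
class NaiRealm:
    realm: str                    # e.g. "joes-iot", as advertised over ANQP
    eap_methods: FrozenSet[int]   # EAP types the realm's AAA server accepts


@dataclass(frozen=True)
class ScannedAP:
    ssid: str
    bssid: str
    rssi: int                     # dBm, higher is stronger
    interworking: bool            # 802.11u Interworking element present
    nai_realms: Tuple[NaiRealm, ...] = ()


@dataclass(frozen=True)
class SensorProfile:
    realm: str                    # burned in at the factory with the X.509 cert
    eap_methods: FrozenSet[int]   # what the sensor can do with that cert


def realm_matches(advertised: str, wanted: str) -> bool:
    """NAI realms are compared case-insensitively; exact match only here."""
    return advertised.lower().rstrip(".") == wanted.lower().rstrip(".")


def select_ap(scan, profile: SensorProfile) -> Optional[ScannedAP]:
    """Return the strongest AP that advertises our realm with a usable EAP
    method, or None: a sensor must never fall back to joining a random SSID."""
    candidates = []
    for ap in scan:
        if not ap.interworking:
            continue  # a bare SSID says nothing about who is behind it
        for nr in ap.nai_realms:
            if realm_matches(nr.realm, profile.realm) and (nr.eap_methods & profile.eap_methods):
                candidates.append(ap)
                break
    return max(candidates, key=lambda ap: ap.rssi) if candidates else None


# Constructed sample data (hypothetical names and addresses).
SENSOR_PROFILE = SensorProfile(realm="joes-iot", eap_methods=frozenset({EAP_TLS}))

SAMPLE_SCAN = [
    # Open guest network, no Interworking: ignored regardless of name.
    ScannedAP("CorpGuest", "00:11:22:33:44:00", -50, interworking=False),
    # Decoy whose SSID happens to be the service name: ignored, SSID is not identity.
    ScannedAP("joes-iot", "de:ad:be:ef:00:01", -45, interworking=False),
    # Advertises our realm but only a password method: unusable for a cert-only sensor.
    ScannedAP("Lobby", "00:11:22:33:44:02", -55, interworking=True,
              nai_realms=(NaiRealm("joes-iot", frozenset({EAP_TTLS})),)),
    # Two BSSIDs of the enterprise Passpoint SSID; both carry our realm with EAP-TLS.
    ScannedAP("Corp-Passpoint", "00:11:22:33:44:01", -60, interworking=True,
              nai_realms=(NaiRealm("acme.example", frozenset({EAP_TLS})),
                          NaiRealm("Joes-IoT", frozenset({EAP_TLS, EAP_TTLS})))),
    ScannedAP("Corp-Passpoint", "00:11:22:33:44:03", -72, interworking=True,
              nai_realms=(NaiRealm("joes-iot", frozenset({EAP_TLS})),)),
]


def choose_bssid(scan=SAMPLE_SCAN, profile=SENSOR_PROFILE) -> Optional[str]:
    ap = select_ap(scan, profile)
    return ap.bssid if ap else None


if __name__ == "__main__":
    print("selected AP:", choose_bssid())
```

One caveat a deployer should keep in mind: ANQP responses are sent before any authentication, so an attacker can advertise any realm. Selection by realm keeps the sensor from wandering onto random SSIDs, but the protection against a rogue AP comes from the EAP-TLS exchange that follows, in which the sensor must validate the authentication server’s certificate against the vendor CA it was shipped with before presenting its own.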
But DPP is not yet a certification, and Passpoint is not widely deployed: The obstacles to connecting IoT sensors via Wi-Fi networks remain.
This contrasts with the other wireless enabler of IoT, the cellular network. The SIM card neatly provides all the necessary configuration in one place: the home network to select, the device’s subscriber identity (IMSI) and the secret key used to authenticate to that network. For this aspect of IoT, the Wi-Fi industry needs to unite around a standard and catch up with the cellular networks.
This article is published as part of the IDG Contributor Network.