On Mon, Sep 09, 2024 at 04:25:40PM -0700, Dan Wing wrote:
> Adopting the technique from Matter, we might also consider suggesting vendors 
> allow QR codes (or some similar fanciful way) to establish a shared secret or 
> public key for more secure bootstrapping than TOFU.  For guests and even 
> family members, this could be similar to the QR code containing the guest 
> network's SSID and password that is taped onto the refrigerator for parties; 
> this new QR code could also be used to bootstrap that network's Certification 
> Authority for that network's client devices.

We're getting a bit off-topic for add (I think, not sure), but hope this is
well in-scope for anima/iotops:

I think there is still a lot of exploration and experience gaining needed to
come to terms with the most easily deployed security mechanism for home and
industrial large-scale IoT device bootstrap. QR codes can be a great tool,
but my personal experience has rather been mixed:

With the home automation IoT device vendor that had the largest market share
in Germany, you could bootstrap devices

a) via QR code. I did that. So I had to use permanent marker to put some
   device name onto each of my 50 devices as well as the same device name
   on the fitting QR code piece of paper, and scan / stash away those QR
   codes. Over the past few years I had some incidents where I had to
   re-bootstrap some of the devices. It's grisly to think about what
   happens if my home controller would fail and whether or not a full
   backup will actually allow me to restore all existing device
   associations.

b) via the network to the vendor's "trusted" servers. Which were known in
   the past to be often offline during weekends, because it's not a large
   company and employees there tend not to work during the weekend, unlike
   people who do their at-home installation. Besides that, the security
   applied with this option is IMHO highly questionable, but luckily it's
   proprietary, so nobody really knows for sure. But I think I'm a good
   guesser.

The experience with a big vendor in the USA of similar equipment and the QR
codes there is similarly hilarious:

a) The vendor managed to put the QR codes ONLY onto their devices, such as
   in-wall light switches. So I simply have to shut off my mains power to
   remove such a light switch from the wall would it ever need to be
   re-bootstrapped.

b) During bootstrap, for magical reasons, the mesh network connectivity
   (Z-Wave in this case) seems more picky than during operations. So I can
   actually not enroll some of the devices from their target deployment
   location, and/or have to take my RPi4 controller with me and plug it
   into a nearby wall socket to enroll such a device (for the QR-code-free
   bootstrap option).

So, all in all I think I would try to stay away from QR codes whenever I
can, home or industrial - but to make that work, the whole network-based
solutions need a lot more detail improvement work.

Theoretically I think NFC would be a great option, but I have no actual
experience. But the idea of having a box of 50 devices, and the reseller
just has to tap a button on the smartphone to register all 50 devices' NFC
tags - that just sounds like an intriguing option. Would also have solved
my QR code experiences. But not sure if it would be cheap enough for
typical home automation IoT devices.

Cheers
    Toerless
   
> -d
> 
> 
> > Would you like to be able to shush your multi-room surround-sound music
> > so that you can hear: the door bell, the coffee is ready, or the oven has
> > preheated, waiting for the next tray of hors d'oeuvres?
> > 
> > --
> > Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
> >           Sandelman Software Works Inc, Ottawa and Worldwide
> > 
> > 
> > 
> > 
> > -- 
> > Add mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> 

-- 
---
[email protected]

_______________________________________________
Anima mailing list -- [email protected]
To unsubscribe send an email to [email protected]