Using a wireless network you do not own—particularly an enterprise wireless network—to seamlessly integrate IoT devices is a major challenge for developers. In fact, provisioning is one of the most common challenges we hear about in regards to IoT application development.
Below is a crash course on WiFi and cellular provisioning that examines some of the common solutions and issues application developers face. Take a look.
WiFi is present in 80 to 90% of the places our customers intend for their applications to be used—but there are some challenges customers must face if they choose to run applications on WiFi networks.
First, you have to determine if you’re allowed to be on a network, as many enterprises won’t allow it. But for example’s sake, let’s assume the CIO of a particular company approves your application to run on their WiFi network. Now you have to determine how to provision the IoT endpoints on their network, which can be tricky.
There are a few challenges you’ll have to overcome before determining the best way to handle provisioning. It’s important to remember that IoT devices are usually “headless”: they don’t have a keyboard or user interface that allows for simple provisioning. Also, many enterprise-level WiFi networks have additional layers of security, so instead of a single shared passphrase you’re dealing with per-device credentials and certificates (WPA2-Enterprise with 802.1X/EAP, for example). There are several ways to handle secure WiFi provisioning, which we’ve explained below.
DMZ / Guest Network
A DMZ, which stands for “demilitarized zone,” is a network segment that is isolated from the internal LAN, so devices on it cannot reach internal systems. A guest WiFi network is the consumer-grade equivalent. Putting IoT devices in a DMZ limits what a compromised device can reach, which addresses the enterprise’s main security concern, but because most DMZ and guest networks still require a password (or a captive portal login), the provisioning issue remains.
WiFi Protected Setup (WPS)
WiFi Protected Setup is the only industry standard for provisioning headless devices. But because PIN mode still requires an 8-digit PIN to be read off or typed into a headless device, it doesn’t always solve the issue of complexity. It’s worth noting that WPS PIN mode is particularly susceptible to brute force attacks: the eighth digit is a checksum, and the access point acknowledges the first four digits separately from the last three, so an attacker needs at most 11,000 guesses rather than 100 million. At a second or two per guess, WPS can fail in less than four hours. Thus, most access points now ship with PIN mode disabled or lock it out after repeated failures.
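The arithmetic behind that “less than four hours” figure, as an added example that is not part of the original post. It models the two properties of the real protocol that make the attack work (the checksum digit and the half-by-half acknowledgement) against a pure-Python stand-in for the access point; the registrar class and the 1.3 seconds per attempt are assumptions for illustration, not measurements of any product, and nothing here speaks WPS over the air.

```python
"""Added example: why WPS PIN mode falls to brute force.

Models the 8-digit WPS PIN as the protocol defines it:
  * digit 8 is a checksum over digits 1-7, so only 10^7 PINs are valid;
  * the registrar (the AP) confirms the first four digits (after message M4)
    before the last four are checked (after M6), so an attacker learns which
    half failed.
Together those cut the search from 10^8 to at most 10^4 + 10^3 = 11,000 tries.
SimulatedRegistrar is a constructed stand-in, not a WPS implementation.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit used by WPS (same weighting as hostapd's wps_pin_checksum)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """Stand-in for an AP in WPS PIN mode (constructed for this example)."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN must carry a valid checksum")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        """Return 'ok', 'first-half-bad' or 'second-half-bad'.

        A real registrar NACKs after M4 if PIN[0:4] is wrong and after M6 if
        PIN[4:8] is wrong; that distinction is what the attacker exploits.
        """
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "first-half-bad"
        if pin[4:] != self._pin[4:]:
            return "second-half-bad"
        return "ok"


def brute_force(reg: SimulatedRegistrar) -> str:
    """Recover the PIN half at a time; worst case 10,000 + 1,000 attempts."""
    # Stage 1: the second half is irrelevant until the first half is right.
    for a in range(10_000):
        if reg.try_pin(f"{a:04d}0000") != "first-half-bad":
            first = f"{a:04d}"
            break
    else:
        raise RuntimeError("no first half matched")
    # Stage 2: only 3 free digits; the 8th is forced by the checksum.
    for b in range(1_000):
        seven = first + f"{b:03d}"
        candidate = seven + str(wps_checksum(int(seven)))
        if reg.try_pin(candidate) == "ok":
            return candidate
    raise RuntimeError("no second half matched")


def hours_for_attempts(attempts: int, seconds_per_attempt: float = 1.3) -> float:
    """Wall-clock estimate; 1.3 s/attempt is an assumed figure, not a measurement."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    reg = SimulatedRegistrar("99999995")  # worst case: both halves are maximal
    pin = brute_force(reg)
    print(pin, reg.attempts, f"{hours_for_attempts(reg.attempts):.1f} h")
```

Running it against the worst-case PIN shows 11,000 attempts and roughly four hours at the assumed rate; an AP that locks PIN mode after a handful of failures (the WPS 2.0 lockout) or disables it entirely removes the attack, which is why the page’s advice to assume PIN mode is unavailable is the right default.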
Push-button Connect (PBC) allows you to push a button on your router, after which any device that asks can join for a short window (typically two minutes). It sounds simple, but many enterprises don’t support it because anyone in radio range can join during that window, and reaching some access points can be cumbersome depending on the location.
Access Point (AP) Mode
The most common way headless IoT WiFi devices are provisioned is through access point mode, where a widget advertises itself as an access point and the end user can connect to it directly using a phone or computer as the interface.
For example, your customer could buy your widget, plug it in, go to the WiFi settings on an iPhone, and connect to “Widget.” From there, they would open an app or web browser and connect directly to the widget, which scans for nearby WiFi networks and lets them pick one and enter the password. Keep in mind that the widget’s setup access point is usually open, so the customer’s WiFi password crosses that link in the clear unless the widget serves HTTPS or the app encrypts the payload. This is easy enough for many direct-to-consumer applications, but if you have 1,000 temperature probes at a business and each one has to be provisioned by hand, this will be time consuming and costly.
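What the widget does with the credentials once the phone hands them over, as an added example that is not the original post’s code or any vendor’s. It assumes the phone POSTs a JSON body of the form {"ssid": ..., "passphrase": ...} to the widget’s setup web server; the HTTP and WiFi-driver plumbing is left out, and the function shown is the handler behind that endpoint. It validates the input against the limits WPA2-Personal actually imposes, derives the 256-bit PSK the way wpa_passphrase does, and writes a wpa_supplicant network block that stores the derived key rather than the passphrase.

```python
"""Added example: the widget side of AP-mode provisioning.

Assumed request (constructed): {"ssid": "...", "passphrase": "..."} posted by
the phone over the widget's setup AP. provision() is the handler behind it.
"""
import hashlib
import json


def validate(ssid: str, passphrase: str) -> None:
    """Enforce the limits 802.11 / WPA2-Personal impose on SSID and passphrase."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")


def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    This is the same derivation wpa_passphrase performs; the result is the key
    actually used in the 4-way handshake, so the passphrase need not be kept.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def provision(request_body: bytes) -> str:
    """Turn the phone's JSON into a wpa_supplicant network block.

    Only the derived PSK is written, so the passphrase never reaches flash;
    a malformed or out-of-range request raises ValueError instead of being
    written half-validated.
    """
    try:
        req = json.loads(request_body)
        ssid, passphrase = str(req["ssid"]), str(req["passphrase"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"malformed provisioning request: {exc}") from None
    validate(ssid, passphrase)
    # wpa_supplicant accepts ssid= as a hex string; using hex avoids quoting
    # problems with SSIDs that contain quotes, backslashes or non-ASCII bytes.
    return (
        "network={\n"
        f"\tssid={ssid.encode('utf-8').hex()}\n"
        f"\tpsk={derive_psk(ssid, passphrase)}\n"
        "\tkey_mgmt=WPA-PSK\n"
        "}\n"
    )


if __name__ == "__main__":
    # Sample request constructed for the example; "IEEE"/"password" is the
    # IEEE 802.11i Annex H test vector, so the PSK can be checked by hand.
    print(provision(b'{"ssid": "IEEE", "passphrase": "password"}'))
```

Storing the derived PSK is the standard practice in wpa_supplicant configs, and it is the single most useful thing the widget can do with the secret it is handed: a dump of the device’s flash then yields a key for that one SSID rather than a passphrase the customer may have reused elsewhere.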
Out-of-band Provisioning & Smart Config
Out-of-band provisioning means delivering the network credentials over a medium other than WiFi, such as USB, near field communication (NFC), or Bluetooth, so the device can then join the WiFi network on its own. TI has found a way to broadcast network credentials over the existing WiFi network to unprovisioned TI WiFi devices that are only listening, which they call Smart Config. This is great if you’re working with this particular vendor, but it is very solution-specific, and because the credentials are broadcast over the air rather than handed to one device, it is worth weighing on a shared network.
Most cellular provisioning is handled via the SIM card, which carries the subscriber identity (IMSI) and the secret key the network uses to authenticate the device. If you want to get cellular service with AT&T, you register your SIM card, and when the device first attaches to the network it is provisioned. This is still one-to-one provisioning, however, so some companies, like Jasper, try to make this experience as seamless as possible: they sell blocks of SIM cards that are all associated with one account and help you manage the process.
Legacy CDMA networks such as Verizon’s identify the device itself rather than a removable SIM, using an embedded equipment identifier (historically an ESN or MEID; the GSM/LTE equivalent is the IMEI, the International Mobile Equipment Identity). The operator provisions service against that number. Like SIM cards, equipment identifiers still require a one-to-one match with the cellular operator, and Verizon’s LTE network uses SIM cards like everyone else.
Keep in mind that if you use WiFi or cellular in an IoT device, you are never going to get away from provisioning entirely. But, with some research, you’ll likely be able to simplify this process for the end user. There are some low power, wide-area network solutions, like Symphony Link, that solve this problem by creating a wireless network with automatic provisioning. If you’re interested, or if you have questions about the information above, give us a shout.