Secure zero-touch device provisioning in Bluetooth mesh networks
Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Security and Cloud Computing
Master’s Prorgamme in Security and Cloud Computing (SECCLO)
AbstractConnected devices in smart homes and offices promise benefits from energy conservation to enhanced user experience. Secure zero-touch provisioning, which requires no user interaction after the devices have arrived on-site, is essential to overcome the limitations posed by the scale of such networks and the minimal user interfaces on the devices. Bluetooth mesh profile v1.1 introduces certificate-based provisioning, which is a key enabler for zero-touch provisioning, but not sufficient by itself. This thesis analyzes the possible choices in each different aspect of implementing such a system and demonstrates a functional prototype. It makes concrete recommendations on how to assign device identities and bootstrap them during manufacturing, identifies two approaches to authorizing devices and delivering certificate status information, and argues against including secret values in device certificates. Reducing the cost of implementing security is determined to be essential for avoiding the security of the system being undermined by the users, and design choices in aspects such as physical device identifiers, certificate policies, device installation workflow and user interfaces are proposed to meet that goal. The presented prototype validates and demonstrates some of the recommendations using a Bluetooth development board as the device and an Android application as the provisioner. The documented implications of different alternatives and justified recommendations can help inform the design of future real-world implementations of zero-touch provisioning systems. Simplifying the process of securely provisioning devices can help avoid deployments opting for insecure networks, therefore preventing potentially devastating consequences and aiding faster adoption of these applications.
Thesis advisorMallat, Hannu
Bluetooth mesh, provisioning, PKI, IoT