This paper proposes a solution for low-cost consumer IoT devices to employ end-to-end security without requiring additional hardware. Manufacturers of consumer IoT devices often sacrifice security in favour of features, user-friendliness, time to market or cost, in order to stay ahead of their competitors. However, this is unwise, as demonstrated by recent hacks on consumer IoT devices. Low-cost embedded devices struggle to create suitable entropy for key generation; on the other hand, smartphones are both abundant and have multiple sources of entropy for strong key generation. The proposed architecture takes advantage of these properties and offloads key generation and transfer to the user's smartphone, removing the need for constrained IoT devices to perform public key infrastructure and generate symmetric keys. The authors implemented the design on a \$1 general-purpose microcontroller and then analysed the performance. The design allows all communication to and from the device to be encrypted while being simple to setup, low-cost and responsive without any additional manufacturing cost. The architecture presents a general solution, which could be implemented on any microcontroller. Since the architecture does not require any additional hardware, it can be retroactively applied to deployed devices through a firmware update.
- internet of things
- wireless communication