Intro to Wi-Fi Easy Connect
Configuring a Wi-Fi network involves recalling the Wi-Fi credentials - “network name” (SSID) and “password” (PSK) - and entering this information on every new connected product that a user wants to add to their network. As already discussed, this is a process fraught with complexity and prone to many points of failure. Wi-Fi Easy Connect addresses this by allowing a mobile app authorized for the network to introduce a new product onto the network. Wi-Fi Easy Connect aims to do this in a secure way and without disclosing the specific encryption keys of the new product to the mobile app.
There are two main roles in the protocol - the Configurator and the Enrollee. Both have been simplified to specifically illustrate the case of a mobile app working with a connected product.
This is the mobile app that already has capabilities - and authorization - to provision products on to a network. It may also delegate this role to another device/app, which can then also act as a Configurator. A Configurator can be used to provision both Access Points (APs) and Clients.
The Enrollee is the new product that needs to be provisioned on to a network. It receives authorization from a Configurator to join the network. Both the AP and the client can be an Enrollee.
As an example, the mobile app can be used to set up a new network by configuring the SSID, etc on a new AP. The app can then be used to add a new product - such as a camera - to the network.
Either the Configurator or the Enrollee can initiate the Wi-Fi Easy Connect protocol. The device initiating a protocol is called the Initiator and the device responding is similarly called the Responder. But there are security implications for this as described below.
Overall Protocol Summary
There are four steps in the Wi-Fi Easy Connect - bootstrapping, authentication, provisioning and connectivity. Here is a brief note on each step.
Wi-Fi Easy Connect relies heavily on the public-private key pair mechanism. Specifically, the public keys are used for both identification and authentication of all devices. Bootstrapping is the process of setting up the trust - by setting up the public keys - between the mobile app and the product prior to performing the Wi-Fi Easy Connect protocol. This is an out-of-band mechanism that is not mandated by the Wi-Fi Easy Connect specification. Suggestions include QR codes, NFC and even BLE.
As an example, a user can scan a QR code containing the public key of a camera with their mobile app. The mobile app thus can initiate authentication with the camera using this public key and be certain that it is provisioning the correct camera.
This step aims to authenticate the mobile app and the product to each other and prove possession of the private counterparts to the respective public keys. The connected product is always strongly authenticated because the mobile app is guaranteed to receive the product’s public key (e.g. via QR code). However, mutual authentication - providing the mobile app’s public key to the product - is optional.
This step is always initiated by the connected product and only takes place if authentication was successful. As part of this phase the mobile app provides a Connector to the connected product. This Connector is the credential information used by the connected product to establish connectivity. It is useful to note that the user’s AP can also be similarly provided a Connector by the mobile app when the user first sets up their AP (the mechanism is identical).
This is the final step during which the connected product can use the Connector information to prove to the user’s AP that it has been authorized to join the network. This is always initiated by the connected product. At the end of this step, both the AP and the connected product can successfully communicate with each other.
A Note on WPA3
WPA3 is the latest revision of the Wi-Fi Protected Access security protocol. Wi-Fi Easy Connect and WPA3 are intended to work in conjunction with each other to improve security and ease of use. Here are some important new features:
More secure public hotspots
Today, public hotspots typically do not use encryption and any Wi-Fi traffic over these networks is sent unprotected. Opportunistic Wireless Encryption (OWE) provides a mechanism to encrypt such traffic, improving Wi-Fi security at coffee shops, airports, etc.
More secure individual access
WPA2 uses a mechanism that generates the same encryption keys for all devices on the network. This allows any user on the network to sniff traffic for all devices. WPA3 encrypts traffic of each device with separate keys, preventing such snooping.
Some Security Considerations
While the Wi-Fi Easy Connect was designed to be secure, simply using Wi-Fi Easy Connect does not guarantee security. Here are some things to consider when using Wi-Fi Easy Connect:
Consider whether a public key can be trusted
Bootstrapping is the foundation on which all further authentication is based. So it is critical to have confidence that the public key from the transmitter is from the genuine transmitter. For example, a QR code (containing the public key) can be replaced by an overlaid sticker (with a different public key). BLE bootstrapping can also be similarly vulnerable.
Use mutual authentication where possible
With Wi-Fi Easy Connect, the connected product is always authenticated by the mobile app. But mutual authentication is optional and requires a mechanism to additionally convey the public key of the mobile app to the connected product. This additional step adds complexity but substantially improves security. Without this, the connected product can only weakly authenticate the mobile app.
In order to use Wi-Fi Easy Connect, both the mobile app and the connected product must support Wi-Fi Easy Connect. Products that support Wi-Fi Easy Connect are backwards-compatible with legacy devices (APs, clients). The mobile app is capable of passing legacy SSID and PSK information to the connected product - allowing it to join a legacy AP - as long as the mobile app has this information.
This raises some particularly tricky corner cases, and care must be taken not to leave the user stranded. ZipKey is compatible with both WPA3 and Easy Connect and provides an elegant way to cover the corner cases as well as a secure way to bootstrap Wi-Fi Easy Connect.