The use of the ESP8266 in the world of IoT

By monkeytronics
#79628 Of the various options available to allow a user to configure the Wifi credentials on their ESP8266, I've failed to find a suitable method for my use case.

1) It's got to be secure. Whether through RSA key exchange; hosting a secure server and passing info that way.
2) It's got to fit on an ESP8266 (obviously)!
3) Crypto is hard. In my opinion, unless you are not 100% sure of your crypto capabilities, you shouldn't code your own solution. I'm looking at a commercial product, so I need something tried and tested.
4) I need to code the GUI side into a mobile or web app, so ideally it should not rely on a third party app that you download and run separately. That would just look a bit rubbish! So, a cordova plugin or javascript lib would do it for example.

What's available right now? How are other people doing it? Or do I just have to suck it up and put a few weeks aside to code it up myself? Rather not. Too busy baking loaves to stop and grind my own flour.
By quackmore
#79904 Check out what a Chromecast does for some inspiration ...

I trust WPA2PSK and do it this way:

Run some kind of webserver on the ESP8266 that allows you to set the wifi credential.

Disable WPS.

The first time the ESP turns up it obviously won't find anything and will switch to SOFTAP.
Configure SOFTAP to WPA2PSK and provide a good password so that you can securely set the wifi credentials.
Eventually set the SOFTAP maximum number of clients to 1.

Avoid any code to read back the wifi credentials.

Once it switches to station and connects to wifi:
+ if you trust the wifi security then you can leave the service active
+ if you don't trust that network's security you can disable the specific service and just allow for deleting the wifi credentials.

This way you can only set them when the ESP is working as a secure SOFTAP.
By monkeytronics
#80517 Hey @quackmore .

That's really interesting. My original plan was to be able to ship devices with a non-unique sticker on them, hence the opportunity for a preshared key as you suggest. But on balance, I think it might be easier to factor in an extra few seconds in the production process to generate the individual passwords and code them into the firmware.

Your idea is exactly the kind of pragmatic approach I wasn't able to see. Thank you for pointing it out to me.

I owe you beer!
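
The per-device password step mentioned in the last post, sketched as an added example (not code from either poster): a factory-side Python script that draws a unique WPA2-PSK passphrase per unit from the OS CSPRNG and emits the firmware header and sticker text. The `setup-` SSID prefix, the `SOFTAP_*` macro names, the alphabet and the serial format are assumptions.

```python
import math
import secrets

# Sticker-friendly alphabet without 0/O and 1/l/i look-alikes (assumed choice).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PSK_LEN = 16  # WPA2-PSK passphrases must be 8..63 ASCII characters


def entropy_bits(length=PSK_LEN):
    """Entropy of a uniformly random passphrase over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def new_passphrase(length=PSK_LEN):
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrase must be 8..63 characters")
    # secrets uses the OS CSPRNG; random.choice would be predictable.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(serial, ssid_prefix="setup-"):
    """Return the firmware header and sticker text for one device."""
    # Restricting the serial keeps it safe inside a C string literal.
    if not (serial.isascii() and serial.isalnum()):
        raise ValueError("serial must be ASCII alphanumeric")
    ssid = ssid_prefix + serial
    if len(ssid) > 32:
        raise ValueError("SSID is limited to 32 bytes")
    psk = new_passphrase()
    header = (
        f'#define SOFTAP_SSID "{ssid}"\n'
        f'#define SOFTAP_PSK "{psk}"\n'
        "#define SOFTAP_MAX_CLIENTS 1\n"
    )
    return {"ssid": ssid, "psk": psk, "header": header,
            "label": f"WiFi: {ssid}  Key: {psk}"}


def provision_batch(serials):
    """Provision a batch, refusing duplicate serials (they'd share an SSID)."""
    if len(set(serials)) != len(serials):
        raise ValueError("duplicate serial in batch")
    return {s: provision(s) for s in serials}


if __name__ == "__main__":
    for serial, dev in provision_batch(["A1B2C3", "A1B2C4"]).items():  # constructed serials
        print(serial, dev["label"], f"({entropy_bits():.0f} bits)")
```

The generated header and label contain the passphrase in clear, so the production host's copies need the same handling as any other device secret.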