Many computing devices are equipped for communication over one or more types of computer networks, including wireless networks. Before a computing device is able to connect to a particular wireless computer network, the device typically may undergo some form of device provisioning. In this context, provisioning a device for wireless network connectivity may refer to any processes related to configuring the device for connectivity with one or more particular wireless device networks. For example, a customer-provided equipment (CPE) device (e.g., laptop, desktop, mobile device, etc.) may be provisioned with certain network settings that enable the device to connect and communicate with a particular wireless (or wired) network. In addition, network components (including access points, wireless routers, etc.) may be added to existing networks or may establish their own network, and may also need to be provisioned. In other examples, networks or devices, including sensors and home monitoring, security, and/or entertainment devices, may be provisioned with network settings that enable the devices (e.g., wireless sensors, cameras, etc.) to connect and communicate with other wireless sensors and with each other. With the Bluetooth protocol, some aspects of provisioning may be performed automatically using a wireless messaging dialog known as pairing. With Wi-Fi, provisioning may involve identifying an access point by name and providing security credentials.
As described herein, there may be particular difficulties, and benefits to connecting one or more wireless networks (and some or all of the devices connected to each “local” network) to a remote, e.g., cloud, server (“the cloud”). In particular, although the additional layer of the cloud server may make provisioning easier, in some variations, the potential for security risks is greater, in particular risk due to remote disruption (e.g., “spoofing”), which is even more serious when attacks may allow the tremendous amount of control over the network and individual devices via provisioning.
For some device use cases, appropriate network settings may be unknown to a manufacturer or service provider associated with a wireless device and provisioning the wireless device before it is provided to an end user may not be feasible for those uses. Further, provisional may also include specifying which network, and which geographic location, the device will be placed. For example, a particular wireless device may be intended for connectivity with a user's personal wireless network at the user's home, where the home network is connected to particular access point and gateway, and the network is connected to a cloud server.
In general, provisioning may refer to the process of preparing and equipping a device or network to allow it to provide new services to its users, and includes altering the state of an existing priority service or capability. For example, device provisioning may refer to authenticating a network device, such as an access point, to verify that a user can connect and operate through the device. In some variations, a device may be provisioned in order that it may communicate and/or be controlled and/or monitored by a cloud server (or software/hardware/firmware operating on a remote, e.g., cloud, server).
Provisioning may configure a system/network to provide a verified user with access to data and technology resources. For example, provisioning may give a user's access based on a unique user identity, and appropriate resources for the user. The provisioning process may monitor access rights and privileges to ensure the security of a resource and user privacy, and may also ensure compliance and minimize the vulnerability of systems to penetration and abuse. Provisioning may also reduce the amount of custom configuration.
Provisioning of “new” devices (e.g., factory-new) device may be relatively straightforward, as the first installer/user of the device is likely to be legitimately adding it to a network (and/or cloud layer). However, provisioning of existing device (e.g., devices that have been previously operated, e.g., as part of an existing network either in communication with a cloud computing environment or as part of an existing network that was not yet in communication with the cloud computing environment. Such existing device may pose an enhanced risk because potential security attacks (e.g., spoofing) may resemble legitimate new provisioning of the devices (e.g., when they change networks, locations or users).
Current techniques for authenticating a network device, including CPEs and access points, may not address the problems identified above. For example, current authentication typically relies on digital tokens (e.g., exchanged between a device and a remote server), or require a user to provide only the address (e.g., MAC address) and/or a passcode to authenticate the network device and may be vulnerable to fraud. The apparatuses (including system and/or devices) and method described herein may address these problems.