Enterprise security for the internet of things (IOT): Lightweight bootstrapping with EAP-NOOB

Aleksi Peltonen*, Eduardo Inglés, Sampsa Latvala, Dan Garcia-Carrillo, Mohit Sethi, Tuomas Aura

*Corresponding author for this work

Research output: Contribution to journalArticleScientificpeer-review

3 Citations (Scopus)
175 Downloads (Pure)


The emergence of radio technologies, such as Zigbee, Z-Wave, and Bluetooth Mesh, has transformed simple physical devices into smart objects that can understand and react to their environment. Devices, such as light bulbs, door locks, and window blinds, can now be connected to, and remotely controlled from, the Internet. Given the resource-constrained nature of many of these devices, they have typically relied on the use of universal global shared secrets for the initial bootstrapping and commissioning phase. Such a scheme has obvious security weaknesses and it also creates undesirable walled-gardens where devices of one ecosystem do not inter-operate with the other. In this paper, we investigate whether the standard Extensible Authentication Protocol (EAP) framework can be used for secure bootstrapping of resource-constrained devices. EAP naturally provides the benefits of per-device individual credentials, straightforward revocation, and isolation of devices. In particular, we look at the Nimble out-of-band authentication for EAP (EAP-NOOB) as a candidate EAP authentication method. EAP-NOOB greatly simplifies deployment of such devices as it does not require them to be pre-provisioned with credentials of any sort. Based on our implementation experience on off-the-shelf hardware, we demonstrate that lightweight EAP-NOOB is indeed a way forward to securely bootstrap such devices.

Original languageEnglish
Article number6101
Pages (from-to)1-23
Number of pages23
JournalSensors (Switzerland)
Issue number21
Publication statusPublished - 1 Nov 2020
MoE publication typeA1 Journal article-refereed


  • Bootstrapping
  • Contiki
  • IoT
  • Security


Dive into the research topics of 'Enterprise security for the internet of things (IOT): Lightweight bootstrapping with EAP-NOOB'. Together they form a unique fingerprint.

Cite this