

Title:
END USER INCLUSION AND ACCESS OF DEVICES
Document Type and Number:
WIPO Patent Application WO/2019/231678
Kind Code:
A1
Abstract:
A method for credential provisioning. Aspects include receiving, by a gateway device, a request for provisioning for a wireless device, wherein the gateway device operates a virtual local area network (VLAN), the VLAN comprising a first network partition and a second network partition. The second network partition is activated responsive to the request. The credentialing data associated with the wireless device is received through the second network partition. A connection to the wireless device is established through the second network partition based at least in part on the credential data, and secured credentialing data associated with the first network partition is transmitted to the wireless device.

Inventors:
NALLAPERUMAL PIRAMMANAYAGAM (IN)
MANGAIAHGARI PHANI PAVAN KUMAR (IN)
GAJULA SAIKRISHNA (IN)
GOVINDAVARAM SRIKANTH (IN)
Application Number:
PCT/US2019/032394
Publication Date:
December 05, 2019
Filing Date:
May 15, 2019
Assignee:
CARRIER CORP (US)
International Classes:
H04L29/06; H04W12/00; H04W12/06; H04W84/12
Foreign References:
EP1615380A12006-01-11
US20170142086A12017-05-18
Attorney, Agent or Firm:
POWELL, Michael (US)
Claims:
What is claimed is:

1. A system comprising:

a gateway device comprising a processor and a transceiver, the gateway device configured to operate a virtual local area network (VLAN) having a first network partition and a second network partition; and

the gateway device further configured to selectively operate the VLAN in one of a plurality of modes, wherein the plurality of modes includes:

an operational mode; and

a provisioning mode.

2. The system of Claim 1, wherein the gateway device is configured to, while in the provisioning mode:

activate the second network partition;

receive, from the wireless device, credential data;

establish a connection to the wireless device through the second network partition based at least in part on the credential data; and

transmit secured credentialing data associated with the first network partition to the wireless device.

3. The system of Claim 2, wherein the credential data is preprogrammed into the wireless device.

4. The system of Claim 2, wherein the second network partition is activated for a period of time.

5. The system of Claim 2, wherein the gateway device is configured to:

responsive to transmitting the secured credentialing data of the first network partition to the wireless device, operate the VLAN in operational mode; and

connect to the wireless device through the first network partition.

6. The system of Claim 1, wherein the gateway device operates in provisioning mode responsive to an input from a user.

7. The system of Claim 6, wherein the input of the user comprises login data associated with the user.

8. The system of Claim 2, wherein the gateway device receives credential data through the second network partition from the wireless device responsive to an input from a user.

9. The system of Claim 1, wherein the gateway device comprises a home security system panel.

10. A method for credential provisioning, the method comprising: receiving, by a gateway device, a request for provisioning for a wireless device, wherein the gateway device operates a virtual local area network (VLAN), the VLAN comprising a first network partition and a second network partition;

responsive to the request, activating the second network partition;

receiving, through the second network partition, credential data associated with the wireless device;

establishing a connection to the wireless device through the second network partition based at least in part on the credential data; and

transmitting secured credentialing data associated with the first network partition to the wireless device.

11. The method of Claim 10, wherein the credential data is preprogrammed into the wireless device.

12. The method of Claim 10, wherein the second network partition is activated for a period of time.

13. The method of Claim 10, further comprising: responsive to transmitting the secured credentialing data to the wireless device, connecting to the wireless device through the first network partition.

14. The method of Claim 10, wherein the request for provisioning is an input from a user.

15. The method of Claim 14, wherein the input of the user comprises login data associated with the user.

16. The method of Claim 10, wherein the gateway device comprises a home security system panel.

17. The method of Claim 10, further comprising transmitting a reset command to the wireless device.

Description:
END USER INCLUSION AND ACCESS OF DEVICES

BACKGROUND

[0001] Exemplary embodiments pertain to the art of security systems and more specifically to end user inclusion and access of devices.

[0002] Wi-Fi provisioning is the process of adding a wireless device to a network such as a home network or a business network. This process typically involves entering credential information (usernames, passwords, etc.) into the wireless device and connecting to the network from the wireless device. Once connected to the network, any change in the credentialing information for the network typically needs to be separately updated in each wireless device connecting to the network.

BRIEF DESCRIPTION

[0003] Disclosed is a system. The system includes a gateway device comprising a processor and a transceiver, the gateway device configured to operate a virtual local area network (VLAN) having a first network partition and a second network partition and the gateway device further configured to selectively operate the VLAN in one of a plurality of modes, wherein the plurality of modes includes an operational mode and a provisioning mode.

[0004] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the gateway device is configured to, while in the provisioning mode: activate the second network partition; receive, from the wireless device, credential data; establish a connection to the wireless device through the second network partition based at least in part on the credential data; and transmit secured credentialing data associated with the first network partition to the wireless device.

[0005] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the credential data is preprogrammed into the wireless device.

[0006] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the second network partition is activated for a period of time.

[0007] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the gateway device is configured to, responsive to transmitting the secured credentialing data of the first network partition to the wireless device, operate the VLAN in operational mode and connect to the wireless device through the first network partition.

[0008] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the gateway device operates in provisioning mode responsive to an input from a user.

[0009] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the input of the user comprises login data associated with the user.

[0010] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the gateway device receives credential data through the second network partition from the wireless device responsive to an input from a user.

[0011] In addition to one or more of the features described above, or as an alternative, further embodiments of the system may include that the gateway device comprises a home security system panel.

[0012] Disclosed is a method for credential provisioning. The method includes receiving, by a gateway device, a request for provisioning for a wireless device, wherein the gateway device operates a virtual local area network (VLAN), the VLAN comprising a first network partition and a second network partition. The second network partition is activated responsive to the request. The credentialing data associated with the wireless device is received through the second network partition. A connection to the wireless device is established through the second network partition based at least in part on the credential data, and secured credentialing data associated with the first network partition is transmitted to the wireless device.

[0013] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include that the credential data is preprogrammed into the wireless device.

[0014] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include that the second network partition is activated for a period of time.

[0015] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include, responsive to transmitting the secured credentialing data to the wireless device, connecting to the wireless device through the first network partition.

[0016] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include that the request for provisioning is an input from a user.

[0017] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include that the input of the user comprises login data associated with the user.

[0018] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include that the gateway device comprises a home security system panel.

[0019] In addition to one or more of the features described above, or as an alternative, further embodiments of the method may include transmitting a reset command to the wireless device.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] The following descriptions should not be considered limiting in any way. With reference to the accompanying drawings, like elements are numbered alike:

[0021] FIG. 1 depicts a block diagram of a computer system for use in implementing one or more embodiments;

[0022] FIG. 2 depicts a system for credentialing a wireless device according to embodiments;

[0023] FIG. 3 depicts a system for credentialing a wireless device according to one or more embodiments; and

[0024] FIG. 4 depicts a flow diagram of a method for credential provisioning according to one or more embodiments.

[0025] The diagrams depicted herein are illustrative. There can be many variations to the diagram or the operations described therein without departing from the spirit of the disclosure. For instance, the actions can be performed in a differing order or actions can be added, deleted or modified. Also, the term “coupled” and variations thereof describes having a communications path between two elements and does not imply a direct connection between the elements with no intervening elements/connections between them. All of these variations are considered a part of the specification.

DETAILED DESCRIPTION

[0026] Referring to FIG. 1, there is shown an embodiment of a processing system 100 for implementing the teachings herein. In this embodiment, the system 100 has one or more central processing units (processors) 101a, 101b, 101c, etc. (collectively or generically referred to as processor(s) 101). In one embodiment, each processor 101 may include a reduced instruction set computer (RISC) microprocessor. Processors 101 are coupled to system memory 114 and various other components via a system bus 113. Read only memory (ROM) 102 is coupled to the system bus 113 and may include a basic input/output system (BIOS), which controls certain basic functions of system 100.

[0027] FIG. 1 further depicts an input/output (I/O) adapter 107 and a network adapter 106 coupled to the system bus 113. I/O adapter 107 may be a small computer system interface (SCSI) adapter that communicates with a hard disk 103 and/or tape storage drive 105 or any other similar component. I/O adapter 107, hard disk 103, and tape storage device 105 are collectively referred to herein as mass storage 104. Operating system 120 for execution on the processing system 100 may be stored in mass storage 104. A network adapter 106 interconnects bus 113 with an outside network 116, enabling data processing system 100 to communicate with other such systems. A screen (e.g., a display monitor) 115 is connected to system bus 113 by display adapter 112, which may include a graphics adapter to improve the performance of graphics intensive applications and a video controller. In one embodiment, adapters 107, 106, and 112 may be connected to one or more I/O busses that are connected to system bus 113 via an intermediate bus bridge (not shown). Suitable I/O buses for connecting peripheral devices such as hard disk controllers, network adapters, and graphics adapters typically include common protocols, such as the Peripheral Component Interconnect (PCI). Additional input/output devices are shown as connected to system bus 113 via user interface adapter 108 and display adapter 112. A keyboard 109, mouse 110, and speaker 111 are all interconnected to bus 113 via user interface adapter 108, which may include, for example, a Super I/O chip integrating multiple device adapters into a single integrated circuit.

[0028] In exemplary embodiments, the processing system 100 includes a graphics processing unit 130. Graphics processing unit 130 is a specialized electronic circuit designed to manipulate and alter memory to accelerate the creation of images in a frame buffer intended for output to a display. In general, graphics processing unit 130 is very efficient at manipulating computer graphics and image processing, and has a highly parallel structure that makes it more effective than general-purpose CPUs for algorithms where processing of large blocks of data is done in parallel.

[0029] Thus, as configured in FIG. 1, the system 100 includes processing capability in the form of processors 101, storage capability including system memory 114 and mass storage 104, input means such as keyboard 109 and mouse 110, and output capability including speaker 111 and display 115. In one embodiment, a portion of system memory 114 and mass storage 104 collectively store an operating system to coordinate the functions of the various components shown in FIG. 1.

[0030] Turning now to an overview of technologies that are more specifically relevant to aspects of the disclosure, most security systems, fire detection systems, and home control systems rely on multiple sensors set up within a home or business location. For example, a home security system may require an outdoor camera set up at or near an entry point for the home. Most sensors (e.g., cameras, light sensors, etc.) are wireless and include an addressable interface that can connect to a network. These sensors can sometimes be referred to as internet of things (IoT) devices. In most cases, connecting an IoT device to a wireless network involves the manual input of a passcode or a network name or a service set identifier (SSID). Also, this sometimes will need to be performed while the system (security, fire, etc.) is in a discovery mode. Home security systems typically include a security panel set up in the home which may allow for entry of information into the panel. However, IoT devices such as cameras do not include input/output devices. Also, the IoT device may not be manufactured by the same company as the home security system (panel) manufacturer. A customer may wish to utilize certain types of sensors and pair them with the home security system.

[0031] The term Internet of Things (IoT) object is used herein to refer to any object (e.g., an appliance, a sensor, etc.) that has an addressable interface (e.g., an Internet protocol (IP) address, a Bluetooth identifier (ID), a near-field communication (NFC) ID, etc.) and can transmit information to one or more other objects over a wired or wireless connection. An IoT object may have a passive communication interface, such as a quick response (QR) code, a radio-frequency identification (RFID) tag, an NFC tag, or the like, or an active communication interface, such as a modem, a transceiver, a transmitter-receiver, or the like. An IoT object can have a particular set of attributes (e.g., a device state or status, such as whether the IoT object is on or off, open or closed, idle or active, available for task execution or busy, and so on, a cooling or heating function, an environmental monitoring or recording function, a light-emitting function, a sound-emitting function, etc.) that can be embedded in and/or controlled/monitored by a central processing unit (CPU), microprocessor, ASIC, or the like, and configured for connection to an IoT network such as a local ad-hoc network or the Internet. For example, IoT objects may include, but are not limited to, refrigerators, toasters, ovens, microwaves, freezers, dishwashers, dishes, hand tools, clothes washers, clothes dryers, furnaces, heating, ventilation, air conditioning & refrigeration (HVACR) systems, air conditioners, thermostats, fire alarm & protection systems, fire, smoke & CO detectors, access / video security systems, elevator and escalator systems, burner and boiler controls, building management controls, televisions, light fixtures, vacuum cleaners, sprinklers, electricity meters, gas meters, etc., so long as the devices are equipped with an addressable communications interface for communicating with the IoT network. IoT objects may also include cell phones, desktop computers, laptop computers, tablet computers, personal digital assistants (PDAs), etc. Accordingly, the IoT network can include a combination of “legacy” Internet-accessible devices (e.g., laptop or desktop computers, cell phones, etc.) in addition to devices that do not typically have Internet connectivity (e.g., dishwashers, etc.).

[0032] Turning now to an overview of the aspects of the disclosure, one or more embodiments address the above-described shortcomings of the prior art by providing a system for provisioning of credential information to IoT devices seamlessly. The system can isolate wireless network partitions and utilize the partitions for different functions. This can be achieved by utilizing a virtual local area network (VLAN). A VLAN is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. In this sense, the VLAN can partition a wireless network operating in a home or business location. The partition can include any number of network partitions. For example, a first network partition can be utilized for IoT devices that have been authenticated and have inputted credential data for connecting to the first network partition. A second network partition can be utilized for provisioning for IoT devices.

[0033] Turning now to a more detailed description of aspects of the present disclosure, FIG. 2 depicts a system for credentialing a wireless device according to embodiments. The system 200 includes a gateway device 202, connected IoT devices 204, a new IoT device 206, and two network partitions (secured network partition 220 and the provisioning network partition 230). In one or more embodiments, the gateway device 202 can be a home security panel installed at a customer’s home.

[0034] In one or more embodiments, the gateway device 202 can be implemented on the processing system 100 found in FIG. 1. Additionally, a cloud computing system can be in wired or wireless electronic communication with one or all of the elements of the system 200. The cloud can supplement, support or replace some or all of the functionality of the elements of the system 200. Additionally, some or all of the functionality of the elements of system 200 can be implemented as a node of a cloud. The cloud computing described herein is only one example of a suitable cloud computing environment and is not intended to suggest any limitation as to the scope of use or functionality of embodiments described herein.

[0035] In one or more embodiments, the gateway device 202 controls a virtual local area network (VLAN) that includes the secured network partition 220 and the provisioning network partition 230. In other embodiments, the gateway device 202 can control the VLAN through an intermediate device such as a modem or the like. The system 200 can be, for example, a home security system that has sensors and cameras (IoT devices) wirelessly set up through a home or building. The connected IoT devices 204 are connected to the secured network partition 220 as these devices have been authenticated and have entered a correct SSID or passcode to connect to the secured network partition 220. When a new IoT device 206 needs to be connected, the gateway device 202 can be operated to provide access to the new IoT device 206. In one or more embodiments, for the new IoT device 206, the gateway device 202 can initiate a provisioning mode of operation. While in the provisioning mode, the gateway device 202 can activate the provisioning network partition 230. The provisioning mode can be activated by a user inputting a login to the gateway device 202 or by simply pressing a button on the gateway device 202 to activate the provisioning mode. The provisioning mode can be activated for a set period of time either automatically or by the user based on the number of new devices being connected and the like. In one or more embodiments, the new IoT device 206 can have the credentials for the provisioning network partition 230 preprogrammed in the new IoT device 206. For example, the manufacturer of an IoT device can preprogram specific provisioning credentials in the IoT device for use with a specific type of home security system. The home security system can use the same credentialing information for each provisioning network partition 230 across all system lines.

[0036] In one or more embodiments, while in provisioning mode, the new IoT device 206 can connect to the gateway device 202 through the provisioning network partition 230 utilizing the preprogrammed credential information (e.g., SSID and password). The new IoT device 206 can search for credential information from the gateway device 202 upon powering on the IoT device 206 or pressing a button on the IoT device 206 after powering on. Once connected, the gateway device 202 can authenticate the new IoT device 206 through a secure API exchange or the like. Once authenticated, the gateway device 202 can transmit credential information (SSID and password, etc.) for the secured network partition 220 to the new IoT device 206. This credential information is transmitted through the provisioning network partition 230. Once this credential information is received by the new IoT device 206, the device can then connect to the secured network partition 220 and thus operate with the system 200.

[0037] In one or more embodiments the new IoT device 206 can connect to the provisioning network partition 230 when a user activates the IoT device 206. For example, a user could press a button on the new IoT device 206 which would cause the IoT device 206 to automatically search for a programmed SSID (for the partition 230) and join it automatically. In another embodiment, the new IoT device 206 can connect to the provisioning network partition 230 when it is turned on for the first time.

[0038] In one or more embodiments, the system 200 can enter into provisioning mode based on a user pressing a Wi-Fi Protected Setup (WPS) button on the gateway device 202. After pressing the WPS button, the provisioning network partition 230 is broadcasted for a period of time. A WPS button on the new IoT device 206 can be pressed as well to allow for the new IoT device 206 to search for the pre-programmed SSID and connect through the provisioning network partition 230. In one or more embodiments, after pressing the WPS button, the gateway device 202 can require a login and password or some code to be entered to ensure that the user activating the WPS is authorized.

[0039] In one or more embodiments, the gateway device 202 can be a panel for a home security system or a home controlling system. For example, the panel can be used to operate IoT devices such as electronic locks, indoor and outdoor lighting, appliances, and the like. Each of the IoT devices can connect to the wireless network through the systems and methodology described herein.

[0040] In one or more embodiments, the new IoT device 206 can be, for example, a wireless camera for a home security system. During provisioning, to get the camera to search for the pre-programmed SSID, a user can hold up an image for the camera and utilizing image recognition for the image, the camera would search the required SSID and connect to the provisioning network partition 230. The image could be an image on a smart phone or tablet or a printed out image that can be included with the IoT device 206.

[0041] In one or more embodiments, if the credential information for the secured network partition changes, the gateway device 202 can pass along the updated information to the connected IoT devices 204 before the credential information (e.g., password to the Wi-Fi) is changed. This can be performed through the first partition 220 before the credential information is changed and applied to the first partition 220. In one or more embodiments, when changing the credential information of the first network partition 220, the user will be notified of any offline devices.

[0042] FIG. 3 depicts a system for credentialing a wireless device according to one or more embodiments. The system 300 includes a control panel 302, a user device 304, and an IoT device 306. The control panel 302 can be a security panel for a home security system and can operate multiple IoT devices such as sensors and cameras connected through a network. The user device 304 can be any type of device such as, for example, a smart phone, a tablet, a smart watch, and the like. The system 300 can provide credential information for the IoT device 306 utilizing the user device 304. In one or more embodiments, the user device 304 can connect to the control panel 302 using near field communication (NFC). The user device 304 accesses the control panel 302 by utilizing a login or some other authentication process. Once accessed, the control panel 302 can transmit to the user device 304 credential data and any other data for the new IoT device 306 to access the network. The other data can include authentication data or identifier data so that the control panel 302 can discover the new IoT device 306 on the network once connected. The user device 304, after receiving the credential data and other data, can connect to the IoT device 306 using an NFC connection. Once connected and authenticated, the user device 306 can transmit the credential data and the other data to the IoT device 306, allowing the IoT device 306 to connect to the network.

[0043] FIG. 4 depicts a flow diagram of a method for credential provisioning according to one or more embodiments. The method 400 includes receiving, by a gateway device, a request for provisioning for a wireless device, wherein the gateway device operates a virtual local area network (VLAN), the VLAN comprising a first network partition and a second network partition, as shown in block 402. At block 404, the method 400 includes, responsive to the request, activating the second network partition. The method 400, at block 406, includes receiving, through the second network partition, credential data associated with the wireless device. At block 408, the method 400 includes establishing a connection to the wireless device through the second network partition based at least in part on the credential data. The method 400, at block 410, includes transmitting secured credentialing data associated with the first network partition to the wireless device and asking the wireless device to establish the connection to the first network by rebooting or restarting. And at block 410, the method 400 includes accepting, through the first network partition, the new wireless device.
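The gateway-side flow of [0035]-[0038] and [0043] (time-boxed provisioning partition, device authentication before any secured credential is released, reboot onto the first partition) together with the credential rotation of [0041], as an added Python model that is not part of the application or of any Carrier product. The HMAC challenge-response standing in for the "secure API exchange", the per-device key, the injected clock, and every SSID and key value are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Mode(Enum):
    OPERATIONAL = "operational"
    PROVISIONING = "provisioning"


# Constructed sample values: the application gives no SSIDs, keys or window length.
PROVISIONING_SSID = "PANEL-PROV"       # partition 230, preprogrammed into the device by its manufacturer
PROVISIONING_PSK = "factory-prov-psk"  # shared across a product line, so it must unlock nothing by itself


@dataclass
class Device:
    device_id: str
    prov_ssid: str
    prov_psk: str
    auth_key: bytes                    # assumed per-device secret behind the "secure API exchange"
    online: bool = True
    secured_creds: Optional[Tuple[str, str]] = None
    joined: str = "none"               # which partition the device currently sits on

    def prove_identity(self, nonce: bytes) -> bytes:
        # Assumed challenge-response: HMAC over the gateway's nonce and the device id.
        return hmac.new(self.auth_key, nonce + self.device_id.encode(), hashlib.sha256).digest()

    def reset(self) -> None:
        # Block 410: after receiving the secured credentials the device restarts and joins partition 220.
        self.joined = "secured" if self.secured_creds else "none"


@dataclass
class Gateway:
    secured_ssid: str
    secured_psk: str
    clock: Callable[[], float]         # injected so the window can be tested deterministically
    mode: Mode = Mode.OPERATIONAL
    window_ends: float = 0.0
    known_devices: Dict[str, bytes] = field(default_factory=dict)  # device_id -> auth key
    connected: Set[str] = field(default_factory=set)               # devices admitted to partition 220
    log: List[str] = field(default_factory=list)                   # audit trail for the panel

    def enter_provisioning(self, user_authenticated: bool, seconds: float) -> bool:
        """Claims 6 and 7: provisioning mode only on an authenticated user input, and only for a set period."""
        if not user_authenticated:
            self.log.append("provisioning refused: user login failed")
            return False
        self.mode = Mode.PROVISIONING
        self.window_ends = self.clock() + seconds
        return True

    def provisioning_partition_active(self) -> bool:
        # Claim 4: partition 230 is up only while the window is open; expiry drops back to operational mode.
        if self.mode is Mode.PROVISIONING and self.clock() >= self.window_ends:
            self.mode = Mode.OPERATIONAL
        return self.mode is Mode.PROVISIONING

    def provision(self, device: Device) -> bool:
        """Claims 2 and 10: admit over partition 230, authenticate, then release partition 220 credentials."""
        if not self.provisioning_partition_active():
            self.log.append(f"{device.device_id}: partition 230 not active")
            return False
        if (device.prov_ssid, device.prov_psk) != (PROVISIONING_SSID, PROVISIONING_PSK):
            self.log.append(f"{device.device_id}: wrong provisioning credentials")
            return False
        key = self.known_devices.get(device.device_id)
        nonce = secrets.token_bytes(16)
        expected = hmac.new(key or b"", nonce + device.device_id.encode(), hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(expected, device.prove_identity(nonce)):
            self.log.append(f"{device.device_id}: authentication failed, nothing released")
            return False
        device.secured_creds = (self.secured_ssid, self.secured_psk)  # sent only over partition 230
        device.reset()
        self.connected.add(device.device_id)
        return True

    def rotate_secured_psk(self, new_psk: str, devices: List[Device]) -> List[str]:
        """[0041]: push the new partition 220 secret to connected, online devices before applying it."""
        offline = [d.device_id for d in devices if d.device_id in self.connected and not d.online]
        for d in devices:
            if d.device_id in self.connected and d.online:
                d.secured_creds = (self.secured_ssid, new_psk)
        self.secured_psk = new_psk
        return offline   # the user is notified of these per [0041]
```

The shared provisioning PSK on its own only reaches partition 230; the secured credentials leave the gateway only after the per-device authentication succeeds and only while the window is open.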

[0044] Additional processes may also be included. It should be understood that the processes depicted in FIG. 4 represent illustrations and that other processes may be added or existing processes may be removed, modified, or rearranged without departing from the scope and spirit of the present disclosure.

[0045] A detailed description of one or more embodiments of the disclosed apparatus and method is presented herein by way of exemplification and not limitation with reference to the Figures.

[0046] The term “about” is intended to include the degree of error associated with measurement of the particular quantity based upon the equipment available at the time of filing the application.

[0047] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the present disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, element components, and/or groups thereof.

[0048] While the present disclosure has been described with reference to an exemplary embodiment or embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the present disclosure. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the present disclosure without departing from the essential scope thereof. Therefore, it is intended that the present disclosure not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this present disclosure, but that the present disclosure will include all embodiments falling within the scope of the claims.