Afero IoT Development Tool Patent
(12) United States Patent
     Britt
(10) Patent No.: US 10,776,080 B2
(45) Date of Patent: Sep. 15, 2020

(54) INTEGRATED DEVELOPMENT TOOL FOR AN INTERNET OF THINGS (IOT) SYSTEM
(71) Applicant: AFERO, INC., Los Altos, CA (US)
(72) Inventor: Joe Britt, Los Altos, CA (US)
(73) Assignee: Afero, Inc., Los Altos, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
(21) Appl. No.: 14/967,623
(22) Filed: Dec. 14, 2015
(65) Prior Publication Data
     US 2017/0168777 A1 Jun. 15, 2017
(51) Int. Cl.
     G06F 8/20 (2018.01)
     H04L 29/08 (2006.01)
     H04W 4/70 (2018.01)
     H04W 4/50 (2018.01)
     G06F 111/16 (2020.01)
(52) U.S. Cl.
     CPC G06F 8/20 (2013.01); H04L 67/303 (2013.01); H04L 67/34 (2013.01); H04W 4/50 (2018.02); H04W 4/70 (2018.02); G06F 2111/16 (2020.01); H04L 67/12 (2013.01)
(58) Field of Classification Search
     CPC G06F 8/20; H04L 67/12; G06N 20/00; H04W 72/0453; H04W 72/00446; H04W 84/18
     See application file for complete search history.

(56) References Cited
U.S. PATENT DOCUMENTS
9,888,337 B1 * 2/2018 Zalewski H04L 67/10
2006/0208066 A1 9/2006 Finn et al.
2013/0080898 A1 * 3/2013 Lavian G06F 3/16 715/728
(Continued)
OTHER PUBLICATIONS
International Search Report and Written Opinion for Application No. PCT/US2016/066434, dated Mar. 8, 2017, 8 pages.
(Continued)

Primary Examiner: Lewis A Bullock, Jr.
Assistant Examiner: Mohammad H Kabir
(74) Attorney, Agent, or Firm — Nicholson De Vos Webster & Elliott LLP

(57) ABSTRACT
A system and method are described for an IoT integrated development tool. For example, one embodiment of an apparatus comprises: an Internet of Things (IoT) development application comprising a GUI through which a developer is to specify a configuration for a new IoT device; a development database comprising configuration data related to different IoT device configurations, the IoT development application to utilize the data in the development database based on the configuration specified by the developer for the new IoT device; an IoT device engine to generate an IoT device profile responsive to the development application specifying input/output functions to be performed by the new IoT device; a client app engine to generate a user experience (UX) profile responsive to the development application specifying features of a client app or application related to operation of the new IoT device; and an IoT service engine to generate a cloud application programming interface (API) profile responsive to the development application specifying features of an IoT service related to operation of the new IoT device.

11 Claims, 35 Drawing Sheets
[Front-page drawing: Developer; GUI 2721; Integrated Development Tool Platform 2702; Development Database 2710; Development Application 2720; IoT Device 102 with SCM 2402; IoT Device Profile 2740; Profile 2741; Cloud API Profile 2742]

(56) References Cited
U.S. PATENT DOCUMENTS
2015/0019714 A1 1/2015 Shaashua et al.
2016/0105501 A1 * 4/2016 Choi H04W 4/70 709/225
2016/0135241 A1 * 5/2016 Gujral H04W 4/70 370/328
2016/0143361 A1 * 5/2016 Juster A24F 47/008 392/404
2016/0255420 A1 * 9/2016 McCleland H04W 4/70 340/870.07
2016/0357524 A1 * 12/2016 Maluf G06F 8/34
2016/0371074 A1 * 12/2016 Vyas G06F 8/654
2017/0031333 A1 * 2/2017 Luff G06F 3/0484
OTHER PUBLICATIONS
International Preliminary Report on Patentability for Application No. PCT/US2016/066434, dated Jun. 28, 2018, 7 pages.
* cited by examiner

[Drawing sheets 1 to 35 of US 10,776,080 B2: FIGS. 1A through 28]

INTEGRATED DEVELOPMENT TOOL FOR AN INTERNET OF THINGS (IOT) SYSTEM

BACKGROUND

Field of the Invention

This invention relates generally to the field of computer systems. More particularly, the invention relates to an integrated development tool for an Internet of Things (IoT) system.

Description of the Related Art

The “Internet of Things” refers to the interconnection of uniquely-identifiable embedded devices within the Internet infrastructure. Ultimately, IoT is expected to result in new, wide-ranging types of applications in which virtually any type of physical thing may provide information about itself or its surroundings and/or may be controlled remotely via client devices over the Internet.

IoT development and adoption has been slow due to issues related to connectivity, power, and a lack of standardization. For example, one obstacle to IoT development and adoption is that no standard platform exists to allow developers to design and offer new IoT devices and services. In order to enter into the IoT market, a developer must design the entire IoT platform from the ground up, including the network protocols and infrastructure, hardware, software and services required to support the desired IoT implementation. As a result, each provider of IoT devices uses proprietary techniques for designing and connecting the IoT devices, making the adoption of multiple types of IoT devices burdensome for end users. Another obstacle to IoT adoption is the difficulty associated with connecting and powering IoT devices. Connecting appliances such as refrigerators, garage door openers, environmental sensors, home security sensors/controllers, etc., for example, requires an electrical source to power each connected IoT device, and such an electrical source is often not conveniently located.

In addition, IoT development has been slow due to the lack of integrated development tools. For example, developers must independently design code and hardware for each individual IoT device and for each IoT service, resulting in inefficiencies in the design process.

BRIEF DESCRIPTION OF THE DRAWINGS

A better understanding of the present invention can be obtained from the following detailed description in conjunction with the following drawings, in which:

FIGS. 1A-B illustrate different embodiments of an IoT system architecture;
FIG. 2 illustrates an IoT device in accordance with one embodiment of the invention;
FIG. 3 illustrates an IoT hub in accordance with one embodiment of the invention;
FIGS. 4A-B illustrate embodiments of the invention for controlling and collecting data from IoT devices, and generating notifications;
FIG. 5 illustrates embodiments of the invention for collecting data from IoT devices and generating notifications from an IoT hub and/or IoT service;
FIG. 6 illustrates one embodiment of a system in which an intermediary mobile device collects data from a stationary IoT device and provides the data to an IoT hub;
FIG. 7 illustrates intermediary connection logic implemented in one embodiment of the invention;
FIG. 8 illustrates a method in accordance with one embodiment of the invention;
FIG. 9A illustrates an embodiment in which program code and data updates are provided to the IoT device;
FIG. 9B illustrates an embodiment of a method in which program code and data updates are provided to the IoT device;
FIG. 10 illustrates a high level view of one embodiment of a security architecture;
FIG. 11 illustrates one embodiment of an architecture in which a subscriber identity module (SIM) is used to store keys on IoT devices;
FIG. 12A illustrates one embodiment in which IoT devices are registered using barcodes or QR codes;
FIG. 12B illustrates one embodiment in which pairing is performed using barcodes or QR codes;
FIG. 13 illustrates one embodiment of a method for programming a SIM using an IoT hub;
FIG. 14 illustrates one embodiment of a method for registering an IoT device with an IoT hub and IoT service; and
FIG. 15 illustrates one embodiment of a method for encrypting data to be transmitted to an IoT device;
FIGS. 16A-B illustrate different embodiments of the invention for encrypting data between an IoT service and an IoT device;
FIG. 17 illustrates embodiments of the invention for performing a secure key exchange, generating a common secret, and using the secret to generate a key stream;
FIG. 18 illustrates a packet structure in accordance with one embodiment of the invention;
FIG. 19 illustrates techniques employed in one embodiment for writing and reading data to/from an IoT device without formally pairing with the IoT device;
FIG. 20 illustrates an exemplary set of command packets employed in one embodiment of the invention;
FIG. 21 illustrates an exemplary sequence of transactions using command packets;
FIG. 22 illustrates a method in accordance with one embodiment of the invention; and
FIGS. 23A-C illustrate a method for secure pairing in accordance with one embodiment of the invention;
FIG. 24 illustrates one embodiment of an interface between a microcontroller unit and a secure communication module;
FIG. 25 illustrates additional details for an embodiment of an interface between a microcontroller unit and a secure communication module; and
FIG. 26 illustrates a communication format employed in one embodiment of the invention.
FIG. 27 illustrates one embodiment of an integrated development tool;
FIG. 28 illustrates one embodiment of a method implemented by an integrated development tool.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention described below. It will be apparent, however, to one skilled in the art that the embodiments of the invention may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form to avoid obscuring the underlying principles of the embodiments of the invention.

One embodiment of the invention comprises an Internet of Things (IoT) platform which may be utilized by developers to design and build new IoT devices and applications.
In particular, one embodiment includes a base hardware/software platform for IoT devices including a predefined networking protocol stack and an IoT hub through which the IoT devices are coupled to the Internet. In addition, one embodiment includes an IoT service through which the IoT hubs and connected IoT devices may be accessed and managed as described below. In addition, one embodiment of the IoT platform includes an IoT app or Web application (e.g., executed on a client device) to access and configure the IoT service, hub and connected devices. Existing online retailers and other Website operators may leverage the IoT platform described herein to readily provide unique IoT functionality to existing user bases.

FIG. 1A illustrates an overview of an architectural platform on which embodiments of the invention may be implemented. In particular, the illustrated embodiment includes a plurality of IoT devices 101-105 communicatively coupled over local communication channels 130 to a central IoT hub 110 which is itself communicatively coupled to an IoT service 120 over the Internet 220. Each of the IoT devices 101-105 may initially be paired to the IoT hub 110 (e.g., using the pairing techniques described below) in order to enable each of the local communication channels 130. In one embodiment, the IoT service 120 includes an end user database 122 for maintaining user account information and data collected from each user's IoT devices. For example, if the IoT devices include sensors (e.g., temperature sensors, accelerometers, heat sensors, motion detectors, etc.), the database 122 may be continually updated to store the data collected by the IoT devices 101-105. The data stored in the database 122 may then be made accessible to the end user via the IoT app or browser installed on the user's device 135 (or via a desktop or other client computer system) and to web clients (e.g., such as websites 130 subscribing to the IoT service 120).

The IoT devices 101-105 may be equipped with various types of sensors to collect information about themselves and their surroundings and provide the collected information to the IoT service 120, user devices 135 and/or external Websites 130 via the IoT hub 110. Some of the IoT devices 101-105 may perform a specified function in response to control commands sent through the IoT hub 110. Various specific examples of information collected by the IoT devices 101-105 and control commands are provided below. In one embodiment described below, the IoT device 101 is a user input device designed to record user selections and send the user selections to the IoT service 120 and/or Website.

In one embodiment, the IoT hub 110 includes a cellular radio to establish a connection to the Internet 220 via a cellular service 115 such as a 4G (e.g., Mobile WiMAX, LTE) or 5G cellular data service. Alternatively, or in addition, the IoT hub 110 may include a WiFi radio to establish a WiFi connection through a WiFi access point or router 116 which couples the IoT hub 110 to the Internet (e.g., via an Internet Service Provider providing Internet service to the end user). Of course, it should be noted that the underlying principles of the invention are not limited to any particular type of communication channel or protocol.

In one embodiment, the IoT devices 101-105 are ultra low-power devices capable of operating for extended periods of time on battery power (e.g., years). To conserve power, the local communication channels 130 may be implemented using a low-power wireless communication technology such as Bluetooth Low Energy (LE). In this embodiment, each of the IoT devices 101-105 and the IoT hub 110 are equipped with Bluetooth LE radios and protocol stacks.

As mentioned, in one embodiment, the IoT platform includes an IoT app or Web application executed on user devices 135 to allow users to access and configure the connected IoT devices 101-105, IoT hub 110, and/or IoT service 120. In one embodiment, the app or web application may be designed by the operator of a Website 130 to provide IoT functionality to its user base. As illustrated, the Website may maintain a user database 131 containing account records related to each user.

FIG. 1B illustrates additional connection options for a plurality of IoT hubs 110-111, 190. In this embodiment a single user may have multiple hubs 110-111 installed onsite at a single user premises 180 (e.g., the user's home or business). This may be done, for example, to extend the wireless range needed to connect all of the IoT devices 101-105. As indicated, if a user has multiple hubs 110, 111 they may be connected via a local communication channel (e.g., Wifi, Ethernet, Power Line Networking, etc.). In one embodiment, each of the hubs 110-111 may establish a direct connection to the IoT service 120 through a cellular 115 or WiFi 116 connection (not explicitly shown in FIG. 1B). Alternatively, or in addition, one of the IoT hubs such as IoT hub 110 may act as a “master” hub which provides connectivity and/or local services to all of the other IoT hubs on the user premises 180, such as IoT hub 111 (as indicated by the dotted line connecting IoT hub 110 and IoT hub 111). For example, the master IoT hub 110 may be the only IoT hub to establish a direct connection to the IoT service 120. In one embodiment, only the “master” IoT hub 110 is equipped with a cellular communication interface to establish the connection to the IoT service 120. As such, all communication between the IoT service 120 and the other IoT hubs 111 will flow through the master IoT hub 110. In this role, the master IoT hub 110 may be provided with additional program code to perform filtering operations on the data exchanged between the other IoT hubs 111 and IoT service 120 (e.g., servicing some data requests locally when possible).

Regardless of how the IoT hubs 110-111 are connected, in one embodiment, the IoT service 120 will logically associate the hubs with the user and combine all of the attached IoT devices 101-105 under a single comprehensive user interface, accessible via a user device with the installed app 135 (and/or a browser-based interface).

In this embodiment, the master IoT hub 110 and one or more slave IoT hubs 111 may connect over a local network which may be a WiFi network 116, an Ethernet network, and/or a power-line communications (PLC) network (e.g., where all or portions of the network are run through the user's power lines). In addition to the IoT hubs 110-111, each of the IoT devices 101-105 may be interconnected with the IoT hubs 110-111 using any type of local network channel such as WiFi, Ethernet, PLC, or Bluetooth LE, to name a few.

FIG. 1B also shows an IoT hub 190 installed at a second user premises 181. A virtually unlimited number of such IoT hubs 190 may be installed and configured to collect data from IoT devices 191-192 at user premises around the world. In one embodiment, the two user premises 180-181 may be configured for the same user. For example, one user premises 180 may be the user's primary home and the other user premises 181 may be the user's vacation home. In such a case, the IoT service 120 will logically associate the IoT hubs 110-111, 190 with the user and combine all of the attached IoT devices 101-105, 191-192 under a single comprehensive user interface, accessible via a user device with the installed app 135 (and/or a browser-based interface).
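
The master-hub arrangement described above, in which all traffic between the IoT service 120 and the other hubs passes through hub 110 and some data requests are serviced locally, can be sketched as follows. This is an added Python example, not code from the patent; the message fields, hub and device identifiers, and the 30-second freshness window are assumptions.

```python
from dataclasses import dataclass, field

# All names below (hub ids, device ids, message kinds, the 30 s freshness
# window) are assumptions made for this illustration; the patent text does
# not define a message format or a caching policy.


@dataclass(frozen=True)
class Request:
    hub_id: str           # hub on the premises that owns the device
    device_id: str
    kind: str             # "read" (data request) or "control" (command)
    attribute: str
    value: object = None  # payload for control commands


@dataclass
class MasterHub:
    """Master hub: the only hub with a direct link to the IoT service."""
    premises_hubs: set                             # other hubs on the local network
    max_age_s: float = 30.0                        # how long a cached reading is served
    cache: dict = field(default_factory=dict)      # (hub, device, attr) -> (value, ts)
    forwarded: list = field(default_factory=list)  # requests relayed to other hubs
    uplink: list = field(default_factory=list)     # reports relayed to the service

    def report_from_hub(self, hub_id, device_id, attribute, value, now):
        """Sensor data travelling from another hub up to the IoT service."""
        if hub_id not in self.premises_hubs:
            return False                           # not a hub of this premises: drop
        self.cache[(hub_id, device_id, attribute)] = (value, now)
        self.uplink.append((hub_id, device_id, attribute, value))
        return True

    def request_from_service(self, req, now):
        """Request travelling from the IoT service down to another hub."""
        if req.hub_id not in self.premises_hubs:
            return ("rejected", "unknown hub")
        if req.kind == "read":
            hit = self.cache.get((req.hub_id, req.device_id, req.attribute))
            if hit is not None and now - hit[1] <= self.max_age_s:
                return ("local", hit[0])           # serviced locally, no extra hop
        elif req.kind != "control":
            return ("rejected", "unknown kind")
        # Control commands and stale or missing reads always reach the owning hub.
        self.forwarded.append(req)
        return ("forwarded", req.hub_id)


def demo():
    """Constructed traffic: one report from hub-111, then four service requests."""
    hub = MasterHub(premises_hubs={"hub-111"})
    hub.report_from_hub("hub-111", "dev-104", "temperature", 21.5, now=100.0)
    read = Request("hub-111", "dev-104", "read", "temperature")
    return [
        hub.request_from_service(read, now=110.0),   # fresh reading in cache
        hub.request_from_service(read, now=200.0),   # cached reading too old
        hub.request_from_service(
            Request("hub-111", "dev-104", "control", "power", "off"), now=110.0),
        hub.request_from_service(
            Request("hub-190", "dev-191", "read", "temperature"), now=110.0),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only read requests are ever answered from the cache; a control command is always relayed so that the owning hub and device see it.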
US 10,776,080 B2
5 6
As illustrated in FIG . 2 , an exemplary embodiment of an code 203 and new I/O devices 250 to interface with the low
IoT device 101 includes a memory 210 for storing program power microcontroller for virtually any type of IoT appli
code and data 201-203 and a low power microcontroller 200 cation .
for executing the program code and processing the data . The In one embodiment, the low power microcontroller 200
memory 210 may be a volatile memory such as dynamic 5 also includes a secure key store for storing encryption keys
random access memory ( DRAM ) or may be a non - volatile for encrypting communications and /or generating signa
memory such as Flash memory . In one embodiment, a tures . Alternatively, the keys may be secured in a subscriber
non- volatile memory may be used for persistent storage and identify module ( SIM) .
a volatile memory may be used for execution of the program A wakeup receiver 207 is included in one embodiment to
code and data at runtime. Moreover, the memory 210 may 10 wake the IoT device from an ultra low power state in which
be integrated within the low power microcontroller 200 or it is consuming virtually no power . In one embodiment, the
may be coupled to the low power microcontroller 200 via a wakeup receiver 207 is configured to cause the IoT device
bus or communication fabric . The underlying principles of 101 to exit this low power state in response to a wakeup
the invention are not limited to any particular implementa signal received from a wakeup transmitter 307 configured on
tion of the memory 210 . 15 the IoT hub 110 as shown in FIG . 3. In particular, in one
As illustrated , the program code may include application embodiment, the transmitter 307 and receiver 207 together
program code 203 defining an application - specific set of form an electrical resonant transformer circuit such as a
functions to be performed by the IoT device 201 and library Tesla coil . In operation , energy is transmitted via radio
code 202 comprising a set of predefined building blocks frequency signals from the transmitter 307 to the receiver
which may be utilized by the application developer of the 20 207 when the hub 110 needs to wake the IoT device 101
IoT device 101. In one embodiment, the library code 202 from a very low power state . Because of the energy transfer,
comprises a set of basic functions required to implement an the IoT device 101 may be configured to consume virtually
IoT device such as a communication protocol stack 201 for no power when it is in its low power state because it does not
enabling communication between each IoT device 101 and need to continually “ listen ” for a signal from the hub ( as is
the IoT hub 110. As mentioned , in one embodiment, the 25 the case with network protocols which allow devices to be
communication protocol stack 201 comprises a Bluetooth awakened via a network signal ) . Rather, the microcontroller
LE protocol stack . In this embodiment, Bluetooth LE radio 200 of the IoT device 101 may be configured to wake up
and antenna 207 may be integrated within the low power after being effectively powered down by using the energy
microcontroller 200. However, the underlying principles of electrically transmitted from the transmitter 307 to the
the invention are not limited to any particular communica- 30 receiver 207 .
tion protocol. As illustrated in FIG . 3 , the IoT hub 110 also includes a
The particular embodiment shown in FIG . 2 also includes memory 317 for storing program code and data 305 and
a plurality of input devices or sensors 210 to receive user hardware logic 301 such as a microcontroller for executing
input and provide the user input to the low power micro the program code and processing the data . A wide area
controller, which processes the user input in accordance with 35 network (WAN ) interface 302 and antenna 310 couple the
the application code 203 and library code 202. In one IoT hub 110 to the cellular service 115. Alternatively , as
embodiment, each of the input devices include an LED 209 mentioned above , the IoT hub 110 may also include a local
to provide feedback to the end user.

In addition, the illustrated embodiment includes a battery 208 for supplying power to the low power microcontroller. In one embodiment, a non-chargeable coin cell battery is used. However, in an alternate embodiment, an integrated rechargeable battery may be used (e.g., rechargeable by connecting the IoT device to an AC power supply (not shown)).

A speaker 205 is also provided for generating audio. In one embodiment, the low power microcontroller 299 includes audio decoding logic for decoding a compressed audio stream (e.g., such as an MPEG-4/Advanced Audio Coding (AAC) stream) to generate audio on the speaker 205. Alternatively, the low power microcontroller 200 and/or the application code/data 203 may include digitally sampled snippets of audio to provide verbal feedback to the end user as the user enters selections via the input devices 210.

In one embodiment, one or more other/alternate I/O devices or sensors 250 may be included on the IoT device 101 based on the particular application for which the IoT device 101 is designed. For example, an environmental sensor may be included to measure temperature, pressure, humidity, etc. A security sensor and/or door lock opener may be included if the IoT device is used as a security device. Of course, these examples are provided merely for the purposes of illustration. The underlying principles of the invention are not limited to any particular type of IoT device. In fact, given the highly programmable nature of the low power microcontroller 200 equipped with the library code 202, an application developer may readily develop new application

network interface (not shown) such as a WiFi interface (and WiFi antenna) or Ethernet interface for establishing a local area network communication channel. In one embodiment, the hardware logic 301 also includes a secure key store for storing encryption keys for encrypting communications and generating/verifying signatures. Alternatively, the keys may be secured in a subscriber identity module (SIM).

A local communication interface 303 and antenna 311 establishes local communication channels with each of the IoT devices 101-105. As mentioned above, in one embodiment, the local communication interface 303/antenna 311 implements the Bluetooth LE standard. However, the underlying principles of the invention are not limited to any particular protocols for establishing the local communication channels with the IoT devices 101-105. Although illustrated as separate units in FIG. 3, the WAN interface 302 and/or local communication interface 303 may be embedded within the same chip as the hardware logic 301.

In one embodiment, the program code and data includes a communication protocol stack 308 which may include separate stacks for communicating over the local communication interface 303 and the WAN interface 302. In addition, device pairing program code and data 306 may be stored in the memory to allow the IoT hub to pair with new IoT devices. In one embodiment, each new IoT device 101-105 is assigned a unique code which is communicated to the IoT hub 110 during the pairing process. For example, the unique code may be embedded in a barcode on the IoT device and may be read by the barcode reader 106 or may be communicated over the local communication channel
130. In an alternate embodiment, the unique ID code is embedded magnetically on the IoT device and the IoT hub has a magnetic sensor such as a radio frequency ID (RFID) or near field communication (NFC) sensor to detect the code when the IoT device 101 is moved within a few inches of the IoT hub 110.

In one embodiment, once the unique ID has been communicated, the IoT hub 110 may verify the unique ID by querying a local database (not shown), performing a hash to verify that the code is acceptable, and/or communicating with the IoT service 120, user device 135 and/or Website 130 to validate the ID code. Once validated, in one embodiment, the IoT hub 110 pairs the IoT device 101 and stores the pairing data in memory 317 (which, as mentioned, may include non-volatile memory). Once pairing is complete, the IoT hub 110 may connect with the IoT device 101 to perform the various IoT functions described herein.

In one embodiment, the organization running the IoT service 120 may provide the IoT hub 110 and a basic hardware/software platform to allow developers to easily design new IoT services. In particular, in addition to the IoT hub 110, developers may be provided with a software development kit (SDK) to update the program code and data 305 executed within the hub 110. In addition, for IoT devices 101, the SDK may include an extensive set of library code 202 designed for the base IoT hardware (e.g., the low power microcontroller 200 and other components shown in FIG. 2) to facilitate the design of various different types of applications 101. In one embodiment, the SDK includes a graphical design interface in which the developer needs only to specify input and outputs for the IoT device. All of the networking code, including the communication stack 201 that allows the IoT device 101 to connect to the hub 110 and the service 120, is already in place for the developer. In addition, in one embodiment, the SDK also includes a library code base to facilitate the design of apps for mobile devices (e.g., iPhone and Android devices).

In one embodiment, the IoT hub 110 manages a continuous bi-directional stream of data between the IoT devices 101-105 and the IoT service 120. In circumstances where updates to/from the IoT devices 101-105 are required in real time (e.g., where a user needs to view the current status of security devices or environmental readings), the IoT hub may maintain an open TCP socket to provide regular updates to the user device 135 and/or external Websites 130. The specific networking protocol used to provide updates may be tweaked based on the needs of the underlying application. For example, in some cases, where it may not make sense to have a continuous bi-directional stream, a simple request/response protocol may be used to gather information when needed.

In one embodiment, both the IoT hub 110 and the IoT devices 101-105 are automatically upgradeable over the network. In particular, when a new update is available for the IoT hub 110 it may automatically download and install the update from the IoT service 120. It may first copy the updated code into a local memory, run and verify the update before swapping out the older program code. Similarly, when updates are available for each of the IoT devices 101-105, they may initially be downloaded by the IoT hub 110 and pushed out to each of the IoT devices 101-105. Each IoT device 101-105 may then apply the update in a similar manner as described above for the IoT hub and report back the results of the update to the IoT hub 110. If the update is successful, then the IoT hub 110 may delete the update from its memory and record the latest version of code installed on each IoT device (e.g., so that it may continue to check for new updates for each IoT device).

In one embodiment, the IoT hub 110 is powered via A/C power. In particular, the IoT hub 110 may include a power unit 390 with a transformer for transforming A/C voltage supplied via an A/C power cord to a lower DC voltage.

FIG. 4A illustrates one embodiment of the invention for performing universal remote control operations using the IoT system. In particular, in this embodiment, a set of IoT devices 101-103 are equipped with infrared (IR) and/or radio frequency (RF) blasters 401-403, respectively, for transmitting remote control codes to control various different types of electronics equipment including air conditioners/heaters 430, lighting systems 431, and audiovisual equipment 432 (to name just a few). In the embodiment shown in FIG. 4A, the IoT devices 101-103 are also equipped with sensors 404-406, respectively, for detecting the operation of the devices which they control, as described below.

For example, sensor 404 in IoT device 101 may be a temperature and/or humidity sensor for sensing the current temperature/humidity and responsively controlling the air conditioner/heater 430 based on a current desired temperature. In this embodiment, the air conditioner/heater 430 is one which is designed to be controlled via a remote control device (typically a remote control which itself has a temperature sensor embedded therein). In one embodiment, the user provides the desired temperature to the IoT hub 110 via an app or browser installed on a user device 135. Control logic 412 executed on the IoT hub 110 receives the current temperature/humidity data from the sensor 404 and responsively transmits commands to the IoT device 101 to control the IR/RF blaster 401 in accordance with the desired temperature/humidity. For example, if the temperature is below the desired temperature, then the control logic 412 may transmit a command to the air conditioner/heater via the IR/RF blaster 401 to increase the temperature (e.g., either by turning off the air conditioner or turning on the heater). The command may include the necessary remote control code stored in a database 413 on the IoT hub 110. Alternatively, or in addition, the IoT service 421 may implement control logic 421 to control the electronics equipment 430-432 based on specified user preferences and stored control codes 422.

IoT device 102 in the illustrated example is used to control lighting 431. In particular, sensor 405 in IoT device 102 may be a photosensor or photodetector configured to detect the current brightness of the light being produced by a light fixture 431 (or other lighting apparatus). The user may specify a desired lighting level (including an indication of ON or OFF) to the IoT hub 110 via the user device 135. In response, the control logic 412 will transmit commands to the IR/RF blaster 402 to control the current brightness level of the lights 431 (e.g., increasing the lighting if the current brightness is too low or decreasing the lighting if the current brightness is too high; or simply turning the lights ON or OFF).

IoT device 103 in the illustrated example is configured to control audiovisual equipment 432 (e.g., a television, A/V receiver, cable/satellite receiver, AppleTV™, etc.). Sensor 406 in IoT device 103 may be an audio sensor (e.g., a microphone and associated logic) for detecting a current ambient volume level and/or a photosensor to detect whether a television is on or off based on the light generated by the television (e.g., by measuring the light within a specified spectrum). Alternatively, sensor 406 may include a temperature sensor connected to the audiovisual equipment to detect
whether the audio equipment is on or off based on the detected temperature. Once again, in response to user input via the user device 135, the control logic 412 may transmit commands to the audiovisual equipment via the IR blaster 403 of the IoT device 103.

It should be noted that the foregoing are merely illustrative examples of one embodiment of the invention. The underlying principles of the invention are not limited to any particular type of sensors or equipment to be controlled by IoT devices.

In an embodiment in which the IoT devices 101-103 are coupled to the IoT hub 110 via a Bluetooth LE connection, the sensor data and commands are sent over the Bluetooth LE channel. However, the underlying principles of the invention are not limited to Bluetooth LE or any other communication standard.

In one embodiment, the control codes required to control each of the pieces of electronics equipment are stored in a database 413 on the IoT hub 110 and/or a database 422 on the IoT service 120. As illustrated in FIG. 4B, the control codes may be provided to the IoT hub 110 from a master database of control codes 422 for different pieces of equipment maintained on the IoT service 120. The end user may specify the types of electronic (or other) equipment to be controlled via the app or browser executed on the user device 135 and, in response, a remote control code learning module 491 on the IoT hub may retrieve the required IR/RF codes from the remote control code database 492 on the IoT service 120 (e.g., identifying each piece of electronic equipment with a unique ID).

In addition, in one embodiment, the IoT hub 110 is equipped with an IR/RF interface 490 to allow the remote control code learning module 491 to "learn" new remote control codes directly from the original remote control 495 provided with the electronic equipment. For example, if control codes for the original remote control provided with the air conditioner 430 are not included in the remote control database, the user may interact with the IoT hub 110 via the app/browser on the user device 135 to teach the IoT hub 110 the various control codes generated by the original remote control (e.g., increase temperature, decrease temperature, etc.). Once the remote control codes are learned they may be stored in the control code database 413 on the IoT hub 110 and/or sent back to the IoT service 120 to be included in the central remote control code database 492 (and subsequently used by other users with the same air conditioner unit 430).

In one embodiment, each of the IoT devices 101-103 have an extremely small form factor and may be affixed on or near their respective electronics equipment 430-432 using double-sided tape, a small nail, a magnetic attachment, etc. For control of a piece of equipment such as the air conditioner 430, it would be desirable to place the IoT device 101 sufficiently far away so that the sensor 404 can accurately measure the ambient temperature in the home (e.g., placing the IoT device directly on the air conditioner would result in a temperature measurement which would be too low when the air conditioner was running or too high when the heater was running). In contrast, the IoT device 102 used for controlling lighting may be placed on or near the lighting fixture 431 for the sensor 405 to detect the current lighting level.

In addition to providing general control functions as described, one embodiment of the IoT hub 110 and/or IoT service 120 transmits notifications to the end user related to the current status of each piece of electronics equipment. The notifications, which may be text messages and/or app-specific notifications, may then be displayed on the display of the user's mobile device 135. For example, if the user's air conditioner has been on for an extended period of time but the temperature has not changed, the IoT hub 110 and/or IoT service 120 may send the user a notification that the air conditioner is not functioning properly. If the user is not home (which may be detected via motion sensors or based on the user's current detected location), and the sensors 406 indicate that audiovisual equipment 430 is on or sensors 405 indicate that the lights are on, then a notification may be sent to the user, asking if the user would like to turn off the audiovisual equipment 432 and/or lights 431. The same type of notification may be sent for any equipment type.

Once the user receives a notification, he/she may remotely control the electronics equipment 430-432 via the app or browser on the user device 135. In one embodiment, the user device 135 is a touchscreen device and the app or browser displays an image of a remote control with user-selectable buttons for controlling the equipment 430-432. Upon receiving a notification, the user may open the graphical remote control and turn off or adjust the various different pieces of equipment. If connected via the IoT service 120, the user's selections may be forwarded from the IoT service 120 to the IoT hub 110 which will then control the equipment via the control logic 412. Alternatively, the user input may be sent directly to the IoT hub 110 from the user device 135.

In one embodiment, the user may program the control logic 412 on the IoT hub 110 to perform various automatic control functions with respect to the electronics equipment 430-432. In addition to maintaining a desired temperature, brightness level, and volume level as described above, the control logic 412 may automatically turn off the electronics equipment if certain conditions are detected. For example, if the control logic 412 detects that the user is not home and that the air conditioner is not functioning, it may automatically turn off the air conditioner. Similarly, if the user is not home, and the sensors 406 indicate that audiovisual equipment 430 is on or sensors 405 indicate that the lights are on, then the control logic 412 may automatically transmit commands via the IR/RF blasters 403 and 402, to turn off the audiovisual equipment and lights, respectively.

FIG. 5 illustrates additional embodiments of IoT devices 104-105 equipped with sensors 503-504 for monitoring electronic equipment 530-531. In particular, the IoT device 104 of this embodiment includes a temperature sensor 503 which may be placed on or near a stove 530 to detect when the stove has been left on. In one embodiment, the IoT device 104 transmits the current temperature measured by the temperature sensor 503 to the IoT hub 110 and/or the IoT service 120. If the stove is detected to be on for more than a threshold time period (e.g., based on the measured temperature), then control logic 512 may transmit a notification to the end user's device 135 informing the user that the stove 530 is on. In addition, in one embodiment, the IoT device 104 may include a control module 501 to turn off the stove, either in response to receiving an instruction from the user or automatically (if the control logic 512 is programmed to do so by the user). In one embodiment, the control logic 501 comprises a switch to cut off electricity or gas to the stove 530. However, in other embodiments, the control logic 501 may be integrated within the stove itself.

FIG. 5 also illustrates an IoT device 105 with a motion sensor 504 for detecting the motion of certain types of electronics equipment such as a washer and/or dryer. Another sensor that may be used is an audio sensor (e.g., microphone and logic) for detecting an ambient volume level. As with the other embodiments described above, this embodiment may transmit notifications to the end user if
certain specified conditions are met (e.g., if motion is detected for an extended period of time, indicating that the washer/dryer are not turning off). Although not shown in FIG. 5, IoT device 105 may also be equipped with a control module to turn off the washer/dryer 531 (e.g., by switching off electric/gas), automatically, and/or in response to user input.

In one embodiment, a first IoT device with control logic and a switch may be configured to turn off all power in the user's home and a second IoT device with control logic and a switch may be configured to turn off all gas in the user's home. IoT devices with sensors may then be positioned on or near electronic or gas-powered equipment in the user's home. If the user is notified that a particular piece of equipment has been left on (e.g., the stove 530), the user may then send a command to turn off all electricity or gas in the home to prevent damage. Alternatively, the control logic 512 in the IoT hub 110 and/or the IoT service 120 may be configured to automatically turn off electricity or gas in such situations.

In one embodiment, the IoT hub 110 and IoT service 120 communicate at periodic intervals. If the IoT service 120 detects that the connection to the IoT hub 110 has been lost (e.g., by failing to receive a request or response from the IoT hub for a specified duration), it will communicate this information to the end user's device 135 (e.g., by sending a text message or app-specific notification).

Apparatus and Method for Communicating Data Through an Intermediary Device

As mentioned above, because the wireless technologies used to interconnect IoT devices such as Bluetooth LE are generally short range technologies, if the hub for an IoT implementation is outside the range of an IoT device, the IoT device will not be able to transmit data to the IoT hub (and vice versa).

To address this deficiency, one embodiment of the invention provides a mechanism for an IoT device which is outside of the wireless range of the IoT hub to periodically connect with one or more mobile devices when the mobile devices are within range. Once connected, the IoT device can transmit any data which needs to be provided to the IoT hub to the mobile device which then forwards the data to the IoT hub.

As illustrated in FIG. 6, one embodiment includes an IoT hub 110, an IoT device 601 which is out of range of the IoT hub 110 and a mobile device 611. The out of range IoT device 601 may include any form of IoT device capable of collecting and communicating data. For example, the IoT device 601 may comprise a data collection device configured within a refrigerator to monitor the food items available in the refrigerator, the users who consume the food items, and the current temperature. Of course, the underlying principles of the invention are not limited to any particular type of IoT device. The techniques described herein may be implemented using any type of IoT device including those used to collect and transmit data for smart meters, stoves, washers, dryers, lighting systems, HVAC systems, and audiovisual equipment, to name just a few.

Moreover, the mobile device 611 illustrated in FIG. 6 may be any form of mobile device capable of communicating and storing data. For example, in one embodiment, the mobile device 611 is a smartphone with an app installed thereon to facilitate the techniques described herein. In another embodiment, the mobile device 611 comprises a wearable device such as a communication token affixed to a necklace or bracelet, a smartwatch or a fitness device. The wearable token may be particularly useful for elderly users or other users who do not own a smartphone device.

In operation, the out of range IoT device 601 may periodically or continually check for connectivity with a mobile device 611. Upon establishing a connection (e.g., as the result of the user moving within the vicinity of the refrigerator) any collected data 605 on the IoT device 601 is automatically transmitted to a temporary data repository 615 on the mobile device 611. In one embodiment, the IoT device 601 and mobile device 611 establish a local wireless communication channel using a low power wireless standard such as BTLE. In such a case, the mobile device 611 may initially be paired with the IoT device 601 using known pairing techniques.

Once the data has been transferred to the temporary data repository, the mobile device 611 will transmit the data once communication is established with the IoT hub 110 (e.g., when the user walks within the range of the IoT hub 110). The IoT hub may then store the data in a central data repository 413 and/or send the data over the Internet to one or more services and/or other user devices. In one embodiment, the mobile device 611 may use a different type of communication channel to provide the data to the IoT hub 110 (potentially a higher power communication channel such as WiFi).

The out of range IoT device 601, the mobile device 611, and the IoT hub may all be configured with program code and/or logic to implement the techniques described herein. As illustrated in FIG. 7, for example, the IoT device 601 may be configured with intermediary connection logic and/or application, the mobile device 611 may be configured with an intermediary connection logic/application, and the IoT hub 110 may be configured with an intermediary connection logic/application 721 to perform the operations described herein. The intermediary connection logic/application on each device may be implemented in hardware, software, or any combination thereof. In one embodiment, the intermediary connection logic/application 701 of the IoT device 601 searches and establishes a connection with the intermediary connection logic/application 711 on the mobile device (which may be implemented as a device app) to transfer the data to the temporary data repository 615. The intermediary connection logic/application 701 on the mobile device 611 then forwards the data to the intermediary connection logic/application on the IoT hub, which stores the data in the central data repository 413.

As illustrated in FIG. 7, the intermediary connection logic/applications 701, 711, 721, on each device may be configured based on the application at hand. For example, for a refrigerator, the connection logic/application 701 may only need to transmit a few packets on a periodic basis. For other applications (e.g., temperature sensors), the connection logic/application 701 may need to transmit more frequent updates.

Rather than a mobile device 611, in one embodiment, the IoT device 601 may be configured to establish a wireless connection with one or more intermediary IoT devices, which are located within range of the IoT hub 110. In this embodiment, any IoT devices 601 out of range of the IoT hub may be linked to the hub by forming a "chain" using other IoT devices.

In addition, while only a single mobile device 611 is illustrated in FIGS. 6-7 for simplicity, in one embodiment, multiple such mobile devices of different users may be configured to communicate with the IoT device 601. Moreover, the same techniques may be implemented for multiple other IoT devices, thereby forming an intermediary device data collection system across the entire home.

Moreover, in one embodiment, the techniques described herein may be used to collect various different types of pertinent data. For example, in one embodiment, each time the mobile device 611 connects with the IoT device 601, the identity of the user may be included with the collected data 605. In this manner, the IoT system may be used to track the behavior of different users within the home. For example, if used within a refrigerator, the collected data 605 may then include the identity of each user who passes by the fridge, each user who opens the fridge, and the specific food items consumed by each user. Different types of data may be collected from other types of IoT devices. Using this data the system is able to determine, for example, which user washes clothes, which user watches TV on a given day, the times at which each user goes to sleep and wakes up, etc. All of this crowd-sourced data may then be compiled within the data repository 413 of the IoT hub and/or forwarded to an external service or user.

Another beneficial application of the techniques described herein is for monitoring elderly users who may need assistance. For this application, the mobile device 611 may be a very small token worn by the elderly user to collect the information in different rooms of the user's home. Each time the user opens the refrigerator, for example, this data will be included with the collected data 605 and transferred to the IoT hub 110 via the token. The IoT hub may then provide the data to one or more external users (e.g., the children or other individuals who care for the elderly user). If data has not been collected for a specified period of time (e.g., 12 hours), then this means that the elderly user has not been moving around the home and/or has not been opening the refrigerator. The IoT hub 110 or an external service connected to the IoT hub may then transmit an alert notification to these other individuals, informing them that they should check on the elderly user. In addition, the collected data 605 may include other pertinent information such as the food being consumed by the user and whether a trip to the grocery store is needed, whether and how frequently the elderly user is watching TV, the frequency with which the elderly user washes clothes, etc.

In another implementation, if there is a problem with an electronic device such as a washer, refrigerator, HVAC system, etc., the collected data may include an indication of a part that needs to be replaced. In such a case, a notification may be sent to a technician with a request to fix the problem. The technician may then arrive at the home with the needed replacement part.

A method in accordance with one embodiment of the invention is illustrated in FIG. 8. The method may be implemented within the context of the architectures described above, but is not limited to any particular architecture.

At 801, an IoT device which is out of range of the IoT hub periodically collects data (e.g., opening of the refrigerator door, food items used, etc.). At 802 the IoT device periodically or continually checks for connectivity with a mobile device (e.g., using standard local wireless techniques for establishing a connection such as those specified by the BTLE standard). If the connection to the mobile device is established, determined at 802, then at 803, the collected data is transferred to the mobile device at 803. At 804, the mobile device transfers the data to the IoT hub, an external service and/or a user. As mentioned, the mobile device may transmit the data immediately if it is already connected (e.g., via a WiFi link).

In addition to collecting data from IoT devices, in one embodiment, the techniques described herein may be used to update or otherwise provide data to IoT devices. One example is shown in FIG. 9A, which shows an IoT hub 110 with program code updates 901 that need to be installed on an IoT device 601 (or a group of such IoT devices). The program code updates may include system updates, patches, configuration data and any other data needed for the IoT device to operate as desired by the user. In one embodiment, the user may specify configuration options for the IoT device 601 via a mobile device or computer which are then stored on the IoT hub 110 and provided to the IoT device using the techniques described herein. Specifically, in one embodiment, the intermediary connection logic/application 721 on the IoT hub 110 communicates with the intermediary connection logic/application 711 on the mobile device 611 to store the program code updates within a temporary storage 615. When the mobile device 611 enters the range of the IoT device 601, the intermediary connection logic/application 711 on the mobile device 611 connects with the intermediary/connection logic/application 701 on the IoT device 601 to provide the program code updates to the device. In one embodiment, the IoT device 601 may then enter into an automated update process to install the new program code updates and/or data.

A method for updating an IoT device is shown in FIG. 9B. The method may be implemented within the context of the system architectures described above, but is not limited to any particular system architectures.

At 900 new program code or data updates are made available on the IoT hub and/or an external service (e.g., coupled to the mobile device over the Internet). At 901, the mobile device receives and stores the program code or data updates on behalf of the IoT device. The IoT device and/or mobile device periodically check to determine whether a connection has been established at 902. If a connection is established, determined at 903, then at 904 the updates are transferred to the IoT device and installed.

Embodiments for Improved Security

In one embodiment, the low power microcontroller 200 of each IoT device 101 and the low power logic/microcontroller 301 of the IoT hub 110 include a secure key store for storing encryption keys used by the embodiments described below (see, e.g., FIGS. 10-15 and associated text). Alternatively, the keys may be secured in a subscriber identity module (SIM) as discussed below.

FIG. 10 illustrates a high level architecture which uses public key infrastructure (PKI) techniques and/or symmetric key exchange/encryption techniques to encrypt communications between the IoT Service 120, the IoT hub 110 and the IoT devices 101-102.

Embodiments which use public/private key pairs will first be described, followed by embodiments which use symmetric key exchange/encryption techniques. In particular, in an embodiment which uses PKI, a unique public/private key pair is associated with each IoT device 101-102, each IoT hub 110 and the IoT service 120. In one embodiment, when a new IoT hub 110 is set up, its public key is provided to the IoT service 120 and when a new IoT device 101 is set up, its public key is provided to both the IoT hub 110 and the IoT service 120. Various techniques for securely exchanging the public keys between devices are described below. In one
embodiment, all public keys are signed by a master key known to all of the receiving devices (i.e., a form of certificate) so that any receiving device can verify the validity of the public keys by validating the signatures. Thus, these certificates would be exchanged rather than merely exchanging the raw public keys.

As illustrated, in one embodiment, each IoT device 101, 102 includes a secure key storage 1001, 1003, respectively, for securely storing each device's private key. Security logic 1002, 1304 then utilizes the securely stored private keys to perform the encryption/decryption operations described herein. Similarly, the IoT hub 110 includes a secure storage 1011 for storing the IoT hub private key and the public keys of the IoT devices 101-102 and the IoT service 120; as well as security logic 1012 for using the keys to perform encryption/decryption operations. Finally, the IoT service 120 may include a secure storage 1021 for securely storing its own private key, the public keys of various IoT devices and IoT hubs, and a security logic 1013 for using the keys to encrypt/decrypt communication with IoT hubs and devices.

between the hub 110 and the IoT service 120. In one embodiment, a new symmetric key is exchanged with each new communication session between the devices 101, the hub 110, and the service 120 (e.g., a new key is generated and securely exchanged for each communication session). In one embodiment, if the security module 1012 in the IoT hub is trusted, the service 120 could negotiate a session key with the hub security module 1312 and then the security module 1012 would negotiate a session key with each device 120. Messages from the service 120 would then be decrypted and verified in the hub security module 1012 before being re-encrypted for transmission to the device 101.

In one embodiment, to prevent a compromise on the hub security module 1012 a one-time (permanent) installation key may be negotiated between the device 101 and service 120 at installation time. When sending a message to a device 101 the service 120 could first encrypt/MAC with this device installation key, then encrypt/MAC that with the hub's session key. The hub 110 would then verify and extract the encrypted device blob and send that to the device.
In one embodiment, when the IoT hub 110 receives a public In one embodiment of the invention , a counter mechanism
key certificate from an IoT device it can verify it ( e.g. , by is implemented to prevent replay attacks. For example, each
validating the signature using the master key as described successive communication from the device 101 to the hub
above) , and then extract the public key from within it and 110 (or vice versa) may be assigned a continually increasing
store that public key in it's secure key store 1011 . 25 counter value . Both the hub 110 and device 101 will track
By way of example, in one embodiment, when the IoT this value and verify that the value is correct in each
service 120 needs to transmit a command or data to an IoT successive communication between the devices . The same
device 101 (e.g. , a command to unlock a door, a request to techniques may be implemented between the hub 110 and
read a sensor , data to be processed /displayed by the IoT the service 120. Using a counter in this manner would make
device, etc ) the security logic 1013 encrypts the data / 30 it more difficult to spoof the communication between each of
command using the public key of the IoT device 101 to the devices (because the counter value would be incorrect ).
generate an encrypted IoT device packet. In one embodi However, even without this a shared installation key
ment, it then encrypts the IoT device packet using the public between the service and device would prevent network (hub )
key of the IoT hub 110 to generate an IoT hub packet and wide attacks to all devices .
transmits the IoT hub packet to the IoT hub 110. In one 35 In one embodiment, when using public /private key
embodiment, the service 120 signs the encrypted message encryption, the IoT hub 110 uses its private key to decrypt
with it's private key or the master key mentioned above so the IoT hub packet and generate the encrypted IoT device
that the device 101 can verify it is receiving an unaltered packet, which it transmits to the associated IoT device 101 .
message from a trusted source . The device 101 may then The IoT device 101 then uses its private key to decrypt the
validate the signature using the public key corresponding to 40 IoT device packet to generate the command / data originated
the private key and / or the master key. As mentioned above, from the IoT service 120. It may then process the data and / or
symmetric key exchange /encryption techniques may be used execute the command . Using symmetric encryption, each
instead of public /private key encryption. In these embodi device would encrypt and decrypt with the shared symmetric
ments , rather than privately storing one key and providing a key . If either case , each transmitting device may also sign
corresponding public key to other devices, the devices may 45 the message with it's private key so that the receiving device
each be provided with a copy of the same symmetric key to can verify it's authenticity.
be used for encryption and to validate signatures. One A different set of keys may be used to encrypt commu
example of a symmetric key algorithm is the Advanced nication from the IoT device 101 to the IoT hub 110 and to
Encryption Standard ( AES ) , although the underlying prin the IoT service 120. For example, using a public /private key
ciples of the invention are not limited to any type of specific 50 arrangement, in one embodiment, the security logic 1002 on
symmetric keys. the IoT device 101 uses the public key of the IoT hub 110
Using a symmetric key implementation , each device 101 to encrypt data packets sent to the IoT hub 110. The security
enters into a secure key exchange protocol to exchange a logic 1012 on the IoT hub 110 may then decrypt the data
symmetric key with the IoT hub 110. A secure key provi packets using the IoT hub's private key. Similarly, the
sioning protocol such as the Dynamic Symmetric Key 55 security logic 1002 on the IoT device 101 and / or the security
Provisioning Protocol ( DSKPP ) may be used to exchange logic 1012 on the IoT hub 110 may encrypt data packets sent
the keys over a secure communication channel ( see , e.g. , to the IoT service 120 using the public key of the IoT service
Request for Comments (RFC ) 6063 ) . However, the under 120 (which may then be decrypted by the security logic 1013
lying principles of the invention are not limited to any on the IoT service 120 using the service's private key) .
particular key provisioning protocol. 60 Using symmetric keys , the device 101 and hub 110 may
Once the symmetric keys have been exchanged, they may share a symmetric key while the hub and service 120 may
be used by each device 101 and the IoT hub 110 to encrypt share a different symmetric key.
communications. Similarly, the IoT hub 110 and IoT service While certain specific details are set forth above in the
120 may perform a secure symmetric key exchange and then description above , it should be noted that the underlying
use the exchanged symmetric keys to encrypt communica- 65 principles of the invention may be implemented using
tions . In one embodiment a new symmetric key is exchanged various different encryption techniques. For example, while
periodically between the devices 101 and the hub 110 and some embodiments discussed above use asymmetric public /
private key pairs, an alternate embodiment may use symmetric keys securely exchanged between the various IoT devices 101-102, IoT hubs 110, and the IoT service 120. Moreover, in some embodiments, the data/command itself is not encrypted, but a key is used to generate a signature over the data/command (or other data structure). The recipient may then use its key to validate the signature.
As illustrated in FIG. 11, in one embodiment, the secure key storage on each IoT device 101 is implemented using a programmable subscriber identity module (SIM) 1101. In this embodiment, the IoT device 101 may initially be provided to the end user with an un-programmed SIM card 1101 seated within a SIM interface 1100 on the IoT device 101. In order to program the SIM with a set of one or more encryption keys, the user takes the programmable SIM card 1101 out of the SIM interface 500 and inserts it into a SIM programming interface 1102 on the IoT hub 110. Programming logic 1125 on the IoT hub then securely programs the SIM card 1101 to register/pair the IoT device 101 with the IoT hub 110 and IoT service 120. In one embodiment, a public/private key pair may be randomly generated by the programming logic 1125 and the public key of the pair may then be stored in the IoT hub's secure storage device 411 while the private key may be stored within the programmable SIM 1101. In addition, the programming logic 525 may store the public keys of the IoT hub 110, the IoT service 120, and/or any other IoT devices 101 on the SIM card 1401 (to be used by the security logic 1302 on the IoT device 101 to encrypt outgoing data). Once the SIM 1101 is programmed, the new IoT device 101 may be provisioned with the IoT Service 120 using the SIM as a secure identifier (e.g., using existing techniques for registering a device using a SIM). Following provisioning, both the IoT hub 110 and the IoT service 120 will securely store a copy of the IoT device's public key to be used when encrypting communication with the IoT device 101.
The techniques described above with respect to FIG. 11 provide enormous flexibility when providing new IoT devices to end users. Rather than requiring a user to directly register each SIM with a particular service provider upon sale/purchase (as is currently done), the SIM may be programmed directly by the end user via the IoT hub 110 and the results of the programming may be securely communicated to the IoT service 120. Consequently, new IoT devices 101 may be sold to end users from online or local retailers and later securely provisioned with the IoT service 120.
While the registration and encryption techniques are described above within the specific context of a SIM (Subscriber Identity Module), the underlying principles of the invention are not limited to a “SIM” device. Rather, the underlying principles of the invention may be implemented using any type of device having secure storage for storing a set of encryption keys. Moreover, while the embodiments above include a removable SIM device, in one embodiment, the SIM device is not removable but the IoT device itself may be inserted within the programming interface 1102 of the IoT hub 110.
In one embodiment, rather than requiring the user to program the SIM (or other device), the SIM is pre-programmed into the IoT device 101, prior to distribution to the end user. In this embodiment, when the user sets up the IoT device 101, various techniques described herein may be used to securely exchange encryption keys between the IoT hub 110/IoT service 120 and the new IoT device 101.
For example, as illustrated in FIG. 12A each IoT device 101 or SIM 401 may be packaged with a barcode or QR code 1501 uniquely identifying the IoT device 101 and/or SIM 1001. In one embodiment, the barcode or QR code 1201 comprises an encoded representation of the public key for the IoT device 101 or SIM 1001. Alternatively, the barcode or QR code 1201 may be used by the IoT hub 110 and/or IoT service 120 to identify or generate the public key (e.g., used as a pointer to the public key which is already stored in secure storage). The barcode or QR code 601 may be printed on a separate card (as shown in FIG. 12A) or may be printed directly on the IoT device itself. Regardless of where the barcode is printed, in one embodiment, the IoT hub 110 is equipped with a barcode reader 206 for reading the barcode and providing the resulting data to the security logic 1012 on the IoT hub 110 and/or the security logic 1013 on the IoT service 120. The security logic 1012 on the IoT hub 110 may then store the public key for the IoT device within its secure key storage 1011 and the security logic 1013 on the IoT service 120 may store the public key within its secure storage 1021 (to be used for subsequent encrypted communication).
In one embodiment, the data contained in the barcode or QR code 1201 may also be captured via a user device 135 (e.g., such as an iPhone or Android device) with an installed IoT app or browser-based applet designed by the IoT service provider. Once captured, the barcode data may be securely communicated to the IoT service 120 over a secure connection (e.g., such as a secure sockets layer (SSL) connection). The barcode data may also be provided from the client device 135 to the IoT hub 110 over a secure local connection (e.g., over a local WiFi or Bluetooth LE connection).
The security logic 1002 on the IoT device 101 and the security logic 1012 on the IoT hub 110 may be implemented using hardware, software, firmware or any combination thereof. For example, in one embodiment, the security logic 1002, 1012 is implemented within the chips used for establishing the local communication channel 130 between the IoT device 101 and the IoT hub 110 (e.g., the Bluetooth LE chip if the local channel 130 is Bluetooth LE). Regardless of the specific location of the security logic 1002, 1012, in one embodiment, the security logic 1002, 1012 is designed to establish a secure execution environment for executing certain types of program code. This may be implemented, for example, by using TrustZone technology (available on some ARM processors) and/or Trusted Execution Technology (designed by Intel). Of course, the underlying principles of the invention are not limited to any particular type of secure execution technology.
In one embodiment, the barcode or QR code 1501 may be used to pair each IoT device 101 with the IoT hub 110. For example, rather than using the standard wireless pairing process currently used to pair Bluetooth LE devices, a pairing code embedded within the barcode or QR code 1501 may be provided to the IoT hub 110 to pair the IoT hub with the corresponding IoT device.
FIG. 12B illustrates one embodiment in which the barcode reader 206 on the IoT hub 110 captures the barcode/QR code 1201 associated with the IoT device 101. As mentioned, the barcode/QR code 1201 may be printed directly on the IoT device 101 or may be printed on a separate card provided with the IoT device 101. In either case, the barcode reader 206 reads the pairing code from the barcode/QR code 1201 and provides the pairing code to the local communication module 1280. In one embodiment, the local communication module 1280 is a Bluetooth LE chip and associated software, although the underlying principles of the invention are not limited to any particular protocol standard. Once the pairing code is received, it is stored in a secure storage containing pairing data 1285 and the IoT device 101 and IoT
hub 110 are automatically paired. Each time the IoT hub is paired with a new IoT device in this manner, the pairing data for that pairing is stored within the secure storage 685. In one embodiment, once the local communication module 1280 of the IoT hub 110 receives the pairing code, it may use the code as a key to encrypt communications over the local wireless channel with the IoT device 101.
Similarly, on the IoT device 101 side, the local communication module 1590 stores pairing data within a local secure storage device 1595 indicating the pairing with the IoT hub. The pairing data 1295 may include the pre-programmed pairing code identified in the barcode/QR code 1201. The pairing data 1295 may also include pairing data received from the local communication module 1280 on the IoT hub 110 required for establishing a secure local communication channel (e.g., an additional key to encrypt communication with the IoT hub 110).
Thus, the barcode/QR code 1201 may be used to perform local pairing in a far more secure manner than current wireless pairing protocols because the pairing code is not transmitted over the air. In addition, in one embodiment, the same barcode/QR code 1201 used for pairing may be used to identify encryption keys to build a secure connection from the IoT device 101 to the IoT hub 110 and from the IoT hub 110 to the IoT service 120.
A method for programming a SIM card in accordance with one embodiment of the invention is illustrated in FIG. 13. The method may be implemented within the system architecture described above, but is not limited to any particular system architecture.
At 1301, a user receives a new IoT device with a blank SIM card and, at 1602, the user inserts the blank SIM card into an IoT hub. At 303, the user programs the blank SIM card with a set of one or more encryption keys. For example, as mentioned above, in one embodiment, the IoT hub may randomly generate a public/private key pair and store the private key on the SIM card and the public key in its local secure storage. In addition, at 1304, at least the public key is transmitted to the IoT service so that it may be used to identify the IoT device and establish encrypted communication with the IoT device. As mentioned above, in one embodiment, a programmable device other than a “SIM” card may be used to perform the same functions as the SIM card in the method shown in FIG. 13.
A method for integrating a new IoT device into a network is illustrated in FIG. 14. The method may be implemented within the system architecture described above, but is not limited to any particular system architecture.
At 1401, a user receives a new IoT device to which an encryption key has been pre-assigned. At 1402, the key is securely provided to the IoT hub. As mentioned above, in one embodiment, this involves reading a barcode associated with the IoT device to identify the public key of a public/private key pair assigned to the device. The barcode may be read directly by the IoT hub or captured via a mobile device via an app or browser. In an alternate embodiment, a secure communication channel such as a Bluetooth LE channel, a near field communication (NFC) channel or a secure WiFi channel may be established between the IoT device and the IoT hub to exchange the key. Regardless of how the key is transmitted, once received, it is stored in the secure keystore of the IoT hub device. As mentioned above, various secure execution technologies may be used on the IoT hub to store and protect the key such as Secure Enclaves, Trusted Execution Technology (TXT), and/or TrustZone. In addition, at 803, the key is securely transmitted to the IoT service which stores the key in its own secure keystore. It may then use the key to encrypt communication with the IoT device. Once again, the exchange may be implemented using a certificate/signed key. Within the hub 110 it is particularly important to prevent modification/addition/removal of the stored keys.
A method for securely communicating commands/data to an IoT device using public/private keys is illustrated in FIG. 15. The method may be implemented within the system architecture described above, but is not limited to any particular system architecture.
At 1501, the IoT service encrypts the data/commands using the IoT device public key to create an IoT device packet. It then encrypts the IoT device packet using IoT hub's public key to create the IoT hub packet (e.g., creating an IoT hub wrapper around the IoT device packet). At 1502, the IoT service transmits the IoT hub packet to the IoT hub. At 1503, the IoT hub decrypts the IoT hub packet using the IoT hub's private key to generate the IoT device packet. At 1504 it then transmits the IoT device packet to the IoT device which, at 1505, decrypts the IoT device packet using the IoT device private key to generate the data/commands. At 1506, the IoT device processes the data/commands.
In an embodiment which uses symmetric keys, a symmetric key exchange may be negotiated between each of the devices (e.g., each device and the hub and between the hub and the service). Once the key exchange is complete, each transmitting device encrypts and/or signs each transmission using the symmetric key before transmitting data to the receiving device.

Apparatus and Method for Establishing Secure Communication Channels in an Internet of Things (IoT) System

In one embodiment of the invention, encryption and decryption of data is performed between the IoT service 120 and each IoT device 101, regardless of the intermediate devices used to support the communication channel (e.g., such as the user's mobile device 611 and/or the IoT hub 110). One embodiment which communicates via an IoT hub 110 is illustrated in FIG. 16A and another embodiment which does not require an IoT hub is illustrated in FIG. 16B.
Turning first to FIG. 16A, the IoT service 120 includes an encryption engine 1660 which manages a set of “service session keys” 1650 and each IoT device 101 includes an encryption engine 1661 which manages a set of “device session keys” 1651 for encrypting/decrypting communication between the IoT device 101 and IoT service 120. The encryption engines may rely on different hardware modules when performing the security/encryption techniques described herein including a hardware security module 1630-1631 for (among other things) generating a session public/private key pair and preventing access to the private session key of the pair and a key stream generation module 1640-1641 for generating a key stream using a derived secret. In one embodiment, the service session keys 1650 and the device session keys 1651 comprise related public/private key pairs. For example, in one embodiment, the device session keys 1651 on the IoT device 101 include a public key of the IoT service 120 and a private key of the IoT device 101. As discussed in detail below, in one embodiment, to establish a secure communication session, the public/private session key pairs, 1650 and 1651, are used by each encryption engine, 1660 and 1661, respectively, to generate the same secret which is then used by the KSGMs 1640-1641 to generate a key stream to encrypt and decrypt communication between the IoT service 120 and the IoT device 101. Additional details associated with generation
and use of the secret in accordance with one embodiment of the invention are provided below.
In FIG. 16A, once the secret has been generated using the keys 1650-1651, the client will always send messages to the IoT device 101 through the IoT service 120, as indicated by Clear transaction 1611. “Clear” as used herein is meant to indicate that the underlying message is not encrypted using the encryption techniques described herein. However, as illustrated, in one embodiment, a secure sockets layer (SSL) channel or other secure channel (e.g., an Internet Protocol Security (IPSEC) channel) is established between the client device 611 and IoT service 120 to protect the communication. The encryption engine 1660 on the IoT service 120 then encrypts the message using the generated secret and transmits the encrypted message to the IoT hub 110 at 1602. Rather than using the secret to encrypt the message directly, in one embodiment, the secret and a counter value are used to generate a key stream, which is used to encrypt each message packet. Details of this embodiment are described below with respect to FIG. 17.
As illustrated, an SSL connection or other secure channel may be established between the IoT service 120 and the IoT hub 110. The IoT hub 110 (which does not have the ability to decrypt the message in one embodiment) transmits the encrypted message to the IoT device at 1603 (e.g., over a Bluetooth Low Energy (BTLE) communication channel). The encryption engine 1661 on the IoT device 101 may then decrypt the message using the secret and process the message contents. In an embodiment which uses the secret to generate a key stream, the encryption engine 1661 may generate the key stream using the secret and a counter value and then use the key stream for decryption of the message packet.
The message itself may comprise any form of communication between the IoT service 120 and IoT device 101. For example, the message may comprise a command packet instructing the IoT device 101 to perform a particular function such as taking a measurement and reporting the result back to the client device 611 or may include configuration data to configure the operation of the IoT device 101.
If a response is required, the encryption engine 1661 on the IoT device 101 uses the secret or a derived key stream to encrypt the response and transmits the encrypted response to the IoT hub 110 at 1604, which forwards the response to the IoT service 120 at 1605. The encryption engine 1660 on the IoT service 120 then decrypts the response using the secret or a derived key stream and transmits the decrypted response to the client device 611 at 1606 (e.g., over the SSL or other secure communication channel).
FIG. 16B illustrates an embodiment which does not require an IoT hub. Rather, in this embodiment, communication between the IoT device 101 and IoT service 120 occurs through the client device 611 (e.g., as in the embodiments described above with respect to FIGS. 6-9B). In this embodiment, to transmit a message to the IoT device 101 the client device 611 transmits an unencrypted version of the message to the IoT service 120 at 1611. The encryption engine 1660 encrypts the message using the secret or the derived key stream and transmits the encrypted message back to the client device 611 at 1612. The client device 611 then forwards the encrypted message to the IoT device 101 at 1613, and the encryption engine 1661 decrypts the message using the secret or the derived key stream. The IoT device 101 may then process the message as described herein. If a response is required, the encryption engine 1661 encrypts the response using the secret and transmits the encrypted response to the client device 611 at 1614, which forwards the encrypted response to the IoT service 120 at 1615. The encryption engine 1660 then decrypts the response and transmits the decrypted response to the client device 611 at 1616.
FIG. 17 illustrates a key exchange and key stream generation which may initially be performed between the IoT service 120 and the IoT device 101. In one embodiment, this key exchange may be performed each time the IoT service 120 and IoT device 101 establish a new communication session. Alternatively, the key exchange may be performed and the exchanged session keys may be used for a specified period of time (e.g., a day, a week, etc). While no intermediate devices are shown in FIG. 17 for simplicity, communication may occur through the IoT hub 110 and/or the client device 611.
In one embodiment, the encryption engine 1660 of the IoT service 120 sends a command to the HSM 1630 (e.g., which may be such as a CloudHSM offered by Amazon®) to generate a session public/private key pair. The HSM 1630 may subsequently prevent access to the private session key of the pair. Similarly, the encryption engine on the IoT device 101 may transmit a command to the HSM 1631 (e.g., such as an Atecc508 HSM from Atmel Corporation®) which generates a session public/private key pair and prevents access to the session private key of the pair. Of course, the underlying principles of the invention are not limited to any specific type of encryption engine or manufacturer.
In one embodiment, the IoT service 120 transmits its session public key generated using the HSM 1630 to the IoT device 101 at 1701. The IoT device uses its HSM 1631 to generate its own session public/private key pair and, at 1702, transmits its public key of the pair to the IoT service 120. In one embodiment, the encryption engines 1660-1661 use an Elliptic curve Diffie-Hellman (ECDH) protocol, which is an anonymous key agreement that allows two parties with an elliptic curve public-private key pair, to establish a shared secret. In one embodiment, using these techniques, at 1703, the encryption engine 1660 of the IoT service 120 generates the secret using the IoT device session public key and its own session private key. Similarly, at 1704, the encryption engine 1661 of the IoT device 101 independently generates the same secret using the IoT service 120 session public key and its own session private key. More specifically, in one embodiment, the encryption engine 1660 on the IoT service 120 generates the secret according to the formula secret = IoT device session pub key * IoT service session private key, where “*” means that the IoT device session public key is point-multiplied by the IoT service session private key. The encryption engine 1661 on the IoT device 101 generates the secret according to the formula secret = IoT service session pub key * IoT device session private key, where the IoT service session public key is point multiplied by the IoT device session private key. In the end, the IoT service 120 and IoT device 101 have both generated the same secret to be used to encrypt communication as described below. In one embodiment, the encryption engines 1660-1661 rely on a hardware module such as the KSGMs 1640-1641 respectively to perform the above operations for generating the secret.
Once the secret has been determined, it may be used by the encryption engines 1660 and 1661 to encrypt and decrypt data directly. Alternatively, in one embodiment, the encryption engines 1660-1661 send commands to the KSGMs 1640-1641 to generate a new key stream using the secret to encrypt/decrypt each data packet (i.e., a new key stream data structure is generated for each packet). In particular, one embodiment of the key stream generation
module 1640-1641 implements a Galois/Counter Mode (GCM) in which a counter value is incremented for each data packet and is used in combination with the secret to generate the key stream. Thus, to transmit a data packet to the IoT service 120, the encryption engine 1661 of the IoT device 101 uses the secret and the current counter value to cause the KSGMs 1640-1641 to generate a new key stream and increment the counter value for generating the next key stream. The newly-generated key stream is then used to encrypt the data packet prior to transmission to the IoT service 120. In one embodiment, the key stream is XORed with the data to generate the encrypted data packet. In one embodiment, the IoT device 101 transmits the counter value with the encrypted data packet to the IoT service 120. The encryption engine 1660 on the IoT service then communicates with the KSGM 1640 which uses the received counter value and the secret to generate the key stream (which should be the same key stream because the same secret and counter value are used) and uses the generated key stream to decrypt the data packet.
In one embodiment, data packets transmitted from the IoT service 120 to the IoT device 101 are encrypted in the same manner. Specifically, a counter is incremented for each data packet and used along with the secret to generate a new key stream. The key stream is then used to encrypt the data (e.g., performing an XOR of the data and the key stream) and the encrypted data packet is transmitted with the counter value to the IoT device 101. The encryption engine 1661 on the IoT device 101 then communicates with the KSGM 1641 which uses the counter value and the secret to generate the same key stream which is used to decrypt the data packet. Thus, in this embodiment, the encryption engines 1660-1661 use their own counter values to generate a key stream to encrypt data and use the counter values received with the encrypted data packets to generate a key stream to decrypt the data.
In one embodiment, each encryption engine 1660-1661 keeps track of the last counter value it received from the other and includes sequencing logic to detect whether a counter value is received out of sequence or if the same
The master private key may be used to generate signatures over (and thereby authenticate) various other key pairs such as the factory key pairs. The signatures may then be verified using the master public key. In one embodiment, each factory which manufactures IoT devices is assigned its own factory key pair which may then be used to authenticate IoT service keys and IoT device keys. For example, in one embodiment, a factory private key is used to generate a signature over IoT service public keys and IoT device public keys. These signatures may then be verified using the corresponding factory public key. Note that these IoT service/device public keys are not the same as the "session" public/private keys described above with respect to FIGS. 16A-B. The session public/private keys described above are temporary (i.e., generated for a service/device session) while the IoT service/device key pairs are permanent (i.e., generated at the factory).
With the foregoing relationships between master keys, factory keys, service/device keys in mind, one embodiment of the invention performs the following operations to provide additional layers of authentication and security between the IoT service 120 and IoT device 101:
A. In one embodiment, the IoT service 120 initially generates a message containing the following:
1. The IoT service's unique ID:
   The IoT service's serial number;
   a Timestamp;
   The ID of the factory key used to sign this unique ID;
   a Class of the unique ID (i.e., a service);
   IoT service's public key
   The signature over the unique ID.
2. The Factory Certificate including:
   A timestamp
   The ID of the master key used to sign the certificate
   The factory public key
   The signature of the Factory Certificate
3. IoT service session public key (as described above with respect to FIGS. 16A-B)
4. IoT service session public key signature (e.g., signed
counter value is received more than once . If a counter value with the IoT service's private key )
is received out of sequence , or if the same counter value is B. In one embodiment, the message is sent to the IoT
received more than once , this may indicate that a replay device on the negotiation channel ( described below ) . The
attack is being attempted . In response , the encryption IoT device parses the message and :
engines 1660-1661 may disconnect from the communication 45 1. Verifies the signature of the factory certificate (only if
channel and / or may generate a security alert. present in the message payload)
FIG . 18 illustrates an exemplary encrypted data packet 2. Verifies the signature of the unique ID using the key
employed in one embodiment of the invention comprising a identified by the unique ID
4 -byte counter value 1800 , a variable -sized encrypted data 3. Verifies the IoT service session public key signature
field 1801 , and a 6 -byte tag 1802. In one embodiment, the 50 using the IoT service's public key from the unique ID
tag 1802 comprises a checksum value to validate the 4. Saves the IoT service's public key as well as the IoT
decrypted data (once it has been decrypted ). service's session public key
As mentioned, in one embodiment, the session public / 5. Generates the IoT device session key pair
private key pairs 1650-1651 exchanged between the IoT C. The IoT device then generates a message containing
service 120 and IoT device 101 may be generated periodi- 55 the following:
cally and / or in response to the initiation of each new 1. IoT device's unique ID
communication session . IoT device serial number
One embodiment of the invention implements additional Timestamp
techniques for authenticating sessions between the IoT ser ID of factory key used to sign this unique ID
vice 120 and IoT device 101. In particular, in one embodi- 60 Class of unique ID ( i.e. , IoT device )
ment, hierarchy of public / private key pairs is used including IoT device's public key
a master key pair, a set of factory key pairs , and a set of IoT Signature of unique ID
service key pairs , and a set of IoT device key pairs . In one 2. IoT device's session public key
embodiment, the master key pair comprises a root of trust 3. Signature of ( IoT device session public key + IoT ser
for all of the other key pairs and is maintained in a single , 65 vice session public key ) signed with IoT device's key
highly secure location ( e.g. , under the control of the orga D. This message is sent back to the IoT service . The IoT
nization implementing the IoT systems described herein ). service parses the message and:
   1. Verifies the signature of the unique ID using the factory public key
   2. Verifies the signature of the session public keys using the IoT device's public key
   3. Saves the IoT device's session public key
E. The IoT service then generates a message containing a signature of (IoT device session public key + IoT service session public key) signed with the IoT service's key.
F. The IoT device parses the message and:
   1. Verifies the signature of the session public keys using the IoT service's public key
   2. Generates the key stream from the IoT device session private key and the IoT service's session public key
   3. The IoT device then sends a "messaging available" message.
G. The IoT service then does the following:
   1. Generates the key stream from the IoT service session private key and the IoT device's session public key
   2. Creates a new message on the messaging channel which contains the following:
      Generates and stores a random 2 byte value
      Set attribute message with the boomerang attribute Id (discussed below) and the random value
H. The IoT device receives the message and:
   1. Attempts to decrypt the message
   2. Emits an Update with the same value on the indicated attribute Id
I. The IoT service recognizes the message payload contains a boomerang attribute update and:
   1. Sets its paired state to true
   2. Sends a pairing complete message on the negotiator channel
J. The IoT device receives the message and sets its paired state to true

While the above techniques are described with respect to an "IoT service" and an "IoT device," the underlying principles of the invention may be implemented to establish a secure communication channel between any two devices including user client devices, servers, and Internet services.

The above techniques are highly secure because the private keys are never shared over the air (in contrast to current Bluetooth pairing techniques in which a secret is transmitted from one party to the other). An attacker listening to the entire conversation will only have the public keys, which are insufficient to generate the shared secret. These techniques also prevent a man-in-the-middle attack by exchanging signed public keys. In addition, because GCM and separate counters are used on each device, any kind of "replay attack" (where a man in the middle captures the data and sends it again) is prevented. Some embodiments also prevent replay attacks by using asymmetrical counters.

Techniques for Exchanging Data and Commands without Formally Pairing Devices

GATT is an acronym for the Generic Attribute Profile, and it defines the way that two Bluetooth Low Energy (BTLE) devices transfer data back and forth. It makes use of a generic data protocol called the Attribute Protocol (ATT), which is used to store Services, Characteristics and related data in a simple lookup table using 16-bit Characteristic IDs for each entry in the table. Note that the "characteristics" are sometimes referred to as "attributes."

On Bluetooth devices, the most commonly used characteristic is the device's "name" (having characteristic ID 10752 (0x2A00)). For example, a Bluetooth device may identify other Bluetooth devices within its vicinity by reading the "Name" characteristic published by those other Bluetooth devices using GATT. Thus, Bluetooth devices have the inherent ability to exchange data without formally pairing/bonding the devices (note that "pairing" and "bonding" are sometimes used interchangeably; the remainder of this discussion will use the term "pairing").

One embodiment of the invention takes advantage of this capability to communicate with BTLE-enabled IoT devices without formally pairing with these devices. Pairing with each individual IoT device would be extremely inefficient because of the amount of time required to pair with each device and because only one paired connection may be established at a time.

FIG. 19 illustrates one particular embodiment in which a Bluetooth (BT) device 1910 establishes a network socket abstraction with a BT communication module 1901 of an IoT device 101 without formally establishing a paired BT connection. The BT device 1910 may be included in an IoT hub 110 and/or a client device 611 such as shown in FIG. 16A. As illustrated, the BT communication module 1901 maintains a data structure containing a list of characteristic IDs, names associated with those characteristic IDs and values for those characteristic IDs. The value for each characteristic may be stored within a 20-byte buffer identified by the characteristic ID in accordance with the current BT standard. However, the underlying principles of the invention are not limited to any particular buffer size.

In the example in FIG. 19, the "Name" characteristic is a BT-defined characteristic which is assigned a specific value of "IoT Device 14." One embodiment of the invention specifies a first set of additional characteristics to be used for negotiating a secure communication channel with the BT device 1910 and a second set of additional characteristics to be used for encrypted communication with the BT device 1910. In particular, a "negotiation write" characteristic, identified by characteristic ID <65532> in the illustrated example, may be used to transmit outgoing negotiation messages and the "negotiation read" characteristic, identified by characteristic ID <65533>, may be used to receive incoming negotiation messages. The "negotiation messages" may include messages used by the BT device 1910 and the BT communication module 1901 to establish a secure communication channel as described herein. By way of example, in FIG. 17, the IoT device 101 may receive the IoT service session public key 1701 via the "negotiation read" characteristic <65533>. The key 1701 may be transmitted from the IoT service 120 to a BTLE-enabled IoT hub 110 or client device 611 which may then use GATT to write the key 1701 to the negotiation read value buffer identified by characteristic ID <65533>. IoT device application logic 1902 may then read the key 1701 from the value buffer identified by characteristic ID <65533> and process it as described above (e.g., using it to generate a secret and using the secret to generate a key stream, etc.).

If the key 1701 is greater than 20 bytes (the maximum buffer size in some current implementations), then it may be written in 20-byte portions. For example, the first 20 bytes may be written by the BT communication module 1903 to characteristic ID <65533> and read by the IoT device application logic 1902, which may then write an acknowledgement message to the negotiation write value buffer identified by characteristic ID <65532>. Using GATT, the BT communication module 1903 may read this acknowledgement from characteristic ID <65532> and responsively write the next 20 bytes of the key 1701 to the negotiation read value buffer identified by characteristic ID <65533>. In this manner, a network socket abstraction defined by characteristic IDs <65532> and <65533> is established for exchanging negotiation messages used to establish a secure communication channel.

In one embodiment, once the secure communication channel is established, a second network socket abstraction is established using characteristic ID <65534> (for transmitting encrypted data packets from IoT device 101) and characteristic ID <65533> (for receiving encrypted data packets by IoT device). That is, when BT communication module 1903 has an encrypted data packet to transmit (e.g., such as encrypted message 1603 in FIG. 16A), it starts writing the encrypted data packet, 20 bytes at a time, using the message read value buffer identified by characteristic ID <65533>. The IoT device application logic 1902 will then read the encrypted data packet, 20 bytes at a time, from the read value buffer, sending acknowledgement messages to the BT communication module 1903 as needed via the write value buffer identified by characteristic ID <65532>.

In one embodiment, the commands of GET, SET, and UPDATE described below are used to exchange data and commands between the two BT communication modules 1901 and 1903. For example, the BT communication module 1903 may send a packet identifying characteristic ID <65533> and containing the SET command to write into the value field/buffer identified by characteristic ID <65533> which may then be read by the IoT device application logic 1902. To retrieve data from the IoT device 101, the BT communication module 1903 may transmit a GET command directed to the value field/buffer identified by characteristic ID <65534>. In response to the GET command, the BT communication module 1901 may transmit an UPDATE packet to the BT communication module 1903 containing the data from the value field/buffer identified by characteristic ID <65534>. In addition, UPDATE packets may be transmitted automatically, in response to changes in a particular attribute on the IoT device 101. For example, if the IoT device is associated with a lighting system and the user turns on the lights, then an UPDATE packet may be sent to reflect the change to the on/off attribute associated with the lighting application.

FIG. 20 illustrates exemplary packet formats used for GET, SET, and UPDATE in accordance with one embodiment of the invention. In one embodiment, these packets are transmitted over the message write <65534> and message read <65533> channels following negotiation. In the GET packet 2001, a first 1-byte field includes a value (0x10) which identifies the packet as a GET packet. A second 1-byte field includes a request ID, which uniquely identifies the current GET command (i.e., identifies the current transaction with which the GET command is associated). For example, each instance of a GET command transmitted from a service or device may be assigned a different request ID. This may be done, for example, by incrementing a counter and using the counter value as the request ID. However, the underlying principles of the invention are not limited to any particular manner for setting the request ID.

A 2-byte attribute ID identifies the application-specific attribute to which the packet is directed. For example, if the GET command is being sent to IoT device 101 illustrated in FIG. 19, the attribute ID may be used to identify the particular application-specific value being requested. Returning to the above example, the GET command may be directed to an application-specific attribute ID such as power status of a lighting system, which comprises a value identifying whether the lights are powered on or off (e.g., 1 = on, 0 = off). If the IoT device 101 is a security apparatus associated with a door, then the value field may identify the current status of the door (e.g., 1 = opened, 0 = closed). In response to the GET command, a response may be transmitted containing the current value identified by the attribute ID.

The SET packet 2002 and UPDATE packet 2003 illustrated in FIG. 20 also include a first 1-byte field identifying the type of packet (i.e., SET and UPDATE), a second 1-byte field containing a request ID, and a 2-byte attribute ID field identifying an application-defined attribute. In addition, the SET packet includes a 2-byte length value identifying the length of data contained in an n-byte value data field. The value data field may include a command to be executed on the IoT device and/or configuration data to configure the operation of the IoT device in some manner (e.g., to set a desired parameter, to power down the IoT device, etc.). For example, if the IoT device 101 controls the speed of a fan, the value field may reflect the current fan speed.

The UPDATE packet 2003 may be transmitted to provide an update of the results of the SET command. The UPDATE packet 2003 includes a 2-byte length value field to identify the length of the n-byte value data field which may include data related to the results of the SET command. In addition, a 1-byte update state field may identify the current state of the variable being updated. For example, if the SET command attempted to turn off a light controlled by the IoT device, the update state field may indicate whether the light was successfully turned off.

FIG. 21 illustrates an exemplary sequence of transactions between the IoT service 120 and an IoT device 101 involving the SET and UPDATE commands. Intermediary devices such as the IoT hub and the user's mobile device are not shown to avoid obscuring the underlying principles of the invention. At 101, the SET command 2101 is transmitted from the IoT service to the IoT device 101 and received by the BT communication module 1901 which responsively updates the GATT value buffer identified by the characteristic ID at 2102. The SET command is read from the value buffer by the low power microcontroller (MCU) 200 at 2103 (or by program code being executed on the low power MCU such as IoT device application logic 1902 shown in FIG. 19). At 2104, the MCU 200 or program code performs an operation in response to the SET command. For example, the SET command may include an attribute ID specifying a new configuration parameter such as a new temperature or may include a state value such as on/off (to cause the IoT device to enter into an "on" or a low power state). Thus, at 2104, the new value is set in the IoT device and an UPDATE command is returned at 2105 and the actual value is updated in a GATT value field at 2106. In some cases, the actual value will be equal to the desired value. In other cases, the updated value may be different (i.e., because it may take time for the IoT device 101 to update certain types of values). Finally, at 2107, the UPDATE command is transmitted back to the IoT service 120 containing the actual value from the GATT value field.

FIG. 22 illustrates a method for implementing a secure communication channel between an IoT service and an IoT device in accordance with one embodiment of the invention. The method may be implemented within the context of the network architectures described above but is not limited to any specific architecture.

At 2201, the IoT service creates an encrypted channel to communicate with the IoT hub using elliptic curve digital signature algorithm (ECDSA) certificates. At 2202, the IoT service encrypts data/commands in IoT device packets using the session secret to create an encrypted device packet. As mentioned above, the session secret may be independently
generated by the IoT device and the IoT service. At 2203, the IoT service transmits the encrypted device packet to the IoT hub over the encrypted channel. At 2204, without decrypting, the IoT hub passes the encrypted device packet to the IoT device. At 2205, the IoT device uses the session secret to decrypt the encrypted device packet. As mentioned, in one embodiment this may be accomplished by using the secret and a counter value (provided with the encrypted device packet) to generate a key stream and then using the key stream to decrypt the packet. At 2206, the IoT device then extracts and processes the data and/or commands contained within the device packet.

Thus, using the above techniques, bi-directional, secure network socket abstractions may be established between two BT-enabled devices without formally pairing the BT devices using standard pairing techniques. While these techniques are described above with respect to an IoT device 101 communicating with an IoT service 120, the underlying principles of the invention may be implemented to negotiate and establish a secure communication channel between any two BT-enabled devices.

FIGS. 23A-C illustrate a detailed method for pairing devices in accordance with one embodiment of the invention. The method may be implemented within the context of the system architectures described above, but is not limited to any specific system architectures.

At 2301, the IoT Service creates a packet containing serial number and public key of the IoT Service. At 2302, the IoT Service signs the packet using the factory private key. At 2303, the IoT Service sends the packet over an encrypted channel to the IoT hub and at 2304 the IoT hub forwards the packet to the IoT device over an unencrypted channel. At 2305, the IoT device verifies the signature of the packet and, at 2306, the IoT device generates a packet containing the serial number and public key of the IoT Device. At 2307, the IoT device signs the packet using the factory private key and at 2308, the IoT device sends the packet over the unencrypted channel to the IoT hub.

At 2309, the IoT hub forwards the packet to the IoT service over an encrypted channel and at 2310, the IoT Service verifies the signature of the packet. At 2311, the IoT Service generates a session key pair, and at 2312 the IoT Service generates a packet containing the session public key. The IoT Service then signs the packet with the IoT Service private key at 2313 and, at 2314, the IoT Service sends the packet to the IoT hub over the encrypted channel.

Turning to FIG. 23B, the IoT hub forwards the packet to the IoT device over the unencrypted channel at 2315 and, at 2316, the IoT device verifies the signature of the packet. At 2317 the IoT device generates a session key pair (e.g., using the techniques described above), and, at 2318, an IoT device packet is generated containing the IoT device session public key. At 2319, the IoT device signs the IoT device packet with the IoT device private key. At 2320, the IoT device sends the packet to the IoT hub over the unencrypted channel and, at 2321, the IoT hub forwards the packet to the IoT service over an encrypted channel.

At 2322, the IoT service verifies the signature of the packet (e.g., using the IoT device public key) and, at 2323, the IoT service uses the IoT service private key and the IoT device public key to generate the session secret (as described in detail above). At 2324, the IoT device uses the IoT device private key and IoT service public key to generate the session secret (again, as described above) and, at 2325, the IoT device generates a random number and encrypts it using the session secret. At 2326, the IoT service sends the encrypted packet to the IoT hub over the encrypted channel. At 2327, the IoT hub forwards the encrypted packet to the IoT device over the unencrypted channel. At 2328, the IoT device decrypts the packet using the session secret.

Turning to FIG. 23C, the IoT device re-encrypts the packet using the session secret at 2329 and, at 2330, the IoT device sends the encrypted packet to the IoT hub over the unencrypted channel. At 2331, the IoT hub forwards the encrypted packet to the IoT service over the encrypted channel. The IoT service decrypts the packet using the session secret at 2332. At 2333 the IoT service verifies that the random number matches the random number it sent. The IoT service then sends a packet indicating that pairing is complete at 2334 and all subsequent messages are encrypted using the session secret at 2335.

While a dedicated IoT hub 110 is illustrated in many embodiments above, a dedicated IoT hub hardware platform is not required for complying with the underlying principles of the invention. For example, the various IoT hubs described above may be implemented as software executed within various other networking devices such as iPhones® and Android devices (e.g., an IoT device App). In fact, the IoT hubs described herein may be implemented on any device capable of communicating with IoT devices (e.g., using BTLE or other local wireless protocol) and establishing a connection over the Internet (e.g., to an IoT service using a WiFi or cellular data connection).

Interface and Method for Efficient Communication Between a Microcontroller and a Communication Module

As mentioned, in one embodiment, each IoT device includes a secure communication module for establishing a secure communication channel with an IoT service and a microcontroller unit (MCU) which executes program code to perform application-specific functions (e.g., in accordance with the specific functions to be performed by the IoT device). In one embodiment, a serial communication interface is communicatively coupled between the MCU and the secure communication module.

FIG. 24 illustrates one particular embodiment in which a serial peripheral interface (SPI) 2410 is used to provide bi-directional communication between the MCU 2401 and secure communication module 2402. An SPI interface 2410 is a synchronous serial communication interface specification used for short distance communication, primarily in embedded systems. In one embodiment, the MCU 2401 operates as the Master and the secure communication module 2402 operates as a Slave in accordance with the SPI communication protocol. Accordingly, in some embodiments described below, the MCU will simply be referred to as the "Master" and the secure communication module will be referred to as the "Slave."

As used herein the SPI interface 2410 refers to both the SPI bus lines connecting the Master 2401 with the Slave 2402 and the SPI interface circuitry on the Master and Slave (described in greater detail below). The communication bus lines of the SPI interface 2410 include a system clock (SCK) generated by the Master 2401, a chip select (CS) controlled by the Master 2401, a Master-out-Slave-In (MOSI) communication line for transmitting data from the Master 2401 to the Slave 2402 and a Master-in-Slave-out (MISO) communication line for transmitting data from the Slave 2402 to the Master 2041.

The standard SPI protocol requires the Master to initiate all communication with the Slave. Thus, to receive data from the Slave, the Master must control the chip select (CS) line
and indicate to the slave that it needs data or needs to transmit data. After a period of time (which may be as much as 2 ms), when the Slave is ready to respond, it will send the data. Because of the amount of handshaking and waiting time in order to coordinate the communication between the Master and Slave, the current SPI protocol is inefficient, particularly when large amounts of data need to be streamed between the Master and the Slave.

As such, in one embodiment, a control line 2410 is added to improve the speed at which the SPI interface can be run between the Master 2401 and the Slave 2402. In particular, when either the Master 2401 or the Slave 2402 has data that needs to be transmitted to the other, it pulls the control line 2410 low, informing the other that it is ready to send data. This coordinates all of the transactions on the SPI interface 2410 in a more efficient manner because if the Slave 2402 wants to send data, it pulls the control line 2401 low and, upon seeing that the line is low, the Master 2401 initiates the transaction using the SPI interface 2410. The Slave 2402 then transmits the data. In one embodiment, the transaction is bi-directional so data can be streamed concurrently in both directions. When the transaction is complete, both the Master 2401 and the Slave 2402 release the control line 2410, which goes high again, indicating to both the Master and Slave that either party may initiate a new transaction.

FIG. 25 illustrates additional details of one embodiment of the invention including interface circuitry 2550 on the Master 2401 and interface circuitry 2560 on the Slave 2402 which include components such as bus drivers to transmit and receive digital data over the MOSI and MISO bus lines. Control logic 2552, 2562 controls the communication as described above by pulling the control line 2410 low when either the Master 2401 or the Slave 2402 needs to initiate a new transaction. In the illustrated embodiment, the control logic 2562 of the Slave is electrically coupled to the base of a first transistor 2402 and the control logic 2552 of the Master 2401 is electrically coupled to the base of a second transistor 2503. The drain of each transistor is connected to ground (GND) and the source of each transistor is coupled to a pull up resistor 2501 on a line to which a voltage is supplied (V). The transistors 2502-2503 may be any type of transistors including bipolar junction transistors (BJTs) or field-effect transistors (FETs).

In operation, when neither the Master nor the Slave need to initiate a transaction, the control logic 2552 and 2562 keeps the transistors 2503 and 2502, respectively, in an off state, thereby pulling the control line 2410 high (i.e., pulled up to a voltage V). When either the Master or the Slave need to initiate a transaction, the control logic 2552, 2562 applies a voltage to the base of a respective transistor 2503, 2502, which allows current to flow through the transistor, thereby pulling the control line 2410 to ground.

Thus, either the Master 2401 or the Slave 2402 may pull the control line low, indicating that a transaction is in progress. In addition, in one embodiment, neither the Master nor the slave will attempt to initiate a transaction when the control line is pulled low, thereby ensuring coordination between the Master 2401 and Slave 2402.

In one embodiment, this coordination is used to establish a bi-directional streaming interface between the Master 2401

Master and the Slave, the control line 2410 may be pulled and maintained low by the party initiating the transaction to ensure that the other party does not attempt to take control of the interface before the transaction is complete. For example, if the Slave 2402 has 100 Bytes to transmit to the Master 2401, it may take control by pulling the control line 2410 low, transmit the first 10 Bytes, and keep the control line 2410 low while the Master receives the first 10 Bytes. When the Master indicates that it can accept more data, the Slave 2402 transmits the next 10 Bytes. After the entire 100 Bytes of data has been provided to the Master 2401 in 10 Byte increments, the Slave 2402 releases the control line 2410 (allowing it to be pulled high) to indicate that the Master may take control. The Master may also keep the control line 2410 low while it is receiving and processing each 10 Byte buffer of data. Once it has completed receiving and processing the data, it will release the control line 2410.

In one embodiment, a general purpose input/output (GPIO) line may be shared between the Master 2401 and Slave 2402 to enable this communication. The GPIO line may operate in substantially the same manner as described above, i.e., when one party wants to enter into a transaction, it pulls the GPIO line low informing the other party that a transaction is in process.

One embodiment of the invention utilizes a special arrangement of bytes to enable bi-directional communication and signaling between the Master 2401 and the Slave 2402. FIG. 26 illustrates an exemplary 10 Byte segment, identified as Bytes 0-9, in which Bytes 0 and 1 are used for error correction and control and Bytes 2-9 are used for data. In particular, Byte 0 comprises a checksum over the Bytes 1-9, which may be used by the receiving party to detect transmission errors. For example, the receiving party may calculate its own checksum over Bytes 1-9 and compare the result with the checksum in Byte 0. If the result is the same, then it may be assumed that no errors were introduced. If the checksum is not the same, then the receiving party may request retransmission of the 10 Byte segment.

In one embodiment, Byte 1 is arranged into a predetermined sequence of bits 2601 (e.g., 001 in the example) used by the receiving party to identify the beginning of the data sequence. In one embodiment, the fourth bit 2602 is used to indicate whether the transmission is the end of a data packet. For example, as discussed above for a data packet of 100 Bytes, the value 2602 may be set to 1 when the last 10 Bytes is transmitted. The receiving party will then know when the packet transmission is complete. In one embodiment, the next four bytes 2603 (identified as nnnn) are set to indicate the number of Bytes of valid data stored in Bytes 2-9. For example, if only Byte 2 includes valid data, then the value of 2603 may be 0001; if both Bytes 2 and 3 include valid data, then the value of 2603 may be 0010, and so on. The receiving side will then process only the valid data and ignore the rest. In one embodiment, whenever a transaction occurs between the Master and the Slave, the 10 Byte segment is transmitted in both directions (i.e., one from the Master to the Slave and one from the Slave to the Master). However, if a party has no data to send, it will simply set the nnnn value 2603 equal to 0000. If both parties have data to send then they will each send the data concurrently, and
and the Slave 2402 operating at a significantly greater speed indicate the number of valid Bytes by adjusting the nnnn
than current SPI interfaces . In one embodiment, the Master value 2603 .
2401 and Slave 2402 include small (e.g. , 10 Byte ) data The above techniques significantly increase the speed at
buffers, 2551 and 2561 , respectively, to buffer data streamed which current SPI interfaces are capable of running, estab
between the Master 2401 and the Slave 2402. Consequently, 65 lishing a bi- directional streaming protocol over standard SPI
when an amount of data greater than the size of the data bus lines. Using these techniques, an application 2503
buffers 2551 , 2561 needs to be transmitted between the running on the MCU 2401 can efficiently stream data to the
IoT service 120 and, at the same time, the IoT service can efficiently stream data to the application 2403. In addition, in one embodiment, the secure communication module 2402 establishes a secure communication channel with the IoT service 120 using the various techniques described above with respect to FIGS. 16A-23C.

Integrated Development Tool for an Internet of Things (IoT) System

One embodiment of the invention includes an integrated development tool to allow IoT developers to readily design new IoT devices, services, and client apps for end users. In particular, in one embodiment, the integrated development tool allows the developer to indicate the input/output functions to be performed by each IoT device, the GUI features to be available to end users, and the back-end functions to be performed by the IoT service. In response, the integrated development tool generates a first profile for the IoT device, a second profile for a client device app, and a third profile for the IoT service to realize an end-to-end, fully-functional IoT implementation with limited effort.
FIG. 27 illustrates one embodiment of an integrated development tool platform 2701 which includes a development application 2720 with a graphical user interface 2721 usable by a developer to design new IoT implementations. In one embodiment, the integrated development tool (IDT) platform 2701 comprises a computer system with a storage device and memory for storing program code of the development application 2720 and a processor for processing the program code during runtime. In addition, the various other modules illustrated in FIG. 27 (e.g., 2730-2732) may be implemented as program code executed by the processor.
A development database 2710 is loaded and continually updated with data related to different IoT device configurations, user interface features for client-side apps, and IoT service configurations. For example, the development database 2710 may include data related to different types of input/output (I/O) functions to be performed by each of the IoT devices 101-102 including, but not limited to analog-to-digital (A/D) functions (e.g., capturing an analog voltage level), digital-to-analog (D/A) functions (e.g., providing an analog voltage output), binary on/off functions (e.g., unlocking a door, triggering an alarm, turning on a light, etc), and various General Purpose I/O (GPIO) functions.
In addition, as discussed below, the developer may specify whether the IoT device 102 is to be designed with a stand-alone secure communication module 2402 or whether the IoT device 101 is to be designed with both a secure communication module 2402 and MCU 2401 (e.g., interconnected via an SPI interface as discussed above). A stand-alone implementation may be used for relatively simpler IoT implementations such as those which perform simple on/off functions (e.g., a switch integrated on a lightbulb) whereas the MCU implementation may be used for more complex data collection and monitoring (e.g., a remotely-controllable video camera triggered by a motion sensor).
In one embodiment, once the developer has specified the particular I/O functions to be performed by an IoT device via the development application 2720, an IoT device engine 2730 uses the configuration data provided from the development application to generate an IoT device profile 2740, specifying the configuration parameters for the secure communication module 2402. This may include, for example, the mode that the secure communication module is in, including whether the secure communication module 2402 is in a stand-alone mode or coupled to an MCU 2401. If in stand-alone mode, the IoT device profile 2740 configures the various I/O lines 2407 of the secure communication module 2402 to perform the functions required by the IoT device 102. If used with an MCU 2401, the IoT device profile 2740 may configure the I/O lines 2407 of the secure communication module 2402 and the I/O lines 2408 of the MCU and may also specify how the secure communication module 2402 is to interact with the MCU 2401 (e.g., communicating over an SPI bus to exchange data and commands with the application executed on the MCU as described above).
In one embodiment, the IoT device profile 2740 may be loaded into a non-volatile memory on the secure communication module 2402 (e.g., Flash memory) to implement the IoT functions (see, e.g., FIG. 2 showing app code 203, library code 202, and communication stack code 201 executed by the low power uC 200). In alternate embodiments, the IoT device profile 2740 may be used to configure an application-specific integrated circuit or field-programmable gate array (FPGA). The underlying principles of the invention are not limited to any particular configuration for secure communication module 2402.
In addition to configuring the IoT device, in one embodiment, once the developer has specified the particular I/O functions to be performed by an IoT device via the development application 2720, an IoT device engine 2730 uses the configuration data from the development application to generate a user experience (UX) profile 2741 to be used to implement the IoT app or application on the client device 611. The UX profile, for example, may specify various graphical I/O elements to be displayed within the GUI of the IoT app or application and the configurations to be used for those graphical I/O elements. For example, if the IoT device 102 is a light switch (or other simple on/off device such as a door lock), then the UX profile may include a simple on/off switch to control the IoT device 102. If the IoT device 101 is a video capture device then the UX profile may specify a graphical element to cause video to be displayed on the client 611 and the specific parameters for displaying the video (e.g., scaling to be used, location on the client display, etc). A virtually unlimited number of different user interface features may be specified by the UX profile while still complying with the underlying principles of the invention.
In addition, in one embodiment, an IoT service engine 2732 generates a cloud API profile 2742 to accommodate the service-side requirements of the new IoT devices 101-102. This may include, for example, the manner in which the IoT service 120 is to exchange commands and data with the new IoT devices and/or notifications to be sent to the user's client device 611 in response to data received from the IoT devices. For example, if the IoT device is a door lock, then the cloud API profile may specify that a notification is to be sent to the client device 611 whenever the door is opened and the user is not home. In addition, the cloud API profile 2742 may specify the commands to be used to control the new IoT devices. In one embodiment, the cloud API profile 2742 specifies the manner in which the IoT service 120 is to communicate with external IoT services such as the IoT services run by the designer of the new IoT devices 101-102 (e.g., exposing an API to the external IoT services).
A method implemented by an integrated development tool for an IoT system is illustrated in FIG. 28. The method may be implemented within the context of the system architectures described above, but is not limited to any particular system architecture.
At 2801, the designer enters parameters for the new IoT device via the GUI of the development application. This may include, for example, the I/O functions to be performed
by the IoT device and the manner in which the IoT device is to interact with the IoT service. At 2802, using data from the development application, the IoT device engine generates an IoT device profile. In addition to the I/O function specification, this may include an indication as to whether the secure communication module is in stand-alone mode or used with an MCU. At 2803, the IoT device profile is applied to the IoT device. In one embodiment, this involves copying the program code to a non-volatile storage on the IoT device.
At 2804, using data from the development application, the client app engine generates a UX profile specifying (among other things) the user interface to be displayed on the client when interacting with the new IoT devices. At 2805, the UX profile is applied to the client.
At 2806, using data from the development application, the IoT service engine generates a cloud API profile specifying the manner in which the IoT service is to interoperate with the new IoT devices, the client device and/or any external IoT services. For example, as described above, the IoT service may expose an API to enable communication with one or more external IoT services. At 2805, the cloud API profile is applied to the IoT cloud service.
Thus, using the integrated development techniques described herein, a developer can concurrently program a new IoT device, an IoT service, and a user app, thereby saving a significant amount of time and effort compared with current implementations in which each component must be independently programmed and configured.
Embodiments of the invention may include various steps, which have been described above. The steps may be embodied in machine-executable instructions which may be used to cause a general-purpose or special-purpose processor to perform the steps. Alternatively, these steps may be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.
As described herein, instructions may refer to specific configurations of hardware such as application specific integrated circuits (ASICs) configured to perform certain operations or having a predetermined functionality or software instructions stored in memory embodied in a non-transitory computer readable medium. Thus, the techniques shown in the figures can be implemented using code and data stored and executed on one or more electronic devices (e.g., an end station, a network element, etc.). Such electronic devices store and communicate (internally and/or with other electronic devices over a network) code and data using computer machine-readable media, such as non-transitory computer machine-readable storage media (e.g., magnetic disks; optical disks; random access memory; read only memory; flash memory devices; phase-change memory) and transitory computer machine-readable communication media (e.g., electrical, optical, acoustical or other form of propagated signals — such as carrier waves, infrared signals, digital signals, etc.). In addition, such electronic devices typically include a set of one or more processors coupled to one or more other components, such as one or more storage devices (non-transitory machine-readable storage media), user input/output devices (e.g., a keyboard, a touchscreen, and/or a display), and network connections. The coupling of the set of processors and other components is typically through one or more busses and bridges (also termed as bus controllers). The storage device and signals carrying the network traffic respectively represent one or more machine-readable storage media and machine-readable communication media. Thus, the storage device of a given electronic device typically stores code and/or data for execution on the set of one or more processors of that electronic device. Of course, one or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.
Throughout this detailed description, for the purposes of explanation, numerous specific details were set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the invention may be practiced without some of these specific details. In certain instances, well known structures and functions were not described in elaborate detail in order to avoid obscuring the subject matter of the present invention. Accordingly, the scope and spirit of the invention should be judged in terms of the claims which follow.

What is claimed is:
1. A method comprising:
  providing an Internet of Things (IoT) integrated development application comprising a graphical user interface (GUI);
  providing a development database comprising configuration data related to different IoT device configurations, IoT service configurations, and client app/application configurations;
  specifying, by a developer, a configuration for a new IoT device, utilizing the IoT integrated development application, wherein the developer utilizes the data in the development database for the configuration for the new IoT device;
  specifying, by the developer through the IoT integrated development application, input/output functions to be performed by the new IoT device;
  responsive to the development application specifying input/output functions to be performed by the new IoT device, generating an IoT device profile to be applied to the IoT device, wherein the IoT device profile is stored in a non-volatile storage memory of the new IoT device;
  applying the IoT device profile to the IoT device and thereby configure the IoT device to perform the input/output functions;
  based on the configuration of the new IoT device specified by the developer, generating a user experience (UX) profile specifying graphical user interface (GUI) features of a client app or application;
  configuring the client app or application by applying the UX profile to the client app or application to implement the GUI features;
  specifying, by the developer through the integrated development application, IoT service features of an IoT service corresponding to the configuration of the new IoT device;
  responsive to specifying IoT service features of an IoT service based on the configuration of the new IoT device, generating a cloud application programming interface (API) profile;
  applying the cloud API profile to the IoT service to configure the IoT service to implement the IoT service features, wherein configuring the features includes:
    configuring the IoT service to handle exchange of commands or data between the client app or application and the new IoT device; and
    configuring the IoT service to handle external invocation of the features; and
  enabling communication between the client app or application and the new IoT device through the IoT service.
2. The method as in claim 1 wherein the IoT device comprises a controller for executing program code to implement the IoT device profile.
3. The method as in claim 1 wherein the input/output functions comprise at least one analog-to-digital function or digital-to-analog function.
4. The method as in claim 1 wherein the input/output functions comprise at least one on/off input or output function.
5. The method as in claim 1 wherein the IoT device profile specifies whether the IoT device is to operate in a stand-alone mode in which the input/output functions are performed by a secure communication module or in a microcontroller unit (MCU) mode in which at least some input/output functions are performed by software executed on the MCU.
6. The method as in claim 5 wherein the MCU and the secure communication module are communicatively coupled over a serial communication channel.
7. The method as in claim 6 wherein the serial communication channel comprises a serial peripheral interconnect (SPI) bus.
8. The method as in claim 1 wherein specifying input/output functions to be performed by the new IoT device comprises specifying operation of input/output lines of the IoT device.
9. The method as in claim 1 wherein the UX profile specifies a plurality of graphical I/O elements to be displayed within a GUI of the IoT app or application and configurations to be used for those graphical I/O elements.
10. The method as in claim 1 wherein the cloud API profile is to specify IoT service-side requirements of the new IoT device.
11. The method as in claim 10 wherein the IoT service-side requirements comprise a manner in which the IoT service is to exchange commands and data with the new IoT devices or notifications to be sent to a client on which the app or application is to be executed.
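The 10 Byte segment that the detailed description gives for FIG. 26 (checksum in Byte 0, control bits in Byte 1, data in Bytes 2-9), as an added C example that is not code from the patent or from Afero. It assumes an 8-bit additive checksum and an MSB-first layout of Byte 1, neither of which the patent specifies; all function names are hypothetical and the payload is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEG_LEN      10     /* Bytes 0-9 */
#define SEG_DATA_MAX 8      /* Bytes 2-9 carry data */
/* Byte 1 layout, assumed MSB-first: 001 (2601) | end bit (2602) | nnnn (2603) */
#define SYNC_MASK    0xE0u
#define SYNC_BITS    0x20u
#define END_BIT      0x10u
#define COUNT_MASK   0x0Fu

enum { SEG_OK = 0, SEG_BAD_CHECKSUM = -1, SEG_BAD_SYNC = -2,
       SEG_BAD_COUNT = -3, SEG_NO_SPACE = -4 };

/* Assumed algorithm: 8-bit sum of Bytes 1-9 (the patent does not specify one). */
static uint8_t seg_checksum(const uint8_t *seg) {
    uint8_t sum = 0;
    for (int i = 1; i < SEG_LEN; i++) sum = (uint8_t)(sum + seg[i]);
    return sum;
}

/* Build one segment; n == 0 is the "no data to send" case (nnnn = 0000). */
int seg_encode(uint8_t *seg, const uint8_t *data, size_t n, int last) {
    if (n > SEG_DATA_MAX) return SEG_BAD_COUNT;
    memset(seg, 0, SEG_LEN);
    seg[1] = (uint8_t)(SYNC_BITS | (last ? END_BIT : 0u) | n);
    if (n) memcpy(seg + 2, data, n);
    seg[0] = seg_checksum(seg);
    return SEG_OK;
}

/* Validate a received segment, then copy out only the bytes marked valid. */
int seg_decode(const uint8_t *seg, uint8_t *out, size_t *n, int *last) {
    if (seg_checksum(seg) != seg[0]) return SEG_BAD_CHECKSUM; /* ask for resend */
    if ((seg[1] & SYNC_MASK) != SYNC_BITS) return SEG_BAD_SYNC;
    size_t count = seg[1] & COUNT_MASK;
    /* Four bits can say 9-15, but only 8 data bytes exist: reject, never over-read. */
    if (count > SEG_DATA_MAX) return SEG_BAD_COUNT;
    memcpy(out, seg + 2, count);
    *n = count;
    *last = (seg[1] & END_BIT) != 0;
    return SEG_OK;
}

/* Sender and receiver in one loop: split pkt into segments, reassemble into rx.
 * Returns the number of bytes reassembled, or a negative SEG_* code. */
long transfer_packet(const uint8_t *pkt, size_t len, uint8_t *rx, size_t rx_cap) {
    size_t sent = 0, got = 0;
    int last = 0;
    while (!last) {
        uint8_t seg[SEG_LEN], chunk[SEG_DATA_MAX];
        size_t n = (len - sent > SEG_DATA_MAX) ? SEG_DATA_MAX : len - sent, m = 0;
        seg_encode(seg, pkt + sent, n, sent + n == len);
        sent += n;
        int rc = seg_decode(seg, chunk, &m, &last);
        if (rc != SEG_OK) return rc;
        if (m > rx_cap - got) return SEG_NO_SPACE;  /* bound the reassembly buffer */
        memcpy(rx + got, chunk, m);
        got += m;
    }
    return (long)got;
}

int main(void) {
    uint8_t pkt[20], rx[32];                  /* constructed sample payload */
    for (size_t i = 0; i < sizeof pkt; i++) pkt[i] = (uint8_t)(0xA0 + i);
    long got = transfer_packet(pkt, sizeof pkt, rx, sizeof rx);
    printf("reassembled %ld bytes, match=%d\n", got, memcmp(pkt, rx, sizeof pkt) == 0);
    return 0;
}
```

A checksum of this kind only catches accidental corruption on the bus; it is not a defence against deliberate modification of a segment.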
Session initiation uses public/private key pairs, pre-assigned to each device. A secure channel like SSL or Bluetooth LE is established for key exchange. This process employs Elliptic Curve Diffie-Hellman (ECDH) for shared secret generation. The IoT service and device exchange public keys and independently compute the secret to initiate encrypted communication, using secure key management systems.
IoT devices utilize sensors and RF/IR blasters to control electronics like heaters and lights based on commands from a central IoT hub. Control logic on the hub processes environmental sensor data, user input from apps, and stored control codes to transmit necessary RF/IR commands. Users can remotely adjust equipment via apps that sync with the hub, utilizing databases of control codes.
IoT ecosystems utilize session public/private keys for secure data transmission, aided by technologies like Secure Enclaves, Trusted Execution, and encryption engines implementing protocols like ECDH and Galois/Counter Mode. These ensure the privacy of communications and protection of session keys, with secure streams managed for each data packet sent between devices and services.
The IoT hub enables secure communication using session keys for encrypting and decrypting communications between IoT devices and the service. A session public/private key pair is generated, with secure channels like Bluetooth LE or NFC facilitating key exchange. Encryption engines use public/private session keys to generate a shared secret, employed by Key Stream Generation Modules (KSGMs) for encryption. Secure execution technologies such as Secure Enclaves and TrustZone protect these keys.
The SDK provides a framework to create IoT applications by including a graphical interface for specifying device inputs and outputs, pre-established networking code, and a library code base for mobile app development. It simplifies coding by providing low-level libraries for IoT hardware components, facilitating design with an extensive library for the IoT hub and devices.
Real-time updates use a continuous bi-directional data stream maintained by an open TCP socket for seamless communication between IoT devices and the IoT hub, which interfaces with services and user devices. Networking protocols are adapted as needed, sometimes reverting to simple request/response methods where constant streaming is impractical, ensuring adaptability and efficiency.
User preferences are integrated by allowing users to set desired conditions, such as temperature or lighting level, on apps or browsers connected to the IoT hub. The hub processes this input alongside sensor data to modify device behavior, applying stored control codes to activate associated equipment. This ensures IoT interactions align with user-defined conditions.
IoT systems ensure code integrity and authenticity through databases that store master control codes. These databases are maintained by IoT hubs and the service, which retrieve relevant codes for device operation. Authentication is further secured by using factory-assigned key pairs, verified through signatures generated and checked against factory public keys, maintaining control code authenticity.
IoT devices update external platforms via a continuous data stream maintained through TCP sockets for regular, real-time updates. When constant connection is impractical, simpler request/response protocols are engaged. This adaptability ensures reliable, timely delivery of status information to user devices and external websites, crucial for real-time monitoring and control.
IoT systems detect and notify users of malfunctions via connected apps, triggered by sensor data indicating unexpected device status. Users receive notifications and can interact remotely through a graphical interface simulating a remote control, allowing them to adjust or turn off devices as needed. This system offers consistent monitoring and control, even off-site.