by AlyssaRowan 2917 days ago
It does indeed seem to be DRAGONFLY (I'd heard rumours indicating such in advance): a surprising choice for an interactive protocol with attacker-observable timings, I felt, given its already chequered reputation?

I couldn't possibly speculate as to why, but one does feel inclined to agree that the people behind wireless LAN security haven't always generally chosen high quality methods in the past, and this feels to me like it could well be a continuation of that pattern.

1 comment

I tried to read the device provisioning protocol. To read it, I would need to fill out a form to ask for permission and to agree to some contract. No thanks.

Given that “easy connect” seems to require no UI at all on the IoT device, I suspect it’s vulnerable to fairly trivial reassociation of a victim device to a rogue network, and it may be impossible to defend against an attacker who has ever seen the QR code without replacing the device outright.

The right way to do this is probably to arrange for IoT wireless clients to each get their own private VLAN and to have no ability to engage in any communication other than bandwidth-limited device-initiated traffic to the public Internet.