We address the problem of trust establishment between wireless devices that do not share any prior secrets. This includes the mutual authentication and agreement to a common key that can be used to further bootstrap essential cryptographic mechanisms. We propose SFIRE, a secret-free trust establishment protocol that allows the secure pairing of commercial off-the-shelf (COTS) wireless devices with a hub. Compared to the state-of-the-art, SFIRE does not require any out-of-band channels, special hardware, or firmware modification, but can be applied to any COTS device. Moreover, SFIRE is resistant to the most advanced active signal manipulations that include recently demonstrated signal nullification at an intended receiver. These security properties are achieved in-band with the assistance of a helper device such as a smartphone and by using the RSS fluctuation patterns to build a robust 'RSS authenticator'. We perform extensive experiments using COTS devices and USRP radios and verify the validity of the proposed protocol.