The physical layer secret key generation scheme is a preferred solution designed for resource-constrained Internet of Things (IoT) devices. But it suffers from a severe attack, the signal manipulating attack, which aims at controlling the generated key. The existing solutions either cannot prevent all kinds of signal manipulation attacks or require working in full-duplex mode, which is not suitable for resource-constrained IoT devices. In this article, we introduce a secret key generation scheme with the help of an untrusted relay to address this dilemma. Also, our method can protect the privacy of legitimate users from the untrusted relay. We conclude a general signal manipulation attack model from existing practical signal manipulation attacks and analyze the security strength and privacy preserving ability of our scheme based on this model. Finally, we compare our method with existing signal manipulation attack solutions. The result shows that our method is the best solution for resource-constrained IoT systems.