This website lists information for the 2017/2018 course Security Services for the IoT (SSI) at the University of Twente. # Overview  |  ----|----- Course code|201700083 Coordinator | Cristian Hesselman (SIDN Labs) ( Credits | 5EC (140 hours) Lecturers| - dr. Cristian Hesselman (SIDN Labs)
- dr. Jair Santanna (University of Twente)
- dr. Elmer Lastdrager (SIDN Labs)
- prof. dr. Aiko Pras (University of Twente)
Room|Hal B room 2B Mailing list| Quartile | Q4: 23 April to 6 July 2018 # Assessment SSI uses a total of 18 papers and (draft) IETF [RFCs]( in combination with a lab assignment to assess to what extend participants attained the course's learning outcomes (see Background section). Your individual assessment will be based on your deliverables for SSI, which are: - A presentation based on an in-depth study of one of the papers/RFCs - Review 9 other papers/RFCs with optional short summaries - A four-page report on your lab assignment - An oral exam about all 10 papers and the lab assignment To pass SSI, your score will need to be 5.5 or higher, which we calculate as follows: (score presentation) $\times$ 30% + (score lab assignment) $\times$ 40% + (score oral exam) $\times$ 30% Where each of the scores is between 1 (worst) and 10 (best). ## Presentation SSI involves 6 interactive technical lectures (see Schedule section), in one of which you'll need to present a paper or an IETF (draft) RFC (see Papers and RFCs section) on IoT security, with a particular focus on home networks. You'll need to study the paper/RFC in depth and present it in 30 minutes, including 10 minutes of questions and discussion. Please use slides to explain what the paper is about and include your observations and critique. RFCs are typically longer than papers, but also contain a lot of detail you can skip, while the information density in papers is typically much higher than in RFCs. Both your fellow students and your lecturer will score your presentation (50-50), for instance based on clarity and mastery of the document's technical content. We'll hand out evaluation forms at the beginning of each lecture and you must return them before leaving the room. ## Review Papers You will need to review 10 papers/RFCs that we'll discuss in the interactive lectures (lecture 2 through 7) and that you'd like to focus on. One paper/RFC you will present yourself (see Presentation section). The other 9 papers you will review and discuss in-class. If you want, you may hand in a short summary of these 9 papers, which you can use during the oral exam (see Examination section). The short summaries merely act as a study aid and we won't evaluate them directly (but indirectly as part of the oral exam). If you want to submit short summaries, please use at most 200 words per paper/RFC (or 1 A4 with diagrams) and submit them to by Tuesday 19:00 CEST before the lecture in which the paper will be discussed. Please prefix the subject line with "[ssi]" (without the quotes). ## Lab Assignment The goal of the lab assignment is for you to gain hands-on experience with measuring and analyzing the network behavior of IoT devices and capturing this behavior in a device profile. In SSI, we'll be using the emerging Manufacturer Usage Description (MUD) [#19] [#20] for this purpose. We will provide you with a GLiNet mini-router to carry out traffic measurements, which is yours to keep. The mini-routers run OpenWRT and [SIDN Labs' software module for IoT security in homenets]( We'll be handing out the mini-routers at the first lecture, which is also when you can register for the lab assignment (in teams of two). Your output for the lab assignment consists of: 1. A four-page report in the [standard two-column IEEE format]( that discusses the results of your measurements and your proposal on how to use or extend the MUD specification to describe the behavior you measured (an actual MUD spec). You may use text, graphs, tables, or a combination thereof. 2. A capture of the IoT device's network traffic (e.g., using TCPdump), which you will need to send to using a service like You will need to carry out the lab assignment in teams of two. The deadline for submitting the report is Wednesday June 20, 2018, 23:59 CET. We'll be evaluating your report on parameters such as clarity and soundness of the methodology you used. Elmer Lastdrager from SIDN Labs will be on site after lectures 3 and 4 (see Schedule section) to answer any practical questions you may have on the lab assignment. If we consider your work a suitable short-term input for the draft MUD specification [#19], then we'll be in touch to discuss how to proceed. Team | Members -----|-------- 1 | Calvin & Kasper 2 | Rick & Etienne 3 | Stiliyan & Nazish 4 | Ivan & Metin 5 | Leonidas & Filip 6 | Liza & Kimberly 7 | Melcher & Michael 8 | Christiaan & Gijs 9 | Rien & Andrea [Table [labs]: Lab teams.] ## Examination The exam consists of a 20 minute interview with one of the SSI lecturers. We'll evaluate to what extend you attained SSI's learning goals (see Background section) based on the paper you presented, the other 9 papers you reviewed, and the MUD papers ([#19] and [#20]). We'll be asking in-depth questions about the paper/RFC you presented and more high-level ones about the other 9 papers/RFCs (and the two MUD-papers) you reviewed on and for which you may provide a short summary (see the Review Papers section). # Schedule Table [schedule] shows SSI's schedule, which consists of a total of 9 lectures: an introduction, 6 interactive technical sessions with presentations on papers and RFCs, and two examination sessions (you'll be in one of them). We also provide two Q&A slots to help you with the SSI lab assignment. You must attend all lectures because of their interactive nature and because you'll need to provide feedback on the presentations of your fellow students (see the Presentation section). Lecture | Date | Contents | Presentation #1 | Presentation #2 | Presentation #3 -------|-------------|--------|------------|----------------|------|------ 1 | April 25 | **Course introduction**
Lecturer: Cristian Hesselman (SIDN Labs)
- SSI assessment, schedule, and background
- Admin matters, such as signing up for the lab assignment
- Collect your GLiNET mini-router
[Lecture slides (pdf)](./slides/lecture1-intro.pdf)

**Guest lecture**: IoT and DDoS attacks
Lecturer: dr. Jair Santanna (University of Twente)
[Lecture slides (pdf)](./slides/lecture1-ddos-iot.pdf) - | May 2 | **No Lecture** 2 | May 9 | **Interactive lecture**: IoT concepts and applications
Papers/RFCs: [#1] [#2] [#3]
Lecturer: Cristian Hesselman
[Intro slides](./slides/lecture2-intro.pdf) | Rien [#1]
[Slides](./slides/lecture2a-rien.pdf) | Leon [#2]
[Slides](./slides/lecture2b-leon.pdf) | Calvin [#3]
[Slides](./slides/lecture2c-calvin.pdf) 3 | May 16 | **Interactive lecture**: IoT-powered attacks Papers/RFCs: [#4] [#5] [#6]
Q&A lab assignment (12.45-13:30)
Lecturer: Cristian Hesselman
[Intro slides](./slides/lecture3-intro.pdf) | Christiaan [#4]
[Slides](./slides/lecture3a-christiaan.pdf) | Rick [#5]
[Slides](./slides/lecture3b-rick.pdf) | Michael [#6]
[Slides](./slides/lecture3c-michael.pdf) 4 | May 23 | **Interactive lecture**: IoT security measurements Papers/RFCs: [#7] [#8] [#9]
Q&A lab assignment (12.45-13:30)
Lecturer: Elmer Lastdrager | Kimberly [#7]
[Slides](./slides/lecture4a-kimberly.pdf) | Gijs [#8]
[Slides](./slides/lecture4b-gijs.pdf) | Etienne [#9]
[Slides](./slides/lecture4c-etienne.pdf) 5 | May 30 | **Interactive lecture**: security systems for homenets Papers/RFCs: [#10] [#11] [#12]
Lecturer: Cristian Hesselman | Metin [#10]
[Slides](./slides/lecture5a-metin.pdf) | Kasper [#11]
[Slides](./slides/lecture5b-kasper.pdf) | Filip [#12]
[Slides](./slides/lecture5c-filip.pdf) 6 | Jun 6 | **Interactive lecture**: IoT protocol standards Papers/RFCs: [#13] [#14] [#15]
Lecturer: Cristian Hesselman | Nazish [#13]
[Slides](./slides/lecture6a-nazish.pdf) | Stiliyan [#14]
[Slides](./slides/lecture6b-stiliyan.pdf) | Melcher [#15]
[Slides](./slides/lecture6c-melcher.pdf) 7 | Jun 13 | **Interactive lecture**: IoT intrusion detection and sharing Papers/RFCs: [#16] [#17] [#18]
Lecturer: Cristian Hesselman | Andrea [#16]
[Slides](./slides/lecture7a-andrea.pdf) | Ivan [#17]
[Slides](./slides/lecture7b-ivan.pdf) | Liza [#18]
[Slides](./slides/lecture7c-liza.pdf) 8 | Jun 20 | Oral exam, first 9 candidates (in **HB 2B**)
Students: Filip, Ivan, Nazish, Stiliyan, Leon, Calvin, Kimberly, Rien, Andrea
Examiners: Cristian & Elmer - | June 27 | **No Lecture** Extra | June 28 | **Extra lecture about DNS**
13:45 - 15:30 @ CR 2G
Lecturer: Marco Davids (SIDN)
[Slides](./slides/lecture-extra.pdf) 9 | Jul 4 | Oral exam, remaining 9 candidates (in **HB 2B**)
Students: Metin, Christiaan, Rick, Michael, Gijs, Etienne, Kasper, Melcher, Liza
Examiners: Cristian & Elmer [Table [schedule]: Schedule for SSI 2017/2018.] All lectures take place on **Wednesdays from 10:45 until 12:30** (third and fourth hour). The Q&A sessions for the lab assignment are from 12:45 until 13:30 (fifth hour) after lectures 3 and 4. Lectures and Q&A sessions take place in room **HB 2B**. We scheduled an **extra lecture** about DNS and registry operations, which will take place Thu June 28 between 13:45 and 15:30 **in CR-2G**. Note that there are **no lectures** on Wed May 2 and Wed Jun 27. # Staying up to date Please check the SSI homepage at for the latest schedule and other information. We'll also keep you posted of any changes through the SSI mailing list, which is at You can also use the mailing list for discussing technical and administrative matters with your fellow students and with SSI lecturers. **Note**: sending a message to the list means that you send it to everyone on the list, both students and lecturers. I subscribed everyone on the list on Thu Apr 12, 2018. Send an email to if you're not getting messages from the list. # Papers and RFCs We'll be using 18 papers and IETF RFCs on IoT security for the interactive sessions of lectures 2 through 7, with a particular focus on homenets. Papers 19 and 20 are about the Manufacturer Usage Description (MUD), which you'll need for the lab assignment. ## IoT Concepts and Applications [#1]: K. Rose, S. Eldridge, L. Chapin, "The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World", ISOC Whitepaper, October 2015, [#2]: H. Tschofenig, J. Arkko, and D. McPherson, "Architectural Considerations in Smart Object Networking", RFC7452, March 2015, [#3]: R. Want, B. N. Schilit, and S. Jenson, "Enabling the Internet of Things," Computer, no. 1, pp. 28–35, January 2015, ## IoT-powered Threats [#4]: M. Antonakakis, et al., Understanding the Mirai Botnet, in: 26th USENIX Security Symposium, 2017, [#5]: Tianlong Yuy, Vyas Sekary, Srinivasan Seshany, Yuvraj Agarwaly, Chenren Xuz, "Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things", HotNets '15, November 2015, Philadelphia, USA [#6]: O. Garcia-Morchon, S. Kumar, and M. Sethi, "State-of-the-Art and Challenges for the Internet of Things Security", IRTF Internet Draft, April 2018, ## IoT Security Measurements [#7]: Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow. "IoTPOT: Analysing the Rise of IoT Compromises". 9th USENIX Workshop on Offensive Technologies (co-located with USENIX Sec '15), WOOT '15, Washington, DC, [#8]: Noah Apthorpe, Dillon Reisman, Nick Feamster, "A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic", Workshop on Data and Algorithmic Transparency (DAT '16), New York University Law School, November 2016, [#9]: Shin-Ming Cheng, Pin-Yu Chen, Ching-Chao Lin, and Hsu-Chun Hsiao, "Traffic-Aware Patching for Cyber Security in Mobile IoT", IEEE Communications Magazine, Vol. 55, Issue 7, 2017, ## Security Systems for Homenets [#10]: A. K. Simpson, F. Roesner, and T. Kohno, "Securing vulnerable home iot devices with an in-hub security manager," First International Workshop on Pervasive Smart Living Spaces (PerLS 2017) — in conjunction with IEEE PerCom 2017, March 2017, [#11]: Vijay Sivaraman, Hassan Habibi Gharakheili, Arun Vishwanath, Roksana Boreli, Olivier Mehani, "Network-level security and privacy control for smart-home IoT devices", IEEE 11th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Abu Dhabi, United Arab Emirates, Oct 2015, [#12]: Javid Habibi, Daniele Midi, Anand Mudgerikar, and Elisa Bertino, "Heimdall: Mitigating the Internet of Insecure Things", IEEE Internet of Things Journal, Vol. 4, No. 4, Aug 2017 ## IoT Protocol Standards [#13]: Ala Al-Fuqaha, Abdallah Khreishah, Mohsen Guizani, Ammar Rayes, and Mehdi Mohammadi , "Toward Better Horizontal Integration Among IoT Services," IEEE Communications Magazine, Communications Standards Supplement, September 2015, [#14]: S. Keoh, S. Kumar, and H. Tschofenig, "Securing the Internet of Things: A Standardization Perspective," IEEE Internet of Things Journal, June 2014, S. Keoh, S. Kumar, and H. Tschofenig, "Securing the Internet of Things: A Standardization Perspective," IEEE Internet of Things Journal, June 2014, [#15]: Eireann Leverett, Richard Clayton & Ross Anderson, "Standardisation and Certification of the `Internet of Things'", 16th Annual Workshop on the Economics of Information Security (WEIS2017), USA, June 2017, ## IoT Intrusion Detection and Sharing [#16]: R. Bortolameotti, T. van Ede, M. Caselli, M. H. Everts, P. Hartel, R. Hofstede, W. Jonker, and A. Peter, "DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting", 33rd Annual Computer Security Applications Conference (ACSAC 2017), December 2017, Orlando, USA, [#17]: P. Kasinathan, C. Pastrone, M. A. Spirito, M. Vinkovits. "Denial-of-Service detection in 6LoWPAN based internet of things.", 9th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), October 2013, [#18]: Chase E. Steward, Anne Maria Vasu, Eric Keller, "CommunityGuard: A Crowdsourced Home Cyber-Security System", ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization (SDN-NFV Security), March 2017, ## Lab Assignment [#19]: E. Lear, R. Droms, and D. Romascanu, "Manufacturer Usage Description Specification", IETF Internet Draft, April 2018, [#20]: Ayyoob Hamza, Dinesha Ranathunga, H. Habibi Gharakheili, Matthew Roughan, Vijay Sivaraman, "Clear as MUD: Generating, Validating and Applying IoT Behaviorial Profiles" (Technical Report), April 2018, # Background ## Motivation The "Internet of Things" (IoT) is expected to connect trillions of everyday objects to the Internet, such as cars, traffic lights, door locks, and light bulbs. While the IoT promises us to save time and effort in our daily lives, it also poses a large-scale security threat because many IoT devices are insecure. Adversaries for instance exploit these vulnerabilities to launch DDoS massive attacks, such as the 1 Tbps+ DDoS attacks on GitHub and DNS provider Dyn, of which the latter led to large-scale outages of popular services such as Spotify and Twitter. Insecure devices also jeopardize the privacy and safety of users, for instance because they enable adversaries to capture the video feed of online baby monitors or stealthily open doors and windows. SSI is a course on IoT security, with a particular focus on home networks, which are typically the least secure. Security Services for the IoT (SSI) is a course on IoT security, with a particular focus on home networks, which are typically the least secure. ## Synopsis SSI provides you with an overview of current IoT security challenges and technical solutions to address them, for instance using profiles that describe the behavior of IoT devices, measurement systems, and "reverse firewalls" that block outgoing DDoS traffic. SSI will test your ability to understand, apply, and modify a few of these solutions. SIDN Labs will provide the study material for SSI, which will consist of (1) a set of scientific papers and (draft) IETF RFCs for everyone to study and present and (2) a hands-on exercise to measure the behavior of IoT devices and describe it in a device profile. SIDN Labs will be providing a mini-router with experimental software to use, which is yours to keep. ## Learning Outcomes After successful completion of SSI you will: - Understand IoT concepts and applications, security threats, technical solutions, and a few relevant standardization efforts in the IETF - Be able to analyze network traffic of IoT devices and create device profiles that describe this behavior - Understand the operational business of DNS operators and the impact the IoT may have on them (industry perspective) SSI also contributes to your skills to independently carry out research projects and to develop services and systems. ## Contents - Overview of IoT concepts and applications IoT security threats - Device description languages - IoT and threat measurement systems - Mitigation functions - IoT standardization in the IETF ## Interaction SSI is a highly interactive course in which students for instance report on papers they have studied and engage in technical discussions with their peers. The number of students is therefore limited to 18 and they will need to attend all lectures in person at the University of Twente (remote participation will not be available). A few seats will be available for students from Delft University of Technology. ## Organization SSI is a collaboration between the University of Twente and [SIDN Labs](, the research department of the domain name registry for the Netherlands' top-level domain, .nl. SIDN Labs' goal is to increase the security and resilience of the Internet, for instance by developing an open platform that protects the Internet and end-users from compromised IoT devices. ## Study Material The study material of SSI consists of a combination of 18 peer-reviewed academic papers and (draft) IETF standards (RFCs), the MUD Internet Draft, and a GLiNet mini-router. ## Prerequisites Network Security (ET4397IN) or Internet Security (192654000) ## Related Courses 4TU Cyber Security: - Cyber Data Analytics, - Internet Security, - Software Security, - Language-based Software Security, - Applied Security Analysis "Hacking Lab", - Privacy-Enhancing Technologies,