Security Services for the IoT

This website lists information for the 2019/2020 course Security Services for the IoT (SSI) at the University of Twente.

Last updated on 1 Sep 2020.


As a result of the Corona pandemic, we are reorganizing SSI into an online course. This means we have put a maximum of 35 on the number of participants. We have currently reached the maximum number of signups and therefore signing up for the course is no longer possible. We apologize for any inconvenience and appreciate your understanding of the situation.


Course code: 201700083
Coordinator: Cristian Hesselman (SIDN Labs and University of Twente)
Credits: 5 EC (140 hours)
Lecturers: dr. Cristian Hesselman (SIDN Labs and University of Twente); dr. Elmer Lastdrager (SIDN Labs)
Teaching assistant: Ramin Yazdani (University of Twente)
Student assistant: Etienne Khan
Room: virtual
Mailing list:
Quartile: 2B, 20 April to 5 July 2020
Language: English
Academic year: 2019-2020


We assess to what extent you attained SSI’s learning outcomes (see Background) based on a total of 16 papers and IETF RFCs you will need to study and a lab assignment you will need to carry out.

Your individual assessment will be based on your deliverables for SSI, which are:

To pass SSI, your score will need to be 5.5 or higher, which we calculate as follows:

       total score = [ (score of oral exam) × 50% + (score of the lab assignment) × 50% ] × (all paper summaries submitted 0=no or 1=yes)

Where the total score is between 1 (worst) and 10 (best).

We will not evaluate the third learning goal (operational business of DNS operators), which serves as a bonus to help you understand how the Internet works operationally.

Oral Exam

The oral exam consists of an online Q&A with an SSI teacher and the Teaching Assistant or the Student Assistant as observers. It will focus on the 12 papers you studied. We will only discuss the papers of Lecture 3 at a high level, and go for a more in-depth discussion for the other papers. Your grade will be based on an evaluation form (yet to be made public).

The exam takes about 45 minutes and will take place in the Q4 exam weeks (June 22 through July 3). We’ll announce your timeslot and other details regarding the oral exam in the week before the exams start.

Your input for the oral exam consists of the summaries you wrote for each of the papers, which you can use during the exam.

We’ll take your oral exam through a video call. You must turn on your camera during the call or else we won’t be able to give you a grade. Please use a fixed Internet connection or sit close to your WiFi access point for optimal video and audio quality. We will pause the oral exam if we lose video.

Lab Assignment

The goal of the lab assignment is for you to gain hands-on experience with measuring and analyzing the network behavior of IoT devices and capturing this behavior in a device profile. In SSI, we’ll be using the Manufacturer Usage Description (MUD) standard [RFC8520,Hamza] for this purpose.

The measurements will enable you to learn how an IoT device behaves on the network, for instance how it responds to external triggers and what services on the Internet it uses. MUD is an easy-to-understand language standardized by the IETF in RFC 8520.
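
To illustrate what a device profile looks like, the following added example (not part of the course material or of SPIN) turns a constructed list of flows a device opened into an RFC 8520 MUD profile with mirrored from-device and to-device access lists. The host names, the MUD URL, the ACL and ACE names, and the helpers make_ace and build_mud are assumptions made for this sketch.

```python
import json

PROTO = {"tcp": 6, "udp": 17}  # IANA protocol numbers used in the ACL matches

# Constructed sample: (remote DNS name, transport, remote port) for each flow
# the device opened, as you might list them after reviewing a capture.
OBSERVED_FLOWS = [
    ("api.bulb.example", "tcp", 443),
    ("ntp.example", "udp", 123),
    ("api.bulb.example", "tcp", 443),  # repeated flow, collapses to one rule
]

def make_ace(name, host, proto, port, from_device):
    """Build one accept rule; the to-device rule mirrors the from-device one."""
    side = "dst" if from_device else "src"
    l3 = {f"ietf-acldns:{side}-dnsname": host, "protocol": PROTO[proto]}
    port_key = "destination-port" if from_device else "source-port"
    l4 = {port_key: {"operator": "eq", "port": port}}
    if proto == "tcp":
        # Only the device may open the TCP connection; replies are allowed back.
        l4["ietf-mud:direction-initiated"] = "from-device"
    return {"name": name, "matches": {"ipv4": l3, proto: l4},
            "actions": {"forwarding": "accept"}}

def build_mud(flows, mud_url, systeminfo, last_update):
    """Return an RFC 8520 MUD profile (as a dict) that allows only `flows`."""
    endpoints = sorted(set(flows))  # de-duplicate, stable order
    acls, policy = [], {}
    for tag, key, from_device in (("fr", "from-device-policy", True),
                                  ("to", "to-device-policy", False)):
        acl_name = f"mud-v4{tag}"  # assumed naming scheme
        aces = [make_ace(f"cl{i}-{tag}dev", host, proto, port, from_device)
                for i, (host, proto, port) in enumerate(endpoints)]
        acls.append({"name": acl_name, "type": "ipv4-acl-type",
                     "aces": {"ace": aces}})
        policy[key] = {"access-lists": {"access-list": [{"name": acl_name}]}}
    mud = {"mud-version": 1, "mud-url": mud_url, "last-update": last_update,
           "cache-validity": 48, "is-supported": True,
           "systeminfo": systeminfo, **policy}
    return {"ietf-mud:mud": mud,
            "ietf-access-control-list:acls": {"acl": acls}}

if __name__ == "__main__":
    profile = build_mud(OBSERVED_FLOWS,
                        "https://mud.example/team1-bulb.json",  # placeholder URL
                        "Constructed example bulb",
                        "2020-06-01T12:00:00+00:00")
    print(json.dumps(profile, indent=2))
```

Any traffic in the capture that matches no rule in such a profile is what a MUD-enforcing gateway would drop, which makes those flows the interesting ones to explain in the analysis.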

Please use open source tools like Wireshark or tcpdump to carry out the traffic measurements. You can contact the Student Assistant if you need help with installing or using these tools.

Every group should analyze at least two IoT devices, which you will need to arrange yourselves (we are unable to provide you with a SPIN device this year because of the Corona situation). Please use IoT devices without a browser-like interface. Examples of suitable devices are light bulbs, audio speakers, doorbells, and light switches. The reason is that these types of devices interact with people’s physical world (e.g., by adjusting light levels), operate autonomously, and often have a limited number of tasks, which is typical for IoT devices (see Background). Multi-purpose devices like tablets, on the other hand, focus on enabling human users to interact with content and services, which is typical for “traditional” Internet applications.

Your output for the lab assignment consists of a lab report of at most 5 pages in two-column IEEE format that discusses the results of your measurements, your analysis and observations of both the measurements and the MUD specification, and your proposal on novel usages of MUD for IoT security or extensions of the MUD specification to describe the behavior you measured (an actual MUD spec). You may use text, graphs, and tables. The lab report must be submitted in PDF.

As part of the report, you will also need to deliver your measurement results for each IoT device in the form of:

  1. a capture of its network traffic (e.g., using the SPIN traffic downloader [SPIN] or tcpdump),
  2. its MUD profile, and
  3. a README file with the IP and MAC addresses of the IoT device and an explanation of where in the PCAP you interacted with the device in what way (use the PCAPs’ timestamps).

The name of a PCAP file must be of the form <team-ID>-<device-name>.pcap, MUD files <team-ID>-<device-name>.mud, and README files of the form <team-ID>-README.txt. The team IDs are equal to your group number on Canvas.

You will need to carry out the lab assignment in teams of two to four, depending on the number of SSI participants. At the first lecture, we’ll inform you of the exact number of participants per team. Please make sure to appoint a team coordinator who represents the team and whom your teachers can approach in case of questions or other requests. Groups are formed on Canvas.

In addition to checking SSI’s learning goals, we’ll also be evaluating your report in terms of clarity and soundness of the methodology you used.

Deliverables and submission

Your first deliverable consists of a set of 12 paper summaries, one for each of the papers we’ll discuss during the lectures. Each summary can be at most 250 words. You can add figures and graphs from the paper or add your own if you like, but everything has to fit on an A4 paper. Please submit the summaries through CANVAS on the Tuesday before the lecture in which the papers will be discussed.

Your second deliverable is the lab report (see Lab Assignment). Please submit it in PDF along with your network measurements (PCAP files, MUD files, and README files) through the SSI site on Canvas as a single zip file. The firm deadline is Sunday June 21, 2020, 23:59 CEST.


SSI lectures will take place online (see Online Tools) and will focus on discussing two papers (see Schedule). You will not need to take a test at the lectures, but you will be able to learn from each other so as to be better prepared for the oral exam (see Assessment).

Your teachers will present a few slides that summarize the papers and will then ask you a few questions. We will then review the answers together and allow time for discussion (audio only).

We will allocate about 30 minutes for each of the papers, so the online lecture will be shorter than the offline equivalent (no coffee break, for example ;-) )

Please note that the discussion part is experimental. We will therefore allocate a few minutes at the end of lectures 4 and 6 to get your feedback on the course so far so we can potentially somewhat tweak it.


Table 2 shows SSI’s schedule for 2019-2020, which consists of a total of 8 lectures: an introduction, 1 guest lecture, and 6 technical lectures. All lectures will take place online (see Online Tools).

We also offer a “re-sit” on Wednesday 17 June in case you missed one of the technical lectures. The re-sit will follow the same format as the regular technical lectures (two papers, two individual tests, two group tests). The guest lecture will be open to everyone.

Upon request, we can also provide a Q&A slot to help you with the SSI lab assignment following one of the lectures.

Table 2: Schedule for SSI 2019/2020.

Lecture 1 (April 22)
Course Introduction (30 minutes)
Lecturer: Cristian Hesselman
- SSI assessment, schedule, and background.
- Admin matters, such as signing up for the lab assignment
Lecture slides (pdf)

Guest lecture #1: How the core of the internet is organized
Lecturer: Marco Davids (SIDN Labs)
The guest lecture is open to everyone
Lecture slides (pdf)

Lecture 2 (April 29)
Guest lecture #2: Security in The Things Network
Lecturer: Johan Stokking, CTO of The Things Industries
Lecture slides (pdf)
The guest lecture is open to everyone

Lecture 3 (May 6)
Lecture: IoT Concepts and Applications
Papers: [ISOC] [WEIS]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Lecture slides (pdf)

Lecture 4 (May 13)
Lecture: IoT Botnet Measurements
Papers: [Mirai] [Hajime]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Plus a few minutes to get your feedback on the course so far
Lecture slides (pdf)

Lecture 5 (May 20)
Lecture: IoT Honeypots
Papers: [IoTPOT] [Honware]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Lecture slides (pdf)

Lecture 6 (May 27)
Lecture: IoT Edge Security Systems
Papers: [CGuard] [DBolt]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Plus a few minutes to get your feedback on the course so far
Lecture slides (pdf)

Lecture 7 (Jun 3)
Lecture: IoT Device Behavior
Papers: [AuDI] [IMC]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Lecture slides (pdf)

Lecture 8 (Jun 10)
Lecture: IoT Network Security
Papers: [Lora] [PHY]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Lecture slides (pdf)

Lecture 9 (Jun 17)
Lecture: IoT Edge Security Systems (re-sit)
Papers: [Heimdall] [NOF]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Lecture slides (pdf)

All lectures take place on Wednesdays from 10:45 until 12:30 (third and fourth hour). There will be no coffee break.

The last regular lecture (number 8, June 10) will also involve a 10-minute discussion to get your feedback on SSI, in addition to the official survey that the UT’s Quality Assurance folks will distribute.

Enrollment and course updates

You can only sign up for SSI through OSIRIS; we do not accept registrations via email or other channels. We urge you to scan SSI’s list of papers before you sign up, so you know what to expect. If you nonetheless end up unsubscribing from SSI, then please unregister through OSIRIS/CANVAS. In this case, we appreciate it if you share your feedback as to why you unregistered with the SSI coordinator so we can use it to further improve SSI.

The latest schedule and other information are available through the SSI homepage. The reason we use a separate public website for SSI instead of Canvas is that we’d like to share SSI’s format with other universities and students so they can potentially learn from it. The second reason is that at SIDN Labs we’re proud of our contribution to courses like SSI, plus we’d like to underscore the importance of companies helping to educate the next generation of engineers and researchers, for instance in the area of IoT security. Finally, the UT is a public institution, which we believe means it should share its output with the Dutch society and beyond as much as possible.

Online tools

We’ll use a video conferencing server for the lectures and the oral exams. We use the tooling within Canvas for this (called BigBlueButton). You can join the lectures by going to the SSI course page on Canvas. Then, browse to Conferences and join the lecture that has started. We aim to open the online lectures at least 10 minutes prior to the start of the lecture. Please join the lecture with your microphone muted.

Papers and RFCs

We’ll be using a total of 12 papers and IETF RFCs on IoT security for the sessions of lectures 3 through 8. Papers 19 and 20 are about the Manufacturer Usage Description (MUD), which you’ll need for the lab assignment. Papers [Heimdall] and [NOF] are the papers for the re-sit on Wed Jun 17, 2020.

The goal of the papers in lecture 3 (which are not very technical) is to provide you with a broad view on the concept of the IoT in addition to the more specific solutions and analyses in the other lectures.

Lecture #3: IoT Concepts and Applications

[ISOC] K. Rose, S. Eldridge, L. Chapin, “The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World”, ISOC Whitepaper, October 2015.

[WEIS] E. Leverett, R. Clayton, and R. Anderson, “Standardisation and Certification of the ‘Internet of Things’”, 16th Annual Workshop on the Economics of Information Security (WEIS2017), USA, June 2017.

Lecture #4: IoT Botnet Measurements

[Mirai] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, “Understanding the Mirai Botnet”, in: 26th USENIX Security Symposium, 2017.

[Hajime] S. Herwig, K. Harvey, G. Hughey, R. Roberts, and D. Levin, “Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet”, Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, USA, February 2019.

Lecture #5: IoT Honeypots

[IoTPOT] Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow. “IoTPOT: Analysing the Rise of IoT Compromises”. 9th USENIX Workshop on Offensive Technologies (co-located with USENIX Sec ’15), WOOT ’15, Washington, DC.

[Honware] Vetterl, Alexander, and Richard Clayton. “Honware: A virtual honeypot framework for capturing CPE and IoT zero days.” Symposium on Electronic Crime Research (eCrime). IEEE. 2019.

Lecture #6: IoT Edge Security Systems

[CGuard] Chase E. Steward, Anne Maria Vasu, Eric Keller, “CommunityGuard: A Crowdsourced Home Cyber-Security System”, ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization (SDN-NFV Security), March 2017.

[DBolt] R. Ko and J. Mickens, “DeadBolt: Securing IoT Deployments”, Applied Networking Research Workshop, Montreal, QC, Canada, July 16, 2018 (ANRW ’18).

Lecture #7: IoT Device Behavior

[AuDI] Marchal, S., Miettinen, M., Nguyen, T. D., Sadeghi, A-R., & Asokan, N. (Accepted/In press). AuDI: Towards Autonomous IoT Device-Type Identification using Periodic Communication. IEEE Journal on Selected Areas in Communications.

[IMC] J. Ren, D. J. Dubois, D. Choffnes, A. M. Mandalari, R. Kolcun, and H. Haddadi, “Information Exposure from Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach”, Internet Measurement Conference (IMC2019), Amsterdam, Netherlands, Oct 2019.

Lecture #8: IoT Network Security

[Lora] X. Wang, E. Karampatzakis, C. Doerr, and F.A. Kuipers, “Security Vulnerabilities in LoRaWAN”, Proc. of the 3rd ACM/IEEE International Conference on Internet-of-Things Design and Implementation (IoTDI), Orlando, Florida, USA, April 17-20, 2018.

[PHY] S. Naz Islam, Z. Baig, and S. Zeadally, “Physical Layer Security for the Smart Grid: Vulnerabilities, Threats, and Countermeasures”, IEEE Transactions on Industrial Informatics, Vol. 15, Issue 12, Dec. 2019.

Lecture #9: Edge Security Systems (re-sit)

[Heimdall] Javid Habibi, Daniele Midi, Anand Mudgerikar, and Elisa Bertino, “Heimdall: Mitigating the Internet of Insecure Things”, IEEE Internet of Things Journal, Vol. 4, No. 4, Aug 2017.

[NOF] C. Dietz, R. Labaca Castro, J. Steinberger, C. Wilczak, M. Antzek, A. Sperotto, and A. Pras, “IoT-Botnet Detection and Isolation by Access Routers,” 2018 9th International Conference on the Network of the Future (NOF), Poznan, 2018, pp. 88-95.

Lab Assignment

[RFC8520] E. Lear, R. Droms, and D. Romascanu, “Manufacturer Usage Description Specification”, RFC 8520, March 2019.

[MUD] Ayyoob Hamza, Dinesha Ranathunga, H. Habibi Gharakheili, Matthew Roughan, Vijay Sivaraman, “Clear as MUD: Generating, Validating and Applying IoT Behaviorial Profiles” (Technical Report), April 2018.

[SPIN] SPIN homepage.


[Castle] Noah Apthorpe, Dillon Reisman, Nick Feamster, “A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic”, Workshop on Data and Algorithmic Transparency (DAT ’16), New York University Law School, November 2016.

[5G] B. Hubert, “5G: The outsourced elephant in the room”, blog, Jan 2019.

[Merkel] Opening Speech Internet Governance Forum, Bundes Chancellor Merkel, Nov 2019 (as of 26:00).



The “Internet of Things” (IoT) is an emerging Internet application that promises to make our society smarter, safer, and more sustainable. Analysts expect the IoT will connect 20-30 billion everyday objects to the Internet, such as cars, drones, robots, traffic lights, door locks, and light bulbs.

The key potential of the IoT is its pervasive and passive nature: it’ll be all around us through (tiny) sensors and actuators, operating passively and invisibly “in the background” of our daily lives [ISOC,WEIS]. Conceptually, the IoT continually interprets and updates a distributed online representation of people’s physical environments based on data from a wide range of sensors and then uses this model to act upon the real world through actuators, all typically without human involvement or awareness.

While the extraordinarily high expectations that folks have of the IoT may come true, we believe there is a need to complement such optimism with a recognition of the also extraordinary safety and privacy risks to society that the IoT brings. For example, adversaries can exploit vulnerabilities in insecure IoT devices to launch massive DDoS attacks on Internet infrastructure, such as the DDoS attacks on DNS provider Dyn of late 2016 [Mirai], which led to large-scale outages of popular services such as Spotify and Twitter. In addition, the IoT may also jeopardize the privacy and safety of users, for example because insecure IoT devices enable adversaries to remotely capture the video feed of online baby monitors or remotely open doors or change room temperatures.

Another concern is that the IoT is opaque to users: their IoT devices often interact with remote services on the Internet to perform their tasks [Castle, IMC], but users will typically be unaware of this “backend” of the IoT. For example, they will usually not know the companies that operate these services and that process users’ data (e.g., hyper giants such as Google) and the legal jurisdiction that applies. The societal risk is that we lose view of and control over the infrastructure on which the IoT builds and the public values that we find important in the Netherlands and Europe (“digital sovereignty”) [Merkel].


SSI provides you with an overview of current IoT security challenges and technical solutions to address them, for instance using profiles that describe the behavior of IoT devices, measurement systems, and security systems for home networks that automatically block outgoing DDoS traffic. SSI will test your ability to understand, apply, and modify a few of these solutions.

The study material for SSI consists of (1) scientific papers and IETF RFCs and (2) a hands-on lab assignment to measure the behavior of IoT devices and describe it through a device profile.

Learning Outcomes

After successful completion of SSI you will:

SSI also contributes to your skills to independently carry out research projects and to develop services and systems.



SSI is a collaboration of the University of Twente and SIDN Labs, the research team of the operator of the Netherlands’ top-level domain, .nl. SIDN Labs’ goal is to increase the trustworthiness of the Internet, for instance through SPIN [SPIN], an open source security system that protects the Internet and end-users from compromised IoT devices.

Study Material

The study material of SSI consists of academic papers and (draft) IETF standards (RFCs), including the MUD RFC.


Network Security (ET4397IN) or Internet Security (192654000)