Security Services for the IoT

This website lists information for the 2022/2023 course Security Services for the IoT (SSI) at the University of Twente.

Last updated at 19 Jun 2023.

Welcome new students!

A very warm welcome to all students. Feel free to browse around for more information.


Course code 201700083
Prerequisites Network Security (ET4397IN) or Internet Security (192654000) or equivalent; good understanding of network systems
Coordinator Cristian Hesselman (SIDN Labs and University of Twente) (
Credits 5EC (140 hours)
Lecturers prof.dr. Cristian Hesselman (SIDN Labs and University of Twente)
dr. Elmer Lastdrager (SIDN Labs)
Teaching assistants Ramin Yazdani (University of Twente)
Etienne Khan (University of Twente)
Ting-Han Chen (University of Twente)
Academic year 2022-2023
Quartile 2B: 24 April to 8 July 2023
Language English
Maximum students 32

Enrollment and course updates

You can only sign up for SSI through OSIRIS, we do not accept registrations via email or other channels. We urge you to scan SSI’s list of papers before you sign up, so you know what to expect. If you nonetheless end up unsubscribing from SSI, then please unregister through OSIRIS/CANVAS. In this case, we appreciate it if you share your feedback as to why you unregistered with the SSI coordinator so we can use it to further improve SSI.

The latest schedule and other information are available through this webpage. The reason we use a separate public website for SSI in addition to Canvas is that we’d like to share SSI’s format with other universities and students so they can potentially learn from it. The second reason is that at SIDN Labs we’re proud of our contribution to courses like SSI, plus we’d like to underscore the importance of companies helping to educate the next generation of engineers and researchers, for instance in the area of IoT security. Finally, the UT is a public institution, which we believe means it should share its output with the Dutch society and beyond as much as possible.

We have set the maximum number of students that can attend this edition of the course at 32. The reason for this is the format of the course: we have discussions in class with a lot of interaction, plus that we use oral exams as our assessment method.


We expect you to have a good understanding of network systems, for example by having followed the Network Systems, Network Security (ET4397IN) and/or Internet Security (192654000) course. You may need to read up on your networking skills if you are unfamiliar with terms and tools such as Wireshark, pcap files and tcpdump.

For the lab assignment, each group of 2-3 students needs to get their hands on at least two IoT devices.


SSI is an overview course (see Background). This means that SSI lectures will introduce you to a wide range of IoT security topics, such as botnets and security systems for edge networks. Each SSI lecture focuses on discussing two papers (see Schedule). The lectures will take place only physically at the UT. Remote participation is not possible due to the interactive nature of SSI lectures. Please refer to the schedule to find the classrooms.

You will not need to take a test at the lectures. Instead, the goal of the lectures is to able you to learn from each other and from your teachers so as to be better prepared for the oral exam (see Assessment). This is also why attending the technical lectures is mandatory. We provide a re-sit lecture in case you miss a technical lecture, for example due to illness.

During the lecture, your teachers will present a few slides that summarize the papers and include a few questions. We will review the answers together and allow for ample time for discussion. For each paper, the teachers will appoint a student at random to share their opinion on the paper, for example on the pros/cons of the solution, or its limitations.

To give you an overview of the field of IoT security, we selected scientific papers that are about (1) analyzing the security properties of IoT deployments or attack infrastructures based on (large-scale) measurements and (2) papers about the design of systems that actually improve IoT security. In many cases, the latter require on the former, showing the important of the combination of analysis and design. We strive for a 50-50 division of analysis and design papers as course material. We select specific papers that are about IoT attacks that have occurred in real life as well as systems that researchers have actually prototyped. This is important because SSI has both a scientific and a practical focus.


Table 2 shows SSI’s schedule, which consists of a total of 9 lectures: an introduction, 2 guest lectures, and 6 technical lectures. Both guest lectures will be open to everyone.

We also offer a “re-sit” on Wednesday 14 June in case you missed one of the technical lectures. The re-sit will follow the same format as the regular technical lectures.

Upon request, we can also provide a Q&A slot to help you with the SSI lab assignment following one of the lectures.

Table 2: Schedule for SSI 2022/2023.
Lecture Date                 Contents
1 April 26
RA 4237
Course Introduction
- SSI assessment, schedule, and background.
- Admin matters, such as signing up for the lab assignment
Lecture slides (pdf)
Lecturer: Elmer Lastdrager
2 May 3
RA 2231
Lecture: IoT and Internet Core Protocols
Papers: [DNSIoT] [IPv6]
Lecturer: Ting-Han Chen and Ramin Yazdani
Plus a few minutes to get your feedback on the first lecture
Lecture slides (pdf)
3 May 10
RA 3231
Lecture: IoT Botnet Measurements 1
Papers: [Mirai] [Hajime]
Lecturer: Elmer Lastdrager and Etienne Khan
Lecture slides (pdf)
4 May 17
VR 583
Lecture: IoT Edge Security Systems
Papers: [FIAT] [DBolt]
Lecturer: Ramin Yazdani and Cristian Hesselman
Lecture slides (pdf)
5 May 24
RA 2237
Lecture: IoT Device Security
Papers: [IoTLS] [Haystack]
Lecturer: Etienne Khan and Elmer Lastdrager
Lecture slides (pdf)
6 May 31
Lecture: IoT Botnet Measurements 2
Papers: [RIoTMAN] [OpenForHire]
Lecturer: Cristian Hesselman and Elmer Lastdrager
Lecture slides (pdf)
7 June 1
Guest lecture #1: Cyber security in defence mission systems
Lecturer: Dr. Sorin Iacob, Thales

Abstract: Defence Mission Systems include a number of capabilities for sensing, planning, and acting in various operational scenarios ranging from Search & Rescue to military combat. These capabilities are implemented by a set of interconnected IT and OT components. Although such systems are operated according to strict procedures, cyber-security threats cannot be ignored, so technical controls must be implemented as in any IT/OT system. But unlike other similar systems, DMSs require special attention for the protection of the confidentiality of classified information and the integrity and availability of the operational capabilities. In this lecture you will get a glimpse into the typical cyber-security challenges of DMS and how these are addressed at architecture level.
Lecture slides (pdf)

The guest lecture is open to everyone and is a collaboration with TUCCR

Host: Cristian Hesselman
8 Jun 5
RA 2502
Lecture: IoT Security in Non-Carpeted Areas
Papers: [Lora] [Traffic]
Lecturer: Ting-Han Chen and Ramin Yazdani
Lecture slides (pdf)
9 Jun 12
RA 3334
Guest lecture #2: Product Security for Bosch (IoT) products.
Lecturer: Stephan van Tienen (Bosch Security Systems)

Abstract: Bosch is present in many types of markets containing amongst others IoT types of devices. Product security is a key topic in the complete lifecycle of such devices. The presentation will explain about the Security Engineering Process used within Bosch which aims to cover all relevant aspects. In order to show typical types of issues encountered during the process a specific topic will be zoomed in on, which relates to moving to a certificate-based connection protocol in a platform used for audio communication on standard networks.
Lecture slides (pdf)

The guest lecture is open to everyone and is a collaboration with INTERSCT

Host: Cristian Hesselman
re-sit Jun 14
Lecture: IoT Honeypots (re-sit)
Papers: [IoTPot] [Honware]
Lecturer: Elmer Lastdrager and Etienne Khan
Lecture slides (pdf)

The last regular lecture (number 8, June 5) will also involve a 10-minute discussion to get your feedback on SSI, in addition to the official survey that the UT’s Quality Assurance folks will distribute.


We asses to what extent you attained SSI’s learning outcomes (see Background) based on a total of 12 papers you will need to study and a lab assignment you will need to carry out.

Your individual assessment will be based on your deliverables for SSI, which are:

We will not evaluate the third learning goal (operational business of DNS operators), which serves as a bonus to help you understand how the Internet works operationally.


To pass SSI, your score will need to be 5.5 or higher, which we calculate as follows:

       Grade = [ (score of oral exam) × 50% + (score of the lab assignment) × 50% ] × (all paper summaries submitted 0=no or 1=yes)

Where the total score is between 1 (worst) and 10 (best).

As per the UT’s grading policy, we will round your grade G as follows:

If G ≥ 5,00 and G < 5,50 then G := 5,00
If G ≥ 5,50 and G <6,00 then G := 6,00

For n ≠5:
       If G ≥ n,00 and G < n,25 then G := n,00
       If G ≥ n,25 and G <n,75 then G:= n,50
       If G ≥ n,75 and G <(n+1),00 then G:= (n+1),00

Deliverables and submission

Your first deliverable consists of a set of 12 paper summaries, one for each of the papers we’ll discuss during the lectures. Each summary can be at most 250 words. You can add figures and graphs from the paper or add your own if you like, but everything has to fit on a single-sided A4 paper. Please submit the summaries through Canvas latest 7AM on the day of the lecture in which the papers will be discussed.

Your second deliverable is the lab report (see Lab Assignment). Please submit it in PDF along with your network measurements (PCAP files, MUD files, and README files) through the SSI site on Canvas, following the submission guidelines described below. The firm deadline is Friday June 23, 2023, 23:59 CEST.

Oral Exam

The oral exam consists of an in-person Q&A with an SSI teacher and a Teaching Assistant as observer. It will focus on the 12 papers you studied.

The exam takes about 45 minutes and will take place in the last three weeks of Q4 (June 19 through July 7). You will be able to pick a time slot for the oral exam in the week before the exams start.

Your input for the oral exam consists of the summaries you wrote for each of the papers, which you can use during the exam. We do not grade the summaries themselves, they are just for your reference during the oral exam.

During the oral exam, you will be evaluated by two members of the teaching staff (the reviewers). Both will individually and independently assess your performance. The grading consists of four components:

  1. Context: how well you explained the context of a paper, such as the motivation of the work and why it is useful.
  2. Understanding: to what level you can explain the technical content of the paper. This goes further than basic reproducing of the paper.
  3. Relations amongst papers: the extent to which you are able to compare or relate two papers, such as regarding their key differences.
  4. Analysis: how well you are able to identify and motivate weak/strong points and are able to have a critical look at the paper, beyond everything the authors write (i.e., to what extend could you review this paper critically).

Afterwards, both reviewers will discuss your performance and finalize their grades. The average grade of both reviewers will be your final grade for the oral exam.

Lab Assignment

You will need to carry out a lab assignment in teams of two to four, depending on the number of SSI participants. At the first lecture, we’ll inform you of the exact number of participants per team. We’ll create the groups on Canvas after the first lecture. To ensure that everyone in the group can contribute effectively and that the workload is distributed evenly, we suggest that you form groups with members who have similar skills. You can do this by asking each other about your backgrounds and what other network or IoT-related classes you have taken. This will allow you to leverage each other’s strengths and work collaboratively towards your project goals.

The goal of the lab assignment is for you to gain hands-on experience with measuring and analyzing the network behavior of IoT devices and capturing this behavior in a device profile. In SSI, we’ll be using the Manufacturer Usage Description (MUD) standard [RFC8520,mud] for this purpose. The measurements will enable you to learn how an IoT device behaves on the network, for instance how it responds to external triggers and what services on the Internet it uses. MUD is an easy to understand language standardized by the IETF in RFC 8520.

Please use open source tools like WireShark or TCPdump to carry out the traffic measurements. If you want, you may also use a SPIN device for this purpose. You can contact one of the Teaching Assistants if you need help with installing or using the tools.

Every group should analyze at least two IoT devices, which you will need to arrange yourselves. Please use IoT devices without a browser-like interface. Examples of suitable devices are light bulbs, audio speakers, doorbells, and light switches. The reason is that these types of devices interact with people’s physical world (e.g., by adjusting light levels), operate autonomously, and often a have a limited number of tasks, which is typical for IoT devices (see Background). Multi-purpose devices like tablets, on the other hand, focus on enabling human users to interact with content and services, which is typical for “traditional” Internet applications.

Your output for the lab assignment consists of a lab report of at most 5 pages (excluding references and excluding the last section with your reflection) in two-column IEEE format that discusses your methodology, the results of your measurements, your analysis and observations of both the measurements and the MUD specification, and your proposal on novel usages of MUD for IoT security or extensions of the MUD specification to describe the behavior you measured (an actual MUD spec). You may use text, graphs, and tables in your report.

To help you manage your work efficiently and effectively, we suggest that you create a brief summary of your group meetings that includes who attended, the key action points discussed, and who is responsible for each task. This summary will help ensure that everyone is on the same page and that progress is being made towards your goals.

The last section in your report needs to be a short section in which you (1) each individually reflect on your collaboration in the team, (2) explain who carried out which parts of the assignment and (3) declare the use of any tools that were used to improve your paper, such as ChatGPT or Grammarly. Please be specific: focus on your project/team and avoid generic chatter such as “the work was both challenging and rewarding”. This last section does not count against your page limit. If you prefer, you may put this section as an appendix.

The lab report must be submitted as PDF file. As part of the report, you will also need to deliver your measurement results for each IoT device in the form of:

  1. a capture of its network traffic (e.g., using the SPIN traffic downloader [SPIN] or TCPdump),
  2. its MUD profile, and
  3. a README file with the IP and MAC addresses of the IoT device and gateway and an explanation of where in the PCAP you interacted with the device in what way (use the PCAPs’ timestamps).

The name of a PCAP file must be of the form <team-ID>-<device-name>.pcap, MUD files <team-ID>-<device-name>.mud, and README files of the form <team-ID>-README.txt. If you decide to use mudgee, please include the ip flow information in your report (or as separate file <team-ID>-<device-name>.ipflow). The team IDs are equal to your group number on Canvas.

We will evaluate your report based on SSI’s learning goals, as well as on the following criteria:

During delivery on Canvas, your report will be checked for plagiarism automatically. As per the university’s policy, no forms of plagiarism are tolerated. This means that if you want to literally include sentences from other sources, you need to reference and quote them. This includes sources where you are an author (self-plagiarism). During the first lecture, we will briefly discuss the differences between citing, quoting, and copying. Please contact us if you have questions.

The lab report is evaluated as if it was a submitted paper to an academic conference. The report is considered a work of the entire group: everybody is equally responsible for the report. This means that your research has to be thorough in terms of methodology and description. An excellent 30 minute video on how to write a paper was made by Aiko Pras, so we highly recommend you watch it.

The teaching team will evaluate your report as follows. First, one of us takes all reports and blinds them, that is remove all names and references to group numbers. This ensures a double-blinded reviewing process (you don’t know who reviews your report; the reviewer does not know that you wrote it). We then divide the reports into two sets and assign two reviewers to each set. They use the criteria listed above to grade the report. Once all reports are reviewed, the reviewers cross-review a few papers in the other set of reports to make sure that we review your reports in a consistent way. Finally, we unblind the reports and process the grades.

Papers and RFCs

We’ll be using a total of 12 papers (and sometimes IETF RFCs) on IoT security for the technical lectures (not the guest lectures). [RFC8520] and [MUD] are about the Manufacturer Usage Description (MUD), which you’ll need for the lab assignment. [SPIN] is about the SPIN tool, which you can optionally use for your lab assignment.

Lecture #2: IoT and Internet Core Protocols

[DNSIoT] C. Hesselman, M. Kaeo, L. Chapin, kc claffy, M. Seiden, D. McPherson, D. Piscitello, A. McConachie, T. April, J. Latour, and R. Rasmussen, “The DNS in IoT: Opportunities, Risks, and Challenges”, IEEE Internet Computing, 2020.

[IPv6] P. Richter, O. Gasser, and A. Berger, “Illuminating large-scale IPv6 scanning in the internet”, In Proceedings of the 22nd ACM Internet Measurement Conference (IMC ’22), Association for Computing Machinery, New York, NY, USA, 410–418, 2022,

Lecture #3: IoT Botnet Measurements 1

[Mirai] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, “Understanding the Mirai Botnet”, in: 26th USENIX Security Symposium, 2017,

[Hajime] S. Herwig, K. Harvey, G. Hughey, R. Roberts, and D. Levin, “Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet”, Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, USA, February 2019,

Lecture #4: IoT Edge Security Systems

[FIAT] Y. Xiao and M. Varvello, “FIAT: Frictionless Authentication of IoT Traffic”, Proceedings of the 18th International Conference on Emerging Networking EXperiments and Technologies (CoNEXT ’22), 2022,

[DBolt] R. Ko and J. Mickens, “DeadBolt: Securing IoT Deployments”, Applied Networking Research Workshop, Montreal, QC, Canada, July 16, 2018 (ANRW ’18),

Lecture #6: IoT Device Security

[IoTLS] M.T. Paracha, D.J. Dubois, N. Vallina-Rodriguez, D. Choffnes, “IoTLS: understanding TLS usage in consumer IoT devices”, 21st ACM Internet Measurement Conference (IMC 2021), November 2021,

[Haystack] S.J. Saidi, A.M. Mandalari, R. Kolcun, H. Haddadi, D.J. Dubois, D. Choffnes, G. Smaragdakis, and A. Feldmann, “A Haystack Full of Needles: Scalable Detection of IoT Devices in the Wild”, 20st ACM Internet Measurement Conference (IMC 2020), October 2020,

Lecture #7: IoT Botnet Measurements 2

[RIoTMAN] A. Darki, and M. Faloutsos, “RIoTMAN: a systematic analysis of IoT malware behavior”, CoNEXT ’20: Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, November 2020,

[OpenForHire] S. Srinivasa, J.M. Pedersen, E. Vasilomanolakis, “Open for hire: Attack trends and misconfiguration pitfalls of IoT devices”, 21st ACM Internet Measurement Conference (IMC 2021), November 2021,

Lecture #8: IoT Security in Non-Carpeted Areas

[Lora] X. Wang, E. Karampatzakis, C. Doerr, and F.A. Kuipers, “Security Vulnerabilities in LoRaWAN”, Proc. of the 3rd ACM/IEEE International Conference on Internet-of-Things Design and Implementation (IoTDI), Orlando, Florida, USA, April 17-20, 2018,

[Traffic] Chen, Qi Alfred, et al. “Exposing Congestion Attack on Emerging Connected Vehicle based Traffic Signal Control.” NDSS. 2018.

Lecture #10: IoT Honeypots (re-sit)

[IoTPOT] Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow. “IoTPOT: Analysing the Rise of IoT Compromises”. 9th USENIX Workshop on Offensive Technologies (co-located with USENIX Sec ’15), WOOT ’15, Washington, DC,

[Honware] Vetterl, Alexander, and Richard Clayton. “Honware: A virtual honeypot framework for capturing CPE and IoT zero days.” Symposium on Electronic Crime Research (eCrime). IEEE. 2019.

Lab Assignment

[RFC8520] E. Lear, R. Droms, and D. Romascanu, “Manufacturer Usage Description Specification”, RFC 8520, March 2019,

[MUD] Ayyoob Hamza, Dinesha Ranathunga, H. Habibi Gharakheili, Matthew Roughan, Vijay Sivaraman, “Clear as MUD: Generating, Validating and Applying IoT Behaviorial Profiles” (Technical Report), April 2018,

[SPIN] Lastdrager, E.E.H. and Hesselman, C.E.W. and Jansen, J. and Davids, M., “Protecting Home Networks From Insecure IoT Devices,” Proceedings of the 2020 IEEE/IFIP Network Operations and Management Symposium (NOMS 2020). Bugapest, Hungary, 20-24 April 2020, and

Background and Additional Reading

[Castle] Noah Apthorpe, Dillon Reisman, Nick Feamster, “A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic”, Workshop on Data and Algorithmic Transparency (DAT ’16), New York University Law School, November 2016,

[5G] B. Hubert, “5G: The outsourced elephant in the room”, blog, Jan 2019,

[Merkel] Opening Speech Internet Governance Forum, Bundes Chancellor Merkel, Nov 2019, (as of 26:00)

[WEIS] E. Leverett, R. Clayton, and R. Anderson, “Standardisation and Certification of the `Internet of Things’”, 16th Annual Workshop on the Economics of Information Security (WEIS2017), USA, June 2017,

[IMC] J. Ren, D. J. Dubois, D. Choffnes, A. M. Mandalari, R. Kolcun, and H. Haddadi, “Information Exposure from Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach”, Internet Measurement Conference (IMC2019), Amsterdam, Netherlands, Oct 2019,



The “Internet of Things” (IoT) is an emerging Internet application that promises to make our society smarter, safer, and more sustainable. Analysist expect the IoT will connect 20-30 billion everyday objects to the Internet, such as cars, drones, robots, traffic lights, door locks, and light bulbs.

The key potential of the IoT is its pervasive and passive nature: it’ll be all around us through (tiny) sensors and actuators, operating passively and invisibly “in the background” of our daily lives [WEIS]. Conceptually, the IoT continually interprets and updates a distributed online representation of people’s physical environments based on data from a wide range of sensors and then uses this model to act upon the real world through actuators, all typically without human involvement or awareness.

While the extraordinary high expectations that folks have of the of the IoT may come true, we believe there is a need to complement such optimism with a recognition of the also extraordinary safety and privacy risks to society that the IoT brings. For example, adversaries can exploit vulnerabilities in insecure IoT devices to launch massive DDoS attacks on Internet infrastructure, such as the DDoS attacks on DNS provider Dyn of late 2016 [Mirai], which led to large-scale outages of popular services such as Spotify and Twitter. In addition, it may also jeopardize the privacy and safety of users, for example because insecure IoT devices enable adversaries to remotely capture the video feed of online cameras or remotely open doors or change room temperatures.

Another concern is that the IoT is opaque to users: their IoT devices often interact with remote services on the Internet to perform their tasks [Castle, IMC], but users will typically be unaware of this “backend” of the IoT. For example, they will usually not know the companies that operate these services and that process users’ data (e.g., hyper giants such as Google) and the legal jurisdiction that applies. The societal risk is that we lose view of and control over the infrastructure on which the IoT builds and the public values that we find important in the Netherlands and Europe (“strategic digital autonomy”) [Merkel].


SSI provides you with an overview of current IoT security challenges and technical solutions to address them, for instance using profiles that describe the behavior of IoT devices, measurement systems, and security systems for home networks that automatically block outgoing DDoS traffic.

The study material for SSI consists of 12 scientific papers that you will need to study. In addition, you will need to carry out a hands-on lab assignment in groups of 2 to 3 to measure the behavior of IoT devices and describe it through a device profile. We take a paper-based approach compared to the traditional approach of using textbooks because the dynamic nature of IoT security concept requires current teaching material, making recently published papers at high reputation academic venues more suitable for our goal.

Learning Outcomes

After successful completion of SSI you will:

SSI also contributes to your skills to independently carry out research projects and to develop services and systems.



SSI is a collaboration of the University of Twente and SIDN Labs (, the research team of the operator of the Netherlands’ top-level domain, .nl. SIDN Labs’ goal is to increase the trustworthiness of the Internet infrastructure for our society, for instance through SPIN [SPIN], an open source security system that protects the Internet and end-users from compromised IoT devices.

Study Material

The study material of SSI consists of academic papers and (draft) IETF standards (RFCs), the MUD RFC.