Security Services for the IoT
This website lists information for the 2024/2025 course Security Services for the IoT (SSI) at the University of Twente.
Last updated at 16 May 2025.
Overview
| Course code | 201700083 |
| Prerequisites | Good understanding of network systems, for instance through courses such as Network Systems (202001026), Internet Security (201700074), or Mobile and Wireless Networking (192620010) |
| Coordinator | Antonia Affinito (University of Twente) (a.affinito@utwente.nl) |
| Credits | 5EC (140 hours) |
| Lecturers | prof.dr. Cristian Hesselman (SIDN Labs and University of
Twente) dr. Antonia Affinito (University of Twente)dr. Savvas Kastanakis (University of Twente) |
| Teaching Assistants | Etienne Khan (University of Twente) Ting-Han Chen (University of Twente) Pascal Huppert (University of Twente) |
| Academic year | 2024-2025 |
| Quartile | 2B: Apri 21 to July 6, 2025 |
| Language | English |
Goal of this site
The goal of this webpage is to provide you with a one-stop shop for everything you need to know about SSI. It does however only focus on more static information, such as the course schedule, evaluation criteria, and learning goals. We point to the UT’s well-known teaching services for more dynamic information, such as Time Table for information on lecture rooms and Canvas for the SSI message board. Canvas is also the official archive for uploading deliverables, such as the SSI group assignment (more details below).
We use a separate public website because we’d like to share SSI’s format with other universities and students so they can potentially learn from it. Also, the UT is a public institution, which we believe means it should share its education design and material with the Dutch society and beyond as much as possible. Finally, at SIDN Labs we’re proud of our contribution to courses like SSI and we’d like to underscore the importance of companies helping to educate the next generation of engineers and researchers, such as in IoT security.
Prerequisites
You must have a good understanding of network systems prior to taking SSI, for example by having successfully finished the course Network Systems (202001026), Internet Security (201700074), Internet of Things (201700075), or Mobile and Wireless Networking (192620010). You may need to read up on your networking skills if you are unfamiliar with terms and tools such as Wireshark, PCAP files and tcpdump.
If you’re an Embedded Systems student and you don’t have a background in computer networking, then make sure to consult with your Study Advisor on what computer networking courses to take prior to following SSI. We provide a brief overview of the field in the first lecture as a refresher, but it’s not a replacement of a full-blown course on computer networks.
In all cases, you as a student are responsible for acquiring the background for SSI. This is not a responsibility of the SSI teaching team.
Enrollment
We urge you to scan SSI’s study material before you sign up, so you know what to expect. In particular, we recommend browsing the list of papers, which can be quite advanced.
You can only sign up for SSI through OSIRIS. We do not accept registrations via email or other channels. Registration closes the Friday before the first lecture, so make sure you sign up in time. We cannot approve new enrollments once the course is in progress because that would derail the allocation and planning of lab projects.
If you want to unsubscribe from SSI, then please do so via OSIRIS/Canvas. In this case, we appreciate it if you share your feedback as to why you unregistered with the SSI coordinator so we can use it to further improve SSI.
Lectures
SSI is an overview course (see Background). This means that SSI lectures will introduce you to a wide range of IoT security topics, such as botnets and security systems for edge networks. Each SSI lecture focuses on discussing two scientific papers (see Schedule). We also offer one lecture on generic IoT concepts and a refersher on networking.
The goal of the lectures is to enable you to learn from your teachers and from each other to be better prepared for the written exam (see Assessment). At each lecture, your teachers will present a summary of the two papers of that lecture, which we will discuss with you. Your teachers may ask you to share your opinion on a particular paper, such as on relations to previously discussed papers, the pros/cons of a solution, or its limitations. This might be a bit uncomfortable for some of you initially, but it’s core to Dutch academic culture to stimulate discussion and independent thinking.
SSI consists of a total of 9 lectures: 7 regular lectures and 2 guest lectures. All lectures are on-campus only at the UT. Remote participation is not possible to stimulate interaction in class. For that same reason, we will not record the regular lectures. Also, we’d like to incentivize everyone to attend the lectures to maximize group learning. We will record the guest lectures, which are typically somewhat less interactive than the regular lectures.
Two teachers will be present at each lecture so you can ask questions. We provide a Q&A slot to help you with the SSI lab assignment at one of the lectures.
Study material
To give you an overview of the field of IoT security, we selected 2 chapters of the book “Practical Internet of Things Security” and 9 scientific papers. The papers (1) analyze the security properties of IoT deployments or attack infrastructures based on (large-scale) measurements or (2) discuss the design of new systems that improve IoT security. In many cases, the latter require the former, showing the importance of the combination of analysis and design. We strive for a 50-50 division of analysis and design papers as course material.
We selected papers that are about IoT attacks that have occurred in real life as well as systems that researchers have actually prototyped. This is because SSI has both a scientific and a practical focus. The main practical component of the course is the lab assignment (see further down this page), which you will need to carry out in groups of 4.
You can find the pdf of the book here:Practical Internet of Things Security (PDF)
Schedule
Table 1 shows SSI’s schedule, where the lectures marked R1 through R7 are regular lectures and G1 and G2 are the guest lectures. Note that your authoritative source for lecture rooms is the Time Table site. The room numbers in Table 1 are the ones that the Time Table folk provided at the beginning of SSI. They may change them last minute, so make sure to use the Time Table site to find the lecture rooms.
| Lecture | Date | Contents |
|---|---|---|
| R1 | Apr 25 08:45-10:30 OH 113 |
Lecture: Course Introduction - SSI assessment, schedule, and background - Admin matters, such as signing up for the group assignment - Refresh of basic networking concepts Lecturer: Savvas Kastanakis Lecture slides (pdf) |
| G1 | Apr 30 08:45-10:30 RA 1501 |
Guest lecture: How the core of the Internet
works. Lecturer: Marco Davids (SIDN Labs) The guest lecture is open to everyone Host: Antonia Affinito Lecture slides (pdf) |
| R2 | May 9 08:45-10:30 SP 6 |
Lecture: Principles of IoT security Lecturers: Antonia Affinito Study material: [IoTsec] Lecture slides (pdf) |
| R3 | May 16 08:45-10:30 SP 6 |
Lecture: Internet Core Protocols Study material: [DNSIoT] [IPv6] Lecturers: Ting-Han Chen and Etienne Khan Lecture slides (pdf) |
| R4 | May 23 08:45-10:30 OH 113 |
Lecture: IoT Botnet Measurement Study material: [Mirai] [Hajime] Lecturers: Antonia Affinito and Etienne Khan |
| R5 | May 27 15:45-17:30 SP 6 |
Lecture: IoT TLS Study material: [IoTLS] and 1-hour Q&A session on the group assignment Lecturers: Savvas Kastanakis and Antonia Affinito |
| G2 | Jun 6 13:45-15:30 SP 6 |
Guest lecture: Lecturer: Dr. Bor de Kock (TNO) Abstract: PQC in IoT Host: Antonia Affinito |
| R6 | Jun 13 08:45-10:30 RA 2504 |
Lecture: IoT Security Vulnerabilities Study material: [LoraWAN] [CVD] Lecturer: Cristian Hesselman and Ting-Han Chen |
| R7 | Jun 20 15:45-17:30 SP 6 |
Lecture: IoT Forensic Study material: [RioTman] [Honware] This lecture ends with a 10-minute discussion to get your feedback on SSI, in addition to the official survey that the UT’s Quality Assurance folks will distribute. Lecturers: Cristian Hesselman and Savvas Kastanakis |
Assessment and deliverables
We asses to what extent you attained SSI’s learning outcomes (see Background) based on your 4 deliverables for SSI: 9 paper summaries, a written exam, a group presentation and Q&A on your lab work, and the files with captures of network traffic.
Paper summaries. You’ll need to hand in one summary for each paper we will discuss in a particular lecture. The summaries help you study the paper and will enable you to ask focused questions in class. This is important because papers are usually more challenging to study than a textbook. Also, you can reuse the summaries for the 1 page with notes you can bring to the written exam (see below). Each summary can be at most 250 words. You can add figures and graphs from the paper or add your own if you like, but everything has to fit on a single-sided A4 paper. We do not grade the summaries, but we do check that you submitted them.
The deadline for the summaries is 7AM CEST before every lecture (no exceptions).
Written exam. The written exam covers Chapters 1 and 2 of the book “Practical Internet of Things Security” and the 9 papers that you will need to study. You can bring a single-side printed A4 with notes to the exam, for instance based on the summaries you submitted. The written exam consists of a number of multiple-choice and open questions about the book chapter and the papers we discussed in the lectures. We take the exams using Remindo.
The written exam will take place on Mon June 23, 2025.
Group presentation. In the group presentation, you and 3 fellow students present the results of your lab project, which involves measuring the network traffic of 2 IoT devices. The presentation will take place on campus and everyone in your lab team must attend in-person (no exceptions). You can use up to 25 minutes for your talk. In addition to your presentation, two teachers will conduct a Q&A with you and your team about your lab project for 15 minutes immediately following your talk. More details on the group presentation are in the corresponding section down this page.
Your group presentation will take place on Fri, June 27, from 8:45 to 12:30 in NH 115 and NH 124 and on Mon, June 30, from 8:45 to 12:30 in NH 115 and NH 124.
Traffic capture files. You are also required to submit your network measurements in the form of PCAP files, MUD files, and README files through Canvas. We will not grade them, but we will review them to assess how you carried out your lab assignment. See the submission guidelines under Lab Assignment for details.
The submission deadline for the PCAP, MUD, README files and the presentations is Wed Jun 25, 2025, 9AM CEST.
All listed deadlines are hard and non-negotiable.
Grading
To pass SSI, your score will need to be 5.5 or higher, which we calculate as follows:
Grade G = (score of written exam) × 50% + (score of the lab assignment) × 50%
Where G is between 10 (Excellent) and 1 (Poor).
Both the score of the written exam and of your group assignment MUST be a 5.5 or higher. The reason is that both deliverables are equally important because SSI combines science with practice. By setting a lower bound on the grades of both deliverables, we avoid situations where people accept an insufficient score for one of the two.
While we don’t grade the summaries, you MUST submit summaries for all 9 papers in time to pass SSI. The reason is that the summaries are essential for the group discussions in class and also enable you to prepare for the written exam in an incremental way.
Rounding grades
As per the UT’s grading policy, we will round your grade G as follows:
If G ≥ 5,00 and G < 5,50 then G := 5,00
If G ≥ 5,50 and G
<6,00 then G := 6,00
For n ≠5:
If G ≥ n,00 and G < n,25 then G := n,00
If G ≥ n,25 and G <n,75 then G:= n,50
If G ≥ n,75
and G <(n+1),00 then G:= (n+1),00
Lab Assignment
You will need to carry out a lab assignment in teams of 4. You can create the groups on Canvas after the first lecture. To ensure that everyone in the group can contribute effectively and that the workload is distributed evenly, we suggest that you form groups with members who have similar skills. You can do this by asking each other about your backgrounds and what other network or IoT-related classes you have taken. This will allow you to leverage each other’s strengths and work collaboratively towards your project goals.
The goal of the lab assignment is for you to gain hands-on experience with measuring and analyzing the network behavior of IoT devices and capturing this behavior in a device profile. In SSI, we’ll be using the Manufacturer Usage Description (MUD) standard [RFC8520,mud] for this purpose. The measurements will enable you to learn how an IoT device behaves on the network, for instance how it handles security, how it responds to external triggers and what services on the Internet it uses.
You will need to use open source tools like WireShark or TCPdump to carry out the traffic measurements. You can contact one of the teachers if you need help with installing or using the tools. If you want, you can also use a SPIN device for capturing network traffic. Note though that we developed it as part of a past project and that we no longer actively support it.
Every group must analyze at least two IoT devices, which you will need to arrange yourselves. IoT devices must not have a browser-like interface. Examples of suitable devices are light bulbs, audio speakers, doorbells, and light switches. These types of devices interact with people’s physical world (e.g., by adjusting light levels), operate autonomously, and often a have a limited number of tasks, which is typical for IoT devices (see Background). Devices like tablets and smart phone, on the other hand, focus on enabling human users to interact with content and services, which is typical for “traditional” Internet applications.
Contact your teaching team if you have questions about the types of devices you would like to use for the lab assignment.
Group Presentation
Your output for the lab assignment consists of a group presentation of at most 25 minutes. You need to discuss why IoT security is a challenge, your methodology, the results of your measurements, and your analysis and insights of both the measurements. We also ask you to analyze the MUD specifications you generated for your devices and your proposal on novel usages or extensions of MUD for IoT security. You may use text, graphs, and tables in your presentation. Following the presentation, two teachers will conduct a 15-minute Q&A with you and your teammates. The goal of the Q&A is for teachers to verify your understanding of the lab project, such as in terms of your methodology and results. It’s also to assess whether any eventual use of Large Language models (LLMs) supported your learning rather than replaced it.
Your presentation and the Q&A will take place on campus and everyone in your lab team must attend in-person (no exceptions). You may delegate the talk to a subset of your teammates, but you will all need to answer questions during the Q&A. The SSI teachers decide who to ask a question.
As for grading, everyone in the group will get the same grade, which is based on your performance as a team. This means that everyone in your team is equally responsible for the work that you carried out and that we do not assess performance of individuals in a lab group.
To help you manage your work efficiently and effectively, we suggest that you create a summary of your group meetings that includes who attended, key action points discussed, who is responsible for each task, and when it’s due. Such a summary will help ensure that everyone in your group is on the same page and that you together make progress towards your goals.
You need to end you presentation with a slide in which you (1) each individually reflect on your collaboration in the team and (2) explain who carried out which parts of the assignment. Please be specific: focus on your project/team and avoid generic chatter such as “the work was both challenging and rewarding”.
At the end of your talk, you must also include a slide that states how you used LLMs and other tools, if any. See “Use of ChatGPT and other tools” for more details.
Submission of your lab assigment
You must submit your slides through Canvas before your presentation, which your teachers will check.
You also will also need to deliver your measurement results of the IoT device through Canvas in the form of 3 files:
PCAP file. A capture of the network traffic your
group recorded during the experiments you conducted (e.g., using TCPdump
or Wireshark). The name of the PCAP file must be of the form
<team-ID>-<device-name>.pcap.
README file. A README file lists the IP and MAC
addresses of the IoT device and gateway you used and an explanation of
where in the PCAP you interacted with the device in what way (use the
PCAPs’ timestamps). The name of the README must be of the form
<team-ID>-README.txt
MUD profile. The device’s MUD profile. The name of
the MUD file must be of the form
<team-ID>-<device-name>.mud. If you decide to
use mudgee for creating MUD
profiles, then please include the ip flow information (or as separate
file <team-ID>-<device-name>.ipflow).
The team IDs are equal to your group number on Canvas.
Evaluation of your group assignment
We will evaluate your presentation as if it was a talk at an academic conference. Prof. Aiko Pras made an excellent excellent 30 minute video on how to write a paper a few years ago, which might help you structuring your presentation. But there’s also plenty of other resources on the Internett with guidance on how to do that.
The table below lists the criteria we’ll be using to assess your group presentation. NOTE WELL: we consider your presentation a work of the entire group, which means that everybody is equally responsible for it.
| Criteria | Points | To what extent did you… |
|---|---|---|
| Introduction & Objectives | 0–2 | Clearly explanation of the project goals, context, and what your group aimed to achieve. |
| Methodology | 0–2 | Detail and justify the measurement setup, tools, and process. |
| Results & Analysis | 0–2 | Explain and analyze the network interactions of the devices you analyzed. Present data with appropriate interpretation, using tables/graphs effectively. |
| MUD Specification & Proposal | 0–2 | Clearly explanation the MUD spec or extension and link to observed behavior. Demonstrate originality and relevance to IoT security. |
| Structure, Clarity & Visual Support | 0–1 | Structure your presentation logically, clearly, and easy to follow. |
| Q&A Performance & Reflection | 0–1 | Confidently and insightfully provide answers that reflect understanding. |
| Total | 1–10 | Total points for the presentation based on the criteria above. |