Security Services for the IoT
This website lists information for the 2024/2025 course Security Services for the IoT (SSI) at the University of Twente.
Last updated at 24 Apr 2025.
Under construction
This page is under construction and will change often until the first lecture.
Overview
Course code | 201700083 |
Prerequisites | Good understanding of network systems, for instance through courses such as Network Systems (202001026), Internet Security (201700074), or Mobile and Wireless Networking (192620010) |
Coordinator | Antonia Affinito (University of Twente) (a.affinito@utwente.nl) |
Credits | 5EC (140 hours) |
Lecturers | prof.dr. Cristian Hesselman (SIDN Labs and University of Twente), dr. Antonia Affinito (University of Twente), dr. Savvas Kastanakis (University of Twente) |
Teaching Assistants | Etienne Khan (University of Twente), Ting-Han Chen (University of Twente), Pascal Huppert (University of Twente) |
Academic year | 2024-2025 |
Quartile | 2B: April 21 to July 6, 2025 |
Language | English |
Goal of this site
The goal of this webpage is to provide you with a one-stop shop for everything you need to know about SSI. It does however only focus on more static information, such as the course schedule, evaluation criteria, and learning goals. We point to the UT’s well-known teaching services for more dynamic information, such as Time Table for information on lecture rooms and Canvas for the SSI message board. Canvas is also the official archive for uploading deliverables, such as the SSI group assignment (more details below).
We use a separate public website because we’d like to share SSI’s format with other universities and students so they can potentially learn from it. Also, the UT is a public institution, which we believe means it should share its education design and material with the Dutch society and beyond as much as possible. Finally, at SIDN Labs we’re proud of our contribution to courses like SSI and we’d like to underscore the importance of companies helping to educate the next generation of engineers and researchers, such as in IoT security.
Prerequisites
You must have a good understanding of network systems prior to taking SSI, for example by having successfully finished the course Network Systems (202001026), Internet Security (201700074), Internet of Things (201700075), or Mobile and Wireless Networking (192620010). You may need to read up on your networking skills if you are unfamiliar with terms and tools such as Wireshark, PCAP files and tcpdump.
If you’re an Embedded Systems student and you don’t have a background in computer networking, then make sure to consult with your Study Advisor on what computer networking courses to take prior to following SSI. We provide a brief overview of the field in the first lecture as a refresher, but it’s not a replacement for a full-blown course on computer networks.
In all cases, you as a student are responsible for acquiring the background for SSI. This is not a responsibility of the teaching team.
Enrollment
We urge you to scan SSI’s material before you sign up, so you know what to expect. In particular, we recommend browsing the list of papers, which can be quite advanced.
You can only sign up for SSI through OSIRIS. We do not accept registrations via email or other channels. Registration closes the Friday before the first lecture, so make sure you sign up in time. We cannot approve new enrollments once the course is in progress because that would derail the allocation and planning of lab projects.
If you want to unsubscribe from SSI, then please do so via OSIRIS/Canvas. In this case, we appreciate it if you share your feedback as to why you unregistered with the SSI coordinator so we can use it to further improve SSI.
Lectures
SSI is an overview course (see Background). This means that SSI lectures will introduce you to a wide range of IoT security topics, such as botnets and security systems for edge networks. Each SSI lecture focuses on discussing two papers (see Schedule). We also offer one lecture on generic IoT concepts and a lecture with a networking 101.
The goal of the lectures is to enable you to learn from your teachers and from each other to be better prepared for the written exam (see Assessment). At each lecture, your teachers will present a summary of the two papers of that lecture, which we will discuss with you. Your teachers might ask you to share your opinion on a particular paper, such as on relations to previously discussed papers, the pros/cons of a solution, or its limitations. This might be a bit uncomfortable for some of you initially, but it’s core to Dutch academic culture to stimulate independent thinking.
SSI consists of a total of 9 lectures: 7 regular lectures and 2 guest lectures. The lectures are on-campus only at the UT. To stimulate interaction in class, remote participation is not possible. For that same reason, we will not record the regular lectures. Also, we’d like to incentivize everyone to attend the lectures to maximize group learning. We will record the guest lectures, which are typically somewhat less interactive than the regular lectures.
Two teachers will be present at each lecture so you can ask questions. We provide a Q&A slot to help you with the SSI lab assignment at one of the lectures.
Selected papers
To give you an overview of the field of IoT security, we selected a book chapter that discusses the key concepts of the IoT and 9 scientific papers. The papers (1) analyze the security properties of IoT deployments or attack infrastructures based on (large-scale) measurements or (2) discuss the design of new systems that improve IoT security. In many cases, the latter require the former, showing the importance of combining analysis and design. We strive for a 50-50 division of analysis and design papers as course material.
We selected papers that are about IoT attacks that have occurred in real life as well as systems that researchers have actually prototyped. This is because SSI has both a scientific and a practical focus. The main practical component of the course is the lab assignment (see further down this page), which you will need to carry out in groups of 4.
Schedule
Table 1 shows SSI’s schedule, where the lectures marked R1 through R7 are regular lectures and G1 and G2 are the guest lectures. Note that your authoritative source for lecture rooms is the Time Table site. The room numbers in Table 1 are the ones that the Time Table folk provided at the beginning of SSI. They may change them last minute, so make sure to use the Time Table site to find the lecture rooms.
Lecture | Date | Contents |
---|---|---|
R1 | Apr 25 08:45-10:30 OH 113 | Lecture: Course Introduction. Topics: SSI assessment, schedule, and background; admin matters, such as signing up for the group assignment; refresh of basic networking concepts. Lecturer: Savvas Kastanakis |
G1 | Apr 30 08:45-10:30 OH 113 | Guest lecture: How the core of the Internet works. Lecturer: Marco Davids (SIDN Labs). The guest lecture is open to everyone. Host: Antonia Affinito |
R2 | May 9 08:45-10:30 SP 6 | Lecture: Principles of IoT security. Lecturers: Antonia Affinito. Study material: book bio |
R3 | May 16 08:45-10:30 SP 6 | Lecture: Internet Core Protocols. Study material: [DNSIoT] [IPv6]. Lecturers: Ting-Han Chen |
R4 | May 23 08:45-10:30 OH 113 | Lecture: IoT Botnet Measurement. Study material: [Mirai] [Hajime]. Lecturers: Antonia Affinito and Etienne Khan |
R5 | May 27 15:45-17:30 SP 6 | Lecture: IoT TLS. Study material: [IoTLS] and 1-hour Q&A session on the group assignment. Lecturers: |
G2 | Jun 6 13:45-15:30 SP 6 | Guest lecture. Lecturer: Dr. Bor de Kock (TNO). Abstract: PQC in IoT. Host: Antonia Affinito |
R6 | Jun 13 08:45-10:30 RA 2504 | Lecture: IoT Security in Non-Carpeted Areas. Study material: [LoraWAN] [Industrial IoT]. Lecturer: Cristian Hesselman and Ting-Han Chen |
R7 | Jun 20 15:45-17:30 SP 6 | Lecture: IoT Forensics. Study material: [RioTman] [Honware]. This lecture ends with a 10-minute discussion to get your feedback on SSI, in addition to the official survey that the UT’s Quality Assurance folks will distribute. Lecturers: Cristian Hesselman and Savvas Kastanakis |
Assessment and deliverables
We assess to what extent you attained SSI’s learning outcomes (see Background) based on Chapter 1 of the book “Practical Internet of Things Security”, a total of 9 papers that you will need to study and a lab assignment you will need to carry out in groups.
Your individual assessment will be based on your 4 deliverables for SSI, which are 7 paper summaries, a written exam, a group presentation and Q&A on your lab work, and the files with captures of network traffic.
- Summaries for every discussed paper. You’ll need to hand in one summary for each paper we will discuss in a particular lecture. The summaries help you study the paper and will enable you to ask focused questions in class. Also, you can reuse them for the 1 page with notes you can bring to the written exam (see below). Each summary can be at most 250 words. You can add figures and graphs from the paper or add your own if you like, but everything has to fit on a single-sided A4 paper. We do not grade the summaries, but we do check that you submitted them.
The deadline for the summaries is 7AM CEST before every lecture (no exceptions).
- The written exam on the book chapters and the 9 SSI papers will take place on Mon June 23, 2025. You can bring a single printed A4 with notes to the exam, for instance based on the summaries you submitted. The written exam consists of a number of multiple-choice and open questions about the book chapter and the papers we discussed in the lectures. We take the exams using Remindo.
- In the group presentation, you and 3 fellow students present the result of your lab project, which involves measuring the network traffic of 3 IoT devices. The presentation will take place on campus and everyone in your lab team must attend in-person (no exceptions). You can use up to 25 minutes for your talk. In addition to your presentation, two teachers will conduct a Q&A with you and your team about your lab project for 15 minutes immediately following your talk. More details on the group presentation are in the corresponding section down this page.
- Traffic capture files. You are also required to submit your network measurements in the form of PCAP files, MUD files, and README files through Canvas. We will not grade them, but we will review them to assess how you carried out your lab assignment. See the submission guidelines under Lab Assignment for details. The hard submission deadline for the PCAP, MUD, and README files is Wed Jun 19, 2025, 9AM CEST.
Grading
To pass SSI, your score will need to be 5.5 or higher, which we calculate as follows:
Grade G = (score of written exam) × 50% + (score of the lab assignment) × 50%
Where G is between 10 (Excellent) and 1 (Poor).
Both the score of the written exam and of your group assignment MUST be a 5.5 or higher, which is a constraint we introduced this year. The reason is that both deliverables are equally important because SSI combines science with practice. By setting a lower bound on the grades of both deliverables, we avoid situations where people accept an insufficient score for one of the two.
While we don’t grade the summaries, you MUST submit summaries for all 12 papers in time to pass SSI. The reason is that the summaries are essential for the group discussions in class and also enable you to prepare for the written exam in an incremental way.
Rounding grades
As per the UT’s grading policy, we will round your grade G as follows:
If G ≥ 5,00 and G < 5,50 then G := 5,00
If G ≥ 5,50 and G < 6,00 then G := 6,00
For n ≠ 5:
If G ≥ n,00 and G < n,25 then G := n,00
If G ≥ n,25 and G < n,75 then G := n,50
If G ≥ n,75 and G < (n+1),00 then G := (n+1),00
Lab Assignment
You will need to carry out a lab assignment in teams of 4. You can create the groups on Canvas after the first lecture. To ensure that everyone in the group can contribute effectively and that the workload is distributed evenly, we suggest that you form groups with members who have similar skills. You can do this by asking each other about your backgrounds and what other network or IoT-related classes you have taken. This will allow you to leverage each other’s strengths and work collaboratively towards your project goals.
The goal of the lab assignment is for you to gain hands-on experience with measuring and analyzing the network behavior of IoT devices and capturing this behavior in a device profile. In SSI, we’ll be using the Manufacturer Usage Description (MUD) standard [RFC8520,mud] for this purpose. The measurements will enable you to learn how an IoT device behaves on the network, for instance how it handles security, how it responds to external triggers and what services on the Internet it uses.
You will need to use open source tools like Wireshark or tcpdump to carry out the traffic measurements. You can contact one of the teachers if you need help with installing or using the tools. If you want, you can also use a SPIN device for capturing network traffic. Note though that we developed it as part of a past project and that we no longer actively support it.
Every group must analyze at least two IoT devices, which you will need to arrange yourselves. IoT devices lack a browser-like interface, so make sure you select those kinds of devices. Examples of suitable devices are light bulbs, audio speakers, doorbells, and light switches. These types of devices interact with people’s physical world (e.g., by adjusting light levels), operate autonomously, and often have a limited number of tasks, which is typical for IoT devices (see Background). Devices like tablets and smartphones, on the other hand, focus on enabling human users to interact with content and services, which is typical for “traditional” Internet applications.
Group Presentation
Your output for the lab assignment consists of a group presentation of at most 25 minutes. You need to discuss why IoT security is a challenge, your methodology, the results of your measurements, and your analysis and insights of both the measurements. We also ask you to analyze the MUD specifications you generated for your devices and your proposal on novel usages or extensions of MUD for IoT security. You may use text, graphs, and tables in your presentation. Following the presentation, two teachers will conduct a 15-minute Q&A with you and your teammates. The goal of the Q&A is for teachers to verify your understanding of the lab project, such as in terms of your methodology and results. It’s also to assess whether any eventual use of Large Language models (LLMs) supported your learning rather than replaced it.
Your presentation and the Q&A will take place on campus and everyone in your lab team must attend in-person (no exceptions). You may delegate the talk to a subset of your teammates, but you will all be asked to answer questions during the Q&A. The SSI teachers decide who to ask a question.
As for grading, everyone in the group will get the same grade, which is based on your performance as a team. This means that everyone in your team is equally responsible for the work that you carried out and that we do not assess performance of individuals in a lab group.
To help you manage your work efficiently and effectively, we suggest that you create a summary of your group meetings that includes who attended, key action points discussed, who is responsible for each task, and when it’s due. Such a summary will help ensure that everyone in your group is on the same page and that you together make progress towards your goals.
You need to end your presentation with a slide in which you (1) each individually reflect on your collaboration in the team and (2) explain who carried out which parts of the assignment. Please be specific: focus on your project/team and avoid generic chatter such as “the work was both challenging and rewarding”.
At the end of your talk, you must also include a slide that states how you used LLMs and other tools, if any. See “Use of ChatGPT and other tools” for more details.
Submission of your lab assignment
You must submit your slides through Canvas before your presentation, which your teachers will check.
You will also need to deliver your measurement results of the IoT device through Canvas.
For each device, we need: 1. A capture of its network traffic (e.g., using tcpdump or Wireshark), 2. Its MUD profile, and 3. A README file with the IP and MAC addresses of the IoT device and gateway and an explanation of where in the PCAP you interacted with the device in what way (use the PCAPs’ timestamps).
The name of a PCAP file must be of the form `<team-ID>-<device-name>.pcap`, MUD files `<team-ID>-<device-name>.mud`, and README files of the form `<team-ID>-README.txt`. If you decide to use mudgee for creating MUD profiles, then please include the ip flow information (or as separate file `<team-ID>-<device-name>.ipflow`). The team IDs are equal to your group number on Canvas.
Evaluation of your group assignment
We will evaluate your report based on SSI’s learning goals, as well as on the following criteria:
- Introduction/background: how well did you introduce your work, in particular your work’s context, purpose, and relevant references.
- Methodology: how well did you design and discuss your measurement setup and the procedures you used so others can reproduce your experiments.
- Results: how well did you explain and analyze the network interactions of the devices you analyzed.
- Discussion: how well did you discuss MUD’s pros/cons/extensions, the limitations of your measurements, critical analysis, and implications of the device’s security to the overall cyber security hygiene.
- Clarity: structure, language and readability of the report.
- Satisfies requirements regarding delivered pcap files, MUD, follows page limits (pass/fail).
We will evaluate your report as if it was a submitted paper to an academic conference. This means that your research has to be thorough in terms of methodology and description. Prof. Aiko Pras made an excellent 30 minute video on how to write a paper a few years ago, which we highly recommend you watch.
The teaching team will evaluate your presentation as follows.
Presentation Rubric
Section | Points | Description |
---|---|---|
Introduction & Objectives | 0–2 | Clear explanation of the project goals, context, and what your group aimed to achieve. |
Methodology | 0–2 | Detail and justify the measurement setup, tools, and process. |
Results & Analysis | 0–2 | Present data with appropriate interpretation, and use tables/graphs effectively to enhance understanding. |
MUD Specification & Proposal | 0–2 | Clear explanation of the MUD spec or extension and its link to observed behavior. Demonstrate originality and relevance to IoT security. |
Structure, Clarity & Visual Support | 0–1 | Structure your presentation so that it is logical, clear, and easy to follow. |
Q&A Performance & Reflection | 0–1 | Confidently and insightfully provide answers that reflect understanding. |
Total | 0–10 | Total points for the presentation based on the criteria above. |
NOTE WELL: we consider your report a work of the entire group, which means that everybody is equally responsible for it.
Plagiarism
As per the university’s policy on academic misconduct, no forms of plagiarism are tolerated. This means that if you want to literally include sentences from other sources, you MUST reference and quote them. This includes sources where you are an author (self-plagiarism). At the first lecture, we will briefly discuss the differences between citing, quoting, and copying. Please contact us if you have questions.
Use of ChatGPT and other tools
You may use ChatGPT, Grammarly or other tools to help you improve the language of your group presentation. The original content MUST however be written by you and your lab group.
You must include this statement in your presentation if you used ChatGPT or other tools:
“AUTHOR DECLARATION: During the preparation of this work the authors used [NAME TOOL/SERVICE] ONLY to improve the language of their presentation. The authors confirm that they alone wrote the original text in full and that they then reviewed and edited the content using [NAME TOOL/SERVICE]. The authors jointly take full responsibility for the content of the work.”
If you did not use such tools, then include a statement that no AI was used:
“AUTHOR DECLARATION: During the preparation of this work the authors used no artificial intelligence tools.”
Your report MUST include either of these two statements or otherwise we will not take it into consideration.
The statements are based on the UT’s policy on the use of AI in education, adapted for the specific case of SSI.
As per the same policy, we will consider suspicion of unpermitted or unreported use of AI as potential academic misconduct. We will report such cases to the Examination Board and they may result in you having to take an oral exam on your assignment, amongst others.
Study material
We’ll be using a total of 9 papers (and sometimes IETF RFCs) on IoT security for the regular lectures (not the guest lectures). [RFC8520] and [MUD] are about the Manufacturer Usage Description (MUD), which you’ll need for the lab assignment.
Lecture R3: Internet Core Protocols
[DNSIoT] C. Hesselman, M. Kaeo, L. Chapin, kc claffy, M. Seiden, D. McPherson, D. Piscitello, A. McConachie, T. April, J. Latour, and R. Rasmussen, “The DNS in IoT: Opportunities, Risks, and Challenges”, IEEE Internet Computing, 2020. https://www.sidnlabs.nl/downloads/49DguF5OpLVw5HCXfROdzW/9c7126fce8ddc80b0850d85f04d64139/The-DNS-in-IoT-Authors-Version-2020-SIDN-Labs.pdf
[IPv6] P. Richter, O. Gasser, and A. Berger, “Illuminating large-scale IPv6 scanning in the internet”, In Proceedings of the 22nd ACM Internet Measurement Conference (IMC ’22), Association for Computing Machinery, New York, NY, USA, 410–418, 2022, https://doi.org/10.1145/3517745.3561452.
Lecture R4: IoT Botnet Measurements
[Mirai] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, “Understanding the Mirai Botnet”, in: 26th USENIX Security Symposium, 2017, https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
[Hajime] S. Herwig, K. Harvey, G. Hughey, R. Roberts, and D. Levin, “Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet”, Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, USA, February 2019, https://www.ndss-symposium.org/ndss-paper/measurement-and-analysis-of-hajime-a-peer-to-peer-iot-botnet/
Lecture R5: IoT TLS
[IoTLS] M.T. Paracha, D.J. Dubois, N. Vallina-Rodriguez, D. Choffnes, “IoTLS: understanding TLS usage in consumer IoT devices”, 21st ACM Internet Measurement Conference (IMC 2021), November 2021, https://doi.org/10.1145/3487552.3487830
Lecture R6: IoT Security in Non-Carpeted Areas
[IIoT Security] M. Serror, S. Hack, M. Henze, M. Schuba, and K. Wehrle, “Challenges and opportunities in securing the Industrial Internet of Things,” IEEE Transactions on Industrial Informatics, vol. 17, no. 5, pp. 2985–2996, 2020, https://ieeexplore.ieee.org/document/8976937
[Haystack] S.J. Saidi, A.M. Mandalari, R. Kolcun, H. Haddadi, D.J. Dubois, D. Choffnes, G. Smaragdakis, and A. Feldmann, “A Haystack Full of Needles: Scalable Detection of IoT Devices in the Wild”, 20th ACM Internet Measurement Conference (IMC 2020), October 2020, https://dl.acm.org/doi/pdf/10.1145/3419394.3423650
Lecture R7: IoT Forensics
[RIoTMAN] A. Darki, and M. Faloutsos, “RIoTMAN: a systematic analysis of IoT malware behavior”, CoNEXT ’20: Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, November 2020, https://doi.org/10.1145/3386367.3431317
[Honware] Vetterl, Alexander, and Richard Clayton. “Honware: A virtual honeypot framework for capturing CPE and IoT zero days.” Symposium on Electronic Crime Research (eCrime). IEEE. 2019. https://www.cl.cam.ac.uk/~amv42/papers/vetterl-clayton-honware-virtual-honeypot-framework-ecrime-19.pdf
Group Assignment
[RFC8520] E. Lear, R. Droms, and D. Romascanu, “Manufacturer Usage Description Specification”, RFC 8520, March 2019, https://tools.ietf.org/html/rfc8520
[MUD] Ayyoob Hamza, Dinesha Ranathunga, H. Habibi Gharakheili, Matthew Roughan, Vijay Sivaraman, “Clear as MUD: Generating, Validating and Applying IoT Behaviorial Profiles” (Technical Report), April 2018, https://arxiv.org/abs/1804.04358
[SPIN] Lastdrager, E.E.H. and Hesselman, C.E.W. and Jansen, J. and Davids, M., “Protecting Home Networks From Insecure IoT Devices,” Proceedings of the 2020 IEEE/IFIP Network Operations and Management Symposium (NOMS 2020). Budapest, Hungary, 20-24 April 2020, https://www.sidnlabs.nl/downloads/7FokYsWdEqs3rC3I9d0xOb/89b5f986185bb15d4e57bd22824c882f/Protecting_Home_Networks_From_Insecure_IoT_Devices.pdf and https://spin.sidnlabs.nl/en/
Additional Reading
[Castle] Noah Apthorpe, Dillon Reisman, Nick Feamster, “A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic”, Workshop on Data and Algorithmic Transparency (DAT ’16), New York University Law School, November 2016, https://arxiv.org/abs/1705.06805
[WEIS] E. Leverett, R. Clayton, and R. Anderson, “Standardisation and Certification of the `Internet of Things’”, 16th Annual Workshop on the Economics of Information Security (WEIS2017), USA, June 2017, https://www.cl.cam.ac.uk/~rja14/Papers/weis2017.pdf
[IMC] J. Ren, D. J. Dubois, D. Choffnes, A. M. Mandalari, R. Kolcun, and H. Haddadi, “Information Exposure from Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach”, Internet Measurement Conference (IMC2019), Amsterdam, Netherlands, Oct 2019, https://moniotrlab.ccis.neu.edu/wp-content/uploads/2019/09/ren-imc19.pdf
[5G] B. Hubert, “5G: The outsourced elephant in the room”, blog, Jan 2019, https://berthub.eu/articles/posts/5g-elephant-in-the-room/
[Merkel] Opening Speech Internet Governance Forum, Bundes Chancellor Merkel, Nov 2019, https://www.youtube.com/watch?v=4f2w9Ri_XPw&t=1598s (as of 26:00)
Background
Motivation
The “Internet of Things” (IoT) is an emerging Internet application that promises to make our society smarter, safer, and more sustainable. Analysts expect the IoT will connect 20-30 billion everyday objects to the Internet, such as cars, drones, robots, traffic lights, door locks, and light bulbs.
The key potential of the IoT is its pervasive and passive nature: it’ll be all around us through (tiny) sensors and actuators, operating passively and invisibly “in the background” of our daily lives [WEIS]. Conceptually, the IoT continually interprets and updates a distributed online representation of people’s physical environments based on data from a wide range of sensors and then uses this model to act upon the real world through actuators, all typically without human involvement or awareness.
While the extraordinarily high expectations that folks have of the IoT may come true, we believe there is a need to complement such optimism with a recognition of the equally extraordinary safety and privacy risks to society that the IoT brings. For example, adversaries can exploit vulnerabilities in insecure IoT devices to launch massive DDoS attacks on Internet infrastructure, such as the DDoS attacks on DNS provider Dyn of late 2016 [Mirai], which led to large-scale outages of popular services such as Spotify and Twitter. In addition, the IoT may also jeopardize the privacy and safety of users, for example because insecure IoT devices enable adversaries to remotely capture the video feed of online cameras or remotely open doors or change room temperatures.
Another concern is that the IoT is opaque to users: their IoT devices often interact with remote services on the Internet to perform their tasks [Castle, IMC], but users will typically be unaware of this “backend” of the IoT. For example, they will usually not know the companies that operate these services and that process users’ data (e.g., hypergiants such as Google) and the legal jurisdiction that applies. The societal risk is that we lose view of and control over the infrastructure on which the IoT builds and the public values that we find important in the Netherlands and Europe (“strategic digital autonomy”) [Merkel].
Synopsis
SSI provides you with an overview of IoT security challenges and technical solutions to address them, for instance using profiles that describe the behavior of IoT devices, measurement systems, and security systems for home networks that automatically block outgoing DDoS traffic.
The study material for SSI consists of 12 scientific papers that you will need to study. In addition, you will need to carry out a hands-on lab assignment in groups of 3 to measure the behavior of IoT devices and describe it through a device profile. We take a paper-based approach rather than the traditional approach of using textbooks because the dynamic nature of IoT security concepts requires current teaching material, making recently published papers at high-reputation academic venues more suitable for our goal. At the same time, we also include older “milestone” papers such as [Lora].
Learning Outcomes
After successful completion of SSI you will:
- Understand IoT concepts and applications, security threats, technical solutions, and a few relevant standardization efforts in the IETF
- Be able to analyze network traffic of IoT devices and create device profiles that describe this behavior
SSI also contributes to your skills to independently carry out research projects and to develop new services and systems.
Contents
- IoT and Internet core protocols
- IoT botnets
- IoT edge security systems
- IoT device security
- IoT honeypots
- IoT in non-carpeted areas
- IoT security threats
- Device description languages
- IoT measurements
- IoT standardization in the IETF
Organization
SSI is a collaboration of the University of Twente and SIDN Labs (www.sidnlabs.nl), the research team of the operator of the Netherlands’ top-level domain, .nl. SIDN Labs’ goal is to increase the security of the Internet infrastructure for our society, for instance through SPIN [SPIN], an open source security system that protects the Internet and end-users from compromised IoT devices.
Study Material
The study material of SSI consists of academic papers, (draft) IETF standards (RFCs), and the MUD RFC.
Related Courses 4TU Cyber Security: