Internet of Things Security

COURSE SYLLABUS

The course “Internet of Things Security (IoT Security)” covers the following basic topics:

  1. IoT Fundamentals: The course starts with an overview of typical IoT systems, including typical IoT Layers and Architectures, the distinction between IoT and IT, prominent attacks on IoT Devices, and current trends in industrial IoT security.
  2. Threat Modelling: The course then introduces the required background knowledge to model typical IoT threats and assets. This topic comprises terminology, IoT Secure Software Development Life Cycle, ISO 21424, ISO/IEC 18045, Adversary Classification Schemes, Intel Threat Agent Library, Introduction to Asset Taxonomy, OCTAVE, Security Principles and Goals in the context of IoT, STRIDE, MITM attacks, and an introduction to possible Mitigations for typical attacks in the IoT context.
  3. Cryptographic primitives in the context of IoT: As the foundation for most defence mechanisms, the course covers the required theoretical background of the cryptographic primitives utilized in typical IoT systems, including Classic Ciphers (e.g. Mono-/Polyalphabetic, Substitution, Transposition), Perfect Forward Secrecy, Symmetric Cryptography (Prominent Examples of Block- and Stream-Ciphers) with focus on AES and its Operation Modes, Asymmetric Cryptography with focus on RSA, and Digital Signature Schemes (MAC, HMAC, RSA-based).
  4. Cryptanalysis: The course also covers known limitations of the different cryptographic primitives in the context of IoT. This includes attacks such as padding oracle attacks, adaptive chosen-plaintext attacks, and integer factorization, among others. In addition, the course looks at some real-life examples of such attacks in different IoT domains, including automotive systems.
  5. IoT-Specific Communication and Security Patterns: After having covered the required theoretical background, the course covers the most prominent IoT communication patterns/protocols and highlights them in the context of cybersecurity. This topic area includes coverage of MQTT, XMPP, CoAP, HTTPS, Request/Response Pattern, Asynchronous Messaging, Message Queues, Publisher/Subscriber Pattern, Security Considerations and Limitations of the discussed protocols/patterns, and typical Authorization techniques.
  6. Key Exchange Protocols: The course covers the topic of sharing/exchanging/negotiating cryptographic keys to ensure secure communication among different IoT devices. This will include topics such as Key Transport and Exchange mechanisms and their limitations, Concept of Key Distribution Centres, (Authenticated) Diffie-Hellman Key Exchange, Certificates and corresponding PKI methodologies.
  7. Web and Network Security in the context of IoT: As typical IoT systems are heavily interconnected, the course then covers both theoretical and practical security issues of networked systems. This topic area includes reconnaissance methods using nmap and related tools, Enumeration Techniques in typical web-based IoT devices, Vulnerability Assessment Methodologies, OWASP Top 10 and corresponding common exploit strategies (e.g. SQL injection, XSS) and corresponding toolchains to penetration test such applications.
  8. Defence mechanisms: By then highlighting possible defence mechanisms of typical IoT systems, the course bridges the gap between the discussed security concerns and their practical remediation. This topic area includes Access Control methodologies and patterns for IoT, Authentication mechanisms in the context of typical IoT systems, as well as the limitations and challenges of these concepts.
  9. Current Research, Gaps, and Directions: Throughout the course, attention is given to current scientific developments in both offensive and defensive IoT security. Such literature review sessions are spread throughout the course, aiming to enhance students’ critical analysis skills in the context of current research trends.

The Master of Science Programme in "Advanced Cybersecurity Technologies and Governance" was established as part of the European EU-iNSPIRE project (INnovative multi-diSciPlinary Industry-focused cybersecurity education for upskilling and ReskIlling the EU workforcE), which began in January 2025, has a duration of four (4) years and is co-funded by the European Union through the DIGITAL-2023-SKILLS-05 program (Contract No. 101190054).

©2026 University of Piraeus • All rights reserved.
