Updated 19 October 2019 - Revision History HERE
** Infrequent updates from this point on. Lots of research, progress and chatter over the past 5 years - STILL somewhat of an unsettled topic **
A collection of IoT Security and Privacy resources (2014-present).
Recent Changes
April 2019 - October 2019 Finds/Changes (Revision History)
Running Collection
Gov Observations/Directives
US Government
- President
- Senate/Congress
- Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk by Sen Ed Markey (15p PDF, Feb 2015)
- Senate Resolution 110 on the Internet of Things by Sen Deb Fischer (3p PDF, Mar 2015, Press Release)
- House Resolution 195 on Internet of Things by Rep Lance Leonard (4p PDF, Apr 2015)
- US Dept of Intelligence 2016 Worldwide Threat Assessment (33p PDF, Feb 2016)
- H.R.1224 - NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, March 2017
- H.R.1324 - Securing IoT Act of 2017, March 2017
- US Congress S.J.Res.34, Remove Broadband Privacy Protection, April 2017
- Children’s Connected Toys: Data Security and Privacy Concerns, Rep Bill Nelson Committee on Science, Commerce and Transportation, Office of Oversight and Investigations, Dec 2016, 17p PDF
- Bruce Schneier Testimony before Congress' subcommittee on Commerce, MFG & Trade (Role of connected devices in recent cyberattacks), 6p PDF, Nov 2016
- Senate Bill introduced: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017, 20p PDF, August 2017
- S.2234 - The Internet of Things Consumer Tips to Improve Personal Security Act introduced Dec 2017
- US House drafted proposed "Smart IoT Act", 4p PDF, May 2018. Related Article
- S.734 - IoT Cybersecurity Improvement Act of 2019, Introduced Mar 2019
- Department of Commerce
- DOE - Energy focused, but potential overlap - see www.smartgrid.gov
- FCC - Spectrum Focused
- FTC - Consumer focused
- Internet of Things Privacy & Security in a Connected World - (70p PDF, Jan 2015)
- Interesting Dissenting Statement by FTC Commissioner!?! (4p PDF, Jan 2015)
- Start with Security - A Guide for Business. Lessons Learned from FTC Cases - (June 2015, 20p)
- PrivacyCon 2016 - Agenda, session videos, papers and other artifacts (Jan 14, 2016)
- Careful Connections: Building Security into the Internet of Things (10p PDF, Jan 2015)
- DMCA security research exemption for consumer devices, Nov 2016
- PrivacyCon 2017 - Agenda, session videos, papers and other artifacts (Jan 12, 2016)
- COPPA compliance to include internet-connected toys and devices for kids, June 2017
- IoT Home Inspector Challenge, Winners announced Aug 2017
- Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims, Aug 2017
- Consumer Product Safety Commission request for comments IoT safety issues and Hazards, May 2018
- FDA - Medical
- NIST - A LOT! - Search for "Cybersecurity Publications"
- SP-800-160: An Integrated Approach to Building Trustworthy Resilient Systems (20+p PDF, May 2014)
- Cyber Security Framework (est Feb 2013)
- SP-800-82: Guide to Industrial Control Systems (ICS) Security (170p PDF, May 2013)
- Paper: A Cybersecurity Testbed for Industrial Control Systems (16p PDF, Oct 2014)
- Interagency Report 7628 Revision 1, (600+p PDF, Sep 2014)
Guidelines for Smart Grid Cybersecurity [3 volumes in one GIANT PDF]:
- Vol. 1, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements;
- Vol. 2, Privacy and the Smart Grid [Approx pg 291 in PDF];
- Vol. 3, Supportive Analyses and References. [Approx pg 474 in PDF]
- Special Publication 1108R2, (225+p PDF, Feb 2012)
NIST Framework and Roadmap for Smart Grid Interoperability
- Cyber-Physical Systems Public Working Group (CPS PWG)
- SP-800-183: Networks of Things (30p PDF, July 2016)
- SP-800-160: Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (257p PDF, Nov 2016)
- NIST Cybersecurity for IoT Program, initiated in November 2016
- Draft SP800-53: Security/Privacy Controls for Information Systems and Organizations (495p PDF, Aug 2017)
- Why Security and Privacy Matter in a Digital World, Sept 2017
- NISTIR 8222 (Draft) - Internet of Things (IoT) Trust Concerns, Sept 2018
- NISTIR 8228 (Final) - Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, (44p PDF, June 2019)
- NISTIR 8259 (Draft) - Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers (July 2019, 38p PDF)
- NSA
- DOJ
- Department of Homeland Security
- GAO
European Commission
Guidance
- IEEE IoT!
- BuilditSecure.ly
- I Am The Cavalry
- Stanford Secure Internet of Things Project
- OWASP Internet of Things Project (previously IoT Top 10 project)
- Industrial Internet Consortium - Specifically, their Security Working Group
- Consumer Report's Policy & Action Group - Driver Safety and Privacy Worries
- The Digital Standard Initiative (Consumer Reports)
- The Internet Society (ISOC) - IoT Coverage (PKA Online Trust Alliance Internet of Things Initiative)
- IoT Security & Privacy Checklist (1p PDF, Oct 2016)
- Draft IoT Trustworthy Framework released (5p PDF, Jun 2015)
- IoT category added to Annual Online Trust Privacy Audit & Honor Roll (38p PDF, Jun 2015)
- Consumer Oriented Smart Device Purchase and Setup Checklist (1p PDF, Dec 2015)
- IoT Trust Framework v2.5 (6p PDF, June 2017)
- The Internet of Things Overview - Understanding the Issues and Challenges ... of a More Connected World (50p PDF, Oct 2015)
- Cyber Incident & Breach Trends Report, (11p PDF, Jan 2018)
- The Trust Opportunity: Exploring Consumer Attitudes to the Internet of Things (May 2019, 17p PDF)
- Policy Brief: IoT Privacy for Policymakers (Sep 2019, 14p PDF)
- Symantec's IoT area including IoT Security Reference Architecture (Reg Req'd. 20p PDF, 1q2015?)
- NCC Group - Implementers Guide to Cyber Security for the Internet of Things (40p PDF, April 2014)
- Cloud Security Alliance Mobile Working Group now has an IoT Activity spun-up (interesting taxonomy in there)
- International Internet of Things Security Foundation (IoTSF)
- Consumer Electronics Association (CEA)
- GSM Association (GSMA) - IoT Security Guidelines, Feb 2016 - Zip File with Full Set
- prpl Foundation: Security Guidance for Critical Areas of Embedded Computing (58p PDF, Jan 2016)
- The Thread Group
- ISO
- oneM2M.org's Standards Initiative
- European Telecommunications Standards Institute (ETSI) - Also part of oneM2M
- International Telecommunications Union - Internet of Things Global Standards Initiative
- International Society for Automation (ISA)
- Internet of Things Activity/Cluster includes M2M & IoT security Activities - Whitepaper lists security activities (95p PDF, Jun 2015)
- Open Connectivity Foundation (PKA Open Interconnect Foundation)
- Center for Internet Security (CIS)
- IOTA Project (www.iotatoken.com)
- IETF IoT Security Related - more to weed through
- IoT Alliance Australia (IOTAA), July 2016
- W3C
- Petras Internet of Things Research Hub
- TOR Project
- Onvif - IP-based Security Standard
- AUTO-ASAC - Automotive Information Sharing and Analysis Center
- Smart Card Alliance
- Broadband Internet Technology Advisory Group (BITAG)
- Open Mobility Alliance
- IPSO Alliance - Charter Here
- IoT Design Manifesto from iotmanifesto.com, 1p PDF May 2015
- www.IoTiap.com - Principles, Practices and a Prescription for Responsible IoT Embedded Systems Development, Nov 2016
- Microsoft
- Google
- IoT Privacy Forum - nonprofit think/do tank promoting privacy in world of connected devices
- IoT M2M Council - The International Journal of IoT Law & Public Policy, April 2018 PR: "Keep up with government action affecting IoT, worldwide!"
- AT&T - The CEO's Guide to Securing the Internet of Things (24p PDF, Sept 2017)
- BSI UK IoT Committee "Focusing Privacy, Security, Trustworthiness and Protection"
- Center for Long-Term Cyber Security (CLTC @ UC Berkeley)
- AgeLight - IoT Safety Architecture & Risk Toolkit (v3.1, Mar 2019, 8p PDF)
- Council for Securing the Digital Economy (CSDE) - 2018 International Anti-Botnet Guide (48p PDF, Nov 2018)
Training
Certification
CTIA Cybersecurity Certification Test Plan for IoT Devices v1, 33p PDF, Aug 2018
IoT Security Foundation’s Champion Award
UL - Cyber Security Assurance Program - Announced in April 2016
Products/Vendors
- F-Secure Sense - Security WiFi Router and Mobile App. Device+Subscription Available in late 2016
- Bastille Networks, Inc
- CSS - VerdeTTo IoT Security Platform
- BullGuard - Previously known as Dojo Labs (Seems like home IDS) Device+subscription
- Gemalto - IoT Security - Device, Cloud and Security lifecycle management
- Bitdefender BOX - Home Device Security
- Samsung ARTIK Cloud (IoT Development Environment) - Overview. Device Security Accommodations Here
- Mocana - Software Development Platform (Embeddable)
- UL - Cyber Security Assurance Program - Announced in April 2016
- Senrio Sensor - IoT Cybersecurity Sensor - June 2016 Launch
- Nokia IMPACT IoT Platform - Securely manage devices
- Claroty Platform - Industrial Controls/Operational Technology
- Intel
- Microsoft
- Arxan
- SIDN Labs - opensource project called SPIN on Github focusing on Security for in-home Networks
- FireFX - Network Guardian Internet of Things (IoT) Cyber-Security Router and Intrusion Prevention System
- Neuromesh, interesting IoT Security and Intelligence Platform
- Zingbox, Inc - IoT Guardian "Internet of Trusted Things" - Feb 2017 Press Release
- Icon Labs (saw security framework a while ago - added here too)
- ADI Engineering - MicroFirewall IoT Security Appliance
- Cloudflare Orbit (IoT VPN) added, April 2017 Press Release
- Shodan IoT Search Engine
- Zvelo IoT Security Sensor, June 2017 Press Release
- SecureRF - Security for embedded devices. Sensors, toolkits and applications
- Cisco IoT Threat Defense
- Norton Core - Secure WiFi Router for connected home
- Avira SafeThings - Router-based Home/Biz IoT Intrusion Prevention - Nov 2017 Press Release
- ForeScout - CounterAct - dynamically identifies and evaluates devices and applications as they connect
- Indegy - ICS Security and Control solutions
- MagicCube - Software Trusted Execution Environment
- Centri IoTAS - Standards-based IoT security platform
- Trustonic - Device Security and Authentication - Trusted Identities
- Ericsson's IoT Security Offering
- Rambus' CryptoManager IoT Security Service
- VDOO - IoT Security Platform
- Zuul Technology - Industrial IoT Security
- Device Authority (PKA Cryptosoft) IoT Security Blueprint. April 2018 Press Release
- ForceShield
- Trustonic Solutions for IoT - application class processors as well as resource constrained microcontrollers
- Armis See Everything Solution - Agentless device security that instantly protects businesses
- Xage - blockchain-protected security platform for Industrial IoT.
- Extreme Networks Extreme Defender for IoT - secure medical and connected devices
- VisualThreat Added - Connected Car Security Solutions
- Karamba Security - Automotive Security
- Kudelski IoT Security Platform - End-to-End Device & Data Protection
- SecureThingz - Secure Programming Services, Embedded Trust, Guardian Product & Secure Deployment
- Project Alias - Interesting security for smart speakers, open source
- Sentryo (now part of Cisco) - Threat Detection
Research/Publications
- Independent Security Evaluators
- MIT Technology Review
- O'Reilly
- Governing the IoT - Free (registration required) e-book, (19p epub, mobi or pdf, Feb 2016)
- Pew Research
- Beecham Research
- Embedded Security for Internet of Things (Ukil, Sen and Koilakonda)
- Adventures in Automotive Networks and Control Units (Miller and Valasek)
- Security Challenges of IP-Based Internet of Things (Heer, Garcia-Morchon, Hummen, Keoh, Kumar and Wehrle)
- Industry Self Regulation of Consumer Data Privacy and Security (Listokin)
- Privacy Mediators: Helping IoT Cross the Chasm (Davies, Taft, Satyanarayanan, Clinch, Amos) Feb 2016
- BitDefender Research Paper - The Internet of Things: Risk in the Connected Home (16p PDF, Feb 2016)
- Trend Micro Study: Privacy and Security in Connected Life (50p PDF, March 2016)
- Intel Security's Study: Smart Homes and the Internet of Things (12p PDF by Atlantic Council, March 2016)
- Berkman Center's Don't Panic report on 'going dark', (37p PDF)
- IoT Privacy and Security Challenges for Smart Home Environments, Lin & Bergmann, July 2016
- Challenges and Opportunities for Securing Intelligent Transportation System, Zha, Walker & Wang, Feb 2013
- IoT Goes Nuclear: Creating a ZigBee Chain Reaction, Ronen, O'Flynn, Shamir & Weingarten (17p PDF)
- Mozilla's internethealthreport.org
- isaca.org
- Ponemon Institute
- University of Michigan IoT Security Research
- Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
Security Analysis of Emerging Smart Home Applications (19p PDF)
In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016
- FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash
FlowFence: Practical Data Protection for Emerging IoT Application Frameworks (19p PDF)
In Proceedings of the 25th USENIX Security Symposium, August 2016
- ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash
ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
21st Network and Distributed Security Symposium (NDSS 2017), Feb 2017
- Institute for Critical Infrastructure Technology (ICIT)
- Security and Privacy Consideration for Internet of Things in Smart Home Environments, Desai & Upadhyay, (11p PDF, Nov 2014)
- Industroyer: Biggest threat to industrial control systems since Stuxnet, June 2017
- Duo Labs' Bug Hunting, Drilling into the Internet of Things, June 2017 (31p PDF)
- Internet of Things Security Research: A Rehash of Old Ideas or New Intellectual Challenges?, Fernandes, Rahmati, Eykholt and Prakash, (5p PDF) July 2017
- Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic, Apthorpe, Reisman, Sundaresan, Narayanan & Feamster, (16p PDF, Aug 2017)
- University of South Wales School of Electrical Engineering: Inside job - Security and privacy threats for smart-home IoT devices (40p PDF, May 2017)
- KRACK: Vanhoef & Piessens: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (16p PDF, Oct 2017)
- The Internet of Things: Implications for Consumer Privacy under Canadian Law, Trosow, Taylor & Hanam (97p PDF, Oct 2017)
- Blockchain for IoT Security and Privacy: The Case Study of a Smart Home, Dorri, Jurdak, Kanhere & Gauravaram (7p PDF, Oct 2017)
- Altman Vilandrie & Co. Whitepaper - Are your company’s IoT devices secure? Internet of Things Breaches are Common, Costly for U.S Firms (7p PDF, June 2017)
- Forrester - The State of IoT Security 2018 ($$$, Jan 2018)
- ESET Report - IoT AND PRIVACY BY DESIGN IN THE SMART HOME (19p PDF, Feb 2018)
- Cyber Security Research Institute - Pinning down the IoT (24p PDF, Jan 2018, sponsored by F-Secure)
- Vodafone - IoT Barometer 2017/18 (36p PDF, Sept 2017)
- DÏoT: A Self-learning System for Detecting Compromised IoT Devices, May 2018
- Princeton's Center for Information Technology Policy added. Interesting IoT Inspector project
- BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid, Princeton. 19p PDF, Aug 2018
- Personalized Privacy Assistants for the Internet of Things, 2018 IEEE Pervasive Computing: Special Issue - Securing the IoT, Apr 2018, 11p PDF
- Added PrivacyAssistant.org project, focused on user-oriented machine learning techniques
- Ponemon's Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk, March 2018 42p PDF
- Zingbox 2018 Annual Threat Report Medical Devices, 16p PDF
- Web-based Attacks to Discover and Control Local IoT Devices, Aug 2018, 7p PDF
- Infoblox report: What is Lurking on your Network, exposing the threat of shadow devices, May 2018, 7p PDF
- ACM Proceedings of 2018 Workshop on IoT Security and Privacy
- HighIoT - Token Launch Whitepaper on decentralized storage of IoT behavior profiles for protecting devices, 30p PDF, June 2018
- State of IoT Security Report, DigiCert (8p PDF, Nov 2018)
- Nokia Threat Intelligence Report 2019 (Reg Req'd, 22p PDF, Nov 2018)
- Darkcubed - The State of IoT Security Report (Reg Req'd, Feb 2019)
- Securing the Modern Economy: Transforming Cybersecurity Through Sustainability, Stifel, Public Knowledge (22p PDF, Apr 2018)
- BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid, Soltan, Mittal, and Poor, Princeton University (19p PDF, Aug 2018)
- Standardisation and Certification of the ‘Internet of Things’. Leverett, Clayton, Anderson (20p PDF, May 2017)
- Gemalto - The State of IoT Security – Global Survey Report – Oct. 2017 (16p PDF reg req'd)
- Synopsys - State of Fuzzing 2017 (32p PDF, Aug 2017)
- Kharlamov, Alexander & Jaiswal, Aakanksha & Parry, Glenn & Pogrebna, Ganna. (2018). A CYBER DOMAIN-SPECIFIC RISK ATTITUDES SCALE TO ADDRESS SECURITY ISSUES IN THE DIGITAL SPACE. 10.13140/RG.2.2.31408.05122/2. (May 2018, 42p PDF)
- Cyber ITL Study: Binary Hardening in IoT Products, Aug 2019
- Ren, Dubois, Choffnes, Mandalari, Kolcun & Haddadi. Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach (Oct 2019, 13p PDF)
Analysis, Advisories & Alerts
- Gartner: The Connected Home: Impact on CIOs and Business Leaders
- Rapid7 - Hacking Iot: A Case Study on Baby Monitor Exposures and Vulnerabilities (17p PDF, Sept 2015)
- ITU & Cisco's Report: Harnessing the Internet of Things for Global Development (60p+ PDF, Jan 2016)
Relevant discussion beginning on pg 41 - Challenges to the Deployment in Developing Countries
- Symantec's Insecurity in the Internet of Things (20p PDF, Mar 2015)
- TRAPX Anatomy of an Attack - Internet of Things (20+p PDF, Mar 2015)
- Veracode Internet of Things Research Study - household IoT Devices (Reg req'd 12p PDF, Apr 2015)
- HP IoT Security Study - Widely shared: 10 popular devices tested, 70% vulnerable (6p PDF, July 2014)
- Intel/McAfee - 2017 Threats Predictions Report (57p PDF) Nov 2016
- Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER) added
- Cisco Warns of Actively Exploited DoS Flaw in Security Appliances
- IoT Related Advisories (Still digging here - need to find a better way!)
- IC3/FBI
- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
- Cert Vulnerability Note 656302: Belkin Wemo Home Automation Devices (Orig Feb 2014)
- Cert Vulnerability Note 796883: HomeSeer HS2 Web Interface (Orig 2011)
- Cert Vulnerability Note 525132: Foscam IP camera authentication bypass (Orig Mar 2014)
- Cert Vulnerability Note 265532: Multi-vendor IP camera web interface authentication bypass (Orig Oct 2012)
- IOActive: Petcube Remote Wireless Pet Camera Vulnerabilities (2p PDF, Apr 2015)
- Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems
- Cert Vulnerability Note VU#719736: Fisher-Price Smart Toy platform unauthenticated web API commands
- Cert Alert IR-ALERT-H-16-056-01 - Cyber Attack Against Ukrainian Critical Infrastructure, Feb 2016
- New York City Consumer Affairs Warns Parents to Secure Video Baby Monitors, Jan 2016
- CERT Advisory ICSMA-16-196-01 - Philips Xper-IM Medical Monitoring System, July 2016
- CERT Advisory ICSMA-16-089-01 - Carefusion Pyxis SupplyStation System, March 2016
- CERT Advisory ICSMA-16-279-01 - Animas OneTouch Ping Insulin Pump Vulnerabilities, Oct 2016
- CERT/NIST Vulnerability Summary for CVE-2016-6452 - Cisco Prime Home Authentication Bypass
- CERT/NIST Vulnerability Summary for CVE-2016-6408 - Cisco Prime Home Web-Based User Interface
- CERT Advisory ICSMA-17-009-01 - St. Jude Merlin@home Transmitter Vulnerability, Jan 2017
- CERT ICS-ALERT-17-102-01A - BrickerBot Permanent Denial-of-Service Attack, April 2017
- CERT Alert (TA17-293A) - Persistent Threat Activity Targeting Energy & Critical Infrastructure Sectors, Oct 2017
- CERT/NIST Vulnerability Summary for CVE-2018-10987 - Dongguan Diqee Diqee360 vacuum cleaner remote code execution vulnerability, July 2018
- CERT/NIST Vulnerability Summary for CVE-2018-10988 - Diqee Diqee360 devices execute code, without a digital signature, as root, July 2018
-------
Collection of IoT Security and Privacy Newsfeeds and Article Archive from this project now on Separate Page