A running collection of IoT Security and Privacy resources (2014-present).
Ongoing work-in-process - will remain rough as I stumble around the interweb.
Have a change, suggestion or link to add? Please Send it!
Recent Changes
Nov 2017 - Feb 2018 Finds/Changes (complete revision history @ end)
- Interesting Articles
- Don’t Feed Them After Midnight: Reverse-Engineering the Furby Connect, Context IS, Nov 2017
- Abilify IoT-enabled digital pills approved amid privacy concerns, Internet of Business, Nov 2017
- Consumers are holding off on buying smart-home gadgets thanks to security and privacy fears, Business Insider, Nov 2017
- The State of IoT (In)Security, Security Boulevard, Jan 2018
- FTC Enforcement of COPPA for Internet of Things Reaches Flashpoint, Lexology, Jan 2018
- Strava storm: why everyone should check their smart gear security settings before going for a jog, Phys.org, Feb 2018
- France mulls manufacturer liability & open-sourcing, IoT industry on edge, SC Feb 2018
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Research/Publications
- Advisories
- Upcoming Events/Conferences
Running Collection
Gov Observations/Directives
US Government
- President - Executive Order 13636: Improving Critical Infrastructure Cybersecurity (Feb 2013)
- Senate/Congress
- Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk by Sen Ed Markey (15p PDF, Feb 2015)
- Senate Resolution 110 on the Internet of Things by Sen Deb Fischer (3p PDF, Mar 2015, Press Release)
- House Resolution 195 on Internet of Things by Rep Lance Leonard (4p PDF, Apr 2015)
- US Dept of Intelligence 2016 Worldwide Threat Assessment (33p PDF, Feb 2016)
- H.R.1224 - NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, March 2017
- H.R.1324 - Securing IoT Act of 2017, March 2017
- US Congress S.J.Res.34, Remove Broadband Privacy Protection, April 2017
- Children’s Connected Toys: Data Security and Privacy Concerns, Rep Bill Nelson Committee on Science, Commerce and Transportation, Office of Oversight and Investigations, Dec 2016, 17p PDF
- Bruce Schneier Testimony before Congress' subcommittee on Commerce, MFG & Trade (Role of connected devices in recent cyberattacks), 6p PDF, Nov 2016
- Senate Bill introduced: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017, 20p PDF, August 2017
- S.2234 - The Internet of Things Consumer Tips to Improve Personal Security Act introduced Dec 2017
- Department of Commerce
- DOE - Energy focused, but potential overlap - see www.smartgrid.gov
- FCC - Spectrum Focused
- FTC - Consumer focused
- Internet of Things Privacy & Security in a Connected World - (70p PDF, Jan 2015)
- Interesting Dissenting Statement by FTC Commissioner!?! (4p PDF, Jan 2015)
- Start with Security - A Guide for Business. Lessons Learned from FTC Cases - (June 2015, 20p)
- PrivacyCon 2016 - Agenda, session videos, papers and other artifacts (Jan 14, 2016)
- Careful Connections: Building Security into the Internet of Things (10p PDF, Jan 2015)
- DMCA security research exemption for consumer devices, Nov 2016
- PrivacyCon 2017 - Agenda, session videos, papers and other artifacts (Jan 12, 2016)
- COPPA compliance to include internet-connected toys and devices for kids, June 2017
- IoT Home Inspector Challenge, Winners announced Aug 2017
- Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims, Aug 2017
- FDA - Medical
- NIST - A LOT! - Search for "Cybersecurity Publications"
- SP-800-160: An Integrated Approach to Building Trustworthy Resilient Systems (20+p PDF, May 2014)
- Cyber Security Framework (est Feb 2013)
- SP-800-82: Guide to Industrial Control Systems (ICS) Security (170p PDF, May 2013)
- Paper: A Cybersecurity Testbed for Industrial Control Systems (16p PDF, Oct 2014)
- Interagency Report 7628 Revision 1, (600+p PDF, Sep 2014)
Guidelines for Smart Grid Cybersecurity [3 volumes in one GIANT PDF]:
- Vol. 1, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements;
- Vol. 2, Privacy and the Smart Grid [Approx pg 291 in PDF];
- Vol. 3, Supportive Analyses and References. [Approx pg 474 in PDF]
- Special Publication 1108R2, (225+p PDF, Feb 2012)
NIST Framework and Roadmap for Smart Grid Interoperability
- Cyber-Physical Systems Public Working Group (CPS PWG)
- SP-800-183: Networks of Things (30p PDF, July 2016)
- SP-800-160: Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (257p PDF, Nov 2016)
- NIST Cybersecurity for IoT Program, initiated in November 2016
- Draft SP800-53: Security and Privacy Controls for Information Systems and Organizations (495p PDF, Aug 2017)
- Why Security and Privacy Matter in a Digital World, Sept 2017
- NSA
- Department of Homeland Security
- GAO
European Commission
Guidance
- IEEE IoT!
- BuilditSecure.ly
- I Am The Cavalry
- Stanford Secure Internet of Things Project
- OWASP Internet of Things Project (previously IoT Top 10 project)
- Industrial Internet Consortium - Specifically, their Security Working Group
- Consumer Reports' Policy & Action Group - Driver Safety and Privacy Worries
- Online Trust Alliance Internet of Things Initiative & The Internet Society (ISOC) - IoT Coverage
- Symantec's IoT area including IoT Security Reference Architecture (Reg Req'd. 20p PDF, 1q2015?)
- NCC Group - Implementers Guide to Cyber Security for the Internet of Things (40p PDF, April 2014)
- Cloud Security Alliance Mobile Working Group now has an IoT Activity spun-up (interesting taxonomy in there)
- International Internet of Things Security Foundation (IoTSF)
- Consumer Electronics Association (CEA)
- GSM Association (GSMA) - IoT Security Guidelines, Feb 2016 - Zip File with Full Set
- prpl Foundation: Security Guidance for Critical Areas of Embedded Computing (58p PDF, Jan 2016)
- The Thread Group
- ISO/IEC JTC 1/SWG 5 - Preliminary Report on IoT (17p PDF, Sep 2014)
- oneM2M.org's Standards Initiative
- International Telecommunications Union - Internet of Things Global Standards Initiative
- International Society for Automation (ISA)
- European Telecommunications Standards Institute (ETSI) - Also part of oneM2M
- Internet of Things Activity/Cluster includes M2M & IoT security Activities - Whitepaper lists security activities (95p PDF, Jun 2015)
- Open Interconnect Foundation
- Center for Internet Security (CIS)
- IOTA Project (www.iotatoken.com)
- IETF IoT Security Related - more to weed through
- IoT Alliance Australia (IOTAA), July 2016
- W3C
- Petras Internet of Things Research Hub
- TOR Project
- Onvif - IP-based Security Standard
- AUTO-ASAC - Automotive Information Sharing and Analysis Center
- Smart Card Alliance
- Broadband Internet Technology Advisory Group (BITAG)
- Open Mobility Alliance
- IPSO Alliance - Charter Here
- IoT Design Manifesto from iotmanifesto.com, 1p PDF May 2015
- www.IoTiap.com - Principles, Practices and a Prescription for Responsible IoT Embedded Systems Development, Nov 2016
- The Digital Standard Initiative (Consumer Reports)
- Microsoft
- Google
- IoT Privacy Forum - nonprofit think/do tank promoting privacy in world of connected devices
- Gemalto - The State of IoT Security – Global Survey Report – Oct. 2017 (16p PDF reg req'd)
- Synopsys - State of Fuzzing 2017 (32p PDF, Aug 2017)
- AT&T - The CEO's Guide to Securing the Internet of Things (24p PDF, Sept 2017)
Training
Products/Vendors
Research/Publications
- Independent Security Evaluators
- MIT Technology Review
- O'Reilly
- Governing the IoT - Free (registration required) e-book, (19p epub, mobi or pdf, Feb 2016)
- Pew Research
- Beecham Research
- Embedded Security for Internet of Things (Ukil, Sen and Koilakonda)
- Adventures in Automotive Networks and Control Units (Miller and Valasek)
- Security Challenges of IP-Based Internet of Things (Heer, Garcia-Morchon, Hummen, Keoh, Kumar and Wehrle)
- Industry Self Regulation of Consumer Data Privacy and Security (Listokin)
- Privacy Mediators: Helping IoT Cross the Chasm (Davies, Taft, Satyanarayanan, Clinch, Amos) Feb 2016
- BitDefender Research Paper - The Internet of Things: Risk in the Connected Home (16p PDF, Feb 2016)
- Trend Micro Study: Privacy and Security in Connected Life (50p PDF, March 2016)
- Intel Security's Study: Smart Homes and the Internet of Things (12p PDF by Atlantic Council, March 2016)
- Berkman Center's Don't Panic report on 'going dark', (37p PDF)
- IoT Privacy and Security Challenges for Smart Home Environments, Lin & Bergmann, July 2016
- Challenges and Opportunities for Securing Intelligent Transportation System, Zha, Walker & Wang, Feb 2013
- IoT Goes Nuclear: Creating a ZigBee Chain Reaction, Ronen, O'Flynn, Shamir & Weingarten (17p PDF)
- Mozilla's internethealthreport.org
- isaca.org
- Ponemon Institute
- University of Michigan IoT Security Research
- Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
Security Analysis of Emerging Smart Home Applications (19p PDF)
In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016
- FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash
FlowFence: Practical Data Protection for Emerging IoT Application Frameworks (19p PDF)
In Proceedings of the 25th USENIX Security Symposium, August 2016
- ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash
ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
21st Network and Distributed Security Symposium (NDSS 2017), Feb 2017
- Institute for Critical Infrastructure Technology (ICIT)
- Security and Privacy Consideration for Internet of Things in Smart Home Environments, Desai & Upadhyay, (11p PDF, Nov 2014)
- Industroyer: Biggest threat to industrial control systems since Stuxnet, June 2017
- Duo Labs' Bug Hunting, Drilling into the Internet of Things, June 2017 (31p PDF)
- Internet of Things Security Research: A Rehash of Old Ideas or New Intellectual Challenges?, Fernandes, Rahmati, Eykholt and Prakash, (5p PDF) July 2017
- Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic, Apthorpe, Reisman, Sundaresan, Narayanan & Feamster, (16p PDF, Aug 2017)
- University of South Wales School of Electrical Engineering: Inside job - Security and privacy threats for smart-home IoT devices (40p PDF, May 2017)
- KRACK: Vanhoef & Piessens: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (16p PDF, Oct 2017)
- The Internet of Things: Implications for Consumer Privacy under Canadian Law, Trosow, Taylor & Hanam (97p PDF, Oct 2017)
- Blockchain for IoT Security and Privacy: The Case Study of a Smart Home, Dorri, Jurdak, Kanhere & Gauravaram (7p PDF, Oct 2017)
- Altman Vilandrie & Co. Whitepaper - Are your company’s IoT devices secure? Internet of Things Breaches are Common, Costly for U.S Firms (7p PDF, June 2017)
- Forrester - The State of IoT Security 2018 ($$$, Jan 2018)
- ESET Report - IoT AND PRIVACY BY DESIGN IN THE SMART HOME (19p PDF, Feb 2018)
- Cyber Security Research Institute - Pinning down the IoT (24p PDF, Jan 2018, sponsored by F-Secure)
- Vodafone - IoT Barometer 2017/18 (36p PDF, Sept 2017)
Analysis, Advisories & Alerts
-------
Collection of IoT Security and Privacy Newsfeeds and Article Archive from this project now on Separate Page
Revision History
Original - 4Q 2014
1 Feb 2015
- Added Open Interconnect Consortium and related IoTivity to Standards area
- This Revision History - because there is A LOT!
- US FTC's recent revelations & FTC Commissioner's Dissenting Statements on very same revelations
- US DOE's Voluntary Code of Conduct
- Removed the Privacy Section of this page because IoT Privacy and Security seem to be blending (rightfully so!)
6 Feb 2015
9 Feb 2015
- Fixed Dates - it's 2015!
16 March
- Had to add Creepy Barbie
- also Samsung's Rebuttal on Eavesdropping TV
20 April 2015
- CSA's IoT Paper/Press release
- IEEE Ecosystem Study - Not *exactly* security, but does highlight Security gaps
- Added NIST SP-800-160 and related "indefensible" article from FCW
- ToDo - IoT Directories(?) Cert Advisories
29 April 2015
- Italian Privacy Consultation press release
12 May 2015
- Added Online Trust Alliance IoT Working group/framework activity
- Added link to NSTAC Report to the President on the Internet of Things
- Symantec's Insecurity in the Internet of Things Report
20 May 2015
- Added Airplane Hack (creepy)
- Added Alerts, advisories and warnings associated with Hospira Infusion Pumps
31 May 2015
- Added ISO Standards activity
- Added link to US Sen Markey's Security and Privacy report
- Stanford IoT Security Project
05 July 2015
- Added US Senate and House Resolutions on IoT (H Res 195 and S Res 110) from Mar/April 2015
- OTA's 2015 Online Trust Audit and Honor Roll report added (now contains IoT companies)
- Fortune article on Washington's IoT understanding
08 July 2015
- Keep forgetting to add Symantec's IoT 'Reference Architecture'
- Consumer reports IoT Article
- Ofcom Report added (UK)
10 August 2015
- Flurry of EU Activity June 2015-July 2015
- Computerworld Article
- Added Entry for European Data Protection Supervisor and related activity
- Added link to CERT industrial controls Alert/Advisories
- Wired Article/Video on Recent Jeep Hack
22 August 2015
- Can't believe I forgot AllSeen Alliance - Security appears to be baked in AND advanced (ECC)
26 August 2015
- IoT-A's Privacy and Security Concepts
- HP found 100% of smartwatches vulnerable!
18 Sept 2015
- FBI Alert Added
23 October 2015
- Slight reorg ... Recent finds/changes moved to top of page to callout new stuff, will move/archive here later
21 January 2016
January/February 2016 Finds & Changes
- Interesting IoT Security Threat Map from Beecham Research. Mar 2016
- Whitepaper: Privacy Mediators: Helping IoT Cross the Chasm. Feb 2016
- Cert Vulnerability Note #719736: Fisher-Price Smart Toy Platform, Feb 2016
- Whitepaper from Rapid7: A Case Study on Baby Monitor Exposures and Vulnerabilities Sept 2015
- GSMA Released IoT Security Guidelines Document Set, Feb 2016
- prpl Foundation's Security Guidance for Embedded Computing, Jan 2016
- Lots of IoT in the US Dept of Intelligence 2016 Worldwide Threat Assessment, Feb 2016
- OIC Standards Overview - Presentation/Overview (PDF), Jan 2016
- ICON Labs: Floodgate Security Framework (Draft) May 2015 Article
- Singapore Infocomm Development Authority (IDA) IoT Standards, Jan 2016
- PEW Report on Privacy and Information Sharing, Jan 2016
- Cert Alert IR-ALERT-H-16-056-01 - Cyber Attack Against Ukrainian Critical Infrastructure, Feb 2016
- New York City Consumer Affairs Warns Parents to Secure Video Baby Monitors, Jan 2016
- Free e-book looks interesting/related: Governing the IoT from O'Reilly, Feb 2016
- MIT Research Cyber Survival Report includes IoT Insecurity section, Feb 2016
- Interesting Securing Hospitals report from Independent Security Evaluators - Article Here, Feb 2016
March/April 2016 Finds & Changes
- Smartcard Alliance spins up Security Council to Address Security and Privacy (IoT) - Article, Executive Director's Letter, May 2016
- CIS Critical Security Controls - IoT Security Companion Guide, Oct 2015
- IOTA project added - Interesting decentralized token for micropayments
- Added "Products/Vendors" category for Security related products - no endorsements!
- FCC's Consumer Privacy Proposal
- US Department of Commerce, National Telecommunications & Information Administration - Request for Public comment: "The Benefits, Challenges, and Potential Risks for the Government Fostering the Advancement of the Internet of Things" (15p PDF, April 2016)
- Canada Office of Privacy Commissioner: Privacy Research Paper, (Feb 2016)
- IC3/FBI Public Service Announcement on Remote Exploit Vulnerabilities in Motor Vehicles - Alert I-301716-PSA
- BitDefender Research Paper - The Internet of Things: Risk in the Connected Home (16p PDF, Feb 2016)
- Trend Micro Study: Privacy and Security in Connected Life (50p PDF, March 2016)
- IEEE Study - WearFit: Security Design of a Wearable Fitness Tracker (24p PDF, Feb 2016)
- Intel Security's Study: Smart Homes and the Internet of Things (12p PDF by Atlantic Council, March 2016)
May/June 2016
July/August 2016 Finds & Changes
Sept/Oct 2016 Finds/Changes
November 2016 Finds/Changes
Dec - Jan 2017 Finds/Changes
- News/Articles archived to separate page
- Products/Vendors
- Gov Observations/Directives
- Guidance
- Research/Publications
- Mozilla Internet Health Report - Privacy and Security Section for sure (v1 online, Jan 2017)
- Added isaca.org
- Ponemon Institute
- University of Michigan IoT Security Research
- Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
Security Analysis of Emerging Smart Home Applications (19p PDF)
In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016
- FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash
FlowFence: Practical Data Protection for Emerging IoT Application Frameworks (19p PDF)
In Proceedings of the 25th USENIX Security Symposium, August 2016
- ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash
ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
21st Network and Distributed Security Symposium (NDSS 2017), Feb 2017
- Institute for Critical Infrastructure Technology (ICIT)
- Advisories
February - April 2017 Finds/Changes
- Interesting Articles
- EU Privacy Rules Can Cloud Your IoT Future, EE Times, Feb 2017
- Whit Diffie on IoT Privacy and Security, TechTarget.com, Feb 2017
- Congress Votes To Roll Back FCC's Internet Privacy Protections, Mar 2017
- CIA Documents Highlight Privacy Issues of the 'Internet of Things', ACLU Blog, March 2017
- Consumer Reports, ex-Google Cybersecurity Expert Join to Rate IoT Security, CSO, Mar 2017
- Three Major Challenges Facing IoT, IEEE IoT, March 2017
- This Bitcoin Botnet is Vying to Be Future of Secure IoT, CoinDesk, March 2017
- Brickerbot: and You will know It by the Trail of Linux Devices, Security Ledger, April 2017
- Products/Vendor Adds
- Gov Observations/Directives
- US Gov Activity added
- H.R.1224 - NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, March 2017
- H.R.1324 - Securing IoT Act of 2017, March 2017
- Worth noting - US Congress S.J.Res.34, Remove Broadband Privacy Protection, April 2017 & FTC's Response/Objection, March 2017
- Children’s Connected Toys: Data Security and Privacy Concerns, Rep Bill Nelson Committee on Science, Commerce and Transportation, Office of Oversight and Investigations, Dec 2016, 17p PDF
- Department of Commerce, NTIA initiative - Internet of Things (IoT) Security Upgradability and Patching & initial report Jan 2017
- Guidance Added
- Research/Publications
- Advisories
- Upcoming Events/Conferences
May - July 2017 Finds/Changes
- Interesting Articles
- Hack of Dallas Sirens Not the First or Last on Emergency Systems, Experts Warn, Security Ledger, April 2017
- A Clever Plan To Secure The Internet of Things Could Still Have Big Drawbacks, Wired, April 2017
- California Bill Mandates Privacy By Design For IoT Devices, National Law Review, April 2017
- The New EU Privacy Rules Will Radically Change the Landscape for IoT Devices in the US as Well, IoT Business News, May 2017
- IoT facing huge challenges from GDPR, Business Post, July 2017
- Everyone is working on their own ways to secure IoT, Cyberscoop, July 2017
- A vigilante is putting a huge amount of work into infecting IoT devices, Ars Technica, April 2017
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Research/Publications
- Advisories
- Training (new category)
- Upcoming Events/Conferences
Aug - Oct 2017 Finds/Changes
- Interesting Articles
- WHY THE KRACK WI-FI MESS WILL TAKE DECADES TO CLEAN UP, Wired October 2017
- ROCA Crypto Flaw could have big Impact on Internet of Things, SecurityLedger Oct 2017
- FBI and Homeland Security dish Dirt on Critical Infrastructure Attacks, SecurityLedger, Oct 2017
- IoT Security Fail: Hacked Vacuum Cleaner Becomes Spy Cam, Bank Info Sec, Oct 2017
- If Consumer Privacy Isn't Already Dead, IoT Could Kill It, Forbes Sept 2017
- TELNET CREDENTIAL LEAK REINFORCES BLEAK STATE OF IOT SECURITY, Threatpost, Aug 2017
- Sonos: Accept new privacy policy or devices 'may cease to function', CSO Online, Aug 2017
- Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Shared, NY Times, July 2017
- India's
- U.S. senators to introduce bill to secure 'internet of things', Reuters, Aug 2017
- When home appliances attack: Why the enterprise IoT defence starts in the home, CSO, July 2017
- Home gadgets open to hackers, The Telegraph, July 2017
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Research/Publications
- Vanhoef & Piessens: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (16p PDF, Oct 2017)
- Apthorpe, Reisman, Sundaresan, Narayanan & Feamster: Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic, 16p PDF, Aug 2017. Related Article
- University of South Wales School of Electrical Engineering: Inside job - Security and privacy threats for smart-home IoT devices (40p PDF, May 2017)
- The Internet of Things: Implications for Consumer Privacy under Canadian Law, Trosow, Taylor & Hanam (97p PDF, Oct 2017)
- Blockchain for IoT Security and Privacy: The Case Study of a Smart Home, Dorri, Jurdak, Kanhere & Gauravaram (7p PDF, Oct 2017)
- Advisories
- Training (new category)
- Upcoming Events/Conferences