IoT Privacy & Security Resources
Page Revision History - 2014-Present
2014
Original - 4Q 2014 for an IoT Security project we were exploring. Basically set up alerts to track the IoT Security topic on the Interweb. Mostly simply an interest/hobby now.
2015
1 Feb 2015
- Added Open Interconnect Consortium and related IoTivity to Standards area
- This Revision History - because there is A LOT!
- US FTC's recent revelations & FTC Commissioner's Dissenting Statements on very same revelations
- US DOE's Voluntary Code of Conduct
- Removed the Privacy Section of this page because IoT Privacy and Security seem to be blending (rightfully so!)
6 Feb 2015
9 Feb 2015
- Fixed Dates - it's 2015!
16 March
- Had to add Creepy Barbie
- also Samsung's Rebuttal on Eavesdropping TV
20 April 2015
- CSA's IoT Paper/Press release
- IEEE Ecosystem Study - Not *exactly* security, but does highlight Security gaps
- Added NIST SP-800-160 and related "indefensible" article from FCW
- ToDo - IoT Directories(?) Cert Advisories
29 April 2015
- Italian Privacy Consultation press release
12 May 2015
- Added Online Trust Alliance IoT Working group/framework activity
- Added link to NSTAC Report to the President on the Internet of Things
- Symantec's Insecurity in the Internet of Things Report
20 May 2015
- Added Airplane Hack (creepy)
- Added Alerts, advisories and warnings associated with Hospira Infusion Pumps
31 May 2015
- Added ISO Standards activity
- Added link to US Sen Markey's Security and Privacy report
- Stanford IoT Security Project
05 July 2015
- Added US Senate and House Resolutions on IoT (H Res 195 and S Res 110) from Mar/April 2015
- OTA's 2015 Online Trust Audit and Honor Roll report added (now contains IoT companies)
- Fortune article on Washington's IoT understanding
08 July 2015
- Keep forgetting to add Symantec's IoT 'Reference Architecture'
- Consumer Reports IoT Article
- Ofcom Report added (UK)
10 August 2015
- Flurry of EU Activity June 2015-July 2015
- Computerworld Article
- Added Entry for European Data Protection Supervisor and related activity
- Added link to CERT industrial controls Alert/Advisories
- Wired Article/Video on Recent Jeep Hack
22 August 2015
- Can't believe I forgot AllSeen Alliance - Security appears to be baked in AND advanced (ECC)
26 August 2015
- IoT-A's Privacy and Security Concepts
- HP found 100% of smartwatches vulnerable!
18 Sept 2015
- FBI Alert Added
23 October 2015
- Slight reorg ... Recent finds/changes moved to top of page to callout new stuff, will move/archive here later
2016
21 January 2016
January/February 2016 Finds & Changes
- Interesting IoT Security Threat Map from Beecham Research. Mar 2016
- Whitepaper: Privacy Mediators: Helping IoT Cross the Chasm. Feb 2016
- Cert Vulnerability Note #719736: Fisher-Price Smart Toy Platform, Feb 2016
- Whitepaper from Rapid7: A Case Study on Baby Monitor Exposures and Vulnerabilities Sept 2015
- GSMA Released IoT Security Guidelines Document Set, Feb 2016
- prpl Foundation's Security Guidance for Embedded Computing, Jan 2016
- Lots of IoT in the US Dept of Intelligence 2016 Worldwide Threat Assessment, Feb 2016
- OIC Standards Overview - Presentation/Overview (PDF), Jan 2016
- ICON Labs: Floodgate Security Framework (Draft) May 2015 Article
- Singapore Infocomm Development Authority (IDA) IoT Standards, Jan 2016
- PEW Report on Privacy and Information Sharing, Jan 2016
- Cert Alert IR-ALERT-H-16-056-01 - Cyber Attack Against Ukrainian Critical Infrastructure, Feb 2016
- New York City Consumer Affairs Warns Parents to Secure Video Baby Monitors, Jan 2016
- Free e-book looks interesting/related: Governing the IoT from O'Reilly, Feb 2016
- MIT Research Cyber Survival Report includes IoT Insecurity section, Feb 2016
- Interesting Securing Hospitals report from Independent Security Evaluators - Article Here, Feb 2016
March/April 2016 Finds & Changes
- Smartcard Alliance spins up Security Council to Address Security and Privacy (IoT) - Article, Executive Director's Letter, May 2016
- CIS Critical Security Controls - IoT Security Companion Guide, Oct 2015
- IOTA project added - Interesting decentralized token for micropayments
- Added "Products/Vendors" category for Security related products - no endorsements!
- FCC's Consumer Privacy Proposal
- US Department of Commerce, National Telecommunications & Information Administration - Request for Public comment: "The Benefits, Challenges, and Potential Risks for the Government Fostering the Advancement of the Internet of Things" (15p PDF, April 2016)
- Canada Office of Privacy Commissioner: Privacy Research Paper, (Feb 2016)
- IC3/FBI Public Service Announcement on Remote Exploit Vulnerabilities in Motor Vehicles - Alert I-301716-PSA
- BitDefender Research Paper - The Internet of Things: Risk in the Connected Home (16p PDF, Feb 2016)
- Trend Micro Study: Privacy and Security in Connected Life (50p PDF, March 2016)
- IEEE Study - WearFit: Security Design of a Wearable Fitness Tracker (24p PDF, Feb 2016)
- Intel Security's Study: Smart Homes and the Internet of Things (12p PDF by Atlantic Council, March 2016)
May/June 2016
July/August 2016 Finds & Changes
Sept/Oct 2016 Finds/Changes
November 2016 Finds/Changes
2017
Dec - Jan 2017 Finds/Changes
- News/Articles archived to separate page
- Products/Vendors
- Gov Observations/Directives
- Guidance
- Research/Publications
- Mozilla Internet Health Report - Privacy and Security Section for sure (v1 online, Jan 2017)
Added isaca.org
- Ponemon Institute
- University of Michigan IoT Security Research
- Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
Security Analysis of Emerging Smart Home Applications (19p PDF)
In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016
- FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash
FlowFence: Practical Data Protection for Emerging IoT Application Frameworks (19p PDF)
In Proceedings of the 25th USENIX Security Symposium, August 2016
- ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash
ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
21st Network and Distributed Security Symposium (NDSS 2017), Feb 2017
- Institute for Critical Infrastructure Technology (ICIT)
- Advisories
February - April 2017 Finds/Changes
- Interesting Articles
- EU Privacy Rules Can Cloud Your IoT Future, EE Times, Feb 2017
- Whit Diffie on IoT Privacy and Security, TechTarget.com, Feb 2017
- Congress Votes To Roll Back FCC's Internet Privacy Protections, Mar 2017
- CIA Documents Highlight Privacy Issues of the 'Internet of Things', ACLU Blog, March 2017
- Consumer Reports, ex-Google Cybersecurity Expert Join to Rate IoT Security, CSO, Mar 2017
- Three Major Challenges Facing IoT, IEEE IoT, March 2017
- This Bitcoin Botnet is Vying to Be Future of Secure IoT, CoinDesk, March 2017
- Brickerbot: and You will know It by the Trail of Linux Devices, Security Ledger, April 2017
- Products/Vendor Adds
- Gov Observations/Directives
- US Gov Activity added
- H.R.1224 - NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, March 2017
- H.R.1324 - Securing IoT Act of 2017, March 2017
- Worth noting - US Congress S.J.Res.34, Remove Broadband Privacy Protection, April 2017 & FTC's Response/Objection, March 2017
- Children’s Connected Toys: Data Security and Privacy Concerns, Rep Bill Nelson Committee on Science, Commerce and Transportation, Office of Oversight and Investigations, Dec 2016, 17p PDF
- Department of Commerce, NTIA initiative - Internet of Things (IoT) Security Upgradability and Patching & initial report Jan 2017
- Guidance Added
- Research/Publications
- Advisories
- Upcoming Events/Conferences
May - July 2017 Finds/Changes
- Interesting Articles
- Hack of Dallas Sirens Not the First or Last on Emergency Systems, Experts Warn, Security Ledger, April 2017
- A Clever Plan To Secure The Internet of Things Could Still Have Big Drawbacks, Wired, April 2017
- California Bill Mandates Privacy By Design For IoT Devices, National Law Review, April 2017
- The New EU Privacy Rules Will Radically Change the Landscape for IoT Devices in the US as Well, IoT Business News, May 2017
- IoT facing huge challenges from GDPR, Business Post, July 2017
- Everyone is working on their own ways to secure IoT, Cyberscoop, July 2017
- A vigilante is putting a huge amount of work into infecting IoT devices, Ars Technica, April 2017
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Research/Publications
- Advisories
- Training (new category)
- Upcoming Events/Conferences
Aug - Oct 2017 Finds/Changes
- Interesting Articles
- WHY THE KRACK WI-FI MESS WILL TAKE DECADES TO CLEAN UP, Wired October 2017
- ROCA Crypto Flaw could have big Impact on Internet of Things, SecurityLedger Oct 2017
- FBI and Homeland Security dish Dirt on Critical Infrastructure Attacks, SecurityLedger, Oct 2017
- IoT Security Fail: Hacked Vacuum Cleaner Becomes Spy Cam, Bank Info Sec, Oct 2017
- If Consumer Privacy Isn't Already Dead, IoT Could Kill It, Forbes Sept 2017
- TELNET CREDENTIAL LEAK REINFORCES BLEAK STATE OF IOT SECURITY, Threatpost, Aug 2017
- Sonos: Accept new privacy policy or devices 'may cease to function', CSO Online, Aug 2017
- Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Shared, NY Times, July 2017
- India's
- U.S. senators to introduce bill to secure 'internet of things', Reuters, Aug 2017
- When home appliances attack: Why the enterprise IoT defence starts in the home, CSO, July 2017
- Home gadgets open to hackers, The Telegraph, July 2017
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Research/Publications
- Vanhoef & Piessens: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (16p PDF, Oct 2017)
- Apthorpe, Reisman, Sundaresan, Narayanan & Feamster: Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic, 16p PDF, Aug 2017. Related Article
- University of South Wales School of Electrical Engineering: Inside job - Security and privacy threats for smart-home IoT devices (40p PDF, May 2017)
- The Internet of Things: Implications for Consumer Privacy under Canadian Law, Trosow, Taylor & Hanam (97p PDF, Oct 2017)
- Blockchain for IoT Security and Privacy: The Case Study of a Smart Home, Dorri, Jurdak, Kanhere & Gauravaram (7p PDF, Oct 2017)
- Advisories
- Training (new category)
- Upcoming Events/Conferences
2018
Nov 2017 - Feb 2018 Finds/Changes
- Interesting Articles
- Don’t Feed Them After Midnight: Reverse-Engineering the Furby Connect, Context IS, Nov 2017
- Abilify IoT-enabled digital pills approved amid privacy concerns, Internet of Business, Nov 2017
- Consumers are holding off on buying smart-home gadgets thanks to security and privacy fears, Business Insider, Nov 2017
- The State of IoT (In)Security, Security Boulevard, Jan 2018
- FTC Enforcement of COPPA for Internet of Things Reaches Flashpoint, Lexology, Jan 2018
- Strava storm: why everyone should check their smart gear security settings before going for a jog, Phys.org, Feb 2018
- France mulls manufacturer liability & open-sourcing, IoT industry on edge, SC Feb 2018
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Research/Publications
- Advisories
- Upcoming Events/Conferences
April - Sept 2018 Finds/Changes
- Find of the Month: Experfy - Interesting 'On-demand Consulting & Upskilling Platform for Companies of the Future'...Including IoT Security Training & Consulting
- Interesting Articles
- Research projects to build trust, privacy and security in use of personal data and digital technology, EPSRC, April 2018
- Effective intrusion detection for the Internet of Things, helpnetsecurity, April 2018
- What does the GDPR mean for IoT?, Techtarget, May 2018
- Smart lock user? Z-wave pairing flaw lets attackers open your door from yards away, ZDNet, May 2018
- Google Home's data leak proves the IoT is still deeply flawed, Wired UK, June 2018
- Products/Vendor Adds
- Gov Observations/Directives
- US Consumer Product Safety Commission Protection Agency request for comments on IoT safety issues and hazards, May 2018
- UK Department for Digital, Culture, Media and Sport.
Secure by Design: Improving the cybersecurity of consumer Internet of Things Report, 37p PDF, Mar 2018
- US Department of Justice, Computer Crime & Intellectual Property Section Criminal Division.
Securing Your Internet of Things, 6p MSWord, July 2017
- US House drafted proposed "Smart IoT Act", 4p PDF, May 2018. Related Article
- Department of Commerce - Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, 51p PDF, May 2018
- NIST - NISTIR 8222 (Draft) - Internet of Things (IoT) Trust Concerns, Sept 2018
- Guidance Added
- Training
- Certification (new category)
- Research/Publications
- DÏoT: A Self-learning System for Detecting Compromised IoT Devices, May 2018
- Princeton's Center for Information Technology Policy added. Interesting IoT Inspector project
- BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid, Princeton. 19p PDF, Aug 2018
- Personalized Privacy Assistants for the Internet of Things, 2018 IEEE Pervasive Computing: Special Issue - Securing the IoT, Apr 2018, 11p PDF
- Added PrivacyAssistant.org project, focused on user-oriented machine learning techniques
- Ponemon's Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk, March 2018 42p PDF
- Zingbox 2018 Annual Threat Report Medical Devices, 16p PDF
- Web-based Attacks to Discover and Control Local IoT Devices, Aug 2018, 7p PDF
- Infoblox report: What is Lurking on your Network, exposing the threat of shadow devices, May 2018, 7p PDF
- ACM Proceedings of 2018 Workshop on IoT Security and Privacy
- HighIoT - Token Launch Whitepaper on decentralized storage of IoT behavior profiles for protecting devices, 30p PDF, June 2018
- Advisories
- Vacuum Cleaners!
- CVE-2018-10987 - Dongguan Diqee Diqee360 vacuum cleaner remote code execution vulnerability
- CVE-2018-10988 - Diqee Diqee360 devices execute code, without a digital signature, as root
- CVE-2018-6692 - Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security
- I-080218-PSA - FBI Public Service Announcement - CYBER ACTORS USE INTERNET OF THINGS DEVICES AS PROXIES FOR ANONYMITY AND PURSUIT OF MALICIOUS CYBER ACTIVITIES, Aug 2018
- Upcoming Events/Conferences
- Connect Security World, Marseille, France, Sept 2018
- Connected World Summit, London, Sept 2018
- IoT DevCon Security Summit, Santa Clara, CA, Oct 2018
- IoT Security Summit, Dallas, TX, Oct 2018
- Internet of Things Security Conference ENISA, The Hague, Netherlands, Oct 2018
- Secure IoT 2018, Reading UK, Nov 2018
- IoT Security Foundation Conference, London, December 2018
2019
Oct 2018 - March 2019 Finds/Changes
- Find of the Month: No standouts this go-round.
Google Trends interest for iot privacy & iot security by location and popularity
- Interesting Articles
- A Trustmark for IoT: separating the Internet of Shit from the Internet of Things, BoingBoing, Dec 2018
- Seven out of ten Americans are comfortable with IoT tech in the home, ZDNet, Mar 2019
- Top cybersecurity legislation of 2019, SCMagazine, Dec 2018
- Why We Need a Security and Privacy “Nutrition Label” for IoT Devices, Symantec Blog, Feb 2019
- See How Google’s Android Things Will Make IoT Devices More Secure, Analytics India, May 2018
- Products/Vendor Adds
- Gov Observations/Directives
- Guidance Added
- Training
- Certification
- Research/Publications
- State of IoT Security Report, DigiCert (8p PDF, Nov 2018)
- Nokia Threat Intelligence Report 2019 (Reg Req'd, 22p PDF, Nov 2018)
- Darkcubed - The State of IoT Security Report (Reg Req'd, Feb 2019)
- Securing the Modern Economy: Transforming Cybersecurity Through Sustainability, Stifel, Public Knowledge (22p PDF, Apr 2018)
- BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid, Soltan, Mittal, and Poor, Princeton University (19p PDF, Aug 2018)
- Standardisation and Certification of the ‘Internet of Things’. Leverett, Clayton, Anderson (20p PDF, May 2017)
- Advisories