COMP 5900H (fall 2019; CSI-5138-IHO):
Selected Topics in CS—Internet of Things (IoT) Security [E, T, S]

This page was updated on: 26 Nov 2019 (email: paulv insert@here
For the latest update see:

Description. The course explores security-related aspects of the Internet of Things (IoT), and what can go wrong due to software-related aspects of devices, platforms, and (communication and data) protocols. Many of the security issues resemble those in the ordinary (pre-IoT) Internet, but with broader implications; others are IoT-specific. The focus is on consumer, personal and home IoT devices (rather than industrial applications or smart cities). We mainly explore the technical design of IoT components from a software and configuration perspective, rather than focus on hardware or cyberphysical systems.

Here is a consumer-level overview of the problem this course explores:
We're Surrounded by Billions of Internet-connected Devices. Can We Trust Them? (Adam Piore, 24-Oct-2019,
Grading Scheme (dates are firm—please plan in advance): For details regarding the project components and requirements, click here.

Presentations. This is a graduate course involving "seminars". Students must actively participate in class discussions. Each student must lead one class that covers the designated reading(s). As discussion leader, the student uses slides (via data projector) to present the main ideas of the reading(s), and facilitates class discussion by having prepared a list of items and questions. The Participation component of the grading scheme includes involvement in these discussions throughout the term (thus mandatory attendance). Aside from leading one class discussion, each student will give an oral presentation related to their project in classes beginning Nov 20.

Class preparation and attendance. Prior to each class, students are expected to have read the paper(s) designated for that day, in order to contribute in an informed manner.

Intellectual Property and Copyrighted Material. All materials distributed as part of this course (including lecture content, notes, and tests) remain the intellectual property of the instructor. They are for personal, non-transferable use by students registered in the course only, and no part of them may be reposted, reproduced, forwarded or distributed without the written consent of the instructor. Violation is illegal and strictly prohibited.

References and Sources. Lectures will be drawn from research papers available online, plus material delivered in class and/or via cuLearn (below); students are expected to attend all classes. No specific access to computing labs should be required, but labs in the Herzberg Building require a Carleton University Campus Card, with access based on the courses you are registered in and the School's Lab Access Schedule.

cuLearn. Announcements, and some readings, may be distributed via the cuLearn course management system. Carleton students registered in this course should automatically have access to it; UofO students will need to fill out the form found here, or check with a University of Ottawa administrator.

University Policies. See the bottom of this page.

Detailed Topics. Content listed below is subject to change, but representative of material we expect to cover. Specific sources will be finalized as the term progresses.

  • Sept.4-10: Students must select one class (from Classes 4-19 below) to lead discussion on, by sending an email to the instructor; first-come first-served. "*" denotes already assigned.

  • Class 1 (Sept 4): Security background and principles.
    Reference: Chapter 1 of Computer Security and the Internet: Tools and Jewels.

    Class 2 (Sept 9): IoT overview.
    Cyber-Physical Systems and Internet of Things (Greer et al.) NIST Special Pub 1900-202, Mar 2019

    Class 3 (Sept 11): How IoT differs from IoC (Internet of Computers).
    Analysis, implications and challenges of an evolving consumer IoT security landscape (Bellman et al.) PST 2019
    and RFC 7228: Terminology for Constrained-Node Networks (Bormann et al.) IETF Editor

    *Class 4 (Sept 16): Botnets from IoT devices (Mirai).
    DDoS in the IoT: Mirai and Other Botnets (Kolias et al.) IEEE Computer 50(7):80-84 2017.
    Supplementary: Understanding the Mirai Botnet (Antonakakis et al.) USENIX Security 2017

    *Class 5 (Sept 18): Home smart locks (and what goes wrong).
    Smart Locks: Lessons for Securing Commodity Internet of Things Devices (Ho et al.) AsiaCCS 2016

    *Class 6 (Sept 23): Smart lightbulbs (and what goes wrong).
    IoT Goes Nuclear: Creating a ZigBee Chain Reaction (Ronen et al.) Oakland 2017
    Supplementary: Extended Functionality Attacks on IoT Devices: The Case of Smart Lights (Ronen, Shamir) 2016 IEEE EuroS&P

    *Class 7 (Sept 25): Smart home systems (e.g., Samsung SmartThings) and what goes wrong.
    Security analysis of emerging smart home applications (Fernandes et al.) Oakland 2016

    *Class 8 (Sept 30): Security analysis of IoT devices.
    SoK: Security Evaluation of Home-Based IoT Deployments (Alrawi et al.) Oakland 2019

    *Class 9 (Oct 2): TAP (trigger-action programming) security issues.
    Analyzing the security and privacy risks of IFTTT recipes (Surbatovich et al.) WWW 2017

    *Class 10 (Oct 7): Security features of IoT application platforms/architectures.
    Internet of Things: A survey on the security of IoT frameworks (Ammar et al.) J. Info. Security and Appl. 38 (Feb 2018) 8–27

    *Class 11 (Oct 9): Device lifecycle and transient device association.
    Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks (Stajano) 1999 Security Protocols
    and Fig.1 in RFC 8576: Internet of Things (IoT) Security: State of the Art and Challenges (Apr 2019) IETF.
    Supplementary: IoT Security: An End-to-End View and Case Study (Ling et al.) arXiv:1805.05853 version of GLOBECOM 2017

  • Oct 14: no class, statutory holiday (Thanksgiving).

  • *Class 12 (Oct 16): Device pairing: history and comparision.
    A comparative study of secure device pairing methods (Kumar et al.) Pervasive and Mobile Computing 5(6):734-749, 2009
    Supplementary: Ad-hoc key agreement: A brief history and the challenges ahead (Miettinen and Asokan) Computer Commns 131 (2018) 32-34

  • Oct 21-25: no classes, fall break. Students should complete their project proposal (10% of final grade).

  • *Class 13 (Oct 28): Embedded firmware and security.
    A large scale analysis of the security of embedded firmwares (Costin et al.) USENIX Security 2014

  • Project proposal due: Oct 30 (11:59pm, by email, PDF document).

    *Class 14 (Oct 30): IoT-specific OSs.
    Operating Systems for Low-End Devices in the Internet of Things: A Survey (Hahm et al.) IEEE Internet of Things J. 5(3):720--734, 2016

    *Class 15 (Nov 4): Best practices.
    Best Current Practices for Securing Internet of Things (IoT) Devices (Moore et al., July 2017) draft-moore-iot-security-bcp-01
    Supplementary (parts addressing IoT best practices, and motivation for them): Internet of Things (IoT) Security and Privacy Recommendations (BITAG, Nov 2016).

    *Class 16 (Nov 6): Towards IoT search engines (Censys, Shodan).
    A Search Engine Backed by Internet-Wide Scanning (Durumeric et al.) ACM CCS 2015
    and Sec.7-8 of Searching the Web of Things: State of the Art, Challenges, and Solutions (Tran et al.) ACM Comp. Sur. 50(4) art. 55:1-34 (Nov 2017)

    *Class 17 (Nov 11): Named Data Networking (an example of Information Centric Networking).
    Named Data Networking of Things (Shang et al.) 2016 IEEE IoTDI, 117-128

    Class 18 (Nov 13): In-class term test.

    *Class 19 (Nov 18): IoT device profiling with MUD files (manufacturer usage descriptions).
    Standardizing IoT Network Security Policy Enforcement (Barrera et al.) DISS 2018
    and: RFC 8520: Manufacturer Usage Description Specification.
    Supplementary: Clear as MUD: generating, validating and applying IoT behaviorial profiles (Hamza et al.) 2018 ACM workshop on IoT Sec. and Priv

    Classes 20-23: Student presentations.
    Nov 20: Chris Bennett, Hemant Gupta, Vathsan Morkonda
    Nov 25: Daniela Napoli, Ali Sadeghi Jahromi, Ooha Avula
    Nov 27: Cheldon Mahon, Shilpu Srivastava, Anusha Kankari
    Dec 2: Eben Laryea, Craig Campbell

    Class 24 (Dec 4): IETF IoT-related standards.
    A survey of the Internet Prococol suite for Internet of Things security (Tschofenig et al.) IEEE Security&Privacy (Sept/Oct 2019), 47-57.
    Supplementary: RFC 8576 (see Class 11, above).

    Class 25 (Fri Dec 6): Course lookback. This day runs on a Monday schedule to replace holiday Mon Oct.14.
    Each student will have five minutes (no slides) to give reflections on the course, their view of what IoT security is, and its main challenges.

  • Final project due: Dec.9 (5:00pm, by email, PDF document).

  • === University Policies (start) ===
    Student Academic Integrity Policy. Every student should be familiar with the Carleton University student academic integrity policy. A student found in violation of academic integrity standards may be awarded penalties which range from a reprimand to receiving a grade of F in the course or even being expelled from the program or University. Some examples of offences are: plagiarism and unauthorized co-operation or collaboration. Information on this policy may be found in the Undergraduate Calendar.
    Plagiarism. As defined by Senate, "plagiarism is presenting, whether intentional or not, the ideas, expression of ideas or work of others as one's own". Reported offences will be reviewed by the office of the Dean of Science.
    Unauthorized Co-operation or Collaboration. Senate policy states that "to ensure fairness and equity in assessment of term work, students shall not co-operate or collaborate in the completion of an academic assignment, in whole or in part, when the instructor has indicated that the assignment is to be completed on an individual basis". Please refer to the course outline statement or the instructor concerning this issue. COMP 5900H addendum: Beyond other university policies, any student submitting work including uncited portions originating from someone else, is subject to a mark of negative 100% on the entire work item. Thus if an assignment is worth 10%, the 10% is lost plus an additional 10% penalty, making the best possible course mark 80%. Both students may be penalized if the infraction involves copying from another student. Each student must write up submitted work individually unless explicitly allowed otherwise per instructions (e.g., in group-based assignments). For work that students may wish to eventually publish that is also submitted for grading in this course, including collaborative work with a supervisor, any part thereof must be submitted for grading prior to such collaborative input (i.e., must be the individual's own work), and must be distinct both from work already completed as part of another course, and from work completed as part of an in-progress thesis.
    Academic Accommodations for Students with Disabilities. The Paul Menton Centre for Students with Disabilities (PMC) provides services to students with Learning Disabilities (LD), psychiatric/mental health disabilities, Attention Deficit Hyperactivity Disorder (ADHD), Autism Spectrum Disorders (ASD), chronic medical conditions, and impairments in mobility, hearing, and vision. If you have a disability requiring academic accommodations in this course, please contact PMC at 613-520-6608 or for a formal evaluation. If you are already registered with the PMC, contact your PMC coordinator to send your course instructor your Letter of Accommodation at the beginning of the term, and no later than two weeks before the first in-class scheduled test or exam requiring accommodation (if applicable). After requesting accommodation from PMC, meet with your course instructor to ensure accommodation arrangements are made. Please consult the PMC website for the deadline to request accommodations for the formally-scheduled exam (if applicable) at
    Accommodation for Student Activities. Carleton University recognizes the substantial benefits, both to the individual student and for the university, that result from a student participating in activities beyond the classroom experience. Reasonable accommodation must be provided to students who compete or perform at the national or international level. Please contact your instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist. More information can be found here.
    Survivors of Sexual Violence. As a community, Carleton University is committed to maintaining a positive learning, working and living environment where sexual violence will not be tolerated, and survivors are supported through academic accommodations as per Carleton's Sexual Violence Policy. For more information about the services available at the university and to obtain information about sexual violence and/or support, visit:
    Religious Obligation: Write to the course instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to software and system developmest. For more details visit the Equity Services website:
    Pregnancy Obligation: Write to the course instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist. For more details visit the Equity Services website:
    Medical Certificate: The official medical certificate (form) accepted by Carleton University for the deferral of final examinations or assignments in undergraduate courses can be accessed from:
    === University Policies (end) ===