Security and Privacy of Current and Emerging IoT Devices and Systems

The increasing human immersion in instrumented spaces, such as vehicles, homes, offices, and cities, prompts some new security and privacy challenges. Also, the proliferation of interconnected devices that collect, store, and transmit personal data creates a larger attack surface for and attacks. Furthermore, users may not be aware of the privacy implications of these devices and the data they generate. These issues are exacerbated by the current lack of standardization, which makes it difficult to create uniform security and privacy mechanisms and ensure the interoperability of various devices.

Consequently, this initial session focused on emerging privacy concerns and discussed ways to protect users’ personal data while still enabling the functionality of IoT devices.

The speaker started with some background on autonomous systems and their future, particularly the Internet of Autonomous Things (IoAT). The talk traced the evolution of IoT from the 1980s to the present, highlighting the transition from basic sensing technologies to advanced networked and controlled systems. The talk included a range of examples of autonomous technologies, such as Waymo self-driving cars, dog-bots, food delivery robots, and drones, emphasizing their growing presence in everyday life.

The second part of the talk focused on critical security challenges faced by autonomous systems. The speaker stresses the high stakes involved, citing incidents, such as crashes of Uber and Tesla autonomous vehicles and recent malicious activities, such as protesters disabling driverless cars with traffic cones. The discussion extended to system vulnerabilities, including failures in LIDAR and camera detection and sophisticated attacks, e.g., LIDAR spoofing and IRL speed sign alterations. Despite exploring potential solutions, such as cryptographic measures and cross-domain validation, the speaker concluded that no definitive, provable solutions have been established to address these complex cyber-physical security challenges.

The speaker highlighted critical challenges researchers face in accessing robust datasets, emphasizing their importance for advancing IoT research in areas, such as home automation, healthcare, smart cities, and wearables. While there are numerous public datasets for diverse purposes (such as intrusion detection and activity recognition), they often have limitations, including data collection bias, static nature, as low as low variability, volume, and quality.

To address these issues, the speaker proposed the development of domain- and application-specific community IoT research infrastructures. These infrastructures, hosted by a few (trusted?) entities, would provide flexibility for researchers to conduct experiments and facilitate collaborative data collection across multiple nodes or locales. Current examples include Mcity test facility and FIT IoT testbed that offer controlled environments for testing and data collection. Whereas, initiatives (e.g., IoT Inspector and Scooterlab) demonstrate innovative approaches to user-owned device data collection. However, sustaining these infrastructures presents challenges, such as funding, regulatory compliance, and resource maintenance. Looking forward, there is a strong advocacy for expanding community IoT infrastructures, supporting advanced data analysis techniques, and fostering public-private partnerships to enhance resource pooling and research collaboration.

The talk presented fingerprinting of encrypted traffic, focusing on privacy issues in AR/VR/XR environments. These technologies, utilized in education, gaming, medical therapy, and sports, can inadvertently reveal sensitive information, such as user interests, reaction times, and physical attributes (e.g., height), depending on whether headsets or other sensors are used. Despite encryption, traffic patterns remain discernible, posing privacy risks. Potential adversaries include communication partners, ISPs, and anyone monitoring the traffic.

In experiments involving PhD students playing VR games, traffic was sniffed at WiFi routers to analyze patterns. The testbed consisted of two players, WiFi routers, and a game server. Using SVM, researchers could detect the type of hardware used, the game played, and the winner, although DNN was ineffective due to limited data. The study demonstrated that activities within VR environments could be inferred from traffic analysis, highlighting the need for more diverse participant samples and advanced analytical techniques. A comparison between WiFi and Ethernet showed negligible differences in traffic patterns.

The talk started with an overview of the importance of GDPR and its challenges. GDPR, enforced since May 2018, has garnered significant interest from companies aiming to avoid fines and ensure compliance. The implementation is complex, especially without a legal background, and involves working with lawyers to interpret and implement GDPR. The primary focus has been on web-based applications, addressing data subject rights, but the growing use of AI in IoT systems adds another layer of complexity. The talk highlights the difficulty in transitioning legacy systems and emphasizes the need for robust solutions to manage data subject rights effectively.

Current approaches, e.g., RuleKeeper, Fontus, and WebTTC, each offer different technical means of GDPR compliance, though with limitations. RuleKeeper uses static manifest files for rule enforcement, Fontus from SAP employs classical security methods with dataflow tracking, and WebTTC combines formal verification with tainting and logic-based approaches. However, none fully meet all GDPR requirements, with WebTTC being the only one to cover user rights comprehensively. The challenges include determining the appropriate level for privacy enforcement, ensuring data provenance, and achieving interoperability in IoT spaces where devices and software from different vendors often do not work seamlessly together. The talk concluded by emphasizing the need for more integrated and adaptable privacy enforcement solutions.

The talk started with the overview of the evolution of computing, emphasizing the commoditization of sensing, computation, and actuation programming. The discussion then delved into the complexity of autonomous systems, which integrate multiple interacting components equipped with diverse sensors and actuators, often relying on large deep-learning models. These systems, such as robotic vehicles and drones, process various deterministic and non-deterministic inputs to make command decisions, highlighting the intricate integration of physical processes with digital connectivity.

The talk also examined specific examples, such as object tracking and sensor spoofing attacks on drones, underscoring the challenges of modeling adversaries and the complexity of these systems. The discussion extended to hybrid modeling approaches that combine formal methods and program analysis to ensure the correctness and unified behavior of autonomous systems. As autonomous systems become more connected and cooperative, their complexity and the challenges in securing them will increase. The future will see advancements in cognitive architectures and human-like perception. Still, significant challenges remain, such as dealing with uncertainty, adaptive attacks, and the need for expertise across various domains. Collaboration and establishing benchmarks will be crucial for addressing these challenges in secure autonomy.

The talk delved into privacy-preserving computation, particularly in the context of machine learning inference at the edge of IoT devices. The problem involves computing data locally on these constrained devices while balancing privacy, security, latency, and accuracy. The talk evaluated the pros and cons of various methods, noting that no single approach is a clear winner and suggesting a combined strategy.

Three primary methods were explored: homomorphic encryption and multi-party computation (FHE/MPC), TEE, and obfuscation/information removal techniques. FHE/MPC offers strong privacy and security but suffers from poor latency, though hardware accelerators show promise. TEEs provide secure computation with better latency but have system-level vulnerabilities and hardware limitations. Obfuscation, while providing weaker privacy guarantees, ensures low latency and fewer system-level concerns. The talk compares these methods across privacy/security, accuracy, and latency, suggesting improvements such as better latency for FHE/MPC and TEE, as well as stronger privacy for obfuscation. The conclusion emphasizes a “cocktail” approach, combining these techniques to optimize privacy-preserving computation while addressing hidden problems like data guarantees on devices and unintentional data leaks.

The discussion covered the AI landscape at the edge, with devices like Nvidia Jetson and products from Qualcomm, Apple, and Huawei. It outlined the challenges in the ML market related to hardware, software, and services. Key issues include proving ownership, usage control, IP tracing, and ensuring the safety and integrity of models for end users. The talk then covered various methods for attestation and watermarking, including hardware and DL fingerprints, LLM output and model watermarks, and proof of provenance using zero-knowledge proofs. The overarching idea is to robustly and unobtrusively embed information in the distribution, which is challenging for large models. There is a need for research to adapt these techniques to the evolving landscape of AI, particularly as synthetic data becomes more prevalent than real data on the internet.

The talk addressed the challenges of deploying PETs in practice, focusing more on security than privacy. It began by underscoring the complexity of security when collaborating with many stakeholders. The speaker discussed various domains at Bosch, including mobility solutions, industrial technologies, consumer goods, and energy and building technology. These domains share characteristics, such as connectivity, performance, intelligence, personalization, and convenience, which introduce system-level complexities, vulnerabilities, and the handling of big (and personal) data. The focus was particularly on automotive security, covering individual ECUs, in-vehicle networks, connected vehicles, and cloud services. The discussion emphasized the importance of intrusion detection and prevention systems, mandated by government regulations, which operate at multiple levels to detect, analyze, and respond to security events.

The talk elaborated on developing host-based IDS for detecting compromised ECUs using low-cost solutions (e.g., power-trace analysis) despite the inherent constraints of microcontrollers compared to PCs. The talk also covered the challenges in designing detection algorithms with low sampling rates and discussed anomaly detection within vehicles, focusing on low false positive rates, distributed deployment, and real-world performance. The talk also addressed the scaling of data collection for IDS purposes, proposing a configurable and customizable testbed to collect semi-synthetic data. Collaboration with different OEMs was highlighted to build a comprehensive platform for data collection, network simulation, and environment simulation involving engineers, pen-testers, and researchers. The talk concluded by acknowledging challenges such as distribution fidelity, reverse engineering of DBC dictionaries, and the privacy effects on trace correctness.

The last segment of this session was a lively discussion. Topics included the following:

• $\mathrm{■}$

  There is no optimal algorithm for determining who should act first or who is the fastest in certain (IoT/CPS) domains.

• $\mathrm{■}$

  Autonomous vehicles are challenging for research due to the difficulty of reverse engineering and parameterization. When an intrusion is detected, it is unclear what actions should be taken in real-time situations.

• $\mathrm{■}$

  Research should include attacks that assume limited access to vehicle software stacks, e.g., fuzzing UDS protocols, and responses often involve degrading car functions, such as slowing down and stopping safely.

• $\mathrm{■}$

  Balancing safety and security in autonomous driving systems is a complex issue, with safety often (rightfully) taking precedence over security in critical situations.

• $\mathrm{■}$

  In human-driven systems, security is intertwined with safety concerns, such as slowing down a car while overtaking, leading to potential accidents.

• $\mathrm{■}$

  False positives in real-time detection systems can misinform users – this needs to be addressed in system designs.

• $\mathrm{■}$

  Adversary models vary by system, focusing on tamper detection in vehicle software as a key step in preventing attacks.

• $\mathrm{■}$

  Remote access to cars through cloud services or wireless connections is a significant security risk, as is re-flashing ECUs without attestation.

• $\mathrm{■}$

  Testing object recognition systems in vehicles is complex due to proprietary black-box models used by manufacturers, and extensive testing environments are required to gather sufficient data.

• $\mathrm{■}$

  Current research in automotive security includes attacks that manipulate vehicle systems through remote access, infotainment systems, or OBD connections, while minimizing hardware assumptions.

• $\mathrm{■}$

  Discussions on solutions to security issues in autonomous driving include real-time updates and detection systems that ensure changes in ECU software are detected promptly.

• $\mathrm{■}$

  Questions about broader attacks on vehicles, as opposed to isolated incidents, highlight concerns about large-scale vulnerabilities.

• $\mathrm{■}$

  Other topics include the role of cloud services in vehicle security, the necessity of remote operators for autonomous cars, and privacy concerns surrounding IoT devices and vehicle cameras capturing individuals.

• $\mathrm{■}$

  GDPR and other privacy regulations were discussed, particularly regarding their applicability to IoT systems, where users are often unaware of being sensed or recorded by devices.

• $\mathrm{■}$

  The challenge of handling sensitive data (e.g., in facial recognition) in public spaces was highlighted, with potential technical solutions like automated obfuscation being suggested but questioned for practical and scalable implementation.

• $\mathrm{■}$

  Solutions to privacy concerns in IoT involve balancing the need for safety and security in public systems with the rights of individuals to privacy.

In an increasingly interconnected digital landscape, the boundaries between hardware and software are becoming more porous, giving rise to both innovative opportunities and complex security challenges. This session aims to explore the multifaceted nature of security and privacy in modern computing environments.

As devices evolve and systems integrate, ensuring robust security and privacy measures becomes paramount. This session aims to address the unique challenges posed by heterogeneous environments, including IoT ecosystems, cloud computing, and edge devices. It delves into emerging methodologies and frameworks that facilitate the seamless implementation of security and privacy services across these boundaries, as well as the potential implications for users, organizations and researchers.

The talk begins with an overview of the speaker’s background and an introduction to the topic of medical device cybersecurity. It delves into the history of medical devices, highlighting early findings such as the absence of cryptography in wireless medical devices and the potential for inducing fatal heart rhythms via RF replay or induction. The discussion evolves to address the rise of malware and ransomware, mainly targeting hospitals and the power grid, leading to significant disruptions, including the shutdown of hospitals during ransomware attacks. Real-world examples from the Ukraine-Russia conflict illustrate the severe impact of cyberattacks on healthcare, revealing plans to target over 400 hospitals and causing disruptions in critical treatments like cancer care.

The speaker also explores the regulatory landscape, detailing the pathways for medical device approvals and the responsibilities of manufacturers to submit risk audits to the FDA, provide software, and handle vulnerabilities. Challenges include the distribution of malware through firmware updates, with examples of ventilators being recalled due to infected firmware. The scope of FDA regulation is discussed, noting that therapeutic and diagnostic devices are regulated, but not personal devices like step trackers. The talk concludes with a discussion on threat modeling, the difficulties in addressing legacy devices, and the point at which liability shifts from manufacturers to hospitals for end-of-life devices.

The presentation defines cyber-physical vulnerabilities and provides examples to illustrate their complexity. A detailed explanation of how drone control works is given, including the role of the IMU and the control unit. The speaker presents a case study from a 2015 paper on “rocking drones,” demonstrating how resonating the IMU with sound can disrupt the drone’s control, causing it to fall. Videos and formulas illustrate the effects of sound-induced resonance on drones, although commercial applications are limited by the short travel distance of sound.

Further discussion covers the use of sound pressure and explosives to disrupt sensors, with insights from military research. The concept of electromagnetic injection is introduced, showing how random sensor data can paralyze drones. The range of this attack is discussed, highlighting the dependency on power and the mainboard of the drone. The talk concludes with open problems and a video example involving a Tesla, showing how laser pointers can interfere with control systems, raising questions about future research directions in cyber-physical security.

This talk focuses on symbolic execution as a method for analyzing IoT software, emphasizing its ability to generate mathematical descriptions of control and data flow for more rigorous program analysis. The workflow of dynamic symbolic execution (DSE) is explained, from translating binary/source code into intermediate representation to managing states with and without symbols. The potential of combining DSE with IoT is explored, highlighting benefits like bug hunting and exploit generation in controlled lab settings but noting challenges in modeling interactions with hardware and running DSE on real IoT devices.

The speaker outlines potential directions for real-time DSE on IoT devices and symbolic hardware emulation, discussing benefits like runtime anomaly detection and better understanding of hardware behavior. However, challenges remain, such as the lack of DSE engines for ARM architecture, high-speed execution requirements, and difficulties in capturing hardware interactions. The talk concludes with a call for novel symbolic execution methods tailored to IoT’s unique needs, stressing the importance of continued research in this area to improve IoT security.

The talk introduces the concept of data-driven security and its application in IoT firmware, starting with the transition from Robot Operating Systems (ROS) to ROS-Military and the use of large language models to detect vulnerabilities. The discussion covers threat modeling for large-scale IoT deployments, emphasizing the need for frameworks to simulate large-scale environments using technologies like Docker. The challenges and solutions of embedded firmware fuzzing are highlighted, particularly the use of multi-stream fuzzers like MultiFuzz to test monolithic firmware across different hardware platforms.

The speaker addresses the critical role of firmware in interfacing hardware and applications, detailing the potential issues with firmware updates, such as those seen in the CrowdStrike case. Dynamic patching is proposed as a solution to maintain device operation during updates, emphasizing the need for resilience in remote, contested, and safety-critical environments. The talk also touches on the contributions of governments, industry, and academia to solving these challenges, as well as the concept of Digital Twins for threat modeling and fuzzing in IoT environments.

The speaker discusses the complexity of integrating security measures in large-scale IoT deployments, arguing that the scope of security problems often lies more in system and threat models than in errors in security analysis. Examples from recent IoT research, such as the Bluetooth vulnerability, illustrate how usability features can introduce security risks when threat models expand beyond their initial context. The talk emphasizes the need for realistic threat models that balance comprehensiveness with practicality and the challenges of agreeing on common threat models and experimental standards.

The talk also explores the expectations of reviewers for broader testing across more devices and environments, as well as the difficulty of defining adequate testing scopes. The speaker calls for a streamlined approach to adversary models, similar to those in cryptography and network security, to establish common standards for evaluating IoT security. This standardization could facilitate more effective and scalable security solutions across diverse IoT ecosystems.

The talk introduces the concept of “privacy by birth,” focusing on strategies to protect data at the sensor level in IoT devices. It highlights the vast amount of data generated by sensors such as biosensors, microphones, and cameras, as well as the regulatory challenges associated with sensitive data. The lifecycle of data from generation to destruction is discussed, with a focus on ensuring privacy from the moment data is created. The limitations of privacy measures applied after data is generated are noted, emphasizing the need for sensors to perform their tasks without compromising privacy.

The speaker proposes redesigning hardware to create “smart sensors” capable of ensuring privacy by birth while addressing the compatibility and usability challenges posed by legacy sensors. Examples like CAMPro and MicroPro sensors are provided, demonstrating how human activity recognition can be achieved without leaking sensitive information such as facial data. The talk concludes with a demonstration of techniques to anonymize voice data, ensuring that humans can understand speech while preventing machines from identifying voiceprints, and a video highlighting the potential for backdoors in sensors.

The post-session discussion centered on key topics relating to privacy and the challenges of balancing functionality with user control in sensor technology. It highlighted a common theme: while privacy is a key concern in academic and regulatory debates, both consumers and vendors often deprioritize it in favor of cost, convenience, and economic interests. It also expands on several critical issues related to device security, threat models, and the challenges within the research community, especially regarding the peer review process and paper rejections.

A secure and correct Root of Trust (RoT) is essential to anchor the security of all system components. IoT devices typically achieve this through Trusted Execution Environments (TEEs). Over the years, various TEE technologies have been developed and implemented. However, existing designs often reveal significant limitations and vulnerabilities.

This session examines the challenges that complicate RoT design within the IoT landscape. Some of these obstacles – such as restricted resources, limited energy availability, and connectivity constraints – stem from the inherent nature of IoT devices. Additionally, new threats have emerged, including micro-architectural level attacks. Finally, the session will explore novel design opportunities and areas that current approaches have yet to consider.

The talk discussed the evolution and application of TEEs in IoT controllers from 2016 to 2024, with a focus on extending these environments into various sensors. It highlighted the diverse IoT categories and use cases, such as smart cities, vehicular, military, home, and industrial IoT, noting that the volume of home IoT devices is expected to surpass that of mobile phones. The presentation emphasized the future of small, ubiquitous computing devices, often costing less than one Euro, with features like isolated key material, immutable trust roots, secure firmware upgrades, and self-assessment capabilities.

Different approaches to implementing TEEs were examined, such as ARM TrustZone and software-based solutions, detailing specific use cases like Apple’s MFI and Xiaomi MiJia. The speaker also covered the deployment challenges of TEEs in mobile phones and various attempts to implement trusted environments, including ARMv8-M and ESP32-S3, highlighting their challenges in real-world applications. The final part addressed the need for secure home IoT despite the slow momentum and potential missing killer use cases, similar to how regulatory compliance, DRM, and financial services boosted mobile phone security.

This talk focused on the importance of verifying RoT for device binding, which is crucial for secure remote attestation. It discussed the issue of adversaries in the device under checking colluding with other devices to evade verification and the gap between cyberspace identities (IP, MAC, host) and physical identities (TV, WiFi access points, camera), exacerbated by compromised software such as kernels. The speaker emphasized the need for securely measured unique physical properties, like geolocation and fingerprints, that can be verified by a trusted verifier.

Potential solutions were explored, including human-assisted methods using devices as verifiers and the challenges of establishing a universal physical property for RoT binding. The talk highlighted the complexities of trustworthy device pairing and the need for scalable authentication solutions, concluding that while RoT binding is fundamental to trusted computing, it remains a challenging issue to resolve.

This talk introduced the concept of the Internet of Collaborative Things (IoCT), focusing on the idea of devices collaborating in terms of computing, sensing, perception, and networking. The speaker discussed the benefits of sharing resources among devices, such as efficiency in power usage, cost reduction, and enabling new applications like cooperative sensing, perception, and crowdsourcing. However, the focus was on the challenges rather than solutions, with a motivating example of a visiting robot needing to navigate a building and perform tasks based on received instructions.

The challenges identified included issues with the computation stack, security and privacy on devices, and ensuring confidentiality and integrity in device interactions. The speaker emphasized the need for systematic approaches to address these challenges, utilizing existing solutions, open-source infrastructure, and academic contributions. The discussion revolved around how to extend trust to other entities in the IoCT ecosystem, addressing availability, real-time constraints, and the integration of various trust mechanisms.

This talk provided a critical analysis of the integration of RTOS with trusted computing in MCUs. It focused on the Cortex-M series, which typically lacks memory management units and virtual memory, and the difficulties of combining real-time availability with integrity and isolation. The speaker highlighted the problems with current MCU RTOS implementations, such as FreeRTOS and Zephyr, and the conflicts between RTOS requirements and TEE requirements.

Examples of conflicts included time interference, where atomic execution of security services can disrupt real-time operations, and resource sharing, where spatial isolation can break real-time guarantees. The talk also discussed the lack of meaningful isolation in most current RTOS implementations, the low usage of memory protection units, and the absence of clear specifications for RTOS guarantees. The speaker concluded that while there are proposed run-time trusted computing services, significant challenges remain in integrating them with real-time operating systems.

This talk addressed the open issues with existing TEE implementations, starting with the global platform definition of TEE and summarizing the most popular implementations. The speaker pointed out that while there is a common API, differences in underlying implementations can create interoperability issues, making it difficult to write secure applications. Portability issues were also discussed, particularly the lack of support for bare-metal devices, GPUs, NPUs, TPUs, and ASICs, as well as the emerging requirements from new hardware platforms.

The talk highlighted the limitations of vendor-specific TEEs, the challenges of ensuring security and assurance, and the large TCBs that are becoming even larger with new architectures like ARMv9. Issues such as the lack of protection for cache evictions and interrupt latency, the need for extensibility, and the potential benefits of RISC-V for customizable TEEs were discussed. The speaker concluded that while TEEs offer significant security benefits, there are numerous unresolved issues that need to be addressed to improve their effectiveness and interoperability.

This talk argued for the need for active RoTs for IoT devices, highlighting that IoT device manufacturers often do not prioritize security or privacy due to budget constraints, rush-to-market pressures, and other factors. The speaker warned of an impending “IoT armageddon,” citing incidents like the Mirai DDoS attack as previews of potential widespread IoT vulnerabilities. The talk emphasized the ubiquity of IoT devices in various settings and the impact on users who are not device owners, raising the question of whether these users should be informed about nearby devices.

The proposed solution, PAISA (Privacy-Agile IoT Sensing and Actuation), involves IoT devices announcing themselves and utilizing active RoTs to control timers and network peripherals. This approach aims to inform all potentially impacted users about nearby devices, their capabilities, and their current software state without requiring hardware modifications. The talk also discussed the limitations of PAISA, such as compatibility issues with other platforms and the inability to apply to TEE-less devices, concluding that while active RoTs offer a proactive approach to IoT security, there are still significant challenges to be addressed.

Mission-critical systems have increasingly relied on IoT technologies to enhance their operational capabilities and efficiency, across various sectors, including transportation, healthcare, and energy. These IoT technologies collect data in real-time and allow systems to leverage information for improved decision-making and control. However, the security issues associated with IoT in mission-critical systems have emerged as a paramount concern. This session engaged with the multifaceted security challenges endemic to these systems.

This session discusses three special technologies that are more widely used in mission-critical systems than in the Internet, e.g., 5G networks, sensors, and position and time technologies. The threats to these technologies are typically analog instead of digital, and the results of attacks could lead to safety consequences, causing physical damage. The presentations in this section highlights the importance of interdisciplinary efforts in tackling these complex threats in the analog world, while most traditional mitigation strategies are insufficient.

Private 5G networks, dedicated cellular networks deployed for specific organizations, offer numerous advantages such as dedicated infrastructure, enhanced security, customization, improved reliability, lower latency, and higher capacity. These benefits make private 5G an attractive solution for safety-critical applications where traditional WiFi is deemed insufficient, as seen in Korea’s push for 5G in critical infrastructure. Deployments in various sectors such as railroads, medical fields, and power utilities highlight the practical applications and benefits of private 5G. For example, in railroads, it aids in handling safety issues and maintaining infrastructure, while in the medical field, it supports telemedicine and surgical assistance.

However, security vulnerabilities persist across all generations from 2G to 5G, largely due to the need for backward compatibility and the complex ecosystem involving governments, carriers, and device vendors. These vulnerabilities pose significant risks, especially in safety-critical applications where even minor attacks, like detaching a user from the network, can have severe consequences. The talk underscores the importance of addressing these vulnerabilities and suggests future directions, including developing secure implementations for private 5G, creating cellular intrusion detection and prevention systems, and securing standards for the upcoming 6G.

Signal injection attacks, which manipulate sensor readings through electromagnetic interference, present a significant challenge to the integrity of sensor systems. These attacks exploit long wires acting as unintended antennas, altering the analog signals that sensors rely on. While detection strategies exist, such as monitoring for adversarial signals or deviations in sensor data, they are not foolproof and detecting an attack is only part of the problem. The real challenge lies in determining the appropriate response once an attack is detected.

Several proposed solutions, such as using additional sensors or entering a ’safe mode’, each have their own limitations and costs. For instance, using more sensors increases expense and complexity, and stopping systems may not always be feasible, especially for vehicles or medical devices. Another approach involves recovering clean signals, but this often requires additional hardware and forethought. The talk calls for further research into practical and effective responses to signal injection attacks, particularly in scenarios where existing mitigation strategies are insufficient.

In the realm of IoT and autonomous systems, the interplay between digital (soul) and physical (body) components creates unique security challenges. Traditional vulnerabilities often target either the digital or physical domain, but IoT systems are particularly susceptible to out-of-band vulnerabilities that exploit the interactions between these domains. Examples include sound waves disrupting drone operations or side-channel attacks that leverage cross-field signals. These vulnerabilities highlight the risks inherent in trusting sensor data and the physical integrity of devices.

The increasing miniaturization of sensors and integration of multiple functions into single devices exacerbate these vulnerabilities. For instance, smaller microphones are more prone to out-of-band attacks, and integrating logic chips with wireless capabilities can lead to new attack vectors like the ’screaming channel’. The talk emphasizes the need for comprehensive security measures that address both digital and physical aspects of IoT devices. This includes developing tools for detecting out-of-band vulnerabilities, redesigning systems for better resilience, and fostering real-time tolerance to attacks.

Analog security concerns the vulnerabilities in sensors that stem from their physical properties and interactions with the environment. Research has shown that sensors can be manipulated through various means such as sound waves and laser light, leading to significant security breaches in devices ranging from smartphones to medical equipment. For instance, sound waves can be used to hack a phone or inject false steps into a fitness tracker, demonstrating the broad range of potential attacks.

Addressing these threats requires a deep understanding of sensor physics and the development of robust countermeasures. Solutions like altering the design of micro-electro-mechanical systems (MEMS) to be less susceptible to interference or using ultrasound instead of sound waves for communication are being explored. The talk highlights the ongoing research and innovative approaches needed to secure sensors against emerging analog threats, underscoring the importance of interdisciplinary efforts in tackling these complex challenges.

The reliability of positioning and timing information, especially from Global Navigation Satellite Systems (GNSS), is critical for numerous applications. However, GNSS signals are vulnerable to various attacks that can manipulate location and time data. These attacks range from simple signal interference to sophisticated relay and replay attacks that capture and retransmit GNSS signals to deceive receivers. Such vulnerabilities can have serious implications for any system relying on accurate positioning, including civilian infrastructure.

Defending against these attacks involves augmenting GNSS receivers with additional sensors, inertial measurement units, and network localization methods, though these solutions come with their own limitations in accuracy and feasibility. Another approach is time-based detection, which refines time solutions to ensure continuous trust in the data. The talk also discusses advanced methods like using UAVs for localizing attackers and mobile crowdsensing for enhanced detection capabilities. The ongoing challenge is to develop robust, practical defenses that maintain the accuracy and availability of GNSS data amidst evolving threats.

The post-session discussion focused on key topics related to improve the security of IoT devices in the real world, including calling for collaborations between academic research and industry needs, building “Citizen Lab” to facilitate research on both offensive and defensive strategies, and creating standards and regulations as a compelling motivator for changes.

An interesting and challenging design space for security researchers is the one where IoT devices are unattended and in some case even without the possibility to be reached and physically repaired or replaced. Yet designing for such domains trust and security mechanisms that can dynamically adapt to configuration changes and to the discovery of new attacks is important.

This section explores examples of these demanding environments, such as outer space, low-orbit satellites, underwater networks, and smart grids. These domains are rapidly evolving, with significant investment and development from both public and private sectors. The session’s discussions will highlight the unique security challenges and threats inherent to each domain. Additionally, it will address the complexities introduced by the increasingly competitive and open market dynamics, which make securing these environments even more difficult.

The talk centers on the challenges and vulnerabilities faced by autonomous systems, particularly in ensuring security for fully unattended operations. One example highlighted is a “traffic cone attack,” where simple cones are used to immobilize driverless cars, posing a significant and practical threat to these systems. Compared to other sophisticated attack methods, using traffic cones is not only affordable and transferable but also highly stealthy, leveraging ordinary items to disrupt autonomous vehicles. This underscores a key point: low-cost, simple interventions can exploit vulnerabilities in highly advanced systems, raising concerns about their resilience.

The speaker discusses the pursuit of true autonomy and its inherent risks. Without human drivers, autonomous systems struggle to handle disruptions that a driver could easily solve, such as moving a blocking object. Possible solutions like adding mechanical arms or relying on remote operators either add complexity and cost or undermine the goal of complete autonomy. Even with remote assistance, replicating the situational awareness of a human driver is challenging, affecting safety and security. The speaker suggests that autonomy and security can sometimes be at odds, and achieving a balance may require sacrificing certain autonomous functions to enhance overall system safety.

The presentation focuses on the security challenges of underwater cyber-physical systems, extending concepts previously explored in terrestrial and aerial environments. It begins by discussing physics-based vulnerabilities, such as physical adversarial attacks that exploit physical phenomena to manipulate automated behavior. One example mentioned is a laser interference attack demonstrated in a Usenix paper, which causes sensors to fail in detecting pedestrians. The concept of “oversensing,” where sensors detect more than intended, is also highlighted as a potential attack vector. The presentation then shifts to underwater environments, exploring how traditional vulnerabilities apply to the emerging “blue economy” that revolves around oceanic resources, energy harvesting, and resilience to climate change.

The underwater Internet of Things (IoUT) is presented as a crucial aspect of this new blue economy, comprising assets like pipelines, data centers, and communication networks. The focus on underwater data centers emphasizes natural cooling benefits and climate stability but introduces unique vulnerabilities, such as acoustic injection attacks that can manipulate server operations through sound-induced vibrations. Challenges for underwater IoT security include unstable communication channels, low-energy and sparsely distributed devices, and a lack of established security standards. The key question is whether existing security frameworks designed for land-based IoT can be effectively adapted to underwater environments, given the unique physical and operational constraints of the ocean.

The talk addresses the pressing issue of ensuring energy security against cyber-attacks on the increasingly connected and distributed energy systems. While energy production and distribution have seen massive advances, the security aspect remains lagging, with limited research and solutions currently in place. The speaker emphasized the need to consider security from the ground up as the energy landscape transforms, especially with the proliferation of distributed energy resources (DERs) and consumer energy resources (CERs). Australia’s push towards renewable energy, such as South Australia’s aim to be 100% renewable by 2027, and the increased use of household solar and battery systems highlight the urgent need for robust cybersecurity measures to secure the energy grid.

The challenges include dealing with a landscape that was developed without security in mind, vulnerabilities in unencrypted communication, lack of device management, and the absence of a standardized security framework for DERs. The speaker drew parallels between current energy device installations and insecure IoT camera installations, emphasizing the need for better threat modeling and adherence to standards. The integration of virtual power plants and smart applications only complicates this landscape further, leading to increased dependency on other critical infrastructures. As governments start paying more attention to smart energy, the nexus of climate and cybersecurity becomes an important area of concern, necessitating a proactive approach rather than the current “install and pray” mindset.

The talk covers the growing security and privacy challenges in space, especially with the surge in low-Earth orbit satellite launches and evolving technology. With emerging trends like mega-constellations, interplanetary networks, and spacecraft autonomy, the focus shifts to how such systems will cope with cybersecurity threats. Highlighted were potential attack scenarios, such as “blackhole” attacks (where a satellite disappears), “ghost” attacks (fake satellite impersonation), and “residence evil” (rogue, self-contained satellites). The architecture of modern small satellites, such as Ireland’s EIRSAT-1, was discussed, emphasizing onboard sensors and ARM-based computing platforms. Challenges include secure communication in highly dynamic and constrained environments, prevention of satellite user localization, and implementation of robust PKI systems in space.

The talk also addressed the limitations of existing solutions for securing space assets, like traditional PKI models, which are unsuitable due to sporadic connectivity, dynamic topology, and restricted power and storage. Challenges surrounding user localization were stressed, as there is a real risk of privacy violations in situations where authoritarian regimes or military conflicts limit terrestrial communication, as seen in Ukraine. Existing privacy measures like encryption or Tor are insufficient against metadata correlation, necessitating custom protocols to maintain user privacy. Lastly, the speaker suggested the potential of overlay networks for satellite internet and discussed the implications of physical security, compromised nodes, and the need for optimized fake traffic to enhance user location privacy in space systems.

The presentation discussed the intersection of 5G terrestrial networks and space networks, exploring security challenges and potential defenses for these large-scale systems. It began by reviewing the evolution and complexities of cellular network security, highlighting vulnerabilities across different generations and attack surfaces like user equipment, network infrastructure, and configurations. Despite advancements, many 5G systems still lack complete security due to the complexity and optional implementation of certain security measures. The discussion then shifted to space networks, detailing the various segments (launch, ground, space, user, link) and their susceptibility to attacks, including fake location information, communication jamming, and message manipulation. Space systems often lack robust security mechanisms, as they are typically deployed for decades with limited updates.

The core of the talk addressed the convergence of space networks (NTN) with 5G/6G terrestrial networks (NR), enabling expanded coverage and connectivity for IoT devices in areas without terrestrial network access. However, this integration poses several challenges, particularly regarding how to extend the security guarantees of terrestrial networks to space-based systems. Key challenges include the relatively weaker security of NTN compared to NR, the impact of NTN-NR integration on attack surfaces, and the need to understand potential attackers in both domains. The speaker also highlighted opportunities to leverage the unique physical properties of space, such as orbital movements and signal propagation characteristics, to create secure systems through physically-backed security measures.

In an era where the Internet of Things (IoT) continues to proliferate across various industries, the scalability of security measures has become a paramount concern. This seminar session focused on the complex interplay between security, usability, and user trust in the rapidly evolving IoT landscape. The main goal is to inspire actionable strategies that address multifaceted challenges of securing large IoT deployments, while addressing privacy and usability concerns.

The presentation introduced a framework called zPROBE, aimed at enhancing both privacy and robustness in FL for IoT networks. Federated Learning is a machine learning approach that trains a central model using data distributed across many IoT nodes, which often contain private information. The challenge addressed is protection of this data from privacy risks (such as model inversion attacks) and ensuring robustness against malicious clients who may try to degrade model performance. Traditional privacy measures, such as differential privacy and Secure Multi-Party Computation we discussed as well as their limitations in terms of utility and efficiency.

The zPROBE approach was proposed as a solution, leveraging Zero-Knowledge Proofs (ZKPs) and rank-based statistics to securely aggregate data and maintain robustness in the presence of adversarial threats. The system uses a semi-honest server that clusters clients randomly while each client provides a ZKP to ensure privacy during data aggregation. This approach enables the identification and mitigation of outlier attacks, such as Byzantine attacks, which malicious clients may use to disrupt the model. Results show that rank-based statistics help maintain robustness better than existing methods, keeping overhead low and the system scalable. The conclusion emphasizes the ongoing challenge of designing efficient cryptographic methods that enhance privacy without compromising the utility and scalability of IoT Federated Learning.

The presentation addresses the challenges of maintaining IoT device communication during internet shutdowns, a scenario that often correlates with political unrest. When governments impose internet blackouts, censorship-resistant methods relying on traffic modification, such as disguising sensitive data as mundane videos, become ineffective since there is no connectivity to exploit. The proposed solution involves leveraging mobile ad-hoc communication, allowing local peer-to-peer connections even when internet access is severed. This approach aims to keep individuals connected to others in proximity and potentially those outside of the immediate range, despite adversarial efforts by authorities to control or surveil these networks.

The situation is complex, as mobile ad-hoc networks must contend with issues like scalability, intermittent device disconnection, and adversarial conditions where authorities partially restrict communication, especially for protest coordination. Techniques like ring signatures are being explored to enhance anonymity and resist flooding attacks, although these aren’t applicable to all devices. Scaling communication to larger areas poses additional challenges, and while satellite communication could be an alternative, it may not be entirely secure or accessible for widespread use. The speaker underlines that even with limited connectivity, every small effort contributes to enabling communication in a highly restricted environment.

This talk explores the current role of cloud services in IoT systems, focusing on their security and privacy challenges. It begins by examining typical cloud functions in IoT: remote control of devices, interoperability, software updates, and analytics. While these services provide significant functionality, they also create substantial vulnerabilities. For example, remote control mechanisms can be compromised, providing attackers with access to all connected devices. Similarly, integrators – cloud hubs that link multiple IoT products – are prime targets due to the elevated privileges they hold, making security breaches particularly severe. Privacy concerns also arise, as cloud services can see all device data and patterns, often beyond what’s necessary for functionality.

The talk proposes a shift towards minimizing trust in cloud services by applying the principle of least privilege, aiming for a design that can handle cloud security failures gracefully. A case study on trigger-action platforms exemplifies the concept, demonstrating how small cloud-hosted scripts could operate with far fewer data than they currently access. The speaker emphasizes rethinking how we construct IoT services to ensure that cloud privileges are strictly limited, asking critical questions about which functionalities are essential and how they can be delivered securely with minimal cloud access.

The presentation (with music) focuses on managing secure IoT networks, highlighting the expanding IoT landscape, which consists of a vast and diverse ecosystem of interconnected devices. Despite numerous security threats, the persistence of IoT devices necessitates proactive integration and automation approaches. The speaker emphasizes the need for practical solutions, particularly in integrating security measures into an expanding network of diverse devices. The presentation highlights a rising trend in cyberattacks and emphasizes the importance of measuring security consistently. This involves developing a “key security indicator” to understand security risks across various devices, such as audio sensors and active triggers.

In terms of network management, the importance of visibility, control, and automation is stressed, with a common saying: “You can’t protect what you cannot see.” Full understanding of network activity, along with a balance between centralized and decentralized control, is crucial for responding to threats effectively. Scalable security strategies include leveraging edge computing and employing holistic, collaborative approaches to ensure comprehensive IoT security. The concluding note underlines the importance of scalable network management, comprehensive security, and collaborative efforts to secure the future of IoT environments.

Small and medium-sized businesses (SMBs) face significant challenges when building secure IoT devices, particularly in key areas such as secure provisioning, deployment, and maintaining security throughout the device lifecycle. Typically, SMBs produce devices like kitchen utilities, lights, and robots, often in quantities of 10,000 to 50,000 units per year, with small development teams and limited security expertise. Regulatory requirements, intellectual property protection, and maintaining device reliability drive the need for security, but SMBs often struggle to implement proper key management and secure boot processes due to limited resources and knowledge. Existing frameworks like IANA or industry standards for secure CI/CD pipelines are often either too complex or impractical for smaller businesses to adopt, leading to difficulties in securely managing keys and provisioning devices.

Most SMBs lack dedicated security professionals, relying instead on developers who are not well-versed in security procedures, leading to potential vulnerabilities such as improper key storage and a lack of recovery mechanisms for lost or stolen keys. Current solutions for secure device provisioning and deployment, such as AWS IoT or Azure, are often targeted at larger customers, leaving SMBs to attempt DIY approaches like threshold signatures. Despite the existence of several standards and frameworks (e.g., TUF, SLSA, in-toto), these are often too complex or academic for SMBs to use practically. There is a need for simplified and specialized procedures tailored to the requirements of smaller IoT deployments, allowing these companies to effectively secure their devices while managing resources efficiently.

The presentation addresses the challenges of scaling security services in IoT networks, particularly in the context of a rapidly expanding “Internet of Everything” that will soon involve trillions of connected devices. Current security architectures, which rely heavily on centralized client-server models and trusted third parties, are inadequate for such a large-scale and decentralized system. The speaker emphasizes the difficulties inherent in using publish-subscribe (pub/sub) communication models, which are increasingly relevant in IoT networks. Security issues include handling malicious subscribers, compromised publishers, and untrusted brokers. Establishing end-to-end encryption is complex due to scalability challenges, the limited resources of IoT devices, the need for group/broadcast encryption, and the absence of trusted key management entities. Additionally, dynamic membership in groups complicates key revocation, and timely delivery of security updates through potentially untrusted brokers remains a significant hurdle.

Further complications arise when addressing compromised devices within the network. Attestation is critical for identifying compromised endpoints, but the network’s heterogeneity means that multiple attestation methods must coexist, each providing different security guarantees. The presentation also discusses the challenge of enabling on-demand attestation and securing attestation information against replay attacks, which is further complicated by time synchronization issues. Finally, the speaker outlines the role of projects like Simpl, which aim to address some of these challenges by managing key information, facilitating attestation, and identifying compromised devices. However, there remain open issues, particularly concerning the scalability of security solutions and the integration of heterogeneous security measures across diverse devices and communication models.

The presentation discusses the challenges and solutions for scaling credential management in large-scale IoT environments, particularly focusing on vehicular communication systems. It emphasizes the need to manage multiple ephemeral pseudonyms for vehicles, ensuring both security and privacy requirements. The speaker highlights the complexities of designing and evaluating a Public-Key Infrastructure (PKI) suitable for vehicular applications (VPKI), addressing the management of short-lived credentials, the diverse types of entities involved, and the constraints of large-scale deployment. The system faces challenges such as handling malicious users, scalability, and balancing security, privacy, and efficiency requirements under different operational loads.

A cloud-based, scalable VPKI service is proposed for efficient credential management, enabling quick provisioning of pseudonyms and dynamic handling of credential loads. Additional topics include vehicle-centric revocation strategies and the use of specialized cryptographic methods to enhance privacy through mechanisms like mix zones and decoy traffic. The discussion highlights the importance of scalability, cost efficiency, and privacy preservation in managing credential operations in dynamic vehicular networks, ultimately aiming for a secure and privacy-respecting system capable of global deployment.

Presentations were followed by a discussion on the following topics:

The final session serves as a comprehensive wrap-up, summarizing key topics covered during the whole seminar. It also introduces potential research directions to continue the exploration and address unresolved issues. This session emphasizes the insights gained from discussions, identifying critical gaps, and calls for fostering collaborative research in the field.

• $\mathrm{■}$

  Emphasis on Privacy and Security Challenges in IoT. In IoT environments, privacy and security challenges are pervasive, but often there is an important gap between theoretical frameworks and practical implementation challenges. The discussions highlight the complexity of creating robust security measures that address diverse threats, especially when real-world constraints make certain theoretical solutions difficult to deploy effectively.

• $\mathrm{■}$

  Hardware versus Software Trade-offs, with a Focus on TEEs. Exploring the trade-offs between hardware and software solutions, particularly in the context of Trusted Execution Environments (TEEs), highlights their advantages and limitations. While TEEs provide a secure enclave for sensitive computations, limitations such as scalability, interoperability, and vulnerability to certain physical attacks remain open research challenges.

• $\mathrm{■}$

  The Role of Secure Hardware in IoT Security Secure hardware plays a crucial role in enhancing IoT security, especially in environments where devices operate autonomously, such as satellites and self-driving vehicles. The discussions delved into the unique security challenges in these contexts, where unattended operation makes conventional security measures ineffective.

• $\mathrm{■}$

  Critique on the Absence of Formal Methods and Usable Security Discussions Participants reflect on the general lack of assurance in existing IoT solutions and the potential benefits formal methods could bring, such as more rigorously designed security solutions. This critique also covers usable security, emphasizing the importance of designing security solutions that end-users can effectively utilize without unnecessary complexity.

• $\mathrm{■}$

  Sensitivity and Societal Awareness of Self-Driving Car Threats The discussions addressed how societal awareness around the security threats to self-driving technology remains limited. By raising sensitivity to these issues, the seminar aimed to highlight the implications of security breaches in self-driving cars, especially as these vehicles become integral to public transportation and logistics.

• $\mathrm{■}$

  Scalability Challenges in Securing Large IoT Deployments As IoT systems expand, so do the challenges of securing these vast networks. The discussions explored the complexities of provisioning, key management, and device authentication in distributed systems. Addressing these challenges is essential for the scalable deployment of secure IoT solutions that can withstand high levels of connectivity and data exchange.

• $\mathrm{■}$

  Balancing Mission-Criticality, Safety, and Security in IoT Design The need to balance mission-critical functions, safety requirements, and security measures, especially in cloud-based IoT services emerged in the discussions as well as the need to foster further collaborations between the two research communities of dependability and cybersecurity.

• $\mathrm{■}$

  Need for Common and Publicly Accessible IoT Testbeds The seminar highlighted how policy priorities and funding allocations shape IoT security research and development. Calls for large-scale testbeds and collaboration between private and public sectors highlight the importance of policy and financial support for advancing IoT security solutions.

• $\mathrm{■}$

  Broader Discussion on Threat Models and Attacker Motivations It’s important to distinguish between pure physical attacks, for example, placing a cone on a self-driving car to disrupt its operation, from digital ones that are the ones on which the community should focus on. This segment emphasizes the need for a comprehensive analysis of threat models that consider diverse attacker motivations, from denial-of-service (DoS) attacks to irrational and economically motivated threats. Understanding these motivations aids in designing more nuanced and resilient IoT security frameworks.

• $\mathrm{■}$

  Advocacy for Resilient System Designs and Sensor Fusion Logic Participants advocate for designing IoT systems with enhanced resilience to counter vulnerabilities. Integrating sensor fusion logic, which combines data from multiple sources, can improve system accuracy and reduce susceptibility to individual sensor failures or attacks. The seminar concludes with calls for ongoing collaboration, inviting participants to contribute to future projects and discussions. It encourages follow-up meetings to foster a continued exchange of ideas and support for evolving research initiatives.

The consensus among participants is that the IoT landscape will undergo significant transformation in the coming years, driven by the rapid digitalization of industrial and commercial sectors. This digital shift will likely lead to exponential growth in the deployment of IoT technologies, accompanied by the development of new generations of devices, more powerful, intelligent, and pervasive. As IoT devices increasingly replace human roles in critical safety applications, they will bring forth new security challenges. Addressing these challenges will require incorporating non-technical dimensions such as usability, inclusivity, and accessibility, which are essential to ensuring that IoT technologies serve all users effectively and safely.

As IoT-related attacks and incidents inevitably increase, ethical and social considerations will become increasingly central to the IoT research agenda. Participants noted that traditional security frameworks, previously used for IT ecosystems such as the web, may not provide adequate protection in safety-critical IoT systems, where failures could lead to loss of life. Therefore, new proactive and preventative security paradigms will be necessary to address the specific risks associated with IoT in these high-stakes environments.

Looking forward, participants identified emerging trends in IoT security, including a tighter integration of human and cyber systems. This integration raises unique ethical and security concerns, particularly as bionic enhancements and other human-cyber hybrids become more commonplace. These advancements suggest a future where the line between human and machine is increasingly blurred, presenting new dimensions of security and privacy challenges that must be addressed.

In light of these factors, participants agreed on the need for more frequent and collaborative forums like this seminar. Such gatherings will be crucial for the IoT community to assess and discuss the evolving security and privacy landscape, establishing priorities and refining approaches to meet the complex demands of future IoT systems.