IoT Security

General Information

Title: IoT Security

Lecturer: Mohammad Hamad, Andreas FinkenzellerSebastian Steinhorst

Loaction:   Room 3999

Time: Each Wednesday, 9:15 -11:00 (lecture)  and Thursday, 13:15 -  14:00 (tutorial)

Language:  Lecture and tutorial in English language.

Credits: 5 ECTS credits

Duration: 3 SWS lecture

 Study Goals

Upon successful completion of the module, the student should be able to: (1) Explain the basic concepts of IoT (computer) security and the most common threats that threaten modern IoT systems. (2) Plan and execute pen testing for IoT systems. (3)  Choose, design, and implement some protection techniques to secure IoT systems


This course focuses on the security aspects within the IoT protocol stack (i.e., data, application, and network). The course starts by looking at the IoT stack and discussing the most common IoT applications and some recent attacks against those applications. The course discusses some of the famous crypto algorithms applied to secure the (exchanged) data. Students shall implement some of these algorithms and try some techniques to break them (if possible). The course also introduces some of the authentication protocols that shall be adopted to solve some security issues in modern IoT applications. Students must implement these protocols and, later, try to break them. Attacks such as DoS and MITM are discussed in detail during the course. The students need to perform such attacks using existing tools (e.g., using Kali Linux tools) or writing their own tools. The course investigates the SSL protocol as an excellent example of securing IoT communication. Students need to integrate this protocol to ensure secure communication between smart devices. Finally, the course discusses some of the IoT software vulnerabilities and attacks which exploit these security weaknesses and how to harden the system.

Requirements (recommended)

Must: good programming skills (Python, C).
Preferable: basic knowledge of computer networking and cryptography.

Description of achievement and assessment methods

Achievement of the intended learning outcomes is assessed in a single written exam at the end of the semester (60% of the final grade). Additionally, 2  assignments in the shap of CTF competitions are given during the semester are evaluated and contribute to 40% of the final grade.  

Assessment criteria are:
- Ability to explain the basic security terms and attacks against the different layers of the IoT stack.
- Ability to perform basic penetration testing of IoT applications and protocols.
- Ability to define and implement some of the security mitigation mechanisms against various attacks.


We will not have ordinary homework or assignments in this course; instead, the students will form teams and play two locally hosted Capture The Flag (CTF) competitions. The first CTF is mainly about cryptography challenges while the second one is about attacking IoT devices. For each CTF, the teams' members need to collect flags to gain points. The students need to apply their gained knowledge to solve different challenges. Each challenge will reveal a flag once it was solved that the students can submit to prove their successful work and gain the predefined points for that challenge. The team that will collect the highest number of points during the limited time of the CTF will gain the competition.



Rank Team Name Member 1 Member 2
1 Honeypot Felix Schultz Michael Prommersberger
2 DaTeem Andrei-Cosmin Aprodu Davide Alessi
3 ChallengeSolver Laura Pichler Franz Behrendt



Rank Team Name Member 1 Member 2
1 Honeypot Felix Schultz Michael Prommersberger
2 Fsociety (Fun Society) Philipp Karg Rami Daouas
3 WhoAreWe? Manuel Krummschmidt  Bendix de Buhr