Title: IoT Security
Loaction: Room 3999
Time: Each Wednesday, 14:15 -16:00 (lecture) and Thursday, 09:45 - 11:15 (tutorial)
Language: Lecture and tutorial in English language.
Attending lectures: Mandatory
Credits: 5 ECTS credits
Duration: 4 SWS lecture
Upon successful completion of the module, the student should be able to: (1) Explain the basic concepts of IoT (computer) security and the most common threats that threaten modern IoT systems. (2) Plan and execute pen testing for IoT systems. (3) Choose, design, and implement some protection techniques to secure IoT systems
This course focuses on the security aspects within the IoT protocol stack (i.e., data, application, and network). The course starts by looking at the IoT stack and discussing the most common IoT applications and some recent attacks against those applications. The course discusses some of the famous crypto algorithms applied to secure the (exchanged) data. Students shall implement some of these algorithms and try some techniques to break them (if possible). The course also introduces some of the authentication protocols that shall be adopted to solve some security issues in modern IoT applications. Students must implement these protocols and, later, try to break them. Attacks such as DoS and MITM are discussed in detail during the course. The students need to perform such attacks using existing tools (e.g., using Kali Linux tools) or writing their own tools. The course investigates the SSL protocol as an excellent example of securing IoT communication. Students need to integrate this protocol to ensure secure communication between smart devices. Finally, the course discusses some of the IoT software vulnerabilities and attacks which exploit these security weaknesses and how to harden the system.
Must: good programming skills (Python, C).
Preferable: basic knowledge of computer networking and cryptography.
Description of achievement and assessment methods
The intended learning outcomes are assessed in a written exam at the end of the semester (60% of the final grade). Additionally, two assignments (in the form of Capture The Flag (CTF) competitions) are evaluated and contribute 20% each to the final grade. For each CTF, the teams' members need to collect flags to gain points. Each challenge will reveal a flag once it was solved that the students can submit to prove their successful work and gain the predefined points for that challenge. The team that will collect the highest number of points during the limited time of the CTF will gain the competition. The duration of every CTF will be two weeks. The goal of the CTF is to assess the capability of the student to perfom cyber secrurity attacks practically. Such knowldge will not be possible to be assessed via the written exam. On the other hand, the writen exam (90 minutes) will focus on the theoritical part of the security attacks and vulnerabilities.
Assessment criteria are:
- Ability to explain the basic security terms and attacks against the different layers of the IoT stack.
- Ability to perform basic penetration testing of IoT applications and protocols.
- Ability to define and implement some of the security mitigation mechanisms against various attacks.
We will not have ordinary homework or assignments in this course; instead, the students will form teams and play two locally hosted Capture The Flag (CTF) competitions. The first CTF is mainly about cryptography challenges while the second one is about attacking IoT devices. For each CTF, the teams' members need to collect flags to gain points. The students need to apply their gained knowledge to solve different challenges. Each challenge will reveal a flag once it was solved that the students can submit to prove their successful work and gain the predefined points for that challenge. The team that will collect the highest number of points during the limited time of the CTF will gain the competition.