
RFC 8576

Internet of Things (IoT) Security: State of the Art and Challenges

Pages: 50
Informational
Part 3 of 3 – Pages 36 to 50

6. Conclusions and Next Steps

This document provides IoT security researchers, system designers, and implementers with an overview of security requirements in the IP-based Internet of Things. We discuss the security threats, the state of the art, and the open challenges. Although many steps have been taken during the last few years (summarized in Section 4.1) and many organizations are publishing general recommendations on how IoT should be secured (Section 4.3), many challenges ahead require further attention. Challenges of particular importance are bootstrapping of security, group security, secure software updates, long-term security and quantum resistance, privacy protection, data leakage prevention (where the data could be cryptographic keys, personal data, or even algorithms), and ensuring trustworthy IoT operation. Authors of new IoT specifications and implementers need to consider how all the security challenges discussed in this document (and those that emerge later) affect their work. Specification authors need to put in a real effort not only towards addressing the security challenges but also towards clearly documenting how those challenges are addressed. This would reduce the chances of security vulnerabilities in the code written by implementers of those specifications.

7. Security Considerations

This entire memo deals with security issues.

8. IANA Considerations

This document has no IANA actions.

9. Informative References

   [ACE-DTLS] Gerdes, S., Bergmann, O., Bormann, C., Selander, G., and
              L. Seitz, "Datagram Transport Layer Security (DTLS)
              Profile for Authentication and Authorization for
              Constrained Environments (ACE)", Work in Progress,
              draft-ietf-ace-dtls-authorize-08, April 2019.

   [ACE-OAuth]
              Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
              H. Tschofenig, "Authentication and Authorization for
              Constrained Environments (ACE) using the OAuth 2.0
              Framework (ACE-OAuth)", Work in Progress,
              draft-ietf-ace-oauth-authz-24, March 2019.

   [ARCH-6TiSCH]
              Thubert, P., "An Architecture for IPv6 over the TSCH mode
              of IEEE 802.15.4", Work in Progress,
              draft-ietf-6tisch-architecture-20, March 2019.

   [Article29]
              Article 29 Data Protection Working Party, "Opinion 8/2014
              on the Recent Developments on the Internet of Things",
              WP 223, September 2014,
              <https://ec.europa.eu/justice/article-29/documentation/
              opinion-recommendation/files/2014/wp223_en.pdf>.

   [AUTO-ID]  "Auto-ID Labs", September 2010,
              <https://www.autoidlabs.org/>.

   [BACNET]   American Society of Heating, Refrigerating and
              Air-Conditioning Engineers (ASHRAE), "BACnet", February
              2011, <http://www.bacnet.org>.

   [BITAG]    Broadband Internet Technical Advisory Group, "Internet of
              Things (IoT) Security and Privacy Recommendations",
              November 2016, <https://www.bitag.org/report-internet-of-
              things-security-privacy-recommendations.php>.

   [BOOTSTRAP]
              Sarikaya, B., Sethi, M., and D. Garcia-Carillo, "Secure
              IoT Bootstrapping: A Survey", Work in Progress,
              draft-sarikaya-t2trg-sbootstrapping-06, January 2019.

   [C2PQ]     Hoffman, P., "The Transition from Classical to
              Post-Quantum Cryptography", Work in Progress,
              draft-hoffman-c2pq-04, August 2018.
   [cctv]     "Backdoor In MVPower DVR Firmware Sends CCTV Stills To an
              Email Address In China", February 2016,
              <https://hardware.slashdot.org/story/16/02/17/0422259/
              backdoor-in-mvpower-dvr-firmware-sends-cctv-stills-to-an-
              email-address-in-china>.

   [ChaCha]   Bernstein, D., "ChaCha, a variant of Salsa20", January
              2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>.

   [CSA]      Cloud Security Alliance Mobile Working Group, "Security
              Guidance for Early Adopters of the Internet of Things
              (IoT)", April 2015,
              <https://downloads.cloudsecurityalliance.org/whitepapers/S
              ecurity_Guidance_for_Early_Adopters_of_the_Internet_of_Thi
              ngs.pdf>.

   [DALI]     DALIbyDesign, "DALI Explained", February 2011,
              <http://www.dalibydesign.us/dali.html>.

   [Daniel]   Park, S., Kim, K., Haddad, W., Chakrabarti, S., and J.
              Laganier, "IPv6 over Low Power WPAN Security Analysis",
              Work in Progress, draft-daniel-6lowpan-security-analysis-
              05, March 2011.

   [DCMS]     UK Department for Digital Culture, Media & Sport, "Secure
              by Design: Improving the cyber security of consumer
              Internet of Things Report", March 2018,
              <https://www.gov.uk/government/publications/
              secure-by-design-report>.

   [DHS]      U.S. Department of Homeland Security, "Strategic
              Principles For Securing the Internet of Things (IoT)",
              November 2016,
              <https://www.dhs.gov/sites/default/files/publications/
              Strategic_Principles_for_Securing_the_Internet_of_Things-
              2016-1115-FINAL....pdf>.

   [Diet-ESP] Migault, D., Guggemos, T., Bormann, C., and D. Schinazi,
              "ESP Header Compression and Diet-ESP", Work in Progress,
              draft-mglt-ipsecme-diet-esp-07, March 2019.

   [Dyn-Attack]
              Oracle Dyn, "Dyn Analysis Summary Of Friday October 21
              Attack", October 2016, <https://dyn.com/blog/
              dyn-analysis-summary-of-friday-october-21-attack/>.
   [ecc25519] Bernstein, D., "Curve25519: new Diffie-Hellman speed
              records", February 2006,
              <https://cr.yp.to/ecdh/curve25519-20060209.pdf>.

   [ECSO]     "European Cyber Security Organisation",
              <https://www.ecs-org.eu/>.

   [ENISA-ICS]
              European Union Agency for Network and Information
              Security, "Communication network dependencies for ICS/
              SCADA Systems", February 2017,
              <https://www.enisa.europa.eu/publications/
              ics-scada-dependencies>.

   [ETSI-GR-QSC-001]
              European Telecommunications Standards Institute (ETSI),
              "Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic
              framework", ETSI GR QSC 001, July 2016,
              <https://www.etsi.org/deliver/etsi_gr/
              QSC/001_099/001/01.01.01_60/gr_qsc001v010101p.pdf>.

   [Fairhair] "The Fairhair Alliance",
              <https://www.fairhair-alliance.org/>.

   [FCC]      US Federal Communications Commission, Chairman Tom Wheeler
              to Senator Mark Warner, December 2016,
              <https://docs.fcc.gov/public/attachments/
              DOC-342761A1.pdf>.

   [FTCreport]
              US Federal Trade Commission, "FTC Report on Internet of
              Things Urges Companies to Adopt Best Practices to Address
              Consumer Privacy and Security Risks", January 2015,
              <https://www.ftc.gov/news-events/press-releases/2015/01/
              ftc-report-internet-things-urges-companies-adopt-best-
              practices>.

   [GDPR]     "The EU General Data Protection Regulation",
              <https://www.eugdpr.org>.

   [GSMAsecurity]
              "GSMA IoT Security Guidelines and Assessment",
              <http://www.gsma.com/connectedliving/future-iot-networks/
              iot-security-guidelines>.

   [HIP-DEX]  Moskowitz, R. and R. Hummen, "HIP Diet EXchange (DEX)",
              Work in Progress, draft-ietf-hip-dex-06, December 2017.
   [IEEE802ah]
              IEEE, "Status of Project IEEE 802.11ah", IEEE P802.11 -
              Task Group AH - Meeting Update,
              <http://www.ieee802.org/11/Reports/tgah_update.htm>.

   [IIoT]     "Industrial Internet Consortium",
              <http://www.iiconsortium.org>.

   [IoTSecFoundation]
              Internet of Things Security Foundation, "Establishing
              Principles for Internet of Things Security",
              <https://iotsecurityfoundation.org/establishing-
              principles-for-internet-of-things-security>.

   [IPv6-over-NFC]
              Choi, Y., Hong, Y., Youn, J., Kim, D., and J. Choi,
              "Transmission of IPv6 Packets over Near Field
              Communication", Work in Progress, draft-ietf-6lo-nfc-13,
              February 2019.

   [ISOC-OTA] Internet Society, "Online Trust Alliance (OTA)",
              <https://www.internetsociety.org/ota/>.

   [LoRa]     "LoRa Alliance", <https://www.lora-alliance.org/>.

   [LWM2M]    OMA SpecWorks, "Lightweight M2M (LWM2M)",
              <http://openmobilealliance.org/iot/lightweight-m2m-lwm2m>.

   [Mirai]    Kolias, C., Kambourakis, G., Stavrou, A., and J. Voas,
              "DDoS in the IoT: Mirai and Other Botnets", Computer,
              Vol. 50, Issue 7, DOI 10.1109/MC.2017.201, July 2017,
              <https://ieeexplore.ieee.org/document/7971869>.

   [Moore]    Moore, K., Barnes, R., and H. Tschofenig, "Best Current
              Practices for Securing Internet of Things (IoT) Devices",
              Work in Progress, draft-moore-iot-security-bcp-01, July
              2017.

   [MULTICAST]
              Tiloca, M., Selander, G., Palombini, F., and J. Park,
              "Group OSCORE - Secure Group Communication for CoAP", Work
              in Progress, draft-ietf-core-oscore-groupcomm-04, March
              2019.

   [NB-IoT]   Qualcomm Incorporated, "New Work Item: NarrowBand IOT (NB-
              IOT)", September 2015,
              <http://www.3gpp.org/ftp/tsg_ran/TSG_RAN/TSGR_69/Docs/
              RP-151621.zip>.
   [NHTSA]    National Highway Traffic Safety Administration,
              "Cybersecurity Best Practices for Modern Vehicles", Report
              No. DOT HS 812 333, October 2016,
              <https://www.nhtsa.gov/staticfiles/nvs/
              pdf/812333_CybersecurityForModernVehicles.pdf>.

   [NIST-Guide]
              Ross, R., McEvilley, M., and J. Oren, "Systems Security
              Engineering: Considerations for a Multidisciplinary
              Approach in the Engineering of Trustworthy Secure
              Systems", NIST Special Publication 800-160,
              DOI 10.6028/NIST.SP.800-160, November 2016,
              <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-160.pdf>.

   [NIST-LW-2016]
              Sonmez Turan, M., "NIST's Lightweight Crypto Project",
              October 2016, <https://www.nist.gov/sites/default/files/
              documents/2016/10/17/
              sonmez-turan-presentation-lwc2016.pdf>.

   [NIST-LW-PROJECT]
              NIST, "Lightweight Cryptography", <https://www.nist.gov/
              programs-projects/lightweight-cryptography>.

   [NISTSP800-122]
              McCallister, E., Grance, T., and K. Scarfone, "Guide to
              Protecting the Confidentiality of Personally Identifiable
              Information (PII)", NIST Special Publication 800-122,
              April 2010, <https://nvlpubs.nist.gov/nistpubs/legacy/sp/
              nistspecialpublication800-122.pdf>.

   [NISTSP800-30r1]
              National Institute of Standards and Technology, "Guide for
              Conducting Risk Assessments", NIST Special
              Publication 800-30 Revision 1, September 2012,
              <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
              nistspecialpublication800-30r1.pdf>.

   [NISTSP800-34r1]
              Swanson, M., Bowen, P., Phillips, A., Gallup, D., and D.
              Lynes, "Contingency Planning Guide for Federal Information
              Systems", NIST Special Publication 800-34 Revision 1, May
              2010, <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
              nistspecialpublication800-34r1.pdf>.

   [OCF]      "Open Connectivity Foundation",
              <https://openconnectivity.org/>.
   [OMASpecWorks]
              "OMA SpecWorks",
              <https://www.omaspecworks.org/ipso-alliance>.

   [OneM2M]   "OneM2M", <http://www.onem2m.org>.

   [OSCORE]   Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", Work in Progress, draft-ietf-core-object-
              security-16, March 2019.

   [OWASP]    The OWASP Foundation, "IoT Security Guidance", February
              2017,
              <https://www.owasp.org/index.php/IoT_Security_Guidance>.

   [RD]       Shelby, Z., Koster, M., Bormann, C., Stok, P., and C.
              Amsuess, Ed., "CoRE Resource Directory", Work in
              Progress, draft-ietf-core-resource-directory-20, March
              2019.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818,
              DOI 10.17487/RFC2818, May 2000,
              <https://www.rfc-editor.org/info/rfc2818>.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, Ed., "Extensible Authentication Protocol
              (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
              <https://www.rfc-editor.org/info/rfc3748>.

   [RFC3756]  Nikander, P., Ed., Kempf, J., and E. Nordmark, "IPv6
              Neighbor Discovery (ND) Trust Models and Threats",
              RFC 3756, DOI 10.17487/RFC3756, May 2004,
              <https://www.rfc-editor.org/info/rfc3756>.

   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
              Name System (DNS)", RFC 3833, DOI 10.17487/RFC3833, August
              2004, <https://www.rfc-editor.org/info/rfc3833>.

   [RFC4016]  Parthasarathy, M., "Protocol for Carrying Authentication
              and Network Access (PANA) Threat Analysis and Security
              Requirements", RFC 4016, DOI 10.17487/RFC4016, March 2005,
              <https://www.rfc-editor.org/info/rfc4016>.

   [RFC4108]  Housley, R., "Using Cryptographic Message Syntax (CMS) to
              Protect Firmware Packages", RFC 4108,
              DOI 10.17487/RFC4108, August 2005,
              <https://www.rfc-editor.org/info/rfc4108>.
   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              DOI 10.17487/RFC4120, July 2005,
              <https://www.rfc-editor.org/info/rfc4120>.

   [RFC4422]  Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
              Authentication and Security Layer (SASL)", RFC 4422,
              DOI 10.17487/RFC4422, June 2006,
              <https://www.rfc-editor.org/info/rfc4422>.

   [RFC4555]  Eronen, P., "IKEv2 Mobility and Multihoming Protocol
              (MOBIKE)", RFC 4555, DOI 10.17487/RFC4555, June 2006,
              <https://www.rfc-editor.org/info/rfc4555>.

   [RFC4621]  Kivinen, T. and H. Tschofenig, "Design of the IKEv2
              Mobility and Multihoming (MOBIKE) Protocol", RFC 4621,
              DOI 10.17487/RFC4621, August 2006,
              <https://www.rfc-editor.org/info/rfc4621>.

   [RFC4738]  Ignjatic, D., Dondeti, L., Audet, F., and P. Lin, "MIKEY-
              RSA-R: An Additional Mode of Key Distribution in
              Multimedia Internet KEYing (MIKEY)", RFC 4738,
              DOI 10.17487/RFC4738, November 2006,
              <https://www.rfc-editor.org/info/rfc4738>.

   [RFC4919]  Kushalnagar, N., Montenegro, G., and C. Schumacher, "IPv6
              over Low-Power Wireless Personal Area Networks (6LoWPANs):
              Overview, Assumptions, Problem Statement, and Goals",
              RFC 4919, DOI 10.17487/RFC4919, August 2007,
              <https://www.rfc-editor.org/info/rfc4919>.

   [RFC4944]  Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
              "Transmission of IPv6 Packets over IEEE 802.15.4
              Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007,
              <https://www.rfc-editor.org/info/rfc4944>.

   [RFC5191]  Forsberg, D., Ohba, Y., Ed., Patil, B., Tschofenig, H.,
              and A. Yegin, "Protocol for Carrying Authentication for
              Network Access (PANA)", RFC 5191, DOI 10.17487/RFC5191,
              May 2008, <https://www.rfc-editor.org/info/rfc5191>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <https://www.rfc-editor.org/info/rfc5652>.
   [RFC5713]  Moustafa, H., Tschofenig, H., and S. De Cnodder, "Security
              Threats and Security Requirements for the Access Node
              Control Protocol (ANCP)", RFC 5713, DOI 10.17487/RFC5713,
              January 2010, <https://www.rfc-editor.org/info/rfc5713>.

   [RFC5903]  Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a
              Prime (ECP Groups) for IKE and IKEv2", RFC 5903,
              DOI 10.17487/RFC5903, June 2010,
              <https://www.rfc-editor.org/info/rfc5903>.

   [RFC6024]  Reddy, R. and C. Wallace, "Trust Anchor Management
              Requirements", RFC 6024, DOI 10.17487/RFC6024, October
              2010, <https://www.rfc-editor.org/info/rfc6024>.

   [RFC6272]  Baker, F. and D. Meyer, "Internet Protocols for the Smart
              Grid", RFC 6272, DOI 10.17487/RFC6272, June 2011,
              <https://www.rfc-editor.org/info/rfc6272>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC6550]  Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
              Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
              JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
              Low-Power and Lossy Networks", RFC 6550,
              DOI 10.17487/RFC6550, March 2012,
              <https://www.rfc-editor.org/info/rfc6550>.

   [RFC6551]  Vasseur, JP., Ed., Kim, M., Ed., Pister, K., Dejean, N.,
              and D. Barthel, "Routing Metrics Used for Path Calculation
              in Low-Power and Lossy Networks", RFC 6551,
              DOI 10.17487/RFC6551, March 2012,
              <https://www.rfc-editor.org/info/rfc6551>.

   [RFC6568]  Kim, E., Kaspar, D., and JP. Vasseur, "Design and
              Application Spaces for IPv6 over Low-Power Wireless
              Personal Area Networks (6LoWPANs)", RFC 6568,
              DOI 10.17487/RFC6568, April 2012,
              <https://www.rfc-editor.org/info/rfc6568>.

   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
              <https://www.rfc-editor.org/info/rfc6690>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/info/rfc6749>.
   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <https://www.rfc-editor.org/info/rfc6973>.

   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
              October 2013, <https://www.rfc-editor.org/info/rfc7049>.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228,
              DOI 10.17487/RFC7228, May 2014,
              <https://www.rfc-editor.org/info/rfc7228>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014,
              <https://www.rfc-editor.org/info/rfc7252>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/info/rfc7296>.

   [RFC7401]  Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
              Henderson, "Host Identity Protocol Version 2 (HIPv2)",
              RFC 7401, DOI 10.17487/RFC7401, April 2015,
              <https://www.rfc-editor.org/info/rfc7401>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <https://www.rfc-editor.org/info/rfc7515>.

   [RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              RFC 7516, DOI 10.17487/RFC7516, May 2015,
              <https://www.rfc-editor.org/info/rfc7516>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <https://www.rfc-editor.org/info/rfc7517>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.
   [RFC7520]  Miller, M., "Examples of Protecting Content Using JSON
              Object Signing and Encryption (JOSE)", RFC 7520,
              DOI 10.17487/RFC7520, May 2015,
              <https://www.rfc-editor.org/info/rfc7520>.

   [RFC7668]  Nieminen, J., Savolainen, T., Isomaki, M., Patil, B.,
              Shelby, Z., and C. Gomez, "IPv6 over BLUETOOTH(R) Low
              Energy", RFC 7668, DOI 10.17487/RFC7668, October 2015,
              <https://www.rfc-editor.org/info/rfc7668>.

   [RFC7696]  Housley, R., "Guidelines for Cryptographic Algorithm
              Agility and Selecting Mandatory-to-Implement Algorithms",
              BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015,
              <https://www.rfc-editor.org/info/rfc7696>.

   [RFC7744]  Seitz, L., Ed., Gerdes, S., Ed., Selander, G., Mani, M.,
              and S. Kumar, "Use Cases for Authentication and
              Authorization in Constrained Environments", RFC 7744,
              DOI 10.17487/RFC7744, January 2016,
              <https://www.rfc-editor.org/info/rfc7744>.

   [RFC7815]  Kivinen, T., "Minimal Internet Key Exchange Version 2
              (IKEv2) Initiator Implementation", RFC 7815,
              DOI 10.17487/RFC7815, March 2016,
              <https://www.rfc-editor.org/info/rfc7815>.

   [RFC7925]  Tschofenig, H., Ed. and T. Fossati, "Transport Layer
              Security (TLS) / Datagram Transport Layer Security (DTLS)
              Profiles for the Internet of Things", RFC 7925,
              DOI 10.17487/RFC7925, July 2016,
              <https://www.rfc-editor.org/info/rfc7925>.

   [RFC8046]  Henderson, T., Ed., Vogt, C., and J. Arkko, "Host Mobility
              with the Host Identity Protocol", RFC 8046,
              DOI 10.17487/RFC8046, February 2017,
              <https://www.rfc-editor.org/info/rfc8046>.

   [RFC8105]  Mariager, P., Petersen, J., Ed., Shelby, Z., Van de Logt,
              M., and D. Barthel, "Transmission of IPv6 Packets over
              Digital Enhanced Cordless Telecommunications (DECT) Ultra
              Low Energy (ULE)", RFC 8105, DOI 10.17487/RFC8105, May
              2017, <https://www.rfc-editor.org/info/rfc8105>.

   [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
              RFC 8152, DOI 10.17487/RFC8152, July 2017,
              <https://www.rfc-editor.org/info/rfc8152>.
   [RFC8240]  Tschofenig, H. and S. Farrell, "Report from the Internet
              of Things Software Update (IoTSU) Workshop 2016",
              RFC 8240, DOI 10.17487/RFC8240, September 2017,
              <https://www.rfc-editor.org/info/rfc8240>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [RFC8376]  Farrell, S., Ed., "Low-Power Wide Area Network (LPWAN)
              Overview", RFC 8376, DOI 10.17487/RFC8376, May 2018,
              <https://www.rfc-editor.org/info/rfc8376>.

   [RFC8387]  Sethi, M., Arkko, J., Keranen, A., and H. Back, "Practical
              Considerations and Implementation Experiences in Securing
              Smart Object Networks", RFC 8387, DOI 10.17487/RFC8387,
              May 2018, <https://www.rfc-editor.org/info/rfc8387>.

   [RFC8428]  Jennings, C., Shelby, Z., Arkko, J., Keranen, A., and C.
              Bormann, "Sensor Measurement Lists (SenML)", RFC 8428,
              DOI 10.17487/RFC8428, August 2018,
              <https://www.rfc-editor.org/info/rfc8428>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019,
              <https://www.rfc-editor.org/info/rfc8520>.

   [RG-T2TRG] IRTF, "Thing-to-Thing Research Group (T2TRG)",
              <https://datatracker.ietf.org/rg/t2trg/charter/>.

   [SchneierSecurity]
              Schneier, B., "The Internet of Things Is Wildly Insecure
              -- And Often Unpatchable", January 2014,
              <https://www.schneier.com/essays/archives/2014/01/
              the_internet_of_thin.html>.

   [SEAL]     Microsoft, "Microsoft SEAL: Fast and Easy-to-Use
              Homomorphic Encryption Library",
              <https://www.microsoft.com/en-us/research/project/
              microsoft-seal/>.

   [shodan]   "Shodan", <https://www.shodan.io>.
   [sigfox]   "Sigfox - The Global Communications Service Provider for
              the Internet of Things (IoT)", <https://www.sigfox.com>.

   [Thread]   "Thread", <http://threadgroup.org>.

   [TR69]     Oppenheim, L. and S. Tal, "Too Many Cooks - Exploiting the
              Internet-of-TR-069-Things", December 2014,
              <https://media.ccc.de/v/31c3_-_6166_-_en_-_saal_6_-
              _201412282145_-_too_many_cooks_-_exploiting_the_internet-
              of-tr-069-things_-_lior_oppenheim_-_shahar_tal>.

   [venona-project]
              National Security Agency | Central Security Service,
              "VENONA", <https://www.nsa.gov/news-features/declassified-
              documents/venona/index.shtml>.

   [WG-6lo]   IETF, "IPv6 over Networks of Resource-constrained Nodes
              (6lo)", <https://datatracker.ietf.org/wg/6lo/charter/>.

   [WG-6LoWPAN]
              IETF, "IPv6 over Low power WPAN (6lowpan)",
              <http://datatracker.ietf.org/wg/6lowpan/charter/>.

   [WG-ACE]   IETF, "Authentication and Authorization for Constrained
              Environments (ace)",
              <https://datatracker.ietf.org/wg/ace/charter/>.

   [WG-ACME]  IETF, "Automated Certificate Management Environment
              (acme)", <https://datatracker.ietf.org/wg/acme/charter/>.

   [WG-CoRE]  IETF, "Constrained RESTful Environment (core)",
              <https://datatracker.ietf.org/wg/core/charter/>.

   [WG-LPWAN] IETF, "IPv6 over Low Power Wide-Area Networks (lpwan)",
              <https://datatracker.ietf.org/wg/lpwan/charter/>.

   [WG-LWIG]  IETF, "Light-Weight Implementation Guidance (lwig)",
              <https://datatracker.ietf.org/wg/lwig/charter/>.

   [WG-MSEC]  IETF, "Multicast Security (msec)",
              <https://datatracker.ietf.org/wg/msec/charter/>.

   [WG-SUIT]  IETF, "Software Updates for Internet of Things (suit)",
              <https://datatracker.ietf.org/wg/suit/charter/>.

   [WG-TEEP]  IETF, "Trusted Execution Environment Provisioning (teep)",
              <https://datatracker.ietf.org/wg/teep/charter/>.
   [Williams] Williams, M. and J. Barrett, "Mobile DTLS", Work in
              Progress, draft-barrett-mobile-dtls-00, March 2009.

   [wink]     Barrett, B., "Wink's Outage Shows Us How Frustrating Smart
              Homes Could Be", Wired, Gear, April 2015,
              <http://www.wired.com/2015/04/smart-home-headaches/>.

   [ZB]       "Zigbee Alliance", <http://www.zigbee.org/>.

   [Ziegeldorf]
              Ziegeldorf, J., Garcia Morchon, O., and K. Wehrle,
              "Privacy in the Internet of Things: Threats and
              Challenges", Security and Communication Networks, Vol. 7,
              Issue 12, pp. 2728-2742, DOI 10.1002/sec.795, 2014.

Acknowledgments

We gratefully acknowledge feedback and fruitful discussion with Tobias Heer, Robert Moskowitz, Thorsten Dahm, Hannes Tschofenig, Carsten Bormann, Barry Raveendran, Ari Keranen, Goran Selander, Fred Baker, Vicent Roca, Thomas Fossati, and Eliot Lear. We acknowledge the additional authors of a draft version of this document: Sye Loong Keoh, Rene Hummen, and Rene Struik.

Authors' Addresses

Oscar Garcia-Morchon
Philips
High Tech Campus 5
Eindhoven, 5656 AE
The Netherlands

Email: oscar.garcia-morchon@philips.com


Sandeep S. Kumar
Signify
High Tech Campus 7
Eindhoven, 5656 AE
The Netherlands

Email: sandeep.kumar@signify.com


Mohit Sethi
Ericsson
Jorvas 02420
Finland

Email: mohit@piuha.net