Workshop on Security and Privacy in Standardized IoT (SDIoTSec) 2026 Program

Policymakers and computer scientists speak different languages. Getting tech policy right requires technologists to learn how to communicate so policymakers can understand the issues and make reasonable judgements. In this keynote, I present lessons learned from twenty-five years of policy work in cybersecurity.

Speaker's Biography: Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.

As Matter adoption and device deployment grow, it is essential to assess alignment with international IoT security frameworks and standards. This interim study evaluates Matter specifications against 18 international frameworks to identify compliance and security gaps. An independent IoT security framework, the Cloud Security Alliance (CSA), was used to provide a taxonomy and grouping of security controls, from which six core security domains were initially selected: (i) device certification, (ii) attack-surface minimization, (iii) secure communications (iv) software update mechanisms, (v) logging/telemetry, and (vi) secure storage. The analysis highlights areas where Matter provides strong guidance and where it is less prescriptive compared to regulations and frameworks such as the Cyber Resilience Act (CRA), NIST, and ETSI. Future work will extend the assessment with ten additional domains, extending the analytical mapping of Matter’s compliance and non-compliance, and providing valuable insights for manufacturers, developers, and regulators.

Matter is a recent interoperability standard that aims to address fragmentation in smart homes by providing a common system for integrating disparate smart-home devices. As Matter adoption grows, it also creates a shared platform on which new smart-home mechanisms can be implemented and evaluated end-to-end across realistic deployments.

However, turning a research idea into a runnable prototype in a Matter-based deployment is tedious. We address this shortcoming by presenting a practical template for implementing custom clusters in the open-source Matter SDK and invoking it from a widely used smart-home controller. Using a running example, we add a simple cluster that erases sensitive data stored on a smart device. We view this template as an enabling step for the community. While Matter’s open reference implementation provides common ground, the concrete steps required to add and exercise experimental functionality remain scattered. Our template and walkthrough consolidate the necessary steps needed for a reproducible workflow that researchers can adapt for exploring new security and privacy mechanisms.

A Software Bill of Materials (SBOM) enables rapid understanding of software composition and improves the efficiency of vulnerability management. However, inconsistencies between the components described in the SBOM and those that actually exist on a device can result in missed detections or false positives during SBOM-based vulnerability analysis, thereby increasing the risk of executing unknown threats. This study proposes SBOM-based Access Control (SBOM-AC), a mechanism that determines whether a program may be executed by enforcing access control policies derived from the SBOM. By denying the execution of programs that do not match the SBOM, SBOMAC reduces security risks arising from the runtime execution of unmanaged programs. Denial logs can also be used to improve the completeness and accuracy of the SBOM, thereby reducing missed detections and false positives in SBOM-based vulnerability management and enabling the identification of unexpected execution attempts. SBOM-AC can be implemented as a Linux Security Module (LSM), making it suitable for deployment on Linux-based IoT devices and compatible with existing Mandatory Access Control systems. Experimental results show that SBOMAC introduces a maximum latency of only 0.14 ms. Based on this measurement, the estimated performance impact of SBOM-AC on device services is negligible.

Evidence from digital devices in general, and Internet of Things (IoT) and embedded devices in particular, plays an increasing role in modern investigations. Yet their diversity in hardware and software encumbers their analysis and analysis results appear fragmented and hard to assess. Investigators, therefore, face the challenge of finding and interpreting relevant digital evidence stored on these devices. In order to standardize the forensic analysis of digital devices and structure research results, we present the User–Device Interaction Model (UDIM), a device-centric formal model that is based on the types of interaction between a device, users, and other devices across interaction types and locations. By integrating the analysis results of 42 IoT devices from the literature, we show how UDIM supports standardized analysis, and helps law enforcement agencies prioritize resources during seizures. Furthermore, the model can be used to assess the coverage of forensic examinations, to ensure thoroughness and completeness of investigations.

With the advance of IoT technology, embedded systems have become omnipresent in everyday life, taking on ever more security sensitive tasks. Because of this, the security analysis of embedded firmware has reached unprecedented importance.

At the same time, the need to keep production and operation costs low imposes strong resource constraints and optimization pressure on the design of embedded IoT devices. Trade-offs include smaller firmware images that lack debug symbols, and lighter housing that is harder to disassemble. Notably, the cheapest products tend to receive the least amount of vendor support, thus making them more vulnerable, while simultaneously being the least amenable to analysis, thus making it harder for third parties to assess and address the resulting risks.

Knowing which precise microcontroller unit (MCU) is built into a particular device allows insight into its memory map, which is valuable for both static and dynamic analysis of its firmware. However, while it is usually easy to determine the manufacturer and model of an IoT appliance through visual inspection, identifying the MCU at the core of the device is often only possible after destructive disassembly.

To address this problem, we propose an automatic approach to derive the MCU of an embedded device from its firmware image. The approach is based on identifying which addresses the firmware expects to be accessible and finding the most similar MCU memory map in a pre-calculated knowledge base. Our approach does not depend on debug symbols or physical access to any part of the embedded device.

In our evaluation, this approach correctly identifies the precise MCU series 57% of the time and finds the most precise available memory map 44% of the time.

Many IoT devices suffer from a vast array of security vulnerabilities. Unlike traditional software applications, security flaws in IoT devices can cause real physical damage, which makes avoiding them all the more important. This session will cover a new approach to this problem, using capabilities from the recently standardized ECMA-430 Natural Language Interaction Protocol (NLIP). It will cover how a natural language interface combined with built-in enterprise-grade security creates a much improved security baseline for your devices.

Speaker's Biography: Sanjay Aiyagari is a Chief Architect in Red Hat’s Telco CTO Office working with service providers in their advanced technology initiatives including AI/ML and edge computing. With a long background in networking (Cisco) and virtualization (VMware), at Red Hat he is now helping enterprises use these capabilities to build out secure, decentralized data architectures to help customers escape lock-in. He is actively involved in ECMA TC 56 which develops NLIP to allow AI agents to work across all LLMs, in O-RAN nGRG which is bringing AI capabilities to 6G networks, and in 3GPP SA5, which is working on OAM for 6G.

Prior to Red Hat, he ran product management and strategy at Siaras, a startup and pioneer in the multicloud networking space. Before that, he spent six years at VMware, where he advised the world’s largest telcos in virtualizing their critical real-time network functions. Beyond typical product delivery roles at Cisco, he also contributed as one of the earliest key members to the OASIS AMQP (ISO-19464) specification, which is widely used in cloud management, financial trading, transportation and military systems today. Beyond ECMA and O-RAN, he has also contributed to numerous other industry groups, including OASIS, ETSI ENI, IOWN Global Forum, and the Enterprise Neurosystem's Secure Connectivity working group, as well as contributing to inputs for the White House's National AI Research Resource and the UN Framework Convention on Climate Change Technology Executive Committee.

Mr. Aiyagari has a BS in Electrical Engineering from Cornell University and an MS in Computer Science from Columbia University.

Matter seeks to resolve long-standing interoper-ability problems in the Internet of Things (IoT), yet little is known about how developers experience the standard in day-to-day work. This paper examines over 13,000 issues from the official Project CHIP GitHub repository to understand the kinds of problems contributors report when implementing and integrating Matter. Using topic modeling and qualitative analysis, we identify four recurring areas of concern—Testing, Interoperability, Development, and Platform & Network—and describe how they manifest in the evolution of the codebase and tooling. The findings reveal systematic technical and integration challenges and point to concrete opportunities to refine Matter’s test infrastructure, cross-vendor guidance, and documentation as the standard continues to mature.

The EU’s Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements, effectively acting as a security standard for the consumer Internet of Things (IoT). While standardization aims to reduce systemic vulnerabilities, security and privacy flaws in standardized requirements can be inherited at scale by widely deployed IoT products. In this paper, we analyze the CRA through the lens of standardized IoT security. We discuss implications for IoT standards and governance, stressing measurable security properties, automated evaluation, and supply-chain considerations. We argue that standardized IoT security cannot be treated as a purely procedural or compliance-driven exercise: regulatory ambiguity, limitations in conformity assessment scalability and harmonization, and gaps between formal compliance and real-world security outcomes risk turning standardization into a mechanism for scaling insecurity rather than mitigating it. Addressing these challenges requires sustained multidisciplinary research at the intersection of IoT standardization, security engineering, and governance, including systematic risk modeling approaches and the development of edge-centric threat models for local IoT environments.

Intrusion Detection Systems (IDS) remain vulnerable to zero-day attacks that manifest themselves as previously unseen traffic patterns. Traditional neural IDS models, constrained by closed-world assumptions, often misclassify such traffic as benign, leading to significant security risks. We present DQNIDS, a deep reinforcement learning framework that integrates a Convolutional Neural Network (CNN) for feature extraction with a Deep Q-Network (DQN) for uncertainty-aware decision-making. Unlike threshold-based open-set methods, DQN-IDS dynamically learns to separate known and unknown traffic using softmax-derived confidence metrics maximum probability, probability gap, and entropy as its state representation. Evaluated on the CICIDS-2017 and UNSW2015 datasets, the proposed system achieves a binary F1-score of 97.8% (known vs. unknown) and reduces missed zero-day traffic compared to state-of-the-art threshold-based approaches. The DQN stage introduces negligible runtime overhead relative to CNN inference, yielding a deployable two-stage open-set NIDS suitable for IoT and other resource-constrained environments.

Mobile apps may collect, share, and analyze data from users. Although users can choose to decline apps’ data collection behaviors through mobile permission systems or in-app settings, it is challenging and time-consuming for users to manually discover and correctly configure all the privacy settings for apps on their mobile phones. This issue also occurs in IoT apps, where users need to configure each device separately. Although they can manage some settings with platform apps (like Apple Home), many IoT devices expose device-specific settings within a device specific app. In this position paper, we propose the PRIVACYPROFILE, a framework that allows users to easily set their global privacy preferences and apply them to apps automatically. Users can indicate whether each of their privacy-related information can be collected, shared, and analyzed in their profile. Compatible apps then read the privacy profile and automatically configure their settings for users, e.g., enabling data collection behaviors or disabling data sharing. This design enables users to easily configure their privacy preferences once, rather than having to manually open each app and locate the corresponding privacy settings.

Mass adoption of home IoT devices has been slower than expected, and numerous user studies have looked at issues consumers have regarding the use of these devices. But despite multiple studies on user concerns around the world regarding characteristics sought in home IoT devices, two important aspects have largely been missing. The first is the wide variety of housing types. Almost all user studies studying desired characteristics of home IoT devices have focused on the single-family stand-alone home environment. Wide adoption of home IoT devices, however, will mean use in a variety of living situations: rental apartments, condominiums, retirement communities, dormitories, and others. This introduces new complexities, including the second largely ignored issue. In these other types of housing situations, multiple other players are involved in the deployment of home IoT devices, including builders, landlords, housing managers, government regulators, and more. Getting home IoT devices right includes factoring in the characteristics that these other players desire and expect. This will be particularly critical in standardization efforts for home IoT.

Previous work has shown that home IoT devices must satisfy obvious requirements of security, privacy, and interoperability – and less obvious ones of reliability, safety, data portability, usability, and controllability. Our work extends this list in in two important ways. First, by broadening the literature review to other previously ignored but highly relevant fields, including human-building interaction, we collect all previously studied characteristics relevant to home IoT. Second, we provide precise definitions of each; as a result of the analysis involved, we introduce new characteristics not previously considered by the computer science community. Our research in delineating required characteristics of home IoT provides a crucial building block for standardizing home IoT devices.