Workshop on Security and Privacy in Standardized IoT (SDIoTSec) 2025 Program
Monday, 24 February
-
Dr. Gene Tsudik, Distinguished Professor of Computer Science, University of California, Irvine
IoT devices are increasingly popular and ubiquitous in numerous everyday settings. They sense and actuate the environment using a wide range of analog peripherals. They are often deployed in large numbers and perform critical tasks. It is no surprise that they represent attractive targets for various attacks. Recent history shows that few lessons were learned from well-known attacks and IoT devices are still commonly compromised via both known attacks and zero-day exploits. Alas, the worst is yet to come. This talk will consider several reasons for the current state of affairs in IoT (in)security and motivate research on actively secure and formally assured operation of IoT devices. This direction is both important and timely since common sense dictates that it is better to be prepared for a disaster that never comes than to be unprepared for the one that does.
Speaker's Biography: Gene Tsudik is a Distinguished Professor of Computer Science at the University of California, Irvine (UCI). He obtained his Ph.D. in Computer Science from USC. Before coming to UCI in 2000, he was at the IBM Zurich Research Laboratory (1991-1996) and USC/ISI (1996-2000). His research interests include many topics in security, privacy, and applied cryptography. Gene Tsudik was a Fulbright Scholar and a Fulbright Specialist. He is a fellow of ACM, IEEE, AAAS, IFIP, and a foreign member of Academia Europaea. From 2009 to 2015, he served as the Editor-in-Chief of ACM TOPS. He received the 2017 ACM SIGSAC Outstanding Contribution Award, the 2020 IFIP Jean-Claude Laprie Award, the 2023 ACM SIGSAC Outstanding Innovation Award, the 2024 Guggenheim Fellowship and the 2024 NDSS Test-of-Time Award. He has no social media presence.
-
Rahul Choutapally, Konika Reddy Saddikuti, Solomon Berhe (University of the Pacific)
Urban safety concerns about small animals under vehicles inspired the AniLarm IoT prototype, which uses a Seek Thermal Compact Camera and Raspberry Pi for real-time detection via thermal imaging. The system delivers results through auditory alerts and operates offline. This research evaluates the applicability of NIST IR 8259A standards, focusing on secure authentication, data protection, system integrity, and maintainability in edge IoT applications.
-
Jingwen Yan (Clemson University), Mohammed Aldeen (Clemson University), Jalil Harris (Clemson University), Kellen Grossenbacher (Clemson University), Aurore Munyaneza (Texas Tech University), Song Liao (Texas Tech University), Long Cheng (Clemson University)
As the number of mobile applications continues to grow, privacy labels (e.g. Apple’s Privacy Labels and Google’s Data Safety Section) emerge as a potential solution to help users understand how apps collect, use and share their data. However, it remains unclear whether these labels actually enhance user understanding to build trust in app developers or influence their download decisions. In this paper, we investigate user perceptions of privacy labels through a comprehensive analysis of online discussions and a structured user study. We first collect and analyze Reddit posts related to privacy labels, and manually analyze the discussions to understand users’ concerns and suggestions. Our analysis reveals that users are skeptical of self-reported privacy labels provided by developers and they struggle to interpret the terminology used in the labels. Users also expressed a desire for clearer explanations about why specific data is collected and emphasized the importance of third-party verification to ensure the accuracy of privacy labels. To complement our Reddit analysis, we conducted a user study with 50 participants recruited via Amazon Mechanical Turk and Qualtrics. The study revealed that 76% of the participants indicated that privacy labels influence their app download decisions and the amount of data practice in the privacy label is the most significant factor.
-
ChaeYoung Kim (Seoul Women's University), Kyounggon Kim (Naif Arab University for Security Sciences)
The integration of robotics and IoT technologies into everyday systems has revolutionized smart environments while introducing critical security and privacy challenges. This paper presents FORESIGHT, a unified framework for threat modeling and risk assessment that addresses vulnerabilities in autonomous robotics and IoT ecosystems. By categorizing threats into robot-oriented, user-oriented, and environmental domains, FORESIGHT enables comprehensive risk analysis and prioritization of high-risk threats. Using Bayesian networks, the framework evaluates cascading vulnerabilities and interdependencies across system layers. Aligned with international standards such as ISO 13482, IEC 62443, and GDPR, FORESIGHT ensures a structured approach to improving the resilience of human-centered interconnected systems.
-
The AI-Cybersecurity Nexus - Opportunities, Challenges, and Solutions
Artificial Intelligence (AI) is revolutionizing cybersecurity, offering enhanced threat detection, proactive prevention, and streamlined response mechanisms. In this keynote, we will explore how AI is reshaping the cybersecurity landscape, especially IoT security, enabling faster incident resolution, more intuitive security tools, and greater overall efficiency. We will share key insights into what works, what doesn’t, and lessons learned from real-world implementations. However, while AI strengthens cybersecurity, it also introduces new vulnerabilities—adversarial AI, automated cyberattacks, and novel threat vectors that traditional defenses struggle to address. We will examine these emerging risks and the evolving tactics of malicious actors who leverage AI against security systems. Finally, this session will present actionable solutions to mitigate AI-driven threats, including fighting AI with AI, platformization, precision AI, adaptive defense strategies, responsible AI deployment, and the integration of AI with human intelligence to create more resilient security frameworks. Join us as we navigate the AI-cybersecurity nexus and chart a course toward a safer digital future.
Speaker's Biography: Dr. May Wang is the Chief Technology Officer for IoT Security at Palo Alto Networks, where she leads innovation in AI-driven cybersecurity solutions. She is the co-founder of Zingbox, the industry’s first AI-powered IoT security company, which was acquired by Palo Alto Networks in 2019. Before founding Zingbox, Dr. Wang served as a Principal Architect in the Cisco CTO Office. Dr. Wang holds a Ph.D. in Electrical Engineering from Stanford University and has received numerous accolades, including being recognized as the 2023 AI Entrepreneur of the Year by VentureBeat.
-
Sujin Han (KAIST), Diana A. Vasile (Nokia Bell Labs), Fahim Kawsar (Nokia Bell Labs, University of Glasgow), Chulhong Min (Nokia Bell Labs)
Wearable devices, often used in healthcare and wellness, collect personal health data via sensors and share it with nearby devices for processing. Considering that healthcare decisions may be based on the collected data, ensuring the privacy and security of data sharing is critical. As the hardware and abilities of these wearable devices evolve, we observe a shift in perspectives: they will no longer be mere data collectors, rather they become empowered to collaborate and provide users with enhanced insights directly from their bodies with on-device processing. However, today’s data sharing protocols do not support secure data sharing directly between wearables. To this end, we develop a comprehensive threat model for such scenarios and propose a protocol, SecuWear, for secure real-time data sharing between wearable devices. It enables secure data sharing between any set of devices owned by a user by authenticating devices with the help of an orchestrator device. This orchestrator, one of the user’s devices, enforces access control policies and verifies the authenticity of public keys. Once authenticated, the data encryption key is directly shared between the data provider and data consumer devices. Furthermore, SecuWear enables multiple data consumers to subscribe to one data provider, enabling efficient and scalable data sharing. In evaluation, we conduct an informal security analysis to demonstrate the robustness of SecuWear and the resource overhead. It imposes latency overhead of approximately 1.7s for setting up a data sharing session, which is less than 0.2% for a session lasting 15 minutes.
-
Seyed Ali Ghazi Asgar, Narasimha Reddy (Texas A&M University)
The Internet of Things (IoT) is experiencing exponential growth, with projections estimating over 29 billion devices by 2027. These devices often have limited resources, necessitating the use of lightweight communication protocols. MQTT is a widely used protocol in the IoT domain, but defective security configurations can pose significant risks for the users. In this work, we classify the most commonly used open-source IoT applications that utilize MQTT as their primary communication protocol and evaluate the associated attack scenarios. Our analysis shows that home automation IoT applications have the highest number of exposed devices. In addition, our examination suggests that tracking applications are prone to higher risks as the normalized percentage of exposed devices for this category is 6.85% while only 2.91% of home automation devices are exposed. To tackle these issues, we developed a lightweight, open-source exposure detection system suitable for both computer-based clients and ESP32 microcontrollers. This system warns users of a compromised MQTT broker, which enhances the overall security in IoT deployments without any significant overhead.
-
Sarah Kaleem (Prince Sultan University, PSU), Awais Ahmad (Imam Mohammad Ibn Saud Islamic University, IMSIU), Muhammad Babar (Prince Sultan University, PSU), Goutham Reddy Alavalapati (University of Illinois, Springfield)
This paper presents an integration of Federated Learning (FL) with Big Data Analytics (BDA) for Intelligent Transportation Systems (ITS). By leveraging the decentralized nature of FL, the framework enhances privacy, reduces latency, and improves scalability, addressing key limitations of traditional BDA approaches. This research demonstrates the potential of FL to revolutionize data analytics in ITS by enabling real-time applications and facilitating personalized insights. The key contributions of this research include the integration of FL with BDA to tackle traditional BDA challenges, the implementation of FL algorithms within the proposed integrated framework, and a comprehensive performance and scalability analysis. Additionally, the paper presents the development and validation of a specialized ITS dataset designed for FL environments. These contributions collectively highlight the transformative potential of FL in optimizing traffic management and public transportation systems through efficient and scalable data analytics. We demonstrate FL’s capability to efficiently manage and analyze ITS data while maintaining user privacy and scalability. Our findings reveal that FedProx achieved the highest global accuracy at 79.61%, surpassing FedSGD at 79.10% and FedAvg at 78.01%.
-
Chandranshu Gupta, Gaurav Varshney (IIT Jammu)
The Internet of Things (IoT) ecosystem is rapidly expanding, connecting resource-constrained devices that require lightweight and efficient security mechanisms. The Matter protocol standardizes secure communication in smart homes, relying on X.509 certificates for device authentication. While effective, the management of these certificates—including creation, storage, distribution, and revocation—is cumbersome and resource-intensive for IoT devices. Additionally, Matter’s reliance on private key storage increases vulnerability to key compromise. This paper proposes an improved lightweight authentication protocol combining Physical Unclonable Functions (PUFs) and Public Key Infrastructure (PKI) tailored for Matter-compliant IoT devices. By dynamically generating device-unique keys during operation, PUFs eliminate the need to store private keys, mitigating key extraction threats. The protocol reduces certificate storage overhead and simplifies the pairing process. Performance evaluations demonstrate significant reductions in computational overhead while maintaining robust security. By addressing Matter-specific challenges, the proposed approach optimizes device authentication, supports Perfect Forward Secrecy (PFS), and is well-suited for large-scale IoT deployments.
-
Yichen Liu (Indiana University Bloomington), Jingwen Yan (Clemson University), Song Liao (Texas Tech University), Long Cheng (Clemson University), Luyi Xing (Indiana University Bloomington)
Privacy compliance has become a significant concern for IoT users as the popularity of diverse IoT devices continues to grow. However, the heterogeneous nature of IoT brings challenges in designing effective privacy-preserving mechanisms. While Matter is a promising unifying connectivity protocol for IoT, it currently offers limited privacy compliance features. In this position paper, we propose the MATTERCOMPLIANCE framework, which achieves privacy compliance by design within the Matter protocol. The design of MATTERCOMPLIANCE follows three principles: providing reliable and proactive privacy disclosure for users, offering interfaces for developers to conveniently integrate privacy mechanisms, and enabling users to manage their privacy settings. By integrating privacy-preserving capabilities in the Matter protocol, MATTERCOMPLIANCE fills the gap in offering a unified solution for privacy compliance in IoT systems.
-
S. P. Veed, S. M. Daftary, B. Singh, M. Rudra, S. Berhe (University of the Pacific), M. Maynard (Data Independence LLC), F. Khomh (Polytechnique Montreal)
The quality of software update systems is critical for the performance, security, and functionality of IoT devices. Grounded in NIST IR 8259A standards, which emphasize secure updates, device integrity, and minimal disruption, this paper evaluates how these requirements align with user expectations and challenges. By examining the standard’s technical requirements, the study identifies gaps where user feedback can inform improvements in update mechanisms. A survey of 52 participants provides feedback into user behaviors and concerns regarding software updates. Key challenges include performance degradation, dissatisfaction with interface changes, and inconsistent cross-platform experiences. Users prioritize security alongside performance and feature updates but express reservations about system slowdowns and time-intensive update processes. The findings highlight the need for secure, fast, and user-focused update systems that align with NIST standards. Proposed strategies include lightweight updates, context-aware notifications, and rigorous testing protocols to improve system reliability and user compliance.
-
Hyeongjun Choi, Young Eun Kwon, Ji Won Yoon (Korea University)
This paper presents mmProcess, a novel phase-based approach for speech reconstruction using millimeter-wave (mmWave) technology, offering an alternative to existing Doppler-based and deep learning-dependent methods. By leveraging the phase variations in mmWave signals, mmProcess enables precise detection of fine vibrations caused by sound, facilitating accurate speech reconstruction without the need for large training datasets, prior knowledge, or complex neural networks. This eliminates the limitations of deep learning approaches, such as degraded performance with unseen languages and the significant time and cost required for system development. mmProcess combines advanced signal processing techniques, including range processing, phase unwrapping, and noise filtering, to transform raw mmWave radar data into high-fidelity speech signals. Experimental evaluations validate the effectiveness of the method, demonstrating its capability to operate in challenging scenarios while maintaining adaptability and cost efficiency.