Abstract
The production of embedded and constrained IoT devices is a security-critical but often neglected step in the product security lifecycle. Secure device development has been strengthened over the last decade by the adoption of DevOps processes. However, the transmission of the created artifacts to the production site and onto the device itself is a procedure that security assessments regularly overlook. This study shows the complexity of this step and proposes a production model that is split into four stages for analysis. The four stages comprise (1) the transmission of artifacts, (2) the management of artifacts, (3) programming of the device, and (4) provisioning of the IoT device. Assets and threat actors are defined, and critical scenarios are introduced to explain their impact on IoT device production. Finally, the discussion presents possible approaches and their limitations given this variety. In the future, this will facilitate the protection of critical and valuable phases of production, thereby enhancing the security and trustworthiness of IoT devices.
Acknowledgments
This study was supported by the German Federal Ministry of Education and Research (BMWK) through grant number 16KIS1956.
© 2025 IFIP International Federation for Information Processing
Schubaur, P., Knauer, P., Merli, D. (2025). Threats to the IoT Device Production Processes – A Blind Spot in the Product Security Lifecycle. In: Rey, G., Tigli, JY., Franquet, E. (eds) Internet of Things. 7th IFIPIoT 2024 International IFIP WG 5.5 Workshops. IFIPIoT 2024. IFIP Advances in Information and Communication Technology, vol 738. Springer, Cham. https://doi.org/10.1007/978-3-031-82065-6_7
DOI: https://doi.org/10.1007/978-3-031-82065-6_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-82064-9
Online ISBN: 978-3-031-82065-6
eBook Packages: Computer Science (R0)