Funding year 2025 / Scholarship Call #20 / Project ID: 7820 / Project: Analyzing and Understanding the Internet of Insecure Things
On 24 February 2026, I successfully defended my PhD thesis on security and privacy challenges in the Internet of Things (IoT). The work brings together systems security, large-scale Internet measurement, and user-centered research to better understand where IoT ecosystems fail and what we can do about it.
Below is a short overview of the thesis, including an excerpt from the abstract.
Why this thesis matters
IoT devices are everywhere: in our homes, cars, and cities. Yet security and privacy protections often lag behind adoption. Vulnerabilities can appear in many places, not only within devices themselves but also in companion apps, cloud backends, smart TV ecosystems, and even in how users perceive and manage risk. My thesis tackles these challenges end-to-end, combining technical analyses with insights into human behavior and oversight gaps.
What I studied
1) Mapping real-world IoT app behavior with IoTFlow
A major part of the work introduces IoTFlow, a static analysis technique for Android IoT companion apps at scale. Using IoTFlow, we examined nearly 10,000 apps to reconstruct device communication endpoints and uncover insecure practices such as hardcoded credentials and exposed test interfaces.
2) Measuring IoT backends on the public Internet
Building on IoTFlow's findings, we expanded the scope to the infrastructure behind IoT systems. We conducted a large-scale assessment of IoT backends across common protocols (MQTT, CoAP, and XMPP) and uncovered widespread issues, including data leaks, weak authentication schemes, and denial-of-service threats.
3) Coordinated disclosure at scale
To translate findings into real-world improvements, we initiated a coordinated vulnerability disclosure process with the Dutch National Cyber Security Centre (NCSC). This included notifying thousands of affected operators and tracking remediation outcomes, revealing major gaps in how IoT security is monitored and enforced.
4) Privacy risks in Hybrid Broadcast Broadband TV (HbbTV)
Beyond "traditional IoT," the thesis also investigates smart TV ecosystems. I examined HbbTV privacy risks across five European countries, finding pervasive tracking and frequent policy non-compliance within smart TV channels.
5) Connecting the technical and human perspective
Finally, we explore how people understand and respond to IoT risks. In a two-part user study, I first built an expert-driven categorization of IoT devices and then ran a survey with 213 participants. The results show clear mismatches between perceived risk and actual security behavior across device categories.
What's next
Defending the thesis was a big milestone. IoT security isn't a single bug or a single patch. It's an ecosystem problem, spanning technology, incentives, and user realities. I hope that this work helps push both practical defenses and policy discussions in a direction that actually reduces harm for end users.