Abstract: Systems, methods, and/or techniques for transferring ownership or rolling-over machine-to-machine (M2M) and/or internet of things (IoT) devices from a first owner to a second owner may be disclosed. For example, at a M2M and/or IoT device, a roll-over token and/or a message with the roll-over token may be received. The roll-over token may be configured to be used to transfer ownership and/or update credentials, and/or the roll-over token may be configured to be requested by a first device management server (DMS) associated with the first owner and/or may be generated by a reset server (RS), for example, in response to the request by the first DMS. A validity of the roll-over token may be checked or determined.

Abstract: Systems, methods, and/or techniques for providing access network independent device provisioning of machine-to-machine (M2M) devices belonging to different M2M application domains may be disclosed. For example, a unique reference to a preliminary M2M ID module (PMI) associated with a M2M device. The M2M device with the PMI may be registered at a M2M ID provider (MIP). A M2M ID (MI) to replace the PMI may be generated using the MIP Additionally, a secure mutually authenticated communication channel may be set up with the M2M device within an application domain and/or may be provided for secure authorization of requests to the M2M device using the MI.

Abstract: Systems, methods, and/or techniques for mitigating attacks on an IoT device at a gateway device may be provided. The gateway device may receive a communication directed to an Internet of Things (IoT) device and forward it to the IoT device. The IoT device may indicate to the gateway device that the communication is associated with an attack and send the gateway device a sleep time period and a request to change a filtering rule set at the gateway device. The gateway device may change the filtering rule set and receive another communication directed to the IoT device. If the another communication is valid based on the filtering rule set with the change and a number of valid packets is less than a threshold, and the sleep time period has expired, the gateway device may send another communication to the IoT device.

Abstract: Systems, methods, and instrumentalities are disclosed for providing security to a wireless transmit receive unit (WTRU). A software vulnerability ticket (SVT) may be received by a WTRU. The SVT may include a location to fetch software update information, content of the software update information, and/or an indication that an update is not available. The SVT may be stored in a memory associated with the WTRU. It may be determined (e.g., by a security agent associated with the WTRU) whether the WTRU has a fresh SVT. A security agent may run in a secure execution environment on the WTRU. The secure execution environment may not be dependent on a main operating system associated with the WTRU. If it is determined that the WTRU has a fresh SVT, a security update may be performed. If it is determined that the WTRU does not have a fresh SVT, a recovery procedure may be executed.

Abstract: Systems, methods, and/or techniques for mitigating attacks on an IoT device at a gateway device may be provided. The gateway device may receive a communication directed to an Internet of Things (IoT) device and forward it to the IoT device. The IoT device may indicate to the gateway device that the communication is associated with an attack and send the gateway device a sleep time period and a request to change a filtering rule set at the gateway device. The gateway device may change the filtering rule set and receive another communication directed to the IoT device. If the another communication is valid based on the filtering rule set with the change and a number of valid packets is less than a threshold, and the sleep time period has expired, the gateway device may send another communication to the IoT device.

Abstract: Systems, methods, and/or techniques for transferring ownership or rolling-over machine-to-machine (M2M) and/or internet of things (IoT) devices from a first owner to a second owner may be disclosed. For example, at a M2M and/or IoT device, a roll-over token and/or a message with the roll-over token may be received. The roll-over token may be configured to be used to transfer ownership and/or update credentials, and/or the roll-over token may be configured to be requested by a first device management server (DMS) associated with the first owner and/or may be generated by a reset server (RS), for example, in response to the request by the first DMS. A validity of the roll-over token may be checked or determined.

Abstract: Systems, methods, and/or techniques may be disclosed to prevent credentials from being compromised during an attack or theft of Internet of Things (IoT) devices. Secure communications between IoT devices and a device management server may be managed. A group master key may be received at a local key generation unit or a particular IoT attached to a local area network. A first session group key may be generated at the local key generation unit or the particular IoT device using the received group master key and a sequence number. The first session group key may be sent from the local key generation unit to each of a plurality of IoT devices via the local area network.

Abstract: Systems, methods, and instrumentalities are disclosed for integrity protecting log entries generated from a first unit in a distributed system. For example, a first secret key may be received or obtained from a central management system and storing the first secret key in non-volatile memory. A second secret key may be calculated where the second secret key may be shared with a plurality of units within the same local communication domain as a unit using a secure key calculation. The second secret key may further be stored in volatile memory. The first and second keys may be used to calculate a first secret integrity protection key and a first broadcast encryption key. A security sensitive log entry may be generated and may be protected using the first integrity key and the first broadcast encryption key. The log entry may be broadcast to the plurality of units within the domain.

Abstract: Systems, methods, and/or techniques for providing access network independent device provisioning of machine-to-machine (M2M) devices belonging to different M2M application domains may be disclosed. For example, a unique reference to a preliminary M2M ID module (PMI) associated with a M2M device. The M2M device with the PMI may be registered at a M2M ID provider (MIP). A M2M ID (MI) to replace the PMI may be generated using the MIP Additionally, a secure mutually authenticated communication channel may be set up with the M2M device within an application domain and/or may be provided for secure authorization of requests to the M2M device using the MI.

Abstract: Systems, methods, and/or techniques for performing device recovery using a device management agent (DMAG) on a device may be provided. The DMAG may be in secure execution environment that may be protected by a hypervisor and/or may include or have a full network stack (e.g., via a tiny operating system associated therewith). The DMAG or other entity on the device may receive control of the device and/or may determine or detect whether an application and/or an operating system on the device may not be in a normal service. The DMAG or other entity may initiate a secure session with a DMS based on the application and/or operating system not being in the normal service such that the DMS may determine whether the device may have a potential software problem. The DMAG or other entity may set up or establish a recovery and/or upgrade session based on the device having the potential software problem (e.g.

Abstract: Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses.

Abstract: Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses.