IoT systems are a growing part of today’s data-centric world. However, IoT systems present some security complications not present in other systems. Notably, IoT devices run a wide range of operating systems, almost none implementing capability-based access control (CapBAC) as the primary access control model. We find CapBAC the superior access control model due to its granularity, flexibility, and ability to solve the confused deputy problem. We propose CapBox, a specialized system composed of a server, a library, and a compiler. CapBox connects to multiple IoT nodes, adding CapBAC access control to the nodes. This presents a simple and effective CapBAC interface for most IoT nodes, regardless of their underlying operating system and computational restraints.