The Internet of Things (IoT) represents a technologically optimistic future where objects will be connected to the internet and make intelligent collaborations with other objects anywhere, anytime. Although it makes appreciable development, there are still uncertainties about security concepts of its usage that is usually considered as a major concern in the design of IoT architectures. This paper presents a general survey of all the security issues in IoT along with an analysis of IoT architectures. The study defines security requirements and challenges that are common in IoT implementations and discusses security threats and related solutions on each layer of IoT architecture to make this technology secure and more widespread accordingly.
Although Internet of Things (IoT) is a well-known term and a rising trend in IT arena, there has been no agreed definition by the world community of users until now. In fact, there are many different groups in industry and standardization organizations that formulate similar ideas but in different forms and based on different components or aspects of an IoT system.
The best definition for the Internet of Things would be defined by ITU-T Y.2060:
“Global infrastructure for the society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”
IoT is such a system that supplies connectivity and interactive communication for anything. Even though “being connected” is usually used in term of electronic devices in our daily life, physical objects that have hardware such as sensors or actuators, connect to the Internet with unique addresses. Data of physical object are transmitted continuously through wired/wireless networks to platforms where it will be interpreted. Physical objects are capable of understanding complexity of the environment and reacting due to their feature of sense and communication. The revolutionary advance in this case is that physical objects begin to be deployed and adopted widely. In addition, most of them begin to work properly without human intervention [
In future, every object in our daily life will be connected to Internet. Mobile phones will be used as the center point or the remote control for all objects in the physical world commonly called as IoT [
Emphasizing security issues surrounding IoT is the main goal of this paper. Security is an important concern for IoT technology because of following reasons [
・ IoT is accepted as an extended version of some different technologies such as Wireless Sensor Networks, Mobile Broadband and 2G/3G Communications Networks which are already under threat because of various security flaws.
・ Every device is connected to Internet in IoT technologies and Internet is an unsecured environment naturally. There are many evil-minded people who are on the lookout for various system breaches and remote code executions.
・ Objects in IoT communicate with each other; hence, there is a possibility that privacy and security can be hindered.
This study presents a general survey of all the security issues in IoT along with an analysis of IoT architectures. The paper describes security requirements and challenges that are usually faced in IoT implementations and mentions security threats and related solutions on each layer of IoT architecture to make this technology secure and more widespread.
The paper is organized as follows. In Section 2, IoT scope and recommended architecture are described. Section 3 studies security requirements and challenges for IoT implementations. In Section 4, security threats plaguing the Internet of Things are surveyed in such a way that all these threats are categorized based on layers of IoT architecture. Section 5 discusses security solutions and research directions on each layer and finally Section 6 concludes this study.
IoT purposes to enable things to be connected anyplace and anytime using any service/network [
In the study of Uma Mahesh et al. [
a) Hardware: Sensors, central units and built-in communication hardware are included in this level. Since a sensor has limited hardware, it is usually utilized in sensor networks that multiple sensors are linked together. A central unit that is a source of centralized services in IoTs, has a capable of storing, processing, and delivering data to users.
b) Middleware: It consists of storage and calculation tools for data analytics. Cloud computing is given as an example in this section.
Cloud computing is the integrity of several traditional technologies such as hardware virtualization, service-oriented architecture, load-balancing, distributed computing, grid computing, utility computing and autonomic computing. It can be considered as a natural step forward from the grid-utility model [
c) Presentation: There are visualization and interpretation tools in presentation level. These tools are designed for various applications and can be accessed from any platform.
From the network point of view, the opportunity of accessing information through tagged object by browsing on Internet primarily inspired the idea of IoT. Bringing objects into the digital world and identifying them by using their Internet addresses are supplied with different tagging technologies such as RFID, NFC and QR Codes [
Wireless sensor network (WSN) is another type of data collection technology of the IoT that has some features to maintain the control over many nodes through wireless communication such as multi-hopping and self-organization. A WSN system contains a central unit that provides wireless connectivity back to the wired world and distributed nodes [
According to Jian An et al. [
1) Perception Layer: The sensor technology, intelligence embedded technology, nano technology and tagging technology are located in this layer. Main purpose of the layer is the identification of unique objects and the collection of information from the physical world with the help of its sensors [
2) Network Layer: It contains WSN, optical fiber communication networks, broad television networks, 2G/3G communications networks, fixed telephone networks and closed IP data networks for each carrier. Transfer of collected information from sensors, devices, etc., to an information processing system is under the responsibility of this layer.
3) Support Layer: The layer involves information processing systems which takes information in one form and processes (transforms) it into another form. This processed data is stored in a database and will be available when there is a demand. This layer works very closely with applications. Therefore, researchers prefer to place it in application layer [
4) Application Layer: In this layer, there are practical and useful applications which are developed based on user requirements or industry specifications such as smart traffic, precise agriculture, smart home, mining monitor, etc.
Hui Suo et al. [
Security requirements are examined in studies [
In order to fulfill these requirements in
In this section, existing threats in IoT systems are examined in four categories based on IoT architecture which have been addressed in Section 2. The examination is summarized in
Authenticity: | Only legal users should be allowed to access the system or sensitive information [ |
---|---|
Authorization: | The privileges of device components and applications should be limited as so they are able to access only the resources they need to do their addressed tasks [ |
Confidentiality: | Information transmission between the nodes should be protected from intruders [ |
Integrity: | Related information should not be tampered [ |
Availability and Continuity: | In order to avoid any potential operational failures and interruptions, availability and continuity in the provision of security services should be ensured [ |
Interoperability: | Relevant security solutions should not prevent the functionality of interconnected heterogeneous devices in IoT network system [ |
---|---|
Resource constraints: | In IoT architecture, most of nodes lack of storage capacity, power and CPU. They generally use low-bandwidth communication channels. Hence, it is unable to apply some security techniques such as frequency hopping communication and public key encryption algorithm. Setup of security system is very difficult under these circumstances [ |
Data volumes: | Although some IoT applications use brief and infrequent communication channels, there are considerable number of IoT system such as sensor-based, logistics and large scale system that have potentials to entail huge volume of data on central network or servers [ |
Privacy protection: | Since a great number of RFID systems are short of suitable authentication mechanism, anyone can tracks tags and find the identity of the objects carrying them. Intruders can not only read the data, but can also modify or even delete data as well [ |
Scalability: | The IoT network consists of a large number of nodes. The proposed security mechanism on IoT should be scalable [ |
Autonomic control: | Traditional computers need users to configure and adapt them to different application domains and different communication environments. However, objects in IoT network should establish connections spontaneously, and organize/configure themselves for adapting to the platform they are operating in. This kind of control also involves some techniques and mechanisms such as self-configuring, self-optimizing, self-management, self-healing and self-protecting [ |
Sensor and intelligence embedded technologies including RFID readers, sensors or GPS are under threat because of various security flaws. Main threats are discussed below:
Spoofing: It is initiated with a fake broadcast message sent to sensor network by the attackers. It makes it to assume its originality falsely which makes it appearing from the original source [
Signal/Radio Jamming: It is a type of DoS attack that it occupies the communication channel between the nodes and hinders them from communicating with each other [
Device-tampering/Node-capturing: The attacker captures the sensor node physically replaces the node with their malicious node. This type of attack usually results in the attacker gaining total control over the captured node and harms the network [
Path-based DoS Attack (PDoS): In this type of DoS attack, the attacker overpowers sensor nodes a long distance away by flooding a multihop end-to-end communication path with either replayed packets or injected spurious packets [
Node Outage: The attack is applied logically or physically to the network and it stops the functionality of network components. Node services such as reading, collecting and initiating operations are stopped because of this attack [
Eavesdropping: Wireless characteristics of RFID system make it possible that attacker sniffs out the confidential information such as password or any other data flowing from tag-to-reader or reader-to-tag making the system vulnerable [
Various kinds of perception layer attacks are listed below with related risks on security mechanisms of IoT in
Network layer which is known as the next-generation network are exposed to many kinds of threats. Related threats that come from this layer are listed below:
Selective Forwarding: In such attacks, malicious nodes do not forward some messages and selectively drop them, ensuring that they cannot propagate later
Attacks | Risks |
---|---|
Spoofing | Authenticity, integrity and confidentiality. |
Signal/Radio Jamming | Availability and integrity. |
Device-tampering/Node-capturing | Availability, integrity, authenticity and confidentiality. |
Path-based DoSAttack | Availability and authenticity. |
Node Outage | Availability and authenticity. |
Eavesdropping | Confidentiality. |
on. The attacker who is responsible for suppression or modification of packets originating from a select few nodes can sometimes forward the remaining traffic not to reveal her wrongdoing. There are different types of selective forwarding attacks. In one type, the malicious node can selectively drop the packets coming from a particular node or a group of nodes. This situation poses a risk of DoS attack for that node or a group of nodes. Another type of selective forwarding attack is called Neglect and Greed. In this type of attack, the subverted node arbitrarily skips routing some messages [
Sybil Attack: It is clarified as a malicious device illegitimately taking on multiple identities [
Sinkhole Attack (Blackhole): The sink hole is defined in [
Wormhole: This form of DoS attack induces relocation of bits of data from its original position in the network. This relocation of data packet is carried out through tunneling of bits of data over a link of low latency [
Man-in-the-Middle Attack: This attack is described as a form of eavesdropping in which the unauthorized party can monitor or control all the private communications between the two parties hideously. The unauthorized party can even fake the identity of the victim and communicate normally to gain more information [
Hello-flood Attack: High traffic in channels is the main disrupting effect of this attack which congests the channel with an unusually high number of useless messages. Basically, a single malicious node sends a useless message which is then replied by the attacker to create a high traffic [
Acknowledgement Flooding: Routing algorithms in sensor-based systems need acknowledgements from time to time. In this type of DoS attack, a malicious node sends false information to destined neighboring nodes by the help of these acknowledgements [
Target of threats in support layer are mainly data storage technologies. These threats are discussed below:
Tampering with Data: The attack appears when a person from the inside tampers the data for personal benefits or commercial benefits of any 3rd party companies. The data can be extracted and modified easily on purpose from the inside [
DoS Attack: Similar effects of DoS attacks that are discussed in previous layers are seen in this layer, too; e.g. it shuts down the system which results in unavailability of the services.
Unauthorized Access: The attacker can easily infiltrate into the system and damage the system by preventing the access to the related services of IoT or deleting sensitive data. Hence, an unauthorized access can be fatal for the system [
The personalized services based on the needs of the users are included in the application layer; e.g. the interface that user can control devices in IoT [
Sniffer/Loggers: Attackers can introduce sniffer/logger programs into the system that take important information from the network traffic. The main goal of the sniffer is to steal passwords, files (FTP files, E-mail files), and E-mail text. Many protocols are prone to sniffing [
Injection: Attackers may enter code directly into the application that is executed on the server. This is a very common attack, easy to exploit, and can cause some bad results such as data loss, data corruption and lack of accountability [
Session Hijacking: This attack reveals personal identities by exploiting security flaws in authentication and session management. This type of attack is very common and effects of attack are really important. With the identity of someone else, attacker can do anything the real user can do [
DDoS (Distributed Denial of Service): Its working principle is the same as the traditional Denial of Service attack. However, it is executed by multiple attackers at the same time [
Social Engineering: A serious threat for application layer where attackers can obtain information from users via chats, knowing each other etc. [
Recommended solutions and research directions with respect to security in IoT are examined in three categories: security of perception layer, security of network layer and security of support and application layers. The examination is summarized in
Taking security measures for the perception layer dates back times before IoT.
Type | Algorithm | Purpose |
---|---|---|
Symmetric Encryption | Advanced encryption standard (AES) | Confidentiality |
Asymmetric Encryption | Rivestshamir Adelman (RSA)/Elliptic curve cryptography (ECC) | Digital Signatures, Key Transport |
Asymmetric Key Agreement | Diffie-hellman (DH) | Key Agreement |
Hashing | SHA-1/SHA-256 | Integrality |
Equipments such as RFID readers, sensors, gateways, GPS and other devices require to be secured efficiently. OWASP has identified poor physical security in the top 10 IoT vulnerabilities [
Data collection is an important issue for this layer. In [
Cryptographic processing is one of the main tasks in security mechanisms for sensor data on IoT. These operations that are often used in order to guarantee privacy of data include encryption and decryption, key and hash generation, and sign and verify hashes.
Wander et al. [
Risk Assessment is a fundamental of IoT security which determines the extent of the potential threat and the risk associated with an IoT system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. A number of organizations have developed guidelines for conducting risk assessment such as the U.S. National Institute of Standards and Technology (NIST) [
The security of network layer can be examined in two main sub-layers; wireless and wired. One of the initial actions in wireless security sub-layer is the development of protocols for authentication and key management [
The wired security sub-layer is concerned with devices, which communicate with other devices on the IoT system using wired channels. Common security techniques are applied in wired type networks are firewalls and Intrusion Prevention System (IPS). If the network has firewall or IPS, it can inspect network packets deeply that are destined towards the destination. However, existing IoT has no ability in terms of packet inspection and packet filtering. There is an ongoing research on this issue where security researchers try to design a low resource-hungry firewall for IoT to provide the ability of packet inspection [
All information about the security of network layer that is discussed above is summarized in
Devipriya et al. [
Sub-layers | Security Techniques | Purposes |
---|---|---|
Wireless | TLS/SSL | Authenticity, Confidentiality, Integrity |
IPSec | ||
PPSK | ||
Wired | Firewall | |
IPS |
systems uses steganography techniques. The second sublayer corresponds to national applications and their security systems, ensuring that sent and received data are secure. Therefore, various security techniques are applied in these systems based on the scope of each system such as authentication, authorization, access control list, selective disclosure, intrusion detection, firewall, and antivirus.
According to Farooq et al. [
Data security is another issue on these layers [
・ Safe programming and anti-virus software testing against malicious code injections and service loopholes,
・ Verification of data and developing temporary cache against malicious operations,
・ Session inspection mechanism to stop attacks of hijacking and redo sessions,
・ Boundary inspection, data encryption mechanism and resource access control to avoid leakage of privacy.
The IoT is vulnerable to a number of attacks that are mentioned in previous sections to disrupt the whole system, thus intrusion detection is a crucial concept for IoT deployments in real world such as industrial automation, building automation, smart metering and smart grids [
IoT is an emerging technology that has attracted a considerable number of researchers from all around the world. There have been major contributions making this technology adapted into our daily life. However, there are lots of key issues addressing security concerns of IoT and they need more research effort to be solved.
In this paper, security concepts of IoT were reviewed substantially. Requirements and challenges of security measures in IoT were analyzed and collected under different headings. All kinds of security threats that may be critical in the development and implementation of IoT in different fields have been discussed and classified with respect to layers of IoT architecture: perception layer, network layer, support layer and application layer. Finally, the recent solutions have been provided for these threats and research directions with respect to security concerns have been introduced such as cryptographic mechanisms and firewalls.
Leloglu, E. (2017) A Review of Security Concerns in Internet of Things. Journal of Computer and Communications, 5, 121-136. http://dx.doi.org/10.4236/jcc.2017.51010