A Survey: Security Issues and Challenges in Internet of...

A Survey: Security Issues and Challenges inInternet of Things

Balaji Yedle1, Gunjan Shrivastava2, Arun Kumar3, Alekha Kumar Mishra4,and Tapas Kumar Mishra5

1,2,3,5Department of Computer Science and Engineering, National Institute OfTechnology, Rourkela

4Department of Computer Applications, National Institute Of Technology,Jamshedpur

1,2,3,5218CS2436,218CS2316,kumararun,[email protected]@nitjsr.ac.in

Abstract. Internet of Things (IoT) is an emerging technology, in whichsensible objects are connected to form a network and are in constanttouch with one another. Today’s IoT applications are developed usingdifferent architecture approaches like centralized, distributed, and coop-erative approach etc. In the IoT applications, security is a main concernwhich needs to be studied thoroughly and deduce feasible solutions. Thispaper presents a brief survey of existing security challenges at differentlayers of IoT protocols and the initial simulation results of the work.

Keywords: Internet of Things; Protocols; Security; IoT Architecture.

1 Introduction

In last decade, IoT applications has increased in fast pace and IoT is providingtrendy development in radio frequency identification (RFID), sensible sensors,communication technologies and web protocols. The objective of IoT is to formthe network of billions of wireless identifiable objects, which can communicatewith each other anywhere, anytime using any service [1]. The communication isnot only restricted to devices but it can also happen between people and theirenvironment. IoT is a technology which enables new applications by connectingdata acquisition devices together in support of intelligent decision making. Thedevices are embedded with sensors and actuators to collect surrounding informa-tion. The collected raw data is then processed by smart devices and the decisionsare made accordingly [2]. The popular IoT applications include transportation,health care, industrial automation, animal tracking etc.

IoT devices communicate using different channels like Bluetooth, WiFi, RFID,NFC etc. In IoT, conventional protocols of different layers can not be used dueto limited memory space and battery lifetime, therefore several protocols areproposed for different layers. As a large number of uniquely identifiable devices;IoT devices; are interacting with one another, it creates complex network where

2 Balaji Yedle et al.

large amount of data is exchanged [3]. Therefore, it increases the risk of sev-eral potential attacks. So, there must be proper security infrastructure with newsystems and protocols which can bound the threats related to confidentiality,integrity and availability [4].

The remainder of this paper is organized as follows: Section 2 describes thethree main approaches of the IoT architecture. The protocols used at differentlayers of IoT are presented in Section 3. Section 4 briefly discusses the securitygoals in IoT and various security threats at each layer are presented in Section5. Section 6 verifies the proposed authentication protocol and finally, Section 7concludes the paper.

2 IoT Architecture

The IoT approaches are based on two principles: edge intelligence and collab-oration. The authors [5] have discussed different approaches which are used tobuild IoT network. The approaches are depicted in Figure 1.

Smart Home

IoT Device

User

C) Connected Intranets of Things

Smart Home

IoT Device

Consumer

Cloud Platform

B) Collaborative IoT Approach

Smart Home

IoT Device

Consumer

Central Cloud

Platform

A) Centralized IoT Approach

Cloud Platform

Cloud

Platform

User

Smart Home

IoT Device

Consumer Cloud Platform

D) Distributed IoT Approach

Fig. 1. Overview of different IoT Approaches[6].

– Centralized IoT: This approach does not provide any of the two mentionedprinciples. In this approach, the network of things is passive, all the task,such as retrieval of data, processing data, combining and providing it to theusers is done by a single central entity. If a user wants to use the services, ithas to connect to the central entity.

– Collaborative IoT: In this approach, the main load is within the central en-tity, the only difference is with the collaboration principle. Therefore, variouscentral entities are used to exchange data. The users combine various serviceproviders to complete a given task.

A Survey: Security Issues and Challenges in Internet of Things 3

– Connected Intranets of Things: In this approach, the data acquisition net-works process information locally and provide it to central entities as wellas to local and remote end users. Due to the limitation of these entities, theinformation is mainly processed by central authority. However, if the cen-tral authority fails to provide information, the local information can still beaccessed.

– Distributed IoT: In distributed IoT approach, physical objects process, re-trieve, combine and provide information and services to other entities. Inthis approach node are distributed geographically. Nodes collaborate withother nodes to form an IoT network to provide real time application to user.

3 IoT Protocols

The different protocols at different layers are discussed below and the protocolstack is shown in Figure 2.

3.1 Application Layer Protocols

This section discusses about various application layer protocols which are prefer-ably used in IoT.

COAP, MQTT, XMPP, AMQP,

DDS

UDP

IPv6, 6LoWPAN, RPL

IEEE 802.15.4 MAC

IEEE 802.15.4 PHY, IEEE 802.11

ah, WirelessHART

Application

Layer

Transport Layer

Network Layer

Data Link Layer

Perception Layer

Fig. 2. IoT Protocol Stack [7].

Constrained Application Layer Protocol(CoAP) This protocol is a syn-chronous response/request application layer protocol similar to HTTP. CoAPis used for lightweight devices [8]. This protocol works on UDP which sup-ports multicast, unicast requests with low header overhead and less complexityand also provides security with the help of Datagram Transport Layer Security(DTLS) protocol [9]. The protocol stack of CoAP is divided into two parts Re-quest/Response layer and Message layer. Message layer is to exchange messagesbetween two end users over UDP [10]. Request/Response layer is responsible tostore request/response method code which helps to check if the messages arearrived in order. The different types of messages used in CoAP are conformable,non-conformable, acknowledgment and reset.


Message Queue Telemetry Transport (MQTT) MQTT protocol is forlightweight devices and constrained network. This protocol works on publish/subscribe mechanism. MQTT protocol is divided into three components: pub-lisher, broker(server) and subscriber. Each user can act as a publisher by register-ing to the broker as well as a subscriber by subscribing to a topic. The publisheris generator of data, it publishes specific topics and sends to the subscribed usersthrough the brokers. MQTT protocol works on TCP and provides the securityusing SSL/TLS protocol. MQTT provides three levels of Quality of Service formessage delivery that are: Fire and forget, deliver at least once, delivery exactlyonce.

Advanced Message Queuing Protocol (AMQP) This protocol is a mes-sage oriented protocol in IoT. AMQP supports publish/subscribe. It is reliableand inter-operable protocol which works on TCP. It works on three message com-munication primitives such as at-most-once, at-least-once and exactly once mes-sage delivery. Communication are handled by two main components: exchangesand message queues. Exchanges are used to route the messages to appropriatequeues. Routing between exchanges and message queues are based on prior rules.The main advantage of AMQP is its store and forward feature. AMQP handlessecurity using SSL/TLS security protocol.

3.2 Network Layer protocols

Network layer is divided into routing layer and encapsulation layer. The role ofrouting layer is to transfer packets between source and destination and encap-sulation layer helps in forming these packets.

IPv6 With the growing number of devices in the IoT network and limited sizeof IPv4, the addressing scheme has been shifted to IPv6. IPv6 addresses are 128bit long fixed length address given to every device. Since in IPv4 the numberof addresses are limited, therefore NAT is used to map multiple devices withthe same IP address. Therefore, these devices can easily access internet but theycannot be accessed through internet. Ipv6 helps in solving NAT issue and is moresuitable in IoT environment. It provide multicast communication in contrast toIPv4 which only supports broadcast communication, which saves a lot of batteryusage and hence less power is consumed.

6LoWPAN 6LoWPAN is referred as IPv6 over Low power Wireless PersonalArea Network. This protocol helps in transmission of IP version 6 packets con-suming low power. The protocol aims to connect the entire system at low datarates. It supports several IPv6 operations and specifications such as mappingIPv6 addresses with the system identifiers and identifying the neighboring de-vices. Security at this layer can be imposed using IPSec [11].


RPL RPL stands for Routing Protocol for Low-power and Lossy Networks.It works on distance vectors and creates destination oriented directed acyclicgraph (DODAG). The authors [12], have briefly described how RPL is ben-eficial for IoT. RPL protocols provides three types of communication: point-to-multipoint, multipoint-to-point, point-to-point [13]. The IoT environment isdynamic so routing protocols should fulfill several requirements, such as provid-ing routing topology to the moving objects [14]. The authors [15] have discussedseveral location based routing protocol which can be used in dynamic IoT envi-ronment.

3.3 Perception Layer Protocols

This section discuss about physical and MAC layer protocol. A novel MAC layerprotocol is briefly discussed in [16] for safely broadcasting messages.

IEEE 802.15.4 IEEE 802.15.4 is a protocol for lightweight devices and personalarea network. This protocol has a fixed frame format [17]. The protocol works asthe base for many other standard technologies. This protocol provides security,encryption and authentication [18]. IEEE 802.15.4 contains two types of networknodes, Full Function Devices (FFD) and Reduced Function Devices (RFD)[19].The hardware in IEEE 802.15.4 is supported by symmetric cryptography such asAdvanced Encryption Standard (AES). This protocol supports several securitymodes at MAC layer such as AES-CTR, AES-CBC-MAC-32, AES-CCM-32 etc.There are several limitation of this protocol such as unbounded delay, limitedcommunication reliability and no protection against interference.

4 Security Goals in IoT

The security goals that should be considered in IoT environment are as follows:

– Confidentiality: Confidentiality means to prevent sensitive informationfrom being accessed by unauthorized users. There are several ways to provideconfidentiality such as data encryption, managing data access and authenti-cation of the user [20].

– Integrity: Data integrity means to maintain accuracy, consistency, trust-worthiness of information. Data should not be altered during communicationsuch as modification of data by a third party or affected due to other factorsthat are human uncontrolled including server crash [21].

– Availability: Data availability means information should be available tousers whenever required. It ensures immediate access of information to au-thorized users.

5 Security Challenges in IoT

The categorization of security threats at different levels are discussed below.


5.1 Perception Layer Challenges

Perception layer is also called sensor layer because it consists of different sensorslike RFID, 2D bar-codes and sensor networks, which acts as data acquisitiondevices [22]. The threats of perception layer are discussed below.

– Eavesdropping: In this attack, the attacker can steal information such aspasswords by continuously listening the communication channel.

– Tag Cloning: In this attack, the attacker copies the tag of legitimate node,so user cannot differentiate between real and compromised node.

– Spoofing: In this attack, the attacker broadcasts fake information to thenodes and make them believe it is coming from real source.

– RF Jamming: In this attack, the attacker attacks on wireless devices bydisrupting the network with excess noise signals.

5.2 Network Layer Challenges

The purpose of this layer is to connect smart devices, devices in network and twoor more networks to each other [22]. Network layer threats are discussed below:

– Denial of Service (DOS): In this attack, attacker prevents authentic usersfrom accessing physical objects or network resources. The attacker floodsthe network with unnecessary requests thus increasing the network trafficand exhausting the resources.

– Man-in-the-middle Attack: In this attack, attacker secretly intercepts thecommunication between sender and receiver and spoof both the ends, con-vincing them that they are communicating with each other directly. Attackergains full control over communication and can alter messages based on re-quirements.

– Sleep Deprivation Attack: Since the sensor nodes are powered with batteriestherefore they follow a routine to sleep in between to extend battery life. Soin this attack, attacker keep the sensor nodes awake and reduce the batterylifetime which causes shutdown [4].

5.3 Application Layer Challenges

This layer provide services to the user so that both parties can communicatewith each other efficiently. In this layer, the attacker mainly attacks on privacyof each user. Application layer threats are discussed below:

– Malicious Code Injection: It is a piece of code which attacker injects into thesystem to steal the information. It also causes damage to the system andcan not be controlled or blocked by the anti-virus tools.

– Spear-Phishing Attack: In this attack, attacker sends personalized messagewhich contain malicious link of malware to a particular victim.

– Sniffing Attack: In this attack, attacker forces sniffer application to interceptthe network traffic. If any data packets are transmitted without encryptionit can be easily read by attacker.

– Privacy Leak: Since most of the IoT applications are executed on the commonoperating system, there are chances that attacker might steal users data.


Authentication Server Manufacture ServerController

New Device

NFC Internet

Fig. 3. Proposed System Model.

6 Simulations and Results

There are several security requirements which should be kept in mind beforedeploying the protocol in IoT network. Some of which are data privacy, trustmanagement, authentication, identity management and access control. The au-thors [23] have proposed a method to register a new device in the IoT envi-ronment by authenticating it first with the server. In the proposed protocol,there are four entities: device, controller, authenticating server and manufactur-ing server as shown in Figure 3. Since the devices added to the IoT environmentare lightweight, it does not have much resources hence this protocol uses NFC asa channel to communicate with the controller. Controller, authenticating serverand manufacturing server communicate with each other using Internet. Since

New Device ControllerAuthentication

Server

Manufacture

Server

{ID, RNd}{TID, TS1, IDd, RNd,

H(ID || FWd) }SKcs{IDd, {H(FWd || IDd), TS2,

TID}pk(MS)}

{IKd, TS2, TID}pk(AS)

{TID,TS1,PSK}IKd}SKcs}{{{PSK}Ikd}IKd, TID }

PSK Update

Through Access Point

PSK:{XOR(RNd,

RNas)}IKd

{a}b: Encrypting a using key b

Fig. 4. Proposed Operation Model.

the device added to the IoT environment is lightweight, it does not have muchresources hence this protocol uses NFC as a channel to communicate with thecontroller. NFC is a secure communication channel which works well upto a lim-ited range. Controller, authenticating server and manufacturing server communi-cate with each other using Internet. The protocol works with some assumptions,they are:

– there is no trust relationship between device and the controller until thedevice is registered.


Table 1. Abbreviations used in the protocol.

Notations Description

IDd Identifier of device.

IKd Initial Key for device.

FWd Firmware of device.

PSK Pre shared Key between device and authentication server.

RNx Nonce of entity ’x’.

SKcs Secret key between controller and authentication server.

TID Transaction identifier of device.

TSi Timestamp.

H() Hash function.

– there is no trust relationship between authenticating and manufacturingserver until the certificate verification.

– the controller and the authenticating server trust each other from advanceand also share a secret key SKcs.

– the device and the manufacturing server have an initial key IKD.

Before any process steps begins each entity have some prior knowledge. The newdevice have knowledge about the initial key IKd, the controller have manufac-turing server port, hash function H(FWd||ID) and Ip details which is obtainedby scanning the QR code attached with the device by the manufacturing server.The controller and the authenticating server also share a secret key SKcs. Themanufacturing server have prior knowledge about the initial key IKd. The oper-ational steps of the proposed protocol are depicted in Figure 4. In this paper theproposed protocol is verified using scyther tool. To verify the protocol scythertool have several security claims or attributes. If the security claims are satisfiedthe status of each claim is displayed OK otherwise it displays fail. In Figure 5the status of each security attributes like Alive, Weakagree, Niagree and Nisynchis OK. Therefore,the proposed method is safe from all attacks like man-in-the-middle attack, replay attack and impersonation attack. Also it shows that intialkey(IKd) of new device and pre-shared key (PSK) is secure and it will not beintercepted by any attacker.

7 Conclusion

This paper has presented a brief survey of existing security challenges in IoT andthe initial results of the work. The different architecture of the IoT infrastructurelike centralized, collaborative and connected intranets are discussed in detail.The paper also discusses the security goals like confidentiality, availability andintegrity. At last, the paper presents the security issues at each layer of IoTprotocols and initial simulation results. In future, we plan to simulate differentsecurity threats at each layer of the protocols and analyse the obtained results.Also, solutions to these security threats will be presented.


Fig. 5. Verification result using Scyther Tool.

References

1. Ibrar Yaqoob, Ejaz Ahmed, Ibrahim Abaker Targio Hashem, AbdelmuttlibIbrahim Abdalla Ahmed, Abdullah Gani, Muhammad Imran, and Mohsen Guizani.Internet of things architecture: Recent advances, taxonomy, requirements, and openchallenges. IEEE wireless communications, 24(3):10–16, 2017.

2. Mahmud Hossain, SM Riazul Islam, Farman Ali, Kyung-Sup Kwak, and RagibHasan. An internet of things-based health prescription assistant and its securitysystem design. Future generation computer systems, 82:422–439, 2018.

3. Danai Chasaki and Christopher Mansour. Security challenges in the internet ofthings. International Journal of Space-Based and Situated Computing, 5(3):141–149, 2015.

4. MU Farooq Muhammad, Waseem Anjum, and Khairi Sadia Mazhar. A criticalanalysis on the security concerns of internet of things (iot). International Journalof Computer Applications (0975 8887), 111(7), 2015.

5. Arbia Riahi, Enrico Natalizio, Yacine Challal, Nathalie Mitton, and Antonio Iera.A systemic and cognitive approach for iot security. In 2014 International Con-ference on Computing, Networking and Communications (ICNC), pages 183–188.IEEE, 2014.

6. Rodrigo Roman, Jianying Zhou, and Javier Lopez. On the features and challengesof security and privacy in distributed internet of things. Computer Networks,57(10):2266–2279, 2013.

7. Makkad Asim. A survey on application layer protocols for internet of things (iot).International Journal of Advanced Research in Computer Science, 8(3), 2017.


8. Reem Abdul Rahman and Babar Shah. Security analysis of iot protocols: A focusin coap. In 2016 3rd MEC international conference on big data and smart city(ICBDSC), pages 1–7. IEEE, 2016.

9. Makkad Asim. Security in application layer protocols for iot: A focus on coap.International Journal of Advanced Research in Computer Science, 8(5), 2017.

10. Ming Zhao, Arun Kumar, Tapani Ristaniemi, and Peter Han Joo Chong. Machine-to-machine communication and research challenges: A survey. Wireless PersonalCommunications, 97(3):3569–3585, 2017.

11. Jorge Granjal, Edmundo Monteiro, and Jorge Sa Silva. Security for the internetof things: a survey of existing protocols and open research issues. IEEE Commu-nications Surveys & Tutorials, 17(3):1294–1312, 2015.

12. Oana Iova, Pietro Picco, Timofei Istomin, and Csaba Kiraly. Rpl: The routingstandard for the internet of things... or is it? IEEE Communications Magazine,54(12):16–22, 2016.

13. Ming Zhao, Arun Kumar, Peter Han Joo Chong, and Rongxing Lu. A comprehen-sive study of rpl and p2p-rpl routing protocols: Implementation, challenges andopportunities. Peer-to-Peer Networking and Applications, 10(5):1232–1256, 2017.

14. Ming Zhao, Arun Kumar, Peter Han Joo Chong, and Rongxing Lu. A reliableand energy-efficient opportunistic routing protocol for dense lossy networks. IEEEWireless Communications Letters, 6(1):26–29, 2016.

15. Arun Kumar, Hnin Yu Shwe, Kai Juan Wong, and PH Chong. Location-basedrouting protocols for wireless sensor networks: A survey. Wireless Sensor Network,9(1):25–72, 2017.

16. Minglong Zhang, GG Md Nawaz Ali, Peter Han Joo Chong, Boon-Chong Seet, andArun Kumar. A novel hybrid mac protocol for basic safety message broadcastingin vehicular networks. IEEE Transactions on Intelligent Transportation Systems,2019.

17. Tara Salman and Raj Jain. Networking protocols and standards for internet ofthings. Internet of Things and Data Analytics Handbook (2015), 7, 2015.

18. Ala Al-Fuqaha, Mohsen Guizani, Mehdi Mohammadi, Mohammed Aledhari, andMoussa Ayyash. Internet of things: A survey on enabling technologies, proto-cols, and applications. IEEE communications surveys & tutorials, 17(4):2347–2376,2015.

19. Arun Kumar, Ming Zhao, Kai-Juan Wong, Yong Liang Guan, and Peter Han JooChong. A comprehensive study of iot and wsn mac protocols: Research issues,challenges and opportunities. IEEE Access, 6:76228–76262, 2018.

20. Daniele Miorandi, Sabrina Sicari, Francesco De Pellegrini, and Imrich Chlamtac.Internet of things: Vision, applications and research challenges. Ad hoc networks,10(7):1497–1516, 2012.

21. Luigi Atzori, Antonio Iera, and Giacomo Morabito. The internet of things: Asurvey. Computer networks, 54(15):2787–2805, 2010.

22. Muhammad Burhan, Rana Rehman, Bilal Khan, and Byung-Seo Kim. Iot ele-ments, layered architectures and security issues: A comprehensive survey. Sensors,18(9):2796, 2018.

23. Namhi Kang and Jeongin Kim. Entity authentication and secure registration forlightweight devices in internet of things. International Journal of Control andAutomation, 11(5):37–48, 2018.

A Survey: Security Issues and Challenges in Internet of...

Documents

Transcript of A Survey: Security Issues and Challenges in Internet of...