IoT security: Review, blockchain solutions, and open challenges

https://doi.org/10.1016/j.future.2017.11.022Get rights and content

Highlights

  • IoT is a promising disruptive technology with incredible growth, impact and potential.

  • A review of emerging topics related to Internet of Things (IoT) security and Blockchain is presented.

  • A mapping of the major security issues for IoT to possible solutions is tabulated.

  • Blockchain technology and its robust solutions for challenging and critical IoT security problems are reviewed.

  • A parametric analysis of the state-of-the-art IoT security issues and solutions is described.

Abstract

With the advent of smart homes, smart cities, and smart everything, the Internet of Things (IoT) has emerged as an area of incredible impact, potential, and growth, with Cisco Inc. predicting to have 50 billion connected devices by 2020. However, most of these IoT devices are easy to hack and compromise. Typically, these IoT devices are limited in compute, storage, and network capacity, and therefore they are more vulnerable to attacks than other endpoint devices such as smartphones, tablets, or computers.

In this paper, we present and survey major security issues for IoT. We review and categorize popular security issues with regard to the IoT layered architecture, in addition to protocols used for networking, communication, and management. We outline security requirements for IoT along with the existing attacks, threats, and state-of-the-art solutions. Furthermore, we tabulate and map IoT security problems against existing solutions found in the literature. More importantly, we discuss, how blockchain, which is the underlying technology for bitcoin, can be a key enabler to solve many IoT security problems. The paper also identifies open research problems and challenges for IoT security.

Introduction

With the rapid growth of smart devices and high speed networks, the Internet of Things (IoT) has gained wide acceptance and popularity as the main standard for low-power lossy networks (LLNs) having constrained resources. It represents a network where “things” or embedded devices having sensors are interconnected through a private or a public network [[1], [2]]. The devices in IoT can be controlled remotely to perform the desired functionality. The information sharing among the devices then takes place through the network which employs the standard protocols of communication. The smart connected devices or “things” range from simple wearable accessories to large machines, each containing sensor chips. For instance, the Lenovo smart shoes contain chips which provide support of tracking and analyzing fitness data [3]. Similarly, the electrical appliances including washing machines, and refrigerators can be controlled remotely through IoT. The security cameras installed for surveillance of a location can be monitored remotely anywhere in the world.

Apart from the personal use, IoT serves the community needs as well. Various smart devices which perform diverse functionalities such as monitoring surgery in hospitals, detecting weather conditions, providing tracking and connectivity in automobiles, and identification of animals using biochips are already serving the community specific needs [4]. The data collected through these devices may be processed in real-time to improve efficiency of the entire system.

The future significance of IoT is evident due to its application in everyday life. It continues to grow rapidly due to evolution of hardware techniques such as improving bandwidth by incorporating cognitive radio based networks to address underutilization of frequency spectrum [[5], [6]]. In the literature, the Wireless Sensor Networks (WSNs) and Machine-to-Machine (M2M) or Cyber-Physical Systems (CPS) have now evolved as integral components for the broader term IoT. Consequently, the security problems related to WSN, M2M, or CPS continue to arise in the context of IoT with the IP protocol being the main standard for connectivity. The entire deployment architecture therefore needs to be secured from attacks which may hinder the services provided by IoT as well as may pose threat to privacy, integrity or confidentiality of data. Since the IoT paradigm represents a collection of interconnected networks, and heterogeneous devices, it inherits the conventional security issues related to the computer networks. The constrained resources pose further challenges to IoT security since the small devices or things containing sensors have limited power and memory. Consequently, the security solutions need to be adapted to the constrained architectures.

There has been a tremendous effort in recent years to cope with security issues in the IoT paradigm. Some of these approaches target security issues at a specific layer, whereas, other approaches aim at providing end-to-end security for IoT. A recent survey by Alaba et al. [7] categorizes security issues in terms of application, architecture, communication, and data. This proposed taxonomy for IoT security is different from the conventional layered architecture. The threats on IoT are then discussed for hardware, network, and application components. Similarly, another survey by Granjal et al. [8] discusses and analyzes security issues for the protocols defined for IoT. The security analyses presented in [[9], [10], [11]]discuss and compare different key management systems and cyrptographic algorithms. Similarly, the authors in [[12], [13], [14]] target a comparative evaluation of intrusion detection systems. An analysis of security issues for fog computing is presented in [[15], [16]]. A survey by Sicari et al. [17] discusses contributions providing confidentiality, security, access control and privacy for IoT along with the security for middleware. The authors discuss trust management, authentication, privacy issues, data security, network security, and intrusion detection systems. For edge computing based paradigms including mobile cloud computing, mobile edge computing and fog computing, the identity and authentication, access control systems, network security, trust management, fault tolerance and implementation of forensics are surveyed in [18].

A survey of privacy preserving mechanisms for IoT is given in [19]. The author describes the secure multi-party computations to be enforced for preserving privacy of IoT users. The mechanisms of credit checking and attribute based access control are described to be effective solutions for privacy preserving in IoT. Zhou et al. [20] discuss different security threats and their possible countermeasures for cloud-based IoT. The authors describe identity and location privacy, node compromising, layer removing or adding, and key management threats for IoT using clouds. Another survey by Zhang et al. [21] discusses major IoT security issues in terms of unique identification of objects, authentication and authorization, privacy, the need for lightweight cryptographic procedures, malware, and software vulnerabilities. The IOT-a project [22] describes a reference architecture for IoT whose compliance requires implementation for trust, privacy, and security. The trust model is expected to provide data integrity and confidentiality while making end-to-end communication possible through an authentication mechanism. Moreover, to avoid improper usage of data, the privacy model requires defining access policies and mechanisms for encrypting and decrypting data. The security aspect incorporates three layers corresponding to the services, communication, and application. Similarly, the Open Web Application Security Project (OWASP) [23] describes top 10 vulnerabilities for the IoT architecture. These vulnerabilities include insecure interfaces of entities of the IoT architecture, inappropriate security configuration, physical security and insecure software/firmware.

In sharp contrast to the survey articles found in the literature, our main contributions in this article can be summarized as follows:

  • A parametric analysis of security threats and their mapping to possible solutions for IoT.

  • Taxonomy and categorization of IoT security issues with respect to its layers, and the countermeasures used to address these issues.

  • Discussion of basic characteristics of the blockchain based security solutions and analysis of their effectiveness for securing IoT.

  • Future directions highlighting possible solutions for open IoT security problems.

The rest of the paper is organized as follows. Section 2 delineates the IoT architecture and the security challenges being faced at each layer of the protocol stack deployed by IoT. Section 3 categorizes the main security issues, whereas, Section 4 analyzes and describes a mapping of the solutions proposed. Various solutions related to blockchain security are discussed and analyzed in Section 5. In Section 6, we discuss the research challenges posing main hindrance to IoT security and their possible solutions before concluding the paper in Section 7.

Section snippets

IoT architecture and security challenges

A typical IoT deployment contains heterogeneous devices with embedded sensors interconnected through a network, as shown in Fig. 1. The devices in IoT are uniquely identifiable and are mostly characterized by low power, small memory and limited processing capability. The gateways are deployed to connect IoT devices to the outside world for remote provision of data and services to IoT users.

Categorization of security issues

As the IoT paradigm encompasses a wide variety of devices and equipment ranging from small embedded processing chips to large high-end servers, it needs to address security issues at different levels.

A taxonomy of security issues for IoT is given in Fig. 3 along with publication references related to each issue. We categorize the security threats with regard to the IoT deployment architecture as described below.

  • Low-level security issues

  • Intermediate-level security issues

Security solutions for IoT

The security threats in IoT exploit vulnerabilities of various components such as applications/interfaces, network components, software, firmware, and physical devices, existing at different levels. The users in an IoT paradigm interact with these components through protocols which may also be dismantled of their security measures. The countermeasures for security threats address vulnerabilities of this interaction at different layers to attain a specific security level. The diverse protocols

Blockchain solutions for IoT security

Blockchain technology has been foreseen by industry and research community as a disruptive technology that is poised to play a major role in managing, controlling, and most importantly securing IoT devices. This section describes how blockchain can be a key enabling technology for providing viable security solutions to todays challenging IoT security problems. The section first gives a brief background about blockchain, and then outlines open research IoT security problems and challenges which

Open challenges and future research directions

This section discusses the challenges being envisaged for effective implementation of security for IoT devices.

Conclusion

Todays IoT devices are insecure and incapable of defending themselves. This is due to mainly the constrained resources in IoT devices, immature standards, and the absence of secure hardware and software design, development, and deployment. The efforts of defining a robust global mechanism for securing the IoT layers are also being hampered due to diversity of resources in IoT. In this paper, we survey and review main IoT security issues. We categorize these issues depending upon the high-level,

Minhaj Ahmad Khan completed his M.S. and Ph.D. degrees in Computer Science from University of Versailles, France. He also holds a post-doc from University of Bordeaux-I, France. He is currently working as Associate Professor at Bahauddin Zakariya University, Multan. His research interests include Computer Networks and High Performance Computing. He has several publications in prestigious journals and conferences on these topics.

References (136)

  • B. Heater, Lenovo shows off a pair of intel-powered smart shoes, 2016. URL...
  • M. Rouse, I. Wigmore, Internet of things, 2016. URL...
  • KhanA.A. et al.

    Cognitive-radio-based internet of things: Applications, architectures, spectrum related functionalities, and future research directions

    IEEE Wirel. Commun.

    (2017)
  • GranjalJ. et al.

    Security for the internet of things: A Survey of existing protocols and open research issues

    IEEE Commun. Surv. Tutor.

    (2015)
  • GranjalJ. et al.

    Why is IPSec a viable option for wireless sensor networks

  • CiraniS. et al.

    Enforcing security mechanisms in the IP-based internet of things: An algorithmic overview

    Algorithms

    (2013)
  • ButunI. et al.

    A survey of intrusion detection systems in wireless sensor networks

    IEEE Commun. Surv. Tutor.

    (2014)
  • AbduvaliyevA. et al.

    On the vital areas of intrusion detection systems in wireless sensor networks

    IEEE Commun. Surv. Tutor.

    (2013)
  • S. Yi, Z. Qin, Q. Li, Security and privacy issues of fog computing: A survey, in: Wireless Algorithms, Systems, and...
  • RomanR. et al.

    Mobile edge computing, Fog et al.: A survey and analysis of security threats and challenges

    Future Gener. Comput. Syst.

    (2016)
  • OleshchukV.

    Internet of things and privacy preserving technologies

  • ZhouJ. et al.

    Security and privacy for cloud-based IoT: Challenges

    IEEE Commun. Mag.

    (2017)
  • ZhangZ.K. et al.

    IoT security: Ongoing challenges and research opportunities

  • IoT-A, Internet of Things–Architecture IoT-A Deliverable D1.5 –Final architectural reference model for the IoT v3.0,...
  • OWASP, Top IoT Vulnerabilities, 2016. URL...
  • IEEE, IeEEE Standard for Local and metropolitan networks–Part 15.4: Low-Rate Wireless Personal Area Networks...
  • T. Winter, P. Thubert, A. Brandt, J.W. Hui, R. Kelsey, Rfc 6550 - rpl: ipv6 routing protocol for low-power and lossy...
  • J. Postel, User datagram protocol, 1980. URL...
  • J.W. Hui, P. Thubert, Compression format for IPv6 datagrams over IEEE 802.15.4-based networks, 2011. URL...
  • A. Conta, S. Deering, M. Gupta, Internet control message protocol (ICMPv6) for the internet protocol version 6 (IPv6)...
  • Z. Shelby, K. Hartke, C. Bormann, The constrained application protocol (CoAP), 2014. URL...
  • XuW. et al.

    The feasibility of launching and detecting jamming attacks in wireless networks

  • NoubirG. et al.

    Low-power DoS attacks in data wireless LANs and countermeasures

    SIGMOBILE Mob. Comput. Commun. Rev.

    (2003)
  • ChaeS.H. et al.

    Enhanced secrecy in stochastic wireless networks: Artificial noise with secrecy protected zone

    Trans. Info. for. Sec.

    (2014)
  • HongY.-W.P. et al.

    Enhancing physical-layer secrecy in multiantenna wireless systems: An overview of signal processing approaches

    IEEE Signal Process. Mag.

    (2013)
  • XiaoL. et al.

    Channel-Based detection of sybil attacks in wireless networks

    IEEE Transa. Inf. Forensics Secur.

    (2009)
  • Y. Chen, W. Trappe, R.P. Martin, Detecting and localizing wireless spoofing attacks, in: 2007 4th Annual IEEE...
  • BhattasaliT. et al.

    A survey of recent intrusion detection systems for wireless sensor network

  • KimH.

    Protection against packet fragmentation attacks at 6LoWPAN adaptation layer

  • HummenR. et al.

    6LoWPAN Fragmentation attacks and mitigation mechanisms

  • RiazR. et al.

    Security analysis survey and framework design for IP connected LoWPANs

  • DvirA. et al.

    VeRA - version number and rank authentication in RPL

  • WeeklyK. et al.

    Evaluating sinkhole defense techniques in RPL networks

  • AhmedF. et al.

    Mitigation of black hole attacks in Routing Protocol for Low Power and Lossy Networks

    Secur. Commun. Netw.

    (2016)
  • A.A. Pirzada, C. McDonald, Circumventing sinkholes and wormholes in wireless sensor networks, in: International...
  • WangW. et al.

    Visualisation of wormholes in underwater sensor networks: A distributed approach

    Int. J. Secur. Netw.

    (2008)
  • WazidM. et al.

    Design of sinkhole node detection mechanism for hierarchical wireless sensor networks

    Sec. Commun. Netw.

    (2016)
  • ZhangK. et al.

    Sybil attacks and their defenses in the internet of things

    IEEE Internet Things J.

    (2014)
  • G. Wang, M. Mohanlal, C. Wilson, X. Wang, M. Metzger, H. Zheng, B.Y. Zhao, Social turing tests: Crowdsourcing sybil...
  • GranjalJ. et al.

    Network-layer security for the Internet of Things using TinyOS and BLIP

    Int. J. Commun. Syst.

    (2014)
  • Cited by (1839)

    • Exploring Blockchain-driven security in SDN-based IoT networks

      2024, Journal of Network and Computer Applications
    View all citing articles on Scopus

    Minhaj Ahmad Khan completed his M.S. and Ph.D. degrees in Computer Science from University of Versailles, France. He also holds a post-doc from University of Bordeaux-I, France. He is currently working as Associate Professor at Bahauddin Zakariya University, Multan. His research interests include Computer Networks and High Performance Computing. He has several publications in prestigious journals and conferences on these topics.

    Prof. Khaled Salah is a full professor at the Department of Electrical and Computer Engineering, Khalifa University, UAE. He received the B.S. degree in Computer Engineering with a minor in Computer Science from Iowa State University, USA, in 1990, the M.S. degree in Computer Systems Engineering from Illinois Institute of Technology, USA, in 1994, and the Ph.D. degree in Computer Science from the same institution in 2000. Khaled has over 145 publications and 3 patents. He has been the recipient of several prestigious awards for his outstanding research. He is a senior member of IEEE, and serves on the Editorial Boards of many WOS-listed journals including IET Communications, IET Networks, Elsevier’s JNCA, Wiley’s SCN, Wiley’s IJNM, J.UCS, and AJSE.

    View full text