IoT security: Review, blockchain solutions, and open challenges
Introduction
With the rapid growth of smart devices and high speed networks, the Internet of Things (IoT) has gained wide acceptance and popularity as the main standard for low-power lossy networks (LLNs) having constrained resources. It represents a network where “things” or embedded devices having sensors are interconnected through a private or a public network [[1], [2]]. The devices in IoT can be controlled remotely to perform the desired functionality. The information sharing among the devices then takes place through the network which employs the standard protocols of communication. The smart connected devices or “things” range from simple wearable accessories to large machines, each containing sensor chips. For instance, the Lenovo smart shoes contain chips which provide support of tracking and analyzing fitness data [3]. Similarly, the electrical appliances including washing machines, and refrigerators can be controlled remotely through IoT. The security cameras installed for surveillance of a location can be monitored remotely anywhere in the world.
Apart from the personal use, IoT serves the community needs as well. Various smart devices which perform diverse functionalities such as monitoring surgery in hospitals, detecting weather conditions, providing tracking and connectivity in automobiles, and identification of animals using biochips are already serving the community specific needs [4]. The data collected through these devices may be processed in real-time to improve efficiency of the entire system.
The future significance of IoT is evident due to its application in everyday life. It continues to grow rapidly due to evolution of hardware techniques such as improving bandwidth by incorporating cognitive radio based networks to address underutilization of frequency spectrum [[5], [6]]. In the literature, the Wireless Sensor Networks (WSNs) and Machine-to-Machine (M2M) or Cyber-Physical Systems (CPS) have now evolved as integral components for the broader term IoT. Consequently, the security problems related to WSN, M2M, or CPS continue to arise in the context of IoT with the IP protocol being the main standard for connectivity. The entire deployment architecture therefore needs to be secured from attacks which may hinder the services provided by IoT as well as may pose threat to privacy, integrity or confidentiality of data. Since the IoT paradigm represents a collection of interconnected networks, and heterogeneous devices, it inherits the conventional security issues related to the computer networks. The constrained resources pose further challenges to IoT security since the small devices or things containing sensors have limited power and memory. Consequently, the security solutions need to be adapted to the constrained architectures.
There has been a tremendous effort in recent years to cope with security issues in the IoT paradigm. Some of these approaches target security issues at a specific layer, whereas other approaches aim at providing end-to-end security for IoT. A recent survey by Alaba et al. [7] categorizes security issues in terms of application, architecture, communication, and data. This proposed taxonomy for IoT security is different from the conventional layered architecture. The threats on IoT are then discussed for hardware, network, and application components. Similarly, another survey by Granjal et al. [8] discusses and analyzes security issues for the protocols defined for IoT. The security analyses presented in [[9], [10], [11]] discuss and compare different key management systems and cryptographic algorithms. Similarly, the authors in [[12], [13], [14]] target a comparative evaluation of intrusion detection systems. An analysis of security issues for fog computing is presented in [[15], [16]]. A survey by Sicari et al. [17] discusses contributions providing confidentiality, security, access control and privacy for IoT along with the security for middleware. The authors discuss trust management, authentication, privacy issues, data security, network security, and intrusion detection systems. For edge computing based paradigms including mobile cloud computing, mobile edge computing and fog computing, the identity and authentication, access control systems, network security, trust management, fault tolerance and implementation of forensics are surveyed in [18].
A survey of privacy preserving mechanisms for IoT is given in [19]. The author describes the secure multi-party computations to be enforced for preserving privacy of IoT users. The mechanisms of credit checking and attribute based access control are described to be effective solutions for privacy preserving in IoT. Zhou et al. [20] discuss different security threats and their possible countermeasures for cloud-based IoT. The authors describe identity and location privacy, node compromising, layer removing or adding, and key management threats for IoT using clouds. Another survey by Zhang et al. [21] discusses major IoT security issues in terms of unique identification of objects, authentication and authorization, privacy, the need for lightweight cryptographic procedures, malware, and software vulnerabilities. The IoT-A project [22] describes a reference architecture for IoT whose compliance requires implementation for trust, privacy, and security. The trust model is expected to provide data integrity and confidentiality while making end-to-end communication possible through an authentication mechanism. Moreover, to avoid improper usage of data, the privacy model requires defining access policies and mechanisms for encrypting and decrypting data. The security aspect incorporates three layers corresponding to the services, communication, and application. Similarly, the Open Web Application Security Project (OWASP) [23] describes the top 10 vulnerabilities for the IoT architecture. These vulnerabilities include insecure interfaces of entities of the IoT architecture, inappropriate security configuration, physical security and insecure software/firmware.
In sharp contrast to the survey articles found in the literature, our main contributions in this article can be summarized as follows:
- A parametric analysis of security threats and their mapping to possible solutions for IoT.
- Taxonomy and categorization of IoT security issues with respect to its layers, and the countermeasures used to address these issues.
- Discussion of basic characteristics of the blockchain based security solutions and analysis of their effectiveness for securing IoT.
- Future directions highlighting possible solutions for open IoT security problems.
The rest of the paper is organized as follows. Section 2 delineates the IoT architecture and the security challenges being faced at each layer of the protocol stack deployed by IoT. Section 3 categorizes the main security issues, whereas, Section 4 analyzes and describes a mapping of the solutions proposed. Various solutions related to blockchain security are discussed and analyzed in Section 5. In Section 6, we discuss the research challenges posing main hindrance to IoT security and their possible solutions before concluding the paper in Section 7.
Section snippets
IoT architecture and security challenges
A typical IoT deployment contains heterogeneous devices with embedded sensors interconnected through a network, as shown in Fig. 1. The devices in IoT are uniquely identifiable and are mostly characterized by low power, small memory and limited processing capability. The gateways are deployed to connect IoT devices to the outside world for remote provision of data and services to IoT users.
Categorization of security issues
As the IoT paradigm encompasses a wide variety of devices and equipment ranging from small embedded processing chips to large high-end servers, it needs to address security issues at different levels.
A taxonomy of security issues for IoT is given in Fig. 3 along with publication references related to each issue. We categorize the security threats with regard to the IoT deployment architecture as described below.
- Low-level security issues
- Intermediate-level security issues
Security solutions for IoT
The security threats in IoT exploit vulnerabilities of various components such as applications/interfaces, network components, software, firmware, and physical devices, existing at different levels. The users in an IoT paradigm interact with these components through protocols which may also be dismantled of their security measures. The countermeasures for security threats address vulnerabilities of this interaction at different layers to attain a specific security level. The diverse protocols
Blockchain solutions for IoT security
Blockchain technology has been foreseen by industry and the research community as a disruptive technology that is poised to play a major role in managing, controlling, and most importantly securing IoT devices. This section describes how blockchain can be a key enabling technology for providing viable security solutions to today's challenging IoT security problems. The section first gives a brief background about blockchain, and then outlines open research IoT security problems and challenges which
Open challenges and future research directions
This section discusses the challenges being envisaged for effective implementation of security for IoT devices.
Conclusion
Today's IoT devices are insecure and incapable of defending themselves. This is mainly due to the constrained resources in IoT devices, immature standards, and the absence of secure hardware and software design, development, and deployment. The efforts of defining a robust global mechanism for securing the IoT layers are also being hampered due to diversity of resources in IoT. In this paper, we survey and review main IoT security issues. We categorize these issues depending upon the high-level,
Minhaj Ahmad Khan completed his M.S. and Ph.D. degrees in Computer Science from University of Versailles, France. He also holds a post-doc from University of Bordeaux-I, France. He is currently working as Associate Professor at Bahauddin Zakariya University, Multan. His research interests include Computer Networks and High Performance Computing. He has several publications in prestigious journals and conferences on these topics.
References (136)
- et al. The internet of things: A survey. Comput. Netw. (2010)
- et al. White space: Definitional perspectives and their role in exploiting spectrum opportunities. Telecommun. Policy (2016)
- et al. Internet of things security: A survey. J. Netw. Comput. Appl. (2017)
- et al. Key management systems for sensor networks in the context of the internet of things. Comput. Electr. Eng. (2011)
- et al. Review: a survey of intrusion detection in wireless network applications. Comput. Commun. (2014)
- et al. Fog computing: Issues and challenges in security and forensics
- et al. Security, privacy and trust in internet of things: The road ahead. Comput. Netw. (2015)
- et al. Efficient naming, addressing and profile services in Internet-of-Things sensory environments. Ad Hoc Netw. (2014)
- et al. DTLS based security and two-way authentication for the Internet of Things. Ad Hoc Netw. (2013)
- et al. The Internet of Things: 20th Tyrrhenian Workshop on Digital Communications (2014)
- Cognitive-radio-based internet of things: Applications, architectures, spectrum related functionalities, and future research directions. IEEE Wirel. Commun.
- Security for the internet of things: A Survey of existing protocols and open research issues. IEEE Commun. Surv. Tutor.
- Why is IPSec a viable option for wireless sensor networks
- Enforcing security mechanisms in the IP-based internet of things: An algorithmic overview. Algorithms
- A survey of intrusion detection systems in wireless sensor networks. IEEE Commun. Surv. Tutor.
- On the vital areas of intrusion detection systems in wireless sensor networks. IEEE Commun. Surv. Tutor.
- Mobile edge computing, Fog et al.: A survey and analysis of security threats and challenges. Future Gener. Comput. Syst.
- Internet of things and privacy preserving technologies
- Security and privacy for cloud-based IoT: Challenges. IEEE Commun. Mag.
- IoT security: Ongoing challenges and research opportunities
- The feasibility of launching and detecting jamming attacks in wireless networks
- Low-power DoS attacks in data wireless LANs and countermeasures. SIGMOBILE Mob. Comput. Commun. Rev.
- Enhanced secrecy in stochastic wireless networks: Artificial noise with secrecy protected zone. Trans. Info. for. Sec.
- Enhancing physical-layer secrecy in multiantenna wireless systems: An overview of signal processing approaches. IEEE Signal Process. Mag.
- Channel-Based detection of sybil attacks in wireless networks. IEEE Trans. Inf. Forensics Secur.
- A survey of recent intrusion detection systems for wireless sensor network
- Protection against packet fragmentation attacks at 6LoWPAN adaptation layer
- 6LoWPAN Fragmentation attacks and mitigation mechanisms
- Security analysis survey and framework design for IP connected LoWPANs
- VeRA - version number and rank authentication in RPL
- Evaluating sinkhole defense techniques in RPL networks
- Mitigation of black hole attacks in Routing Protocol for Low Power and Lossy Networks. Secur. Commun. Netw.
- Visualisation of wormholes in underwater sensor networks: A distributed approach. Int. J. Secur. Netw.
- Design of sinkhole node detection mechanism for hierarchical wireless sensor networks. Sec. Commun. Netw.
- Sybil attacks and their defenses in the internet of things. IEEE Internet Things J.
- Network-layer security for the Internet of Things using TinyOS and BLIP. Int. J. Commun. Syst.
Cited by (1839)
- A novel IoT trust model leveraging fully distributed behavioral fingerprinting and secure delegation. 2024, Pervasive and Mobile Computing
- Exploring Blockchain-driven security in SDN-based IoT networks. 2024, Journal of Network and Computer Applications
- Experts and intelligent systems for smart homes’ Transformation to Sustainable Smart Cities: A comprehensive review. 2024, Expert Systems with Applications
- MSLShard: An efficient sharding-based trust management framework for blockchain-empowered IoT access control. 2024, Journal of Parallel and Distributed Computing
- Feature extraction for machine learning-based intrusion detection in IoT networks. 2024, Digital Communications and Networks
- An anonymous authentication and secure data transmission scheme for the Internet of Things based on blockchain. 2024, Frontiers of Computer Science
Prof. Khaled Salah is a full professor at the Department of Electrical and Computer Engineering, Khalifa University, UAE. He received the B.S. degree in Computer Engineering with a minor in Computer Science from Iowa State University, USA, in 1990, the M.S. degree in Computer Systems Engineering from Illinois Institute of Technology, USA, in 1994, and the Ph.D. degree in Computer Science from the same institution in 2000. Khaled has over 145 publications and 3 patents. He has been the recipient of several prestigious awards for his outstanding research. He is a senior member of IEEE, and serves on the Editorial Boards of many WOS-listed journals including IET Communications, IET Networks, Elsevier’s JNCA, Wiley’s SCN, Wiley’s IJNM, J.UCS, and AJSE.