Internet of Things Security: Challenges and Key Issues

Computer Sciences Department, Faculty of Sciences and Techniques, Moulay Ismail University, Errachidia, Morocco Laboratory of Spectroscopy, Molecular Modeling, Materials, Nanomaterial, Water and Environment, CERNE2D, Mohammed V University, Faculty of Science, Rabat, Morocco Department of Computer Science and Mathematics, High School of Technology, Cadi Ayyad University, Essaouira 44000, Morocco Computer Science Department, Bahria University (Islamabad Campus), Islamabad, Pakistan


Introduction
In recent years, technology sector has known a real evolution. Furthermore, it has become an indispensable tool in our everyday life. Among these recent technologies, the Internet of ings (IoT) has been improved continuously and has attracted more and more people. is growth has positively impacted many sectors, including social security, agriculture, education, water management, house security, smart grid, and so on. erefore, the number of connected devices is increasing day after day. According to Strategy Analytics, the connected objects will reach more than 38 billion by the end of 2025 and 50 billion by 2030 [1].
IoT is a new technology that allows the implementation of systems interconnecting several objects, either in the physical or virtual world [2,3]. In fact, the evolution of the Internet began with the creation of a simple computer network linking personal computers and then moved on to client-server architecture networks, World Wide Web, e-mail, file sharing, etc. Subsequently, it now reaches a wide area network interconnecting billions of intelligent objects, which were embedded in sophisticated systems. eir operation is based on sensors and actuators designed for monitoring, controlling, and interacting with the physical environment where they exist.
Despite many advantages, IoT has three main problems that are data collection, data transmission, and data security. To collect data, many sensing tools have been introduced and adapted to the IoT devices. For transferring collected data, various protocols have been developed and adapted in order to enable to the IoT devices to connect to existed networks and exchange data. However, for the last one, it does not give the attention that it merits. Consequently, many classic and recent security issues are closely related to the IoT as well as authentication, data security, authorization, etc. Indeed, a weakness in authentication can lead to numerous attacks, including replay attack, Denning-Sacco attack, denial of service attack, password guessing attack, etc.
On the other hand, the authentication of IoT devices throughout heterogonous and interconnected protocols is a great challenge. Moreover, these protocols should take into account issues related to limitation of IoT devices as well as energy consumption, small memory size, and low processing capability .
In the literature review, previous studies [34][35][36][37][38][39][40][41][42][43][44][45] have surveyed the security of IoT technology. However, our study reveals some security challenges and issues of IoT. Consequently, the focus of this review paper is to categorize the security tasks and topics that are encountered in the IoT environment. Hence, we provide here a short guidance to researchers to accomplish secure IoT services like authentication, access control, and so on. e remainder of this paper is organized as follows. In Section 2, IoT architecture is detailed. Section 3 is reserved for discussing IoT security issues. IoT security requirements are presented in Section 4. In Section 5, we compare some authentication approaches applied in IoT authentication environment. Finally, conclusions are given in Section 6.

IoT Architecture
e concept "Internet of ings" may be defined as a standard that refers to a large network connecting various sensors, actuators, and microcontrollers introduced in distinct objects. A large number of interconnected equipment such as smartphone, industrial machines, computers, vehicles, medical tools, irrigation system, TVs, or refrigerators can be part of the IoT [46]. Furthermore, IoT is a rather recent design that stands out from its antecedents, including all traditional, mobile, and sensor-based Internet networks. IoT includes a very large number of hybrid terminals. Since the majority of these devices can be connected to the Internet, they generally support common web techniques, including HTTP, JSON, XML, etc. One of the strengths of this technology is that it is well supported and can therefore be adapted to different existing infrastructures. Furthermore, some new protocols are especially considered for IoT, for example, CoAP and MQTT are alternatives to HTTP and 6LoWPAN is also an alternative of IPv4/IPv6. Due to non-standardization of IoT, there are various architectures that are different [47]. However, we focus here on two known ones that are three-and five-layer architectures. As illustrated in Figure 1, the three-layer architecture consists of three layers including perception, networking, and application layers. e role of each layer is described in the following.
(i) e perception layer is the first layer of IoT architecture. It is connected to the physical world for sensing and collecting data from their environment. is layer consists of sensors and actuators to measure some values such as temperature, pH, light, gas, and so on, and to detect some functionality such as location and motion. (ii) e network layer is the second layer; its role is to connect to various smart devices, gateways, and servers. It is responsible for transferring the captured values to other IoT network components. For these reasons, IoT uses several kinds of communication protocols and norms such as 4G/5G, Wi-Fi, ZigBee, Bluetooth, 6LoWPAN, WiMAX, and so on [48]. (iii) e application layer can offer the specific service requested by user. For instance, this application can provide doctors some health parameters of patients. is layer determines which applications can be installed, such as smart environment [49][50][51][52], smart homes [53][54][55], and water monitoring [56,57].
On the other hand, the five-layer architecture includes processing and business layers in addition to the three previous ones. As depicted in Figure 2, the five layers are perception, transport, processing, application, and business layers. e responsibilities of perception, transport, and application layers are identical to the similar layers in threelayer architecture. e roles of the addition layers are detailed as follows: (i) e processing layer is also recognized as the middleware layer. It is responsible for controlling, analyzing, processing, and storing received data. It can make decisions according to the processing data without human intervention. is layer benefits from existing solutions including cloud computing, big data, and databases. (ii) e business layer has a responsibility to manage the whole IoT systems [47]. So, its role is to control applications, business, and profit models. Furthermore, the users' privacy can be managed by this layer.

Security Issues in IoT
3.1. DOS. Denial of service (DOS) is a security attack that aims to prevent legitimate user and entity to have an authorized access to network resources. It is considered as the most popular and dominant attack. Generally, attackers can use flooding attack to exhaust system's resources including memory, CPU, and bandwidth [58][59][60][61][62][63]. us, he either prevents the system to provide service or he makes it ineffective. In this attack, pirates can use numerous skills such as sending unwanted packets or flooding network with multiple messages. erefore, legitimate users are prevented from taking advantage of services.

Replay Attack.
Replay attack is among old attacks on communication network, especially on authentication and key exchanging protocols. It allows the pirate to capture and store a fragment or the whole of captured session in a legitimate traffic [64,65]. After gaining the trust in a public network, the attacker either sends the captured message to the entity that has participated in origin session or to another different destination [66]. erefore, in IoT networks, replay attack is measured as a security weakness in which particular data are stored without any authorization before been sent back to the receiver. e goal of this attack is to trap the person in an unauthorized operation [67]. For example, in a smart home system, a temperature sensor is used to detect the temperature and then the measured values are sent to system controller. Based on these values, the system can run or stop the air conditioner to adapt the air temperature as desired by the personnel. However, if an attacker has pirated the sensor's temperature, he can save the day's values and send them at night. As result, the air conditioner will not be functioning normally.
To deal with replay attack, current solutions use three main mechanisms including timestamp, nonce, and response-challenge. e first one is the mechanism that helps to detect replay attack by checking the freshness of received message. Nonetheless, it is hard to assure time synchronization between IoT objects [68]. e second mechanism is the nonce, which is a series of random digits. However, the problem of this mechanism is that the node has no sufficient memory for keeping the list of received nonces. e last mechanism is the challenge-response. It has as objective to verify that the other party can resolve some challenges. But this technique necessitates that the two entities have a preshared secret.

Password Guessing Attack.
Due to the importance of password in authentication process and its large adoption by numerous authentication protocols, pirates have invented various attacks to get the correct one. Hence, the most used attack is password guessing. Particularly, this attack can be executed either online or offline. In this attack, an attacker eavesdrops on the communication between two entities during authentication phase to get some useful values. en, attacker must guess all probable passwords to succeed in the authentication [60,[69][70][71][72][73][74][75].

Spoofing Attack.
In the network security context, spoofing attack is a situation when an unauthorized entity produces falsified parameter [76]. e goal of this attack is to make servers believe that the attacker is an authorized entity [62]. So, the pirate gains the trust of the authority. For example, in smart health, the pirate can send fake information to authentication server. So, if he performed the authentication phase successfully, he can request victim's sensor and then get the secret health information about this victim [38,[77][78][79].

Insider Attack.
In cyber security field, insider attack occurs when a legitimate entity that has an authorized access tries to harm the system. e action of authorized entity can be either intentional or accidental [80][81][82][83][84]. In both cases, the system is considered vulnerable and we should find out the solution in the short term. According to [85], more than 57% Security and Communication Networks of confidential business data are targeted by insider attack. On the other hand, the study [86] confirms that more than 60% of existing attacks have been completed by insider.

Required Security Services for IoT
After debating various security attacks applied by attackers, this section mentions some security services.
us, the objective of this section is to discuss the security requirements for IoT devices. As illustrated in Table 1, IoT solutions must come with some basic security services including authorization, authentication, confidentiality, availability, integrity, and non-repudiation.

Confidentiality.
Generally, confidentiality can be defined as the capability and aptitude to prevent an unauthorized user to access private data. erefore, it promises and guarantees that the personal information is only consulted, edited, or removed by authorized entity [38]. Particularly, in the Internet of ings network, confidentiality is one of the significant security services. However, the confidentiality is the most attacked service [87]. For example, viruses, spywares, and Trojans are considered as malware applications that attack the confidentiality of the user's private data. ey can interact with system as executable codes or scripts with the aim to have an unauthorized access [88].
In an IoT context, for warranting and assuring the confidentiality of personal information captured by sensors and for preventing them from being discovered by the third party, the encryption algorithms and cryptographic methods can be used [89]. erefore, all transmitted data between two devices must be encrypted. As a result, nobody can understand the message except legitimate entities [90].

4.2.
Availability. An alternative required security service of IoT is the availability of resources to the legitimate entities independent of where and when they exist. Availability denotes that the resources and information must be easily reached by the legitimate user when he wants [91]. Moreover, in the IoT architecture, the sensor is available if it can communicate the sensed values in real time.
Likewise, the availability of an actuator means that it can execute user received commands immediately without any remarkable delay. e availability of some particular resources could be interrupted as consequences of usage of dissimilar data transmission channel, networks, and protocols [46]. On the other hand, for damaging the availability, attackers may use three main malicious attacks including denial of service (DOS) attack, flooding attack, or black hole attack. For the first one, it is probably practiced in the availability situation. Pirates can use the simple denial of service (DOS) attack or distributed denial of service (DDOS) attack that necessitates the collaboration between various resources. For the flooding attack, the attacker can flood the networks by unwanted messages and commands for exhausting device resources. is attack not only targets bandwidth but also decreases CPU and memory capabilities. So, the device will not be reached or the communication will be slow [92].
In order to guarantee the availability of appropriate resources, we can select distributed approach for operating the system and use numerous platforms which simplify the incorporation of various systems remotely [76].

Authentication.
Authentication service is considered the biggest challenge in the IoT network. It includes verification of identity. On the one hand, in the authentication procedure, the devices must be able to check the validity and legitimacy of remote use in a public network. On the other hand, authentication prevents unauthorized person to take part in a private secured communication [38]. Previous authentication schemes are based on single factor that is a simple password. However, these schemes have to face various issues related to the password. First of all, users can easily forget the password. Secondly, users may have weak password. Finally, attackers are able to guess the correct password, either using exhaustive research attack or dictionary attack. Accordingly, password-based authentication is not enough to promise security. In our days, authentication schemes based on smart card offer multifactor authentication [4][5][6][7][8][9]. Typically, the system requires two factors including a valid smart card and correct preshared secret. Even so, it comprises the use of biometric print.
Due to the important position of authentication mechanism in the Internet of ings security, we have reserved the two following sections for discussing various techniques used for authentication in IoT and for studying some proposed IoT authentication schemes.

Authorization.
With the growth of number of connected objects to the Internet network, authorization is becoming a critical issue in the IoT system. In fact, it refers to the security service responsible for determining user right and privileges (read, write, or delete). It identifies also the access control rules to allow or deny permissions to the IoT devices. us, the challenge is to prevent users with limited privileges to get additional ones to have an unauthorized access to devices and their data [93][94][95][96][97].

4.5.
Integrity. Integrity means that the message was not reformed by an unauthorized entity in the transmission session. So, it guarantees that the receiver has received Table 1: Security requirements for IoT basic layers.

Security services IoT layers Perception
Networking exactly what the source has sent. e main objective is to stop an unauthorized object doing illegal modification. For sustaining the safety of smart devices in IoT network, the system should guarantee data integrity. erefore, neither unauthorized objects nor user access should be granted. Besides, the cryptography and encryption mechanisms can be applied when the transmitted data are very important [37]. For instance, the authors of [98] suggested the usage of HMAC-SHA 256 algorithm for reassuring data integrity.

Non-Repudiation.
Non-repudiation is one of the security aspects, which insures that communication members have ability to send or receive information in its integrality [99]. In addition, it makes confident that the transfer of data or identifications between two IoT objects is undeniable [100]. Non-repudiation guarantees to a source node to send its data, as well as to a receiving node to confirm that the received data are matching with data's source [34].

IoT Authentication Techniques
Due to the ability of IoT to access to all users' information, the user's private life must be protected against the malicious attacks. Furthermore, the devices should not be accessed by unauthorized users. So, it is necessary to check the user's identity before getting the authorization. Hence, the verification of user's identity can be done in many ways. Nevertheless, the most frequently used is authentication system, which is based on the prior sharing secrets, keys, or passwords. Consequently, in this section, we review the techniques that are applied for reinforcing the authentication in IoT environment.

One Time Password Authentication.
One time password (OTP) which is also called dynamic password is a password that is valid for authentication in one transaction. In the literature survey, various OTP authentication protocols are proposed for securing the communication in IoT environment.
On the other hand, for reinforcing the OTP authentication, Lee and Kim [109] proposed in 2013 an insider attack-resistant OTP scheme based on bilinear maps. However, it needs complex computation. Based on this problem, Shivraj et al. [110] proposed a robust OTP scheme for IoT. e proposed protocol uses the principles of lightweight identity-based elliptic curve cryptography and Lamport's OTP algorithm.

ECC-Based Mutual Authentication.
Generally, IoT devices have a limited resources. Besides, the communication between sensors, actuators, objects, and nodes must be in real time. For these reasons, it is indispensable to propose a lightweight authentication protocol for IoT. Accordingly, Azrour et al. [71] proposed an efficient authentication scheme for IoT.
is protocol is based on elliptic curve cryptography (ECC) which is measured better than the traditional RSA encryption algorithm. Furthermore, in addition, various authentication protocol based on ECC are proposed in [111][112][113][114][115]. Elliptic curve cryptography is considered more efficient and more secure especially for systems with limited memory and processing capabilities.

ID-and Password-Based
Authentication. ID-based authentication is an approach for distinguishing authorized entities from illegal ones. According to ID, the user is either allowed or denied to access the resource. User ID refers to all attributes that can characterize one user form another, for instance, username, e-mail, phone number, IP address, etc. In IoT environment, numerous protocols are proposed [74,[116][117][118] based on this technique. However, this method is generally adopted in the server/client authentication architecture. In view of that, a server is required in IoT environment for storing user's ID and secret in server's database.
On the other hand, the usage of ID-based authentication approach has some issues that are detailed in following lines. Firstly, how user's data are stored in server? Is the server capable to protect them against stolen verifier attack and insider attack? Secondly, users may forget their authentication parameters. erefore, they cannot perform the next authentication. In this case, it is not suitable to save personal ID in an electronic device (laptop, tablet, and smartphone), even if it is not connected to public network. irdly, the transmission of user ID in public network is another challenge. In this situation, the hash functions or cryptography algorithm are recommended.

Certificate-Based Authentication.
For addressing problems of ID-and password-based authentication, an alternative approach was proposed [119]. is technique is called certificate-based authentication. Certificate-based authentication has been commonly adopted by multiple applications. For example, in order to verify user's identity in banking application, Hiltgen et al. [120] proposed a new certificate-based authentication scheme. is approach has been also used in IoT environment [120][121][122][123][124]. Although certificate-based authentication provides more security, device certificate processing and used algorithms necessitate a high processing resource, which is not always available in IoT devices. As a result, this approach is not suitable for IoT objects [125].

Blockchain.
Blockchain is a particular sort of database. It is different from a traditional database because of the specific way in which it stores data. Blockchains save data in a series of blocks that are then linked to each other. In recent years, different authors have taken advantage of this recent technology to propose authentication protocol for IoT [22, 31-33, 126, 127]. e sustainability and verification of the data stored in the blockchain provide Security and Communication Networks the confidence to use accurately recorded data in the future and at the same time provide transparency, anonymity, and traceability.
Multiple and different authentication methods are used in the IoT environment. As demonstrated in Table 2, the majority of proposed IoT authentication protocols are based on encryption cryptography. In this situation, two types of cryptography are used. e first type is asymmetric encryption algorithm such as ECC, while the second one is symmetric encryption algorithm like AES. Furthermore, the hash functions are utilized in some authentication for hashing essential parameters. Finally, the random numbers are also adopted in certain protocol as they can be used to ensure the freshness of messages.
On the other hand, the advantages and limitations of some selected IoT authentication protocols are depicted in Table 3. As we can notice, the protocol is considered effective only if it is lightweight as well as fulfils all security requirements. To sum up, we can conclude that the running time and processing time are important due to the limitation capability of IoT devices.

Conclusions
Internet of ings has a significant role in the rapid development that recent technology has known recently. ese technologies have made the exchange of data easier. However, the security of user's data should not be ignored. Accordingly, the study performed in this paper is mainly focused on the security of IoT technology. Hence, as we have mentioned before, IoT suffers from several attacks, namely, DOS, password guessing, replay, and insider attacks. Authentication is the first security services that IoT has to satisfy, so we have detailed the authentication approaches adopted for IoT. e most techniques used for rienforcing the authentication are one time password, ECC-based mutual authetication, ID-based authentication, certificatebased authentication, and blockchain. After comparing recent authentication protocols, we have concluded that the majority of them is based on encryption cryptography.
Finally, in our future work, we will try to enhance the security of IoT environment by proposing secure and efficient IoT authentication schemes.

Protocol
Advantages Limitations [113] Is lightweight Uses only hash function [114] Can detect man-in-the-middle attacks Uses certificates that need an important space in memory [90] Can be implemented in real-time IoT networks Vulnerable Based on two-factor authentication [89] Can deal against insider attack based on bilinear maps Needs complex computation [84] Surpasses HOTP Is heavyweight Not efficient for IoT devices [115] Offers mutual authentication Vulnerable against some attacks [116] Guarantees authentication and session key exchange Does not cover all IoT service requirements [74] Can be used with cloud servers Cannot resist all attacks [117] Very lightweight Based only on one hash function [118] Lightweight mutual authentication Operates only in CoAP-based IoT environment [119] Can be used for authentication protocol for IoT-based RFID systems e running time of protocol is not very fast 6 Security and Communication Networks