
Dazine 2018

This document discusses Internet of Things (IoT) security. It begins with an introduction to IoT and outlines some of the security challenges posed by IoT devices, including their large numbers, limited resources, and heterogeneity. The document then presents a four-layer architectural framework for IoT - the perception, network, middleware, and application layers. It describes each layer and its functions. Next, the document discusses IoT security requirements like confidentiality, integrity, availability, and others. It analyzes security issues that can occur within each layer of the IoT architecture, such as unauthorized access, eavesdropping, and denial of service attacks. Finally, the document outlines some solutions and countermeasures

Uploaded by

Teddy Iswahyudi

Internet of things security

Jihad DAZINE, Abderrahim MAIZATE*, Larbi HASSOUNI#


RITM-ESTC / CED-ENSEM, University Hassan II
Km 7, Eljadida Street, B.P. 8012 Oasis,
Casablanca, Morocco
jihadazine@gmail.com, *maizate@hotmail.com, #lhassouni@hotmail.com

Abstract: IoT devices are emerging technologies used to interconnect devices and people to the Internet. IoT security issues can have very bad consequences, which makes IoT devices an attractive target for hackers. Indeed, compromising IoT security may cause personal injury, prolonged downtime or damage to capital goods. However, satisfying the security needs of these heterogeneous devices is becoming more challenging. Moreover, IoT devices often have limited resources, which requires the use of adapted security solutions.

This paper aims to discuss IoT security methodologies and solutions. Furthermore, we analyze the architectural design of secure IoT, and we present IoT security requirements. Finally, we discuss IoT threats, vulnerabilities, attacks, countermeasures and solutions.

Keywords: iot, security, architecture, threats

I. INTRODUCTION

The Internet of Things (IoT) refers to an area where everyday objects, places and environments are interconnected with one another via the Internet [14]. They can be used in many areas including logistics [2], smart health [3], smart connected vehicles (2-2014Greengard), smart grid [4], energy, smart home or smart city [1]. It aims to make our life easier by performing daily tasks.

IoT security becomes more challenging because of the characteristics of IoT devices, which include extremely large scale, low cost design, resource constraints, device heterogeneity, preference of functions over security, higher privacy requirements, and harder trust management [8]. Indeed, small size restrictions and insubstantial processing capabilities of many interconnected devices could impede encryption and other powerful security measures [12].

IoT security issues may have very bad consequences. For example, in 2010, global digital attacks were used as a weapon: Iranian installations were infiltrated by a virus called "Stuxnet", which destroyed the military equipment [22].

This study proposes an architectural design of IoT devices. It presents an overview of the challenges present in IoT security levels. To address the security challenges in IoT, we will analyze IoT security problems based on a four-layer architecture. The contributions of the paper include an analysis of IoT security design, and the identification of open issues in IoT security based on its architecture. The remainder of this paper is structured as follows: in Section 2 we present the IoT layered architecture. Section 3 describes IoT security requirements and presents the main security issues and challenges associated with each layer of IoT. Section 4 provides solutions and countermeasures to address security issues. Finally, Section 5 concludes our study.

II. ARCHITECTURAL DESIGN OF IOT

In IoT, each layer is defined by its functions. There are different opinions regarding the number of layers in IoT. T. Ara [25] discusses the various architectures of IoT from the RFC perspective and the layered approach, and presents several architectures which can be composed of four layers, five layers or six layers. Other research shows the structure of an IoT system as a three-layer architecture [20] [22]. However, according to many studies [12] [5] [19] [27] [22], the IoT architecture can be summarized in 4 layers.

Fig. 1 shows the basic four-layer architectural framework of IoT.

[Figure: stacked layers, top to bottom: Application layer, Middleware layer, Network layer, Perception layer]
Fig. 1. IOT architectural layers

A. Perception layer

The Perceptual layer is the most basic layer, also known as the recognition layer. It collects information and identifies the physical world through various types of information sensors like RFID, Barcodes, Wi- [7]

978-1-5386-4315-0/18/$31.00 ©2018 IEEE

B. Network layer

The network layer is the infrastructure that supports wireless or wired connections among things [5]. It permits the transmission, initial processing and classification of information through existing correspondence systems [12].

C. Middleware layer

The middleware layer contains firmware, operating system code, system applications and programming frameworks [12]. It aims to provide management services required by users or applications. This layer can also be named the computation layer, which describes the means of receiving data, processing data, making decisions and delivering the decisions to the application layer [23].

D. Application layer

The application layer provides tactical understanding by using information collected and transmitted from lower layers [23] in order to provide and present various services to the end user [24].

III. IOT SECURITY ISSUES

The security goals of Confidentiality, Integrity and Availability (CIA) also apply to IoT. However, due to IoT restrictions and limitations in terms of the components and devices, heterogeneity and low resources, additional concerns can be added. In this section, we will present the general security requirements that the IoT must have, then we will discuss the security issues specific to each layer of the IoT.

A. IOT security requirements

The main IoT security requirements are:

1) Confidentiality
It is very important to ensure that the data is secure and only available to authorized users by protecting information against unauthorized access and [20].

2) Integrity
Integrity assures the consistency and accuracy of data, and that it is not tampered with during transmission due to intended or unintended interference. This feature can be imposed by maintaining end-to-end security in IoT communication, and by using hash functions and digital signatures to ensure the integrity of data.

3) Availability
Data, devices and services must be available and reachable whenever users need them. Attacks on IoT devices may hinder the provision of services through conventional denial-of-service attacks [16].

4) Authentication
Each object in the IoT must be able to clearly identify and authenticate other objects. However, this process can be very challenging because of the nature of the IoT: many entities interact in this process [20] (devices, people, services, service providers and processing units).

5) Non repudiation
This ensures that components cannot deny events they carried out. Nonrepudiation is considered a cyber security requirement that provides proof of entities' behaviors in IoT networks [26].

6) Other requirements

Anonymity: the service of hiding data sources; it also helps in assuring data confidentiality and privacy.

Freshness: guarantees that the data are recent and that no old messages have been replayed [13].

Authenticity: This ensures that all authorized components are genuine and can prevent user impersonation. Authenticity is one of the security goals used for preventing security attacks in IoT [26].

Privacy: data could be leaked at any time and used by unauthorized consumers if the security of personal privacy is not ensured. Moreover, concerns over privacy spread wide, particularly as wireless devices can track users' actions, behaviors, health status, location, and ongoing preferences, which could put a [21].

B. IOT security threats

There have been many achievements in the research field of IoT; however, there are still some open challenges that need to be addressed for the ubiquity of this technology. In this section, some of the threats in each architectural layer that need special attention are discussed [19].

1) Perception layer
It is exposed to many threats, including the following:

a) Unauthorized access & tag cloning: In RFID systems, the attacker can access tags without authorization and alter, modify or delete the data. Tag cloning [19] happens when cybercriminals create a replica of the tag, compromising it in a way that the reader cannot distinguish between the original and the compromised tag.

b) Eavesdropping: refers to the process of listening to an ongoing communication, which is an initial step for launching the other attacks. Such attacks are easier to perform on unprotected wireless channels, because the communication takes place in an open, insecure wireless channel [13].

c) Spoofing: occurs when an attacker broadcasts fake information to the RFID systems and makes them falsely assume it is original, so that it appears to come from the original source. This way the attacker gets full access to the system, making it vulnerable [19].

d) Jamming: Jamming attacks on wireless devices in IoT aim to degrade the network by emitting radio frequency signals without following a specific protocol, resulting in malfunctioning or unpredictable behavior of the system [16].

e) Sleep deprivation attack: The energy constrained devices in I v by causing the sensor nodes to stay awake. It results in depletion of the battery when a large number of tasks is set to be executed in the 6LoWPAN environment [16].

f) Physical attacks: These tamper with the hardware components and are harder to perform because they require expensive material. Some examples are de-packaging of the chip, layout reconstruction and micro-probing [17].

2) Network layer
The network layer is exposed to several attacks:

a) Sybil attack: The attacker manipulates the node to present multiple identities for a single node, due to which a considerable part of the system can be compromised, resulting in false information about the redundancy [19].

b) Buffer reservation attack: As a receiving node is required to reserve buffer space for re-assembly of incoming packets, an attacker may exploit this by sending incomplete packets [16]. This attack results in denial-of-service, as other fragment packets are discarded due to the space occupied by the incomplete packets sent by the attacker.

c) Malicious code injection: By exploiting a vulnerability in the software, the attacker is able to inject malicious code into the system. Most often, this code can do a multitude of tasks, such as shutting down or taking control of the device [10].

d) Sinkhole attack: In this kind of attack the adversary makes the compromised node look attractive to the nearby nodes, so that all the data flow from any particular node is diverted towards the compromised node, resulting in packet drops; i.e. all the traffic is silenced while the system is fooled into believing that the data has been received on the other side. Moreover, this attack results in more energy consumption, which can cause a DoS attack [19].

e) Denial of service attack: The DoS attack hinders the availability of a system offering services. During this attack the illegal entity consumes the resources exhaustively, thereby making the system unavailable to the legal entities. This attack is generally achieved by launching resource consuming activities like flooding the network with useless traffic [13].

f) RPL routing attack: The IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) is vulnerable to several attacks triggered through compromised nodes existing in the network [16]. The attack may result in depletion of resources and eavesdropping.

g) Replay attack: The attacker intercepts the original message, then resends or modifies it to compromise the target IoT devices. Attackers hold the current conversation or session to be replayed soon. At a later time, a replayed message will confuse the recipient IoT device and thereby endanger the IoT system [11].

h) Man in the middle attack: This attack occurs when the adversary silently listens to the communication of two legal parties with the intent to delay, alter or delete messages exchanged during communication [13].

3) Middleware layer
The IoT middleware is designed to render communication among heterogeneous entities of the IoT paradigm and must be secure enough for provision of service [16].

a) DoS attack: It may cause a shutdown of the system, which results in unavailability of the services. The DoS or distributed DoS attack can destroy service availability because an Internet attack entails low cost [29].

b) Unauthorized access: The middleware layer provides different interfaces for the applications and data storage facilities [19]. The attacker can easily cause damage to the system by forbidding access to the related services of IoT or by deleting the existing data. So an unauthorized access could be fatal for the system.

c) Malicious insider: Someone from the inside tampers with the data, which can be easily extracted and then altered on purpose from the inside [19].

4) Application layer

a) Denial-of-Service (DoS) attack: DoS attempts to make the IoT devices inaccessible [19] to their intended users through interruption of service. This attack is similar to that in the middleware layer, in which attackers can destroy the availability of the application itself [29].

b) Counterfeiting: means imitation or forgery. An active attacker can easily duplicate and modify the contents of the IoT devices because of the security nature of these devices [18].

c) Spear-phishing attack: It is an email spoofing attack in which the victim, a high ranking person, is lured into opening the email, through which the adversary gains access to the credentials of that victim and then, by a pretense, retrieves more sensitive information [19].

d) Insecure software: Various vulnerabilities in IoT include those caused by insecure software/firmware [16]. This may cause other issues like malicious code injection, when the attacker injects any kind of malicious code into the system to steal some kind of data from the user.

e) CoAP security with internet: The Constrained Application Protocol (CoAP), being a web transfer protocol for constrained devices, uses DTLS bindings with various security modes to provide end-to-end security. The CoAP messages follow a specific format defined in RFC-7252, and need to be encrypted for secure communication. Similarly, the multicast support in CoAP requires adequate key management and authentication mechanisms [16].

f) Sniffing attack: An attacker can force an attack on the system by introducing a sniffer application into the system [19], which could gain network information, resulting in corruption of the system.

5) Other threats

a) Cross layer threats: Information is shared and exchanged between the four layers, which brings some challenges such as trust guarantee, users' privacy and secure data sharing among layers. That might cause information
leakage: sensitive information might not be protected at the borders of layers [5].

b) Threats caused by maintenance of IoT: Maintenance of IoT can cause issues such as: misconfiguring or failing to configure a remote IoT end node, device or gateway; a security management issue caused by logs and key leakage at the IoT end node [5]; or a failure of the management system.

IV. IOT SECURITY COUNTERMEASURES

In this section we discuss the main countermeasures to address IoT security issues.

1) Perception layer
The main security measures in the perception layer of IoT are:

a) Authentication: The device should authenticate itself before receiving or transmitting any sort of data by using machine authentication, biometrics, two-factor authentication [12]... Nest, the American manufacturer of smart home products, announced it will roll out two-factor authentication to secure its thermostats and smart cameras [14].

b) Encryption: Encryption should be used in authentication via cryptographic hash algorithms that provide digital signatures to the terminals [19]. Moreover, using symmetric and asymmetric encryption algorithms such as RSA, DSA, BLOWFISH and DES ensures that the data generated or forwarded by the terminal are not intercepted by unauthorized access. Protecting the common information with an encryption algorithm prevents data from being cracked, abandoned or replayed [29].

c) Anonymity: In order to provide the privacy of sensitive information, anonymity of the location and identity is obtained using the K-Anonymity approach, which ensures the protection of information like the identity and location of the user [19].

d) Intrusion detection: An IDS can monitor the behavior of nodes in a timely manner and find suspicious behavior of nodes [27] in order to achieve control security and lower the weight of malicious nodes and mechanisms [29].

e) Risk assessment: It examines every possible threat and weakness within security mechanisms and nodes [19] and discovers new threats to the system. It could help prevent security breaches and determine the best security strategies.

f) Physical security: IoT devices need physical protection; for example, on those that have USB [14], against plugging in an infected USB stick. The testing and debugging tools must be disabled, and hardware based mechanisms such as Trusted Platform Modules (TPMs) should be incorporated to improve physical security [16].

2) Network layer
To address IoT security issues in the network layer, the main solutions are:

a) End to end encryption: For each network architecture, we need to configure the specific authentication mechanism and end-to-end encryption [22] in order to prevent the spreading of fake information caused by illegal access to the sensor node. For example, a DoS attack drives a lot of useless traffic towards it through a number of botnets fueled by the system of interconnected devices [19]. Encryption should be used in the network layer by using protocols such as TLS if available, or other standard encryption techniques [28]. Encrypting data in transit between IoT devices embedded into the network and back-end systems using cryptographic algorithms such as AES-256 would help maintain data integrity, and it will also prevent the data being sniffed by potential attackers [12].

b) Routing security: Routing algorithms are implemented to ensure the privacy of data exchange between the sensor nodes and the processing systems. Much research has been carried out on routing methods, including Source Routing, in which the data to be transmitted is stored in the form of packets which are then sent to the processing system after being analyzed by the intermediate nodes, and Hop-by-Hop routing, in which only the address of the data destination is known. The security of routing is ensured by providing multiple paths for the data routing, which improves the ability of the system to detect an error and keep performing upon any kind of failure in the system [19].

c) Data privacy: The safety control mechanisms monitor the system for any kind of intrusion [19], and finally data integrity methods are implemented to make sure that the data received on the other end is the same as the original.

3) Middleware and application layer
The main solutions to address IoT security issues in the middleware and application layers are:

a) Authentication: The authentication process prevents access by unauthorized users through integrated identity identification. Authentication is done by some cooperating services, and users can choose the associated information to be shared with the services. However, the main challenge faced by security in these two layers is the introduction of new techniques in mass application (e.g., cloud computing and virtualization) [29]. The cloud technology can be easily compromised; one of the worst threats is the insider threat. Similarly, virtualization is exposed to DoS, data theft, etc. A lot of research is needed in both domains to provide a secure environment.

b) Data security: Data security is ensured by various encryption technologies which prevent data from being stolen. Moreover, anti-DoS firewalls are introduced to prevent other malicious activities from miscreant users [19].

c) Software updates: The manufacturers of the best IoT devices release firmware updates on an ongoing basis; applying them improves functionality and patches security vulnerabilities [14]. Moreover, the software or firmware installed on the device should be updated regularly through an encrypted transmission mechanism. The update files should be downloaded from a secure server, and these files must be signed and properly validated prior to installation [28].
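One way to carry out the "signed and properly validated prior to installation" step, shown as an added example in Go that is not from the paper or from [28]. The manifest format, the names, the Ed25519 signature scheme and the anti-rollback rule are assumptions made for illustration; the keys and image are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the vendor signs Bytes().
type Manifest struct {
	Model   string
	Version uint32
	Digest  [sha256.Size]byte // SHA-256 of the firmware image
}

// Bytes is the exact string that gets signed: version | digest | model.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4, 4+sha256.Size+len(m.Model))
	binary.BigEndian.PutUint32(b, m.Version)
	b = append(b, m.Digest[:]...)
	return append(b, m.Model...)
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrModel     = errors.New("update built for another model")
	ErrRollback  = errors.New("version not newer than installed")
	ErrDigest    = errors.New("image does not match signed digest")
)

// Device holds what the updater trusts: a vendor key pinned at manufacture
// and the installed version (kept in tamper-resistant storage in practice).
type Device struct {
	Model     string
	Installed uint32
	VendorKey ed25519.PublicKey
}

// Install validates an update and only then records the new version.
func (d *Device) Install(m Manifest, sig, image []byte) error {
	if len(d.VendorKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(d.VendorKey, m.Bytes(), sig) {
		return ErrSignature // nothing in m is trusted before this passes
	}
	if m.Model != d.Model {
		return ErrModel
	}
	if m.Version <= d.Installed {
		return ErrRollback // a validly signed but old, vulnerable release
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	d.Installed = m.Version // flashing the image would happen here
	return nil
}

// SignRelease is the vendor side, included so the example runs on its own.
func SignRelease(priv ed25519.PrivateKey, model string, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// DemoKeys derives a constructed, deterministic key pair from a one-byte seed.
func DemoKeys(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys(1)
	dev := &Device{Model: "thermo-x", Installed: 3, VendorKey: pub}
	image := []byte("constructed firmware image, release 4")
	m, sig := SignRelease(priv, "thermo-x", 4, image)
	fmt.Println("tampered image:", dev.Install(m, sig, append([]byte{0}, image...)))
	fmt.Println("genuine update:", dev.Install(m, sig, image))
	fmt.Println("offered again: ", dev.Install(m, sig, image))
}
```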

d) Intrusion detection: Intrusion detection techniques provide solutions for various security threats by generating an alarm on occurrence of any suspicious activity in the system [19] due to the continuous monitoring and keeping a intruder.

e) Security applications: Some smart devices such as versions of antivirus apps can significantly boost your security [14].

f) Risk assessment: The risk assessment gives justification for the effective security strategies and provides improvements in the existing security structure [19].

g) Non technical measures: Increasing the awareness of users so that they realize the importance of information security and know how to correctly use IoT services could help in reducing the leakage of confidential information. Information security management should also be strengthened by good resource management, physical security information management and password management, etc [27].

V. CONCLUSION & FUTURE WORK

IoT is an emerging research topic but with major security issues. Consequently, IoT security is an important concern that needs to be well studied before developing more advanced Internet of Things (IoT) systems. Indeed, there are still many open problems in IoT security, such as privacy protection, standardization, network protocols, identity management... In this paper, we presented an architectural design of IoT. Moreover, we discussed IoT security requirements and detailed the main IoT security threats. Finally, we presented some IoT security countermeasures to address IoT security issues. In the future, risk assessment, frameworks, policies, algorithms and intrusion detection techniques should be explored and standardized in order to afford more secure IoT systems.

REFERENCES

[1] A. Aldairi & L. Tawalbeh, "Cyber Security Attacks on Smart Cities and Associated Mobile Technologies". Procedia Computer Science, pp. 1086-1091, 2017.
[2] A.- Security and Privacy Challenges in Industrial Internet of Things Invited, IEEE, 2015.
[3] I.B. Ida, A. Jemai & A. Loukil, "A survey on security of IoT in the context of eHealth and clouds". International Design and Test Workshop, pp. 25-30, 2017.
[4] M. Ferrag, L. Maglaras, H. Janicke, J. Jiang & L. Shuf, Systematic Review of Data Protection and Privacy Preservation Schemes for . Sustainable Cities and Society, 2018.
[5] - a security point
[6] S. Sicari, A. Rizzardi, L. Grieco, and A. Coen- Elsevier 2015
[7] Review on the Security challenges of internet of things and their
[8] and open issues in I
[9] ringer 2017
[10]
[11] M. Nawir, A. Amir, N. Yaakob, O.B. Lynn, "Internet of Things (IoT): Taxonomy of security attacks". 2016 3rd International Conference on Electronic Design (ICED), pp. 321-326, 2016.
[12] A.S. Syal, A. Gupta, "Internet of Things: Review on security of novel technology". International Conference On Smart Technologies For Smart Nation (SmartTechCon), pp. 1405-1410, 2017.
[13] I. Yaqoob, E. Ahmed, M.H. Rehman, A.I.A. Ahmed, M.A.A.-garadi, "The rise of ransomware and emerging security challenges in the Internet of Things". Computer Networks, 129, pp. 444-458, 2017.
[14] A.F. Mohammed, "Security Issues in IoT", IJSRSET, pp. 933-940, 2017.
[15] G. Arias, C.G. García, B.C.P. G-Bustelo, "Midgar: Study of communications security among Smart Objects using a platform of heterogeneous devices for the Internet of Things". Future Generation Computer Systems, 74, pp. 444-466, 2017.
[16] M.A. Khan, K. Salah, "IoT security: Review, blockchain solutions, and open challenges". Future Generation Computer Systems, 82, pp. 395-411, 2017.
[17] S. Babar, A. Stango, J. Sen & R. Prasad, "Proposed embedded security framework for Internet of Things (IoT)". 2011 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace and Electronic Systems Technology, Wireless VITAE 2011, pp. 1-5, 2011.
[18] F.A. Alaba, M. Othman, I.A.T. Hashem, F. Alotaibi, "Internet of Things security: A survey". Journal of Network and Computer Applications, 88(March), pp. 10-28, 2017.
[19] M.U. Farooq, M. Waseem, A. Khairi, S. Mazhar, "A Critical Analysis on the Security Concerns of Internet of Things (IoT)". International Journal of Computer Applications, 111(7), pp. 1-6, 2015.
[20] R. Mahmoud, T. Yousuf, F. Aloul, I. Zualkernan, "Internet of things (IoT) security: Current status, challenges and prospective measures". 10th International Conference for Internet Technology and Secured Transactions, ICITST 2015, pp. 336-341, 2016.
[21] S. Moganedi & J. Mtsweni, "Beyond the convenience of the internet of things: Security and privacy concerns". 2017 IST-Africa Week Conference (IST-Africa), pp. 1-10, 2017.
[22] Y. Chahid, M. Benabdellah & A.A.
[23] A.J.C. Trappey, C.V. Trappey, U.H. Govindarajan, A.C. Chuang & J.J. Sun, "A review of essential standards and patent landscapes for the Internet of Things: A key enabler for Industry 4.0". Advanced Engineering Informatics, 33, pp. 208-229, 2017.
[24] I. Cvitic, M. Vujic & S. Husnjak, "Classification of Security Risks in the IoT Environment", pp. 0731-0740, 2016.
[25] T. Ara, P.G. Shah & M. Prabhakar, "Internet of Things Architecture and Applications: A Survey". Indian Journal of Science and Technology, 9(45), 2016.
[26] Cyber security framework for Internet of Things-based Energy Internet. Future Generation Computer Systems, 2018.
[27] Proceedings - 9th International Conference on Computational Intelligence and Security, CIS 2013, pp. 663-667, 2013.
[28] OWASP, Top IoT Vulnerabilities, 2016. URL: https://www.owasp.org/index.php/Top_IoT_Vulnerabilities
[29] W. Zhang, B. Qu, "Security Architecture of the Internet of Things Oriented to Perceptual Layer", IEEE, 2013.
