IoT: Internet of Threats? A Survey of Practical Security Vulnerabilities in Real IoT Devices

The Internet of Things (IoT) is rapidly spreading, reaching a multitude of different domains, including personal health care, environmental monitoring, home automation, smart mobility, and Industry 4.0. As a consequence, more and more IoT devices are being deployed in a variety of public and private environments, progressively becoming common objects of everyday life. It is hence apparent that, in such a scenario, cybersecurity becomes critical to avoid threats like leakage of sensible information, denial of service (DoS) attacks, unauthorized network access, and so on. Unfortunately, many low-end IoT commercial products do not usually support strong security mechanisms, and can hence be target of—or even means for—a number of security attacks. The aim of this article is to provide a broad overview of the security risks in the IoT sector and to discuss some possible counteractions. To this end, after a general introduction to security in the IoT domain, we discuss the specific security mechanisms adopted by the most popular IoT communication protocols. Then, we report and analyze some of the attacks against real IoT devices reported in the literature, in order to point out the current security weaknesses of commercial IoT solutions and remark the importance of considering security as an integral part in the design of IoT systems. We conclude this article with a reasoned comparison of the considered IoT technologies with respect to a set of qualifying security attributes, namely integrity, anonymity, confidentiality, privacy, access control, authentication, authorization, resilience, self organization.

[1]  Mahmoud Ammar,et al.  Journal of Information Security and Applications , 2022 .

[2]  Wondimu K. Zegeye Exploiting Bluetooth Low Energy Pairing Vulnerability in Telemedicine , 2015 .

[3]  Nan Jiang,et al.  Security analysis of Internet-of-Things: A case study of august smart lock , 2017, 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).

[4]  Rolf H. Weber,et al.  Internet of Things - New security and privacy challenges , 2010, Comput. Law Secur. Rev..

[5]  Carles Gomez,et al.  Overview and Evaluation of Bluetooth Low Energy: An Emerging Low-Power Wireless Technology , 2012, Sensors.

[6]  Ping Pan,et al.  Internet Engineering Task Force , 1995 .

[7]  Paul Fremantle,et al.  A survey of secure middleware for the Internet of Things , 2017, PeerJ Prepr..

[8]  Yier Jin,et al.  Privacy and Security in Internet of Things and Wearable Devices , 2015, IEEE Transactions on Multi-Scale Computing Systems.

[9]  Dave Evans,et al.  How the Next Evolution of the Internet Is Changing Everything , 2011 .

[10]  Tang Ming . Wei Lian. Si Tuo Lin Si,et al.  Cryptography and Network Security - Principles and Practice , 2015 .

[11]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[12]  Andrew Y. Lindell Attacks on the Pairing Protocol of Bluetooth v 2 . 1 , 2008 .

[13]  Ragib Hasan,et al.  Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet of Things , 2015, 2015 IEEE World Congress on Services.

[14]  Niraj K. Jha,et al.  A Comprehensive Study of Security of Internet-of-Things , 2017, IEEE Transactions on Emerging Topics in Computing.

[15]  Xiang-Yang Li,et al.  System Statistics Learning-Based IoT Security: Feasibility and Suitability , 2019, IEEE Internet of Things Journal.

[16]  Miodrag Potkonjak,et al.  Lightweight secure PUFs , 2008, ICCAD 2008.

[17]  Georgios Kambourakis,et al.  DDoS in the IoT: Mirai and Other Botnets , 2017, Computer.

[18]  Donald E. Eastlake,et al.  Randomness Requirements for Security , 2005, RFC.

[19]  Monodeep Kar,et al.  Energy Efficient and Side-Channel Secure Cryptographic Hardware for IoT-Edge Nodes , 2019, IEEE Internet of Things Journal.

[20]  Tomás Rosa,et al.  Bypassing Passkey Authentication in Bluetooth Low Energy , 2013, IACR Cryptol. ePrint Arch..

[21]  Guang Gong,et al.  Design and Implementation of Warbler Family of Lightweight Pseudorandom Number Generators for Smart Devices , 2016, ACM Trans. Embed. Comput. Syst..

[22]  Masaya Yoshikawa,et al.  Shuffling Based Side-Channel Countermeasure for Energy Harvester , 2018, 2018 IEEE 7th Global Conference on Consumer Electronics (GCCE).

[23]  Hanno Wirtz,et al.  6LoWPAN fragmentation attacks and mitigation mechanisms , 2013, WiSec '13.

[24]  Robin Kravets,et al.  CryptoCoP: Lightweight, Energy-efficient Encryption and Privacy for Wearable Devices , 2016, WearSys '16.

[25]  Jason Smith,et al.  The SIMON and SPECK lightweight block ciphers , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[26]  Frederik Armknecht,et al.  Insecure to the touch: attacking ZigBee 3.0 via touchlink commissioning , 2017, WISEC.

[27]  Peng Liu,et al.  The Effect of IoT New Features on Security and Privacy: New Threats, Existing Solutions, and Challenges Yet to Be Solved , 2018, IEEE Internet of Things Journal.

[28]  Lorrie Faith Cranor,et al.  Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging , 2015, CHI.

[29]  Mohammed Bouhorma,et al.  Denial-of-Service attacks on 6LoWPAN-RPL networks: Issues and practical solutions , 2014 .

[30]  Andrey Bogdanov,et al.  spongent: A Lightweight Hash Function , 2011, CHES.

[31]  Morris J. Dworkin,et al.  Recommendation for Block Cipher Modes of Operation: Methods and Techniques , 2001 .

[32]  Anne Canteaut,et al.  PRINCE - A Low-latency Block Cipher for Pervasive Computing Applications (Full version) , 2012, IACR Cryptol. ePrint Arch..

[33]  Athanasios V. Vasilakos,et al.  A survey on trust management for Internet of Things , 2014, J. Netw. Comput. Appl..

[34]  Elaine B. Barker Digital Signature Standard (DSS) , 2013 .

[35]  H. Tschofenig,et al.  Performance of State-ofthe-Art Cryptography on ARM-based Microprocessors , 2015 .

[36]  Tarik Taleb,et al.  An Accurate Security Game for Low-Resource IoT Devices , 2017, IEEE Transactions on Vehicular Technology.

[37]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[38]  Carsten Bormann,et al.  The Constrained Application Protocol (CoAP) , 2014, RFC.

[39]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[40]  Srinivas Devadas,et al.  Physical Unclonable Functions and Applications: A Tutorial , 2014, Proceedings of the IEEE.

[41]  Luis Hernández Encinas,et al.  A Lightweight Pseudorandom Number Generator for Securing the Internet of Things , 2017, IEEE Access.

[42]  HyunGon Kim,et al.  Protection Against Packet Fragmentation Attacks at 6LoWPAN Adaptation Layer , 2008, 2008 International Conference on Convergence and Hybrid Information Technology.

[43]  Mike Ryan,et al.  Bluetooth: With Low Energy Comes Low Security , 2013, WOOT.

[44]  William M. Daley,et al.  Digital Signature Standard (DSS) , 2000 .

[45]  Riccardo Bonetto,et al.  Secure communication for smart IoT objects: Protocol stacks, use cases and practical examples , 2012, 2012 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM).

[46]  Andrea Zanella,et al.  Confirmed traffic in LoRaWAN: Pitfalls and countermeasures , 2018, 2018 17th Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net).

[47]  Grant Hernandez,et al.  Smart Nest Thermostat A Smart Spy in Your Home , 2014 .

[48]  Geoff Mulligan,et al.  The 6LoWPAN architecture , 2007, EmNets '07.

[49]  Giancarlo Fortino,et al.  Evaluating Critical Security Issues of the IoT World: Present and Future Challenges , 2018, IEEE Internet of Things Journal.

[50]  Christophe Guyeux,et al.  A Hardware and Secure Pseudorandom Generator for Constrained Devices , 2018, IEEE Transactions on Industrial Informatics.

[51]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[52]  Roel Maes,et al.  Physically Unclonable Functions , 2012, Springer Berlin Heidelberg.

[53]  Mark Zwolinski,et al.  Overview of PUF-based hardware security solutions for the internet of things , 2016, 2016 IEEE 59th International Midwest Symposium on Circuits and Systems (MWSCAS).

[54]  Jorge Sá Silva,et al.  Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues , 2015, IEEE Communications Surveys & Tutorials.

[55]  Kai Zhao,et al.  A Survey on the Internet of Things Security , 2013, 2013 Ninth International Conference on Computational Intelligence and Security.

[56]  Andrea Zanella,et al.  Platforms and Protocols for the Internet of Things , 2015, IOT 2015.

[57]  Yu Cheng,et al.  Ghost-in-ZigBee: Energy Depletion Attack on ZigBee-Based Wireless Networks , 2016, IEEE Internet of Things Journal.

[58]  Miodrag Potkonjak,et al.  Security of IoT systems: Design challenges and opportunities , 2014, 2014 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[59]  Andrea Zanella,et al.  Mathematical Modeling of LoRa WAN Performance with Bi-directional Traffic , 2018, 2018 IEEE Global Communications Conference (GLOBECOM).

[60]  Siarhei Kuryla,et al.  RPL: IPv6 Routing Protocol for Low power and Lossy Networks , 2010 .

[61]  Pavan Pongle,et al.  A survey: Attacks on RPL and 6LoWPAN in IoT , 2015, 2015 International Conference on Pervasive Computing (ICPC).

[62]  Remi Badonnel,et al.  A Taxonomy of Attacks in RPL-based Internet of Things , 2016, Int. J. Netw. Secur..

[63]  Alessandro Neri,et al.  Security Access Protocols in IoT Capillary Networks , 2017, IEEE Internet of Things Journal.

[64]  Bo Peng,et al.  A side-channel attack countermeasure based on segmented modular exponent randomizing in RSA cryptosystem , 2008, 2008 11th IEEE Singapore International Conference on Communication Systems.

[65]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[66]  Jeffrey Knockel,et al.  Every step you fake: a comparative analysis of fitness tracker privacy and security , 2016 .

[67]  Syed Misbahuddin,et al.  IoT based dynamic road traffic management for smart cities , 2015, 2015 12th International Conference on High-capacity Optical Networks and Enabling/Emerging Technologies (HONET).

[68]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[69]  Zhifeng Zhao,et al.  AI-Based Two-Stage Intrusion Detection for Software Defined IoT Networks , 2018, IEEE Internet of Things Journal.

[70]  Thomas Peyrin,et al.  The PHOTON Family of Lightweight Hash Functions , 2011, IACR Cryptol. ePrint Arch..

[71]  Jian Wang,et al.  Implementing an Attack on Bluetooth 2.1+ Secure Simple Pairing in Passkey Entry Mode , 2012, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.

[72]  Nicola Laurenti,et al.  Wireless physical layer authentication for the Internet of Things , 2017 .

[73]  Yosra Ben Saied Collaborative security for the internet of things , 2013 .

[74]  Andrew Y. Lindell Comparison-Based Key Exchange and the Security of the Numeric Comparison Mode in Bluetooth v2.1 , 2009, CT-RSA.

[75]  Sean Carlisto de Alvarenga,et al.  A survey of intrusion detection in Internet of Things , 2017, J. Netw. Comput. Appl..

[76]  Francesca Palombini,et al.  Comparison of CoAP Security Protocols , 2020 .

[77]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[78]  Choong Seon Hong,et al.  Attack Model and Detection Scheme for Botnet on 6LoWPAN , 2009, APNOMS.

[79]  Luigi Alfredo Grieco,et al.  Security, privacy and trust in Internet of Things: The road ahead , 2015, Comput. Networks.

[80]  David E. Culler,et al.  Transmission of IPv6 Packets over IEEE 802.15.4 Networks , 2007, RFC.

[81]  Adi Shamir,et al.  Extended Functionality Attacks on IoT Devices: The Case of Smart Lights , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[82]  Mahmudur Rahman,et al.  Secure Management of Low Power Fitness Trackers , 2013, IEEE Transactions on Mobile Computing.

[83]  Zach Shelby,et al.  CoAP Security Options , 2011 .

[84]  Luigi Coppolino,et al.  My Smart Home is Under Attack , 2015, 2015 IEEE 18th International Conference on Computational Science and Engineering.

[85]  Selwyn Piramuthu,et al.  Security/privacy of wearable fitness tracking IoT devices , 2014, 2014 9th Iberian Conference on Information Systems and Technologies (CISTI).

[86]  William Stallings,et al.  Cryptography and network security , 1998 .

[87]  Parth H. Pathak,et al.  Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers , 2016, HotMobile.

[88]  Wen-Zhan Song,et al.  Enhanced Cyber-Physical Security in Internet of Things Through Energy Auditing , 2019, IEEE Internet of Things Journal.

[89]  William Stallings,et al.  Cryptography and Network Security: Principles and Practice , 1998 .

[90]  Andrea Zanella,et al.  Internet of Things for Smart Cities , 2014, IEEE Internet of Things Journal.

[91]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.