IoT Cloud Security Review

Recent years have seen the rapid development and integration of the Internet of Things (IoT) and cloud computing. The market offers a variety of consumer-oriented smart IoT devices, and mainstream cloud service providers are building software stacks to support IoT services. As this trend continues to grow, the security of such smart IoT cloud systems has drawn much research attention. To help practicing engineers and new researchers better understand emerging consumer-oriented smart IoT cloud systems, this article reviews the most recent research efforts, from the past five years, on existing, real, already deployed consumer-oriented IoT cloud applications, using typical case studies. Specifically, we first present a general model for the IoT cloud ecosystem. Then, using the model, we review and summarize recent, representative research on the security of emerging smart IoT cloud systems through 10 detailed case studies, with the aim that the case studies together provide insights into the insecurity of current emerging IoT cloud systems. We further present a systematic approach to conducting a security analysis of IoT cloud systems. Based on the proposed security analysis approach, we review and suggest potential security risk mitigation methods to protect IoT cloud systems. We also discuss future research challenges in the IoT cloud security area.
