Internet-of-Things Security and Vulnerabilities: Taxonomy, Challenges, and Practice

Recent years have seen rapid development and deployment of Internet-of-Things (IoT) applications across a wide range of application domains. This has resulted in the creation of new applications (e.g., vehicle networking, smart grid, and wearables) as well as the advancement, consolidation, and transformation of various traditional domains (e.g., medical and automotive). One upshot of this scale and diversity of applications is the emergence of new and critical threats to security and privacy: it is becoming increasingly easy for an adversary to break into an application, make it unusable, or steal sensitive information and data. This paper provides a summary of IoT security attacks and develops a taxonomy and classification based on the application domain and underlying system architecture. We also discuss some key characteristics of IoT that make it difficult to develop robust security architectures for IoT applications.
