Wenyuan Xu

DOI: https://doi.org/10.1145/3579856.3596442

2023-01-01

Abstract:Vulnerabilities pose a significant challenge in ensuring cybersesecurity for information systems. In the past, vulnerabilities were mainly associated with functional defects in system software and hardware, known as "in-band vulnerabilities," whereby "band" refers to the functional domain. However, with the rapid development of the Internet of Things (IoT), new security issues have emerged that traditional vulnerability categorization may not fully cover. IoT devices rely on sensors and actuators to interact with the real world, but this interaction process between physical and digital systems has created defects that are difficult to analyze and detect. These defects include unintentional coupling effects of sensors from ambient analog signals or abnormal channels that were not intentionally designed, collectively known as "out-of-band vulnerabilities." Various security incidents have highlighted the prevalence of out-of-band vulnerabilities in IoT systems, and their activation can result in serious consequences. To address this issue, we propose a vulnerability categorization framework that includes out-of-band vulnerabilities and provides examples for each category. Our talk highlights the need to shift the research paradigm for system security to encompass both in-band and out-of-band vulnerabilities in the intelligence era. Finally, we explore potential solutions for mitigating out-of-band vulnerabilities and securing IoT devices.

Miao Yu,Jianwei Zhuge,Ming Cao,Zhiwei Shi,Lin Jiang

DOI: https://doi.org/10.3390/fi12020027

2020-01-01

Future Internet

Abstract:With the prosperity of the Internet of Things (IoT) industry environment, the variety and quantity of IoT devices have grown rapidly. IoT devices have been widely used in smart homes, smart wear, smart manufacturing, smart cars, smart medical care, and many other life-related fields. With it, security vulnerabilities of IoT devices are emerging endlessly. The proliferation of security vulnerabilities will bring severe risks to users’ privacy and property. This paper first describes the research background, including IoT architecture, device components, and attack surfaces. We review state-of-the-art research on IoT device vulnerability discovery, detection, mitigation, and other related works. Then, we point out the current challenges and opportunities by evaluation. Finally, we forecast and discuss the research directions on vulnerability analysis techniques of IoT devices.

Binbin Zhao,Shouling Ji,Wei-Han Lee,Changting Lin,Haiqin Weng,Jingzheng Wu,Pan Zhou,Liming Fang,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2020.3037908

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The Internet of Things (IoT) has become ubiquitous and greatly affected peoples' daily lives. With the increasing development of IoT devices, the corresponding security issues are becoming more and more challenging. Such a severe security situation raises the following questions that need urgent attention: What are the primary security threats that IoT devices face currently? How do vendors and users deal with these threats? In this article, we aim to answer these critical questions through a large-scale systematic study. Specifically, we perform a ten-month-long empirical study on the vulnerability of 1,362,906 IoT devices varying from six types. The results show sufficient evidence that N-days vulnerability is seriously endangering the IoT devices: 385,060 (28.25 percent) devices suffer from at least one N-days vulnerability. Moreover, 2669 of these vulnerable devices may have been compromised by botnets. We further reveal the massive differences among five popular IoT search engines: Shodan [1], Censys [2], [3], Zoomeye [4], Fofa [5], and NTI [6]. To study whether vendors and users adopt defenses against the threats, we measure the security of MQTT [7] servers, and identify that 12740 (88 percent) MQTT servers have no password protection. Our analysis can serve as an important guideline for investigating the security of IoT devices, as well as advancing the development of a more secure environment for IoT systems.

Xiang Chen,Changlin Yang,Yuhong Nan,Zibin Zheng

DOI: https://doi.org/10.1109/jiot.2024.3506976

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:IoT systems are increasingly widespread across various fields. Concurrently, vulnerabilities in IoT devices are continuously emerging, potentially leading to severe consequences such as information leakage, system failure, or even resource abuse. For IoT system developers, understanding the characteristics of these critical vulnerabilities is crucial for safeguarding the security of IoT systems. However, existing studies on IoT vulnerabilities have not specifically focused on such severe or critical vulnerabilities, i.e., high-risk vulnerabilities. Moreover, previous works analyzed IoT vulnerabilities based on unofficial information sources, such as online reports, GitHub issues, or open-sourced projects. To fill this gap, this paper presents the first large-scale empirical study on high-risk IoT vulnerabilities based on the well-known vulnerability data source, i.e., the National Vulnerability Database (NVD), which is maintained by the U.S. government. We constructed a database consisting of 1,739 IoT-related vulnerabilities archived over the last two decades (from 1999 to 2023), including 1,076 high-risk vulnerabilities for analysis. We classified the high-risk vulnerabilities into four categories, consisting of 25 different weakness types. We further collected 11 detection tools and summarized their capabilities in detecting IoT vulnerabilities. Our study sheds lights on new findings and insights for developers to secure the IoT system.

Nan Zhang,Soteris Demetriou,Xianghang Mi,Wenrui Diao,Kan Yuan,Peiyuan Zong,Feng Qian,XiaoFeng Wang,Kai Chen,Yuan Tian,Carl A. Gunter,Kehuan Zhang,Patrick Tague,Yue-Hsun Lin

DOI: https://doi.org/10.48550/arXiv.1703.09809

2017-03-29

Abstract:Inspired by the boom of the consumer IoT market, many device manufacturers, start-up companies and technology giants have jumped into the space. Unfortunately, the exciting utility and rapid marketization of IoT, come at the expense of privacy and security. Industry reports and academic work have revealed many attacks on IoT systems, resulting in privacy leakage, property loss and large-scale availability problems. To mitigate such threats, a few solutions have been proposed. However, it is still less clear what are the impacts they can have on the IoT ecosystem. In this work, we aim to perform a comprehensive study on reported attacks and defenses in the realm of IoT aiming to find out what we know, where the current studies fall short and how to move forward. To this end, we first build a toolkit that searches through massive amount of online data using semantic analysis to identify over 3000 IoT-related articles. Further, by clustering such collected data using machine learning technologies, we are able to compare academic views with the findings from industry and other sources, in an attempt to understand the gaps between them, the trend of the IoT security risks and new problems that need further attention. We systemize this process, by proposing a taxonomy for the IoT ecosystem and organizing IoT security into five problem areas. We use this taxonomy as a beacon to assess each IoT work across a number of properties we define. Our assessment reveals that relevant security and privacy problems are far from solved. We discuss how each proposed solution can be applied to a problem area and highlight their strengths, assumptions and constraints. We stress the need for a security framework for IoT vendors and discuss the trend of shifting security liability to external or centralized entities. We also identify open research problems and provide suggestions towards a secure IoT ecosystem.

Cryptography and Security

Muath A. Obaidat,Suhaib Obeidat,Jennifer Holst,Abdullah Al Hayajneh,Joseph Brown

DOI: https://doi.org/10.3390/computers9020044

2020-05-30

Computers

Abstract:The Internet of Things (IoT) has experienced constant growth in the number of devices deployed and the range of applications in which such devices are used. They vary widely in size, computational power, capacity storage, and energy. The explosive growth and integration of IoT in different domains and areas of our daily lives has created an Internet of Vulnerabilities (IoV). In the rush to build and implement IoT devices, security and privacy have not been adequately addressed. IoT devices, many of which are highly constrained, are vulnerable to cyber attacks, which threaten the security and privacy of users and systems. This survey provides a comprehensive overview of IoT in regard to areas of application, security architecture frameworks, recent security and privacy issues in IoT, as well as a review of recent similar studies on IoT security and privacy. In addition, the paper presents a comprehensive taxonomy of attacks on IoT based on the three-layer architecture model; perception, network, and application layers, as well as a suggestion of the impact of these attacks on CIA objectives in representative devices, are presented. Moreover, the study proposes mitigations and countermeasures, taking a multi-faceted approach rather than a per layer approach. Open research areas are also covered to provide researchers with the most recent research urgent questions in regard to securing IoT ecosystem.

Yasmine Harbi,Zibouda Aliouat,Allaoua Refoufi,Saad Harous

DOI: https://doi.org/10.1109/access.2021.3103725

IF: 3.9

2021-01-01

IEEE Access

Abstract:The Internet of Things (IoT) aims to transform everyday physical objects into an interconnected ecosystem with digital data accessible anywhere and anytime. “Things” in IoT are embedded with sensing, processing, and actuating capabilities and cooperate in providing smart and innovative services autonomously. The rapid spread of IoT services arises different security vulnerabilities that need to be carefully addressed. Several emerging and promising technologies and techniques are introduced to improve the security of IoT. This paper aims to provide an up-to-date vision of the current research topics related to IoT security. Initially, we introduce common elements and protocols of IoT to demystify the origins of threats in IoT. Then, we propose a taxonomy of IoT attacks and analyze the security vulnerabilities of IoT at different layers. Subsequently, we provide a comparison of recent security schemes based on emerging solutions including fog computing, edge computing, software-defined networking (SDN), blockchain, lightweight cryptography, homomorphic and searchable encryption, and machine learning. Finally, security challenges are discussed and future directions are highlighted for future interested researchers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pintu Kumar Sadhu,Venkata P. Yanambaka,Ahmed Abdelgawad

DOI: https://doi.org/10.3390/s22197433

IF: 3.9

2022-10-01

Sensors

Abstract:The overwhelming acceptance and growing need for Internet of Things (IoT) products in each aspect of everyday living is creating a promising prospect for the involvement of humans, data, and procedures. The vast areas create opportunities from home to industry to make an automated lifecycle. Human life is involved in enormous applications such as intelligent transportation, intelligent healthcare, smart grid, smart city, etc. A thriving surface is created that can affect society, the economy, the environment, politics, and health through diverse security threats. Generally, IoT devices are susceptible to security breaches, and the development of industrial systems could pose devastating security vulnerabilities. To build a reliable security shield, the challenges encountered must be embraced. Therefore, this survey paper is primarily aimed to assist researchers by classifying attacks/vulnerabilities based on objects. The method of attacks and relevant countermeasures are provided for each kind of attack in this work. Case studies of the most important applications of the IoT are highlighted concerning security solutions. The survey of security solutions is not limited to traditional secret key-based cryptographic solutions, moreover physical unclonable functions (PUF)-based solutions and blockchain are illustrated. The pros and cons of each security solution are also discussed here. Furthermore, challenges and recommendations are presented in this work.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xingbin Jiang,Michele Lora,Sudipta Chattopadhyay

DOI: https://doi.org/10.1145/3379542

IF: 5.3

2020-05-31

ACM Transactions on Internet Technology

Abstract:The revolutionary development of the Internet of Things has triggered a huge demand for Internet of Things devices. They are extensively applied to various fields of social activities, and concerning manufacturing, they are a key enabling concept for the Industry 4.0 ecosystem. Industrial Internet of Things (IIoT) devices share common vulnerabilities with standard IoT devices, which are increasingly exposed to the attackers. As such, connected industrial devices may become sources of cyber, as well as physical, threats for people and assets in industrial environments. In this work, we examine the attack surfaces of a networked embedded system, composed of devices representative of those typically used in the IIoT field. We carry on an analysis of the current state of the security of IIoT technologies. The analysis guides the identification of a set of attack vectors for the examined networked embedded system. We set up the corresponding concrete attack scenarios to gain control of the system actuators and perform some hazardous operations. In particular, we propose a couple of variations of Mirai attack specifically tailored for attacking industrial environments. Finally, we discuss some possible

computer science, information systems, software engineering

Rachit,Shobha Bhatt,Prakash Rao Ragiri

DOI: https://doi.org/10.1007/s42452-021-04156-9

2021-01-01

SN Applied Sciences

Abstract:Abstract The Internet of Things (IoT) is a network of embedded devices that are uniquely identifiable and have embedded software required to communicate between the transient states. The purpose of this study is to explore discrete IoT security challenges pertaining to currently deployed IoT standards and protocols. We have presented a detailed review in this study that focuses on IoT's imminent security aspects, covering identification of risks pertaining to the current IoT system, novel security protocols, and security projects proffered in recent years. This work presents an updated review of the IoT architecture in the protocols and standards that are proffered for the next-gen IoT systems. A security-specific comparative analysis of protocols, standards, and proffered security models are presented as per IoT security requirements. This study elicits the need for standardization at the communication and data audit level, which exposes the hardware, software, and data to various threats and attacks. Our study reveals a need for protocols that are competent enough to be accorded for over one threat vector. This paper provides an insight into the latest security research trends, which will prove beneficial in the development of IoT security. The research outcomes can benefit the research community in IoT by integrating IoT-based devices' best security aspects.

Swastik Kumar Sahu,Kaushik Mazumdar

DOI: https://doi.org/10.3389/frai.2024.1397480

2024-05-15

Frontiers in Artificial Intelligence

Abstract:The rapid proliferation of Internet of Things (IoT) devices across various industries has revolutionized the way we interact with technology. However, this widespread adoption has also brought about significant security challenges that must be addressed to ensure the integrity and confidentiality of data transmitted and processed by IoT systems. This survey paper delves into the diverse array of security threats faced by IoT devices and networks, ranging from data breaches and unauthorized access to physical tampering and denial-of-service attacks. By examining the vulnerabilities inherent in IoT ecosystems, we highlight the importance of implementing robust security measures to safeguard sensitive information and ensure the reliable operation of connected devices. Furthermore, we explore cutting-edge technologies such as blockchain, edge computing, and machine learning as potential solutions to enhance the security posture of IoT deployments. Through a comprehensive analysis of existing security frameworks and best practices, this paper aims to provide valuable insights for researchers, practitioners, and policymakers seeking to fortify the resilience of IoT systems in an increasingly interconnected world.

Wei Zhou,Yuqing Zhang,Peng Liu

DOI: https://doi.org/10.1109/JIOT.2018.2847733

2018-02-09

Abstract:The future of Internet of Things (IoT) is already upon us. IoT applications have been widely used in many field of social production and social living such as healthcare, energy and industrial automation. While enjoying the convenience and efficiency that IoT brings to us, new threats from IoT also have emerged. There are increasing research works to ease these threats, but many problems remain open. To better understand the essential reasons of new threats and the challenges in current research, this survey first proposes the concept of "IoT features". Then, the security and privacy effects of eight IoT new features were discussed including the threats they cause, existing solutions and challenges yet to be solved. To help researchers follow the up-to-date works in this field, this paper finally illustrates the developing trend of IoT security research and reveals how IoT features affect existing security research by investigating most existing research works related to IoT security from 2013 to 2017.

Cryptography and Security

Aejaz Nazir Lone,Suhel Mustajab,Mahfooz Alam

DOI: https://doi.org/10.1002/spy2.318

2023-04-14

Security and Privacy

Abstract:It has become possible to link anything and everything to the Internet in recent decades due to the expanding Internet of Things (IoT). As a result, our usage of technology has changed a lot, causing digital disruption in the real world. IoT allows drones, sensors, digital set‐top boxes, surveillance cameras, wearable technology, and medical equipment to be connected to the internet. Healthcare, manufacturing, utilities, transportation, and housing are among the various sectors that has become intelligent. Recently, we have seen a surge in cybersecurity challenges and opportunities for the improvement of various IoT applications. Although cybersecurity and the IoT are extensively researched, there is a dearth of studies that exclusively focus on the evolution of cybersecurity challenges in the area of AI and machine learning, blockchain and zero trust, lightweight security, integration of IoT with 5G networks, and many more in the IoT world. The availability of environment‐capturing sensors and internet‐connected tracking devices allows for private life surveillance and cloud data transmission. Therefore, a significant problem for researchers and developers is to ensure the CIA (Confidentiality, Integrity, and Availability) security triangle for people. This paper presents a comprehensive study of cybersecurity applications, challenges, and opportunities in the IoT world. The IoT architectural layer, attacks against the IoT layer, and related issues are highlighted. Furthermore, cybersecurity issues and challenges in IoT along with the strength and weaknesses of existing techniques are discussed in detail. Our study will provide insight into various current cybersecurity research trends in the IoT world.

Xuanyu Duan,Mengmeng Ge,Triet Huynh Minh Le,Faheem Ullah,Shang Gao,Xuequan Lu,M. Ali Babar

DOI: https://doi.org/10.1109/prdc53464.2021.00016

2021-12-01

Abstract:Internet of Things (IoT) based applications face an increasing number of potential security risks, which need to be systematically assessed and addressed. Expert-based manual assessment of IoT security is a predominant approach, which is usually inefficient. To address this problem, we propose an automated security assessment framework for IoT networks. Our framework first leverages machine learning and natural language processing to analyze vulnerability descriptions for predicting vulnerability metrics. The predicted metrics are then input into a two-layered graphical security model, which consists of an attack graph at the upper layer to present the network connectivity and an attack tree for each node in the network at the bottom layer to depict the vulnerability information. This security model automatically assesses the security of the IoT network by capturing potential attack paths. We evaluate the viability of our approach using a proof-of-concept smart building system model which contains a variety of real-world IoT devices and poten-tial vulnerabilities. Our evaluation of the proposed framework demonstrates its effectiveness in terms of automatically predicting the vulnerability metrics of new vulnerabilities with more than 90% accuracy, on average, and identifying the most vulnerable attack paths within an IoT network. The produced assessment results can serve as a guideline for cybersecurity professionals to take further actions and mitigate risks in a timely manner.

Diego M. Mendez,Ioannis Papapanagiotou,Baijian Yang

DOI: https://doi.org/10.1080/19393555.2018.1458258

2017-07-11

Abstract:The Internet of Things (IoT) is intended for ubiquitous connectivity among different entities or "things". While its purpose is to provide effective and efficient solutions, security of the devices and network is a challenging issue. The number of devices connected along with the ad-hoc nature of the system further exacerbates the situation. Therefore, security and privacy has emerged as a significant challenge for the IoT. In this paper,we aim to provide a thorough survey related to the privacy and security challenges of the IoT. This document addresses these challenges from the perspective of technologies and architecture used. This work focuses also in IoT intrinsic vulnerabilities as well as the security challenges of various layers based on the security principles of data confidentiality, integrity and availability. This survey analyzes articles published for the IoT at the time and relates it to the security conjuncture of the field and its projection to the future.

Cryptography and Security

Aniruddha Bhattacharjya,Xiaofeng Zhong,Jing Wang,Xing Li

DOI: https://doi.org/10.1007/978-3-030-18732-3_7

2020-01-01

Abstract:To explore IoT’s hidden prospective and to address many global complications, the International Telecommunication Union (ITU) is working. They are making the IoT standardized for several years in the Telecommunication Standardization Sector (ITU-T). ITU-T Study Group 20 was formed in recent times, to further endorse coordinated advancement of global IoT technologies, services, and applications. Some of the important IoT projects, their security pitfalls and their applications domains are discussed here. We need some secure architecture. Case by case, we need multi-layer architectures for secure IoT, such as in the smart city environs; we have numerous protocols, access technologies, functions and several types of nodes. Universally, future focuses in the security issues of the Internet of Things would typically quintessence on the following features, related laws for the security of the Internet of Things …

Omerah Yousuf,Roohie Naaz Mir

DOI: https://doi.org/10.1108/ICS-07-2018-0084

2019-10-07

Information and Computer Security

Abstract:Internet of Things (IoT) is a challenging and promising system concept and requires new types of architectures and protocols compared to traditional networks. Security is an extremely critical issue for IoT that needs to be addressed efficiently. Heterogeneity being an inherent characteristic of IoT gives rise to many security issues that need to be addressed from the perspective of new architectures such as software defined networking, cryptographic algorithms, federated cloud and edge computing. The paper analyzes the IoT security from three perspectives: three-layer security architecture, security issues at each layer and security countermeasures. The paper reviews the current state of the art, protocols and technologies used at each layer of security architecture. The paper focuses on various types of attacks that occur at each layer and provides the various approaches used to countermeasure such type of attacks. The data exchanged between the different devices or applications in the IoT environment are quite sensitive; thus, the security aspect plays a key role and needs to be addressed efficiently. This indicates the urgent needs of developing general security policy and standards for IoT products. The efficient security architecture needs to be imposed but not at the cost of efficiency and scalability. The paper provides empirical insights about how the different security threats at each layer can be mitigated. The paper fulfills the need of having an extensive and elaborated survey in the field of IoT security, along with suggesting the countermeasures to mitigate the threats occurring at each level of IoT protocol stack.

Zhen Ling,Kaizheng Liu,Yiling Xu,Chao Gao,Yier Jin,Cliff Zou,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.48550/arXiv.1805.05853

2018-05-15

Abstract:In this paper, we present an end-to-end view of IoT security and privacy and a case study. Our contribution is three-fold. First, we present our end-to-end view of an IoT system and this view can guide risk assessment and design of an IoT system. We identify 10 basic IoT functionalities that are related to security and privacy. Based on this view, we systematically present security and privacy requirements in terms of IoT system, software, networking and big data analytics in the cloud. Second, using the end-to-end view of IoT security and privacy, we present a vulnerability analysis of the Edimax IP camera system. We are the first to exploit this system and have identified various attacks that can fully control all the cameras from the manufacturer. Our real-world experiments demonstrate the effectiveness of the discovered attacks and raise the alarms again for the IoT manufacturers. Third, such vulnerabilities found in the exploit of Edimax cameras and our previous exploit of Edimax smartplugs can lead to another wave of Mirai attacks, which can be either botnets or worm attacks. To systematically understand the damage of the Mirai malware, we model propagation of the Mirai and use the simulations to validate the modeling. The work in this paper raises the alarm again for the IoT device manufacturers to better secure their products in order to prevent malware attacks like Mirai.

Cryptography and Security

Xing Yang,Lei Shu,Ye Liu,Gerhard Petrus Hancke,Mohamed Amine Ferrag,Kai Huang

DOI: https://doi.org/10.1109/tii.2022.3141408

IF: 12.3

2022-07-01

IEEE Transactions on Industrial Informatics

Abstract:The connectivity and intelligence of Internet of Things (IoT) equipment offer improved services, but several technical challenges have emerged in recent years that hinder the widespread application of IoT, e.g., security and safety. Cyber-security and privacy countermeasures are widely used in IoT equipment, and many studies have been conducted. However, an important aspect that is often overlooked in security literature is IoT equipments physical security and safety, namely, preventing IoT equipment from vandalism and theft. Therefore, this article provides an overview of IoT equipments physical security and safety to draw attention to new research opportunities in this area. Afterward, we discuss, among other aspects, antitheft and antivandalism schemes along with circuit and system design, additional sensing devices, biometry and behavior analysis, and tracking methods. Besides, we summarize the artificial intelligence solutions for the physical security and safety of IoT equipment. Finally, we conclude with four future research opportunities.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Samundra Deep,Xi Zheng,Alireza Jolfaei,Dongjin Yu,Pouya Ostovari,Ali Kashif Bashir

DOI: https://doi.org/10.1002/ett.3935

IF: 3.6

2020-03-16

Transactions on Emerging Telecommunications Technologies

Abstract:<p>Internet of Things (IoT) is a novel paradigm, which not only facilitates a large number of devices to be ubiquitously connected over the Internet but also provides a mechanism to remotely control these devices. The IoT is pervasive and is almost an integral part of our daily life. These connected devices often obtain user's personal data and store it online. The security of collected data is a big concern in recent times. As devices are becoming increasingly connected, privacy and security issues become more and more critical and these need to be addressed on an urgent basis. IoT implementations and devices are eminently prone to threats that could compromise the security and privacy of the consumers, which, in turn, could influence its practical deployment. In recent past, some research has been carried out to secure IoT devices with an intention to alleviate the security concerns of users. There have been research on blockchain technologies to tackle the privacy and security issues of the collected data in IoT. The purpose of this paper is to highlight the security and privacy issues in IoT systems. To this effect, the paper examines the security issues at each layer in the IoT protocol stack, identifies the under‐lying challenges and key security requirements and provides a brief overview of existing security solutions to safeguard the IoT from the layered context.</p>

telecommunications