Stuart Millar

DOI: https://doi.org/10.48550/arXiv.2112.14618

2021-12-30

Abstract:The use of IoT in society is perhaps already ubiquitous, with a vast attack surface offering multiple opportunities for malicious actors. This short paper first presents an introduction to IoT and its security issues, including an overview of IoT layer models and topologies, IoT standardisation efforts and protocols. The focus then moves to IoT vulnerabilities and specific suggestions for mitigations. This work's intended audience are those relatively new to IoT though with existing network-related knowledge. It is concluded that device resource constraints and a lack of IoT standards are significant issues. Research opportunities exist to develop efficient IoT IDS and energy-saving cryptography techniques lightweight enough to reasonably deploy. The need for standardised protocols and channel-based security solutions is clear, underpinned by legislative directives to ensure high standards that prevent cost-cutting on the device manufacturing side.

Cryptography and Security,Networking and Internet Architecture

Nan Zhang,Soteris Demetriou,Xianghang Mi,Wenrui Diao,Kan Yuan,Peiyuan Zong,Feng Qian,XiaoFeng Wang,Kai Chen,Yuan Tian,Carl A. Gunter,Kehuan Zhang,Patrick Tague,Yue-Hsun Lin

DOI: https://doi.org/10.48550/arXiv.1703.09809

2017-03-29

Abstract:Inspired by the boom of the consumer IoT market, many device manufacturers, start-up companies and technology giants have jumped into the space. Unfortunately, the exciting utility and rapid marketization of IoT, come at the expense of privacy and security. Industry reports and academic work have revealed many attacks on IoT systems, resulting in privacy leakage, property loss and large-scale availability problems. To mitigate such threats, a few solutions have been proposed. However, it is still less clear what are the impacts they can have on the IoT ecosystem. In this work, we aim to perform a comprehensive study on reported attacks and defenses in the realm of IoT aiming to find out what we know, where the current studies fall short and how to move forward. To this end, we first build a toolkit that searches through massive amount of online data using semantic analysis to identify over 3000 IoT-related articles. Further, by clustering such collected data using machine learning technologies, we are able to compare academic views with the findings from industry and other sources, in an attempt to understand the gaps between them, the trend of the IoT security risks and new problems that need further attention. We systemize this process, by proposing a taxonomy for the IoT ecosystem and organizing IoT security into five problem areas. We use this taxonomy as a beacon to assess each IoT work across a number of properties we define. Our assessment reveals that relevant security and privacy problems are far from solved. We discuss how each proposed solution can be applied to a problem area and highlight their strengths, assumptions and constraints. We stress the need for a security framework for IoT vendors and discuss the trend of shifting security liability to external or centralized entities. We also identify open research problems and provide suggestions towards a secure IoT ecosystem.

Cryptography and Security

Miao Yu,Jianwei Zhuge,Ming Cao,Zhiwei Shi,Lin Jiang

DOI: https://doi.org/10.3390/fi12020027

2020-01-01

Future Internet

Abstract:With the prosperity of the Internet of Things (IoT) industry environment, the variety and quantity of IoT devices have grown rapidly. IoT devices have been widely used in smart homes, smart wear, smart manufacturing, smart cars, smart medical care, and many other life-related fields. With it, security vulnerabilities of IoT devices are emerging endlessly. The proliferation of security vulnerabilities will bring severe risks to users’ privacy and property. This paper first describes the research background, including IoT architecture, device components, and attack surfaces. We review state-of-the-art research on IoT device vulnerability discovery, detection, mitigation, and other related works. Then, we point out the current challenges and opportunities by evaluation. Finally, we forecast and discuss the research directions on vulnerability analysis techniques of IoT devices.

Xin Huang,Paul Craig,Hangyu Lin,Zheng Yan

DOI: https://doi.org/10.1002/sec.1259

IF: 1.968

2015-05-11

Security and Communication Networks

Abstract:The 5th generation wireless system (5G) will support Internet of Things (IoT) by increasing the interconnectivity of electronic devices to support a variety of new and promising networked applications such as the home of the future, environmental monitoring networks, and infrastructure management systems. The potential benefits of the IoT are as profound as they are diverse. However, the benefits of the IoT come with some significant challenges. Not the least of these is that the increased interconnectivity integral to an IoT network increases its vulnerability to malevolent attacks. There is still no proven methodology for the design of security frameworks with device authentication and access control. This paper attempts to address this problem through the development of a prototype security framework with robust and transparent security protection. This includes an investigation into the security requirements of three different characteristic IoT scenarios (concretely, body IoT, home IoT, and hotel IoT), a design of new authentication mechanisms, and an access control subsystem with fine‐grained roles and risk indicators. Our prototype security framework gives us an insight into some of the major difficulties of IoT security as well as providing some feasible solutions. Copyright © 2015 John Wiley & Sons, Ltd. This paper includes an investigation into the security requirements of three different characteristic Internet of Things (IoT) scenarios (concretely, body IoT, home IoT, and hotel IoT), a design of new authentication mechanisms, and an access control subsystem with fine‐grained roles and risk indicators. Our prototype security framework gives us an insight into some of the major difficulties of IoT security and provides some feasible solutions.

computer science, information systems,telecommunications

Zhen Ling,Kaizheng Liu,Yiling Xu,Chao Gao,Yier Jin,Cliff Zou,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.48550/arXiv.1805.05853

2018-05-15

Abstract:In this paper, we present an end-to-end view of IoT security and privacy and a case study. Our contribution is three-fold. First, we present our end-to-end view of an IoT system and this view can guide risk assessment and design of an IoT system. We identify 10 basic IoT functionalities that are related to security and privacy. Based on this view, we systematically present security and privacy requirements in terms of IoT system, software, networking and big data analytics in the cloud. Second, using the end-to-end view of IoT security and privacy, we present a vulnerability analysis of the Edimax IP camera system. We are the first to exploit this system and have identified various attacks that can fully control all the cameras from the manufacturer. Our real-world experiments demonstrate the effectiveness of the discovered attacks and raise the alarms again for the IoT manufacturers. Third, such vulnerabilities found in the exploit of Edimax cameras and our previous exploit of Edimax smartplugs can lead to another wave of Mirai attacks, which can be either botnets or worm attacks. To systematically understand the damage of the Mirai malware, we model propagation of the Mirai and use the simulations to validate the modeling. The work in this paper raises the alarm again for the IoT device manufacturers to better secure their products in order to prevent malware attacks like Mirai.

Cryptography and Security

Ismail Butun,Patrik Österberg,Houbing Song

DOI: https://doi.org/10.1109/COMST.2019.2953364

2019-10-29

Abstract:Wireless Sensor Networks (WSNs) constitute one of the most promising third-millennium technologies and have a wide range of applications in our surrounding environment. The reason behind the vast adoption of WSNs in various applications is that they have tremendously appealing features, e.g., low production cost, low installation cost, unattended network operation, autonomous and longtime operation. WSNs have started to merge with the Internet of Things (IoT) through the introduction of Internet access capability in sensor nodes and sensing ability in Internet-connected devices. Thereby, the IoT is providing access to huge amount of data, collected by the WSNs, over the Internet. However, owing to the absence of a physical line-of-defense, i.e. there is no dedicated infrastructure such as gateways to watch and observe the flowing information in the network, security of WSNs along with IoT is of a big concern to the scientific community. Besides, recent integration and collaboration of WSNs with IoT will open new challenges and problems in terms of security. Hence, this would be a nightmare for the individuals using these systems as well as the security administrators who are managing those networks. Therefore, a detailed review of security attacks towards WSNs and IoT, along with the techniques for prevention, detection, and mitigation of those attacks are provided in this paper. In this text, attacks are categorized and treated into mainly two parts, most or all types of attacks towards WSNs and IoT are investigated under that umbrella: "Passive Attacks" and "Active Attacks". Understanding these attacks and their associated defense mechanisms will help to pave a secure path towards the proliferation and public acceptance of IoT technology.

Cryptography and Security,Networking and Internet Architecture

Xiang Chen,Changlin Yang,Yuhong Nan,Zibin Zheng

DOI: https://doi.org/10.1109/jiot.2024.3506976

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:IoT systems are increasingly widespread across various fields. Concurrently, vulnerabilities in IoT devices are continuously emerging, potentially leading to severe consequences such as information leakage, system failure, or even resource abuse. For IoT system developers, understanding the characteristics of these critical vulnerabilities is crucial for safeguarding the security of IoT systems. However, existing studies on IoT vulnerabilities have not specifically focused on such severe or critical vulnerabilities, i.e., high-risk vulnerabilities. Moreover, previous works analyzed IoT vulnerabilities based on unofficial information sources, such as online reports, GitHub issues, or open-sourced projects. To fill this gap, this paper presents the first large-scale empirical study on high-risk IoT vulnerabilities based on the well-known vulnerability data source, i.e., the National Vulnerability Database (NVD), which is maintained by the U.S. government. We constructed a database consisting of 1,739 IoT-related vulnerabilities archived over the last two decades (from 1999 to 2023), including 1,076 high-risk vulnerabilities for analysis. We classified the high-risk vulnerabilities into four categories, consisting of 25 different weakness types. We further collected 11 detection tools and summarized their capabilities in detecting IoT vulnerabilities. Our study sheds lights on new findings and insights for developers to secure the IoT system.

Binbin Zhao,Shouling Ji,Wei-Han Lee,Changting Lin,Haiqin Weng,Jingzheng Wu,Pan Zhou,Liming Fang,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2020.3037908

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The Internet of Things (IoT) has become ubiquitous and greatly affected peoples' daily lives. With the increasing development of IoT devices, the corresponding security issues are becoming more and more challenging. Such a severe security situation raises the following questions that need urgent attention: What are the primary security threats that IoT devices face currently? How do vendors and users deal with these threats? In this article, we aim to answer these critical questions through a large-scale systematic study. Specifically, we perform a ten-month-long empirical study on the vulnerability of 1,362,906 IoT devices varying from six types. The results show sufficient evidence that N-days vulnerability is seriously endangering the IoT devices: 385,060 (28.25 percent) devices suffer from at least one N-days vulnerability. Moreover, 2669 of these vulnerable devices may have been compromised by botnets. We further reveal the massive differences among five popular IoT search engines: Shodan [1], Censys [2], [3], Zoomeye [4], Fofa [5], and NTI [6]. To study whether vendors and users adopt defenses against the threats, we measure the security of MQTT [7] servers, and identify that 12740 (88 percent) MQTT servers have no password protection. Our analysis can serve as an important guideline for investigating the security of IoT devices, as well as advancing the development of a more secure environment for IoT systems.

Aniruddha Bhattacharjya,Xiaofeng Zhong,Jing Wang,Xing Li

DOI: https://doi.org/10.1007/978-3-319-92564-6_7

2018-01-01

Abstract:The Internet of Things (IoT) signifies the interconnection of exceedingly heterogeneous networked entities, for instance, sensors, actuators, smart phones, etc. In accord with concrete functions, the network structure of the IoT is divided into three hierarchies: the bottom hierarchy is the sensing equipment for information acquisition; the middle hierarchy is the network for data transmission, whereas the top hierarchy is intended for applications and middleware. The uniqueness of the IoT proclaims new challenges to security requirements, dissimilar from previous technology trends. Moreover, to guarantee resilience, fail-over and recovery mechanisms must be provided to uphold operations under failure or attacks, and to return to normal operations (failure/attack mitigation). To uphold the end-to-end method, the gateway requirements to endure invisible to the communicating endpoints. The Constrained …

Ayush Shah,Ambar Pal,H. B. Acharya

DOI: https://doi.org/10.48550/arXiv.1604.00389

2016-04-04

Abstract:A massive current research effort focuses on combining pre-existing 'Intranets' of Things into one Internet of Things. However, this unification is not a panacea; it will expose new attack surfaces and vectors, just as it enables new applications. We therefore urgently need a model of security in the Internet of Things. In this regard, we note that IoT descends directly from pre-existing research (in embedded Internet and pervasive intelligence), so there exist several bodies of related work: security in RFID, sensor networks, cyber-physical systems, and so on. In this paper, we survey the existing literature on RFID and WSN security, as a step to compiling all known attacks and defenses relevant to the Internet of Things.

Networking and Internet Architecture,Cryptography and Security

Mohammed Aziz Al Kabir,Wael Elmedany,Mhd Saeed Sharif

DOI: https://doi.org/10.1080/23742917.2023.2228053

2023-07-13

Journal of Cyber Security Technology

Abstract:The increasing prevalence of IoT devices has brought about numerous security challenges due to their relatively simple internal architecture and low-powered hardware warranted by their small footprint requirement. As there are billions of IoT devices in use today, the sheer number of such devices pose a great security challenge as they are often constrained by a number of hardware and software limitations in addition to being designed with a focus on convenience, ease of use, mass production, and low cost, rather than security. The seemingly exponentially increasing number of such devices make it harder to keep track of – and patch – insecure IoT devices. This paper explores the common security threats, attacks, and vulnerabilities relating to IoT devices and highlights the challenges associated with securing them against emerging security threats and cyberattacks. Due to their role as gateways to connected devices and susceptibility to forming botnets or facilitating man-in-the-middle attacks, IoT devices are a lucrative target for cybercriminals. The paper discusses various remediation and mitigation techniques that can be implemented to better secure IoT devices, including access control mechanisms, secure communication protocols, and regular updates and patches. By better understanding the security challenges associated with IoT devices and implementing effective mitigation techniques, individuals and businesses can ensure the safety, security, and privacy of their connected devices and networks.

Wei Zhou,Chen Cao,Dongdong Huo,Kai Cheng,Lan Zhang,Le Guan,Tao Liu,Yan Jia,Yaowen Zheng,Yuqing Zhang,Limin Sun,Yazhe Wang,Peng Liu

DOI: https://doi.org/10.1109/jiot.2021.3059457

IF: 10.6

2021-07-15

IEEE Internet of Things Journal

Abstract:In recent years, Internet-of-Things (IoT) platforms and systems have been rapidly emerging. Although IoT is a new technology, new does not mean simpler (than existing networked systems). Contrarily, the complexity (of IoT platforms and systems) is actually being increased in terms of the interactions between the physical world and cyberspace. The increased complexity indeed results in new vulnerabilities. This article seeks to provide a review of the recently discovered logic bugs that are specific to IoT platforms and systems and discuss the lessons we learned from these bugs. In particular, 20 logic bugs and one weakness falling into seven categories of vulnerabilities are reviewed in this survey.

computer science, information systems,telecommunications,engineering, electrical & electronic

Youakim Badr,Xiaoyang Zhu,Mansour Naser Alraja

DOI: https://doi.org/10.1007/s11761-021-00327-z

2021-10-01

Service Oriented Computing and Applications

Abstract:In the past few years, the Internet of Things (IoT) has emerged, grown and gradually affected the daily lives of human beings in many new application domains, ranging from wearable devices, smart manufacturing, to smart homes and ambient intelligence just to mention a few. However, realizing the full potential of IoT while ensuring user security and privacy remains an open research challenge. Existing security solutions and techniques are mainly conceived for centralized and distributed information systems and are not directly applicable to IoT-based systems. In fact, IoT systems have unconventional characteristics such as intermittent connectivity, high scalability, dynamic changes and limited resources and thus require a paradigm shift to develop innovative security and privacy solutions. In this survey, we firstly give an overview of security and privacy in IoT. After defining the context of IoT systems, we identify four main characteristics, which imply unprecedented threats and challenges to existing security solutions and techniques. From the perspective of these characteristics and IoT security requirements, we identify and elaborate specific threats and challenges related to the radio-frequency identification (RFID), wireless sensor networks (WSNs) and mobile delay tolerant networks (MDTNs), which are building blocks in many IoT-based systems. In addition, we discuss potential countermeasures to handle IoT threats and challenges.

Xingbin Jiang,Michele Lora,Sudipta Chattopadhyay

DOI: https://doi.org/10.1145/3379542

IF: 5.3

2020-05-31

ACM Transactions on Internet Technology

Abstract:The revolutionary development of the Internet of Things has triggered a huge demand for Internet of Things devices. They are extensively applied to various fields of social activities, and concerning manufacturing, they are a key enabling concept for the Industry 4.0 ecosystem. Industrial Internet of Things (IIoT) devices share common vulnerabilities with standard IoT devices, which are increasingly exposed to the attackers. As such, connected industrial devices may become sources of cyber, as well as physical, threats for people and assets in industrial environments. In this work, we examine the attack surfaces of a networked embedded system, composed of devices representative of those typically used in the IIoT field. We carry on an analysis of the current state of the security of IIoT technologies. The analysis guides the identification of a set of attack vectors for the examined networked embedded system. We set up the corresponding concrete attack scenarios to gain control of the system actuators and perform some hazardous operations. In particular, we propose a couple of variations of Mirai attack specifically tailored for attacking industrial environments. Finally, we discuss some possible

computer science, information systems, software engineering

Tianlong Yu,Vyas Sekar,Srinivasan Seshan,Yuvraj Agarwal,Chenren Xu

DOI: https://doi.org/10.1145/2834050.2834095

2015-01-01

Abstract:The Internet-of-Things (IoT) has quickly moved from the realm of hype to reality with estimates of over 25 billion devices deployed by 2020. While IoT has huge potential for societal impact, it comes with a number of key security challenges---IoT devices can become the entry points into critical infrastructures and can be exploited to leak sensitive information. Traditional host-centric security solutions in today's IT ecosystems (e.g., antivirus, software patches) are fundamentally at odds with the realities of IoT (e.g., poor vendor security practices and constrained hardware). We argue that the network will have to play a critical role in securing IoT deployments. However, the scale, diversity, cyberphysical coupling, and cross-device use cases inherent to IoT require us to rethink network security along three key dimensions: (1) abstractions for security policies; (2) mechanisms to learn attack and normal profiles; and (3) dynamic and context-aware enforcement capabilities. Our goal in this paper is to highlight these challenges and sketch a roadmap to avoid this impending security disaster.

Xiruo Liu,Meiyuan Zhao,Sugang Li,Feixiong Zhang,Wade Trappe

DOI: https://doi.org/10.3390/fi9030027

2017-06-28

Future Internet

Abstract:The Internet of Things (IoT) is a recent trend that extends the boundary of the Internet to include a wide variety of computing devices. Connecting many stand-alone IoT systems through the Internet introduces many challenges, with security being front-and-center since much of the collected information will be exposed to a wide and often unknown audience. Unfortunately, due to the intrinsic capability limits of low-end IoT devices, which account for a majority of the IoT end hosts, many traditional security methods cannot be applied to secure IoT systems, which open a door for attacks and exploits directed both against IoT services and the broader Internet. This paper addresses this issue by introducing a unified IoT framework based on the MobilityFirst future Internet architecture that explicitly focuses on supporting security for the IoT. Our design integrates local IoT systems into the global Internet without losing usability, interoperability and security protection. Specifically, we introduced an IoT middleware layer that connects heterogeneous hardware in local IoT systems to the global MobilityFirst network. We propose an IoT name resolution service (IoT-NRS) as a core component of the middleware layer, and develop a lightweight keying protocol that establishes trust between an IoT device and the IoT-NRS.

Bhaskar Tejaswi,Mohammad Mannan,Amr Youssef

2023-07-26

Abstract:A diverse set of Internet of Things (IoT) devices are becoming an integrated part of daily lives, and playing an increasingly vital role in various industry, enterprise and agricultural settings. The current IoT ecosystem relies on several IoT management platforms to manage and operate a large number of IoT devices, their data, and their connectivity. Considering their key role, these platforms must be properly secured against cyber attacks. In this work, we first explore the core operations/features of leading platforms to design a framework to perform a systematic security evaluation of these platforms. Subsequently, we use our framework to analyze a representative set of 52 IoT management platforms, including 42 web-hosted and 10 locally-deployable platforms. We discover a number of high severity unauthorized access vulnerabilities in 9/52 evaluated IoT management platforms, which could be abused to perform attacks such as remote IoT SIM deactivation, IoT SIM overcharging and IoT device data forgery. More seriously, we also uncover instances of broken authentication in 13/52 platforms, including complete account takeover on 8/52 platforms along with remote code execution on 2/52 platforms. In effect, 17/52 platforms were affected by vulnerabilities that could lead to platform-wide attacks. Overall, vulnerabilities were uncovered in 33 platforms, out of which 28 platforms responded to our responsible disclosure. We were also assigned 11 CVEs and awarded bounty for our findings.

Cryptography and Security

Yimin Guo,Yajun Guo,Ping Xiong,Fan Yang,Chengde Zhang

DOI: https://doi.org/10.1109/tifs.2024.3382934

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Designing an efficient and secure authentication scheme is a significant means to ensure the security of IoT systems. Hundreds of authentication schemes tailored for IoT environments have been proposed in recent years, and regrettably, many of them were soon found to have succumbed to security vulnerabilities. In an effort to investigate the underlying reason for this, Wang et al. (at TIFS'23) recently analyzed the vulnerability of authentication schemes from the perspective of provable security. However, we observe that some authentication schemes with sound security proofs and heuristic security analysis are also not resistant to certain attacks, and even those that have been improved several times are still not immune. To explore the deep-seated reasons for security vulnerabilities in IoT authentication schemes, we divide security attacks into explicit and implicit attacks and find that many authentication schemes exhibit security under explicit attacks but are rendered vulnerable under implicit attacks. Further, we propose the relationship between the design goals of security attributes of authentication schemes and implicit attacks, analyze the vulnerability of three typical authentication schemes under implicit attacks, and find that only the security attributes capable of resisting the strongest implicit attacks are secure. Finally, we offer some specific suggestions on how to achieve the security attribute goals.

computer science, theory & methods,engineering, electrical & electronic

Mahyar Taj Dini,Volodymyr Sokolov

DOI: https://doi.org/10.5281/zenodo.2528814

2019-02-23

Abstract:The rapid development of "smart" devices leads to explosive growth of unprotected or partially protected home networks. These networks are easy prey for unauthorized access, the collection of personal information (including from surveillance cameras), interference in the operation of individual devices and the entire system as a whole. In addition, existing solutions for managing a smart house offer work in the cloud, which in turn reduces the availability of the system and simultaneously increases the risk of the unscrupulous use of personal information by the service provider (up to the sale of data to a third party). This article examines the existing access technologies, their weaknesses, and offers solutions to improve the overall security of the system with a local IoT gateway and virtual subnets.

Cryptography and Security,Networking and Internet Architecture

Abasi-amefon Obot Affia,Hilary Finch,Woosub Jung,Issah Abubakari Samori,Lucas Potter,Xavier-Lewis Palmer

DOI: https://doi.org/10.3390/iot4020009

2023-05-25

IoT

Abstract:The concept of the Internet of Things (IoT) spans decades, and the same can be said for its inclusion in healthcare. The IoT is an attractive target in medicine; it offers considerable potential in expanding care. However, the application of the IoT in healthcare is fraught with an array of challenges, and also, through it, numerous vulnerabilities that translate to wider attack surfaces and deeper degrees of damage possible to both consumers and their confidence within health systems, as a result of patient-specific data being available to access. Further, when IoT health devices (IoTHDs) are developed, a diverse range of attacks are possible. To understand the risks in this new landscape, it is important to understand the architecture of IoTHDs, operations, and the social dynamics that may govern their interactions. This paper aims to document and create a map regarding IoTHDs, lay the groundwork for better understanding security risks in emerging IoTHD modalities through a multi-layer approach, and suggest means for improved governance and interaction. We also discuss technological innovations expected to set the stage for novel exploits leading into the middle and latter parts of the 21st century.