Security Challenges in Internet of Things (IoT)

International Journals of Advanced Research in Computer Science and Software Engineering
ISSN: 2277-128X (Volume-7, Issue-6)
Research Article, June 2017
Alok Kumar Pathak
Scientist-D, National Informatics Centre, New Delhi, India
Abstract— The term 'Internet of Things' can be roughly understood as the use of standard Internet protocols for the
interconnection of highly heterogeneous networked entities for human-to-thing or thing-to-thing communication
in embedded networks. Because of the inherent nature of IoT devices, the security threats are acknowledged, but it is
still not fully understood how existing IP security protocols and architectures could be used to connect various
devices that range from 8-bit chips to 32- and 64-bit new-generation Raspberry Pi based devices running
full-fledged Linux operating systems. Inefficient security capabilities and irregular or no patching of
vulnerabilities in these devices, coupled with a lack of consumer security alertness, provide malicious users with
opportunities to exploit these devices. In this paper, we discuss the broad usage areas of IoT, the security threats in
IoT ecosystems, and finally the steps and approaches to mitigate the threats.
Keywords— IoT, Security, Protocol, DDoS
I. INTRODUCTION
In the late 80s and early 90s, the Internet fascinated everyone with its potential to change how people could
communicate, ideate and collaborate in the years to come. All this happened amid constant fear that the Internet is
insecure and vulnerable to attacks that compromise user privacy. Similarly, the Internet of Things (IoT) has been
charming everyone for the last couple of years because of its potential to rapidly transform businesses and people's
lives. IoT comprises devices (including sensors) that interact and communicate with other machines, objects and
environments, thereby creating an ecosystem for 'Smart' surroundings. As per the prediction by Gartner, there will be
around 26 billion devices connected to each other by 2020. Other analysts even predict the number to be in excess of
50 billion [1]. Obviously this would end up generating a huge volume of raw data that needs to be processed and
analysed to generate meaningful information to help stakeholders take informed decisions.
The term IoT was first coined by the Auto-ID centre [2] in 1999. There have been rapid developments in the
fundamental concepts ever since. The IoT now presents a strong area of research with various initiatives underway, be it
the (re)design, application, or use of standard Internet technology. With the introduction of IPv6 and web services as
fundamental building blocks for IoT applications [3], it promises to bring a number of basic advantages including:
(i) simple integration with Internet hosts, (ii) ease in development of different appliances, and (iii) a homogeneous
interface for applications, removing the need for application-level proxies. This has simplified the deployment of IoT
ecosystems in scenarios ranging from building automation to production environments to smart homes.
IoT Architecture
A simple representation of IoT architecture may be described in four components [4]: a) IoT devices called
'Things', b) the Gateway, c) Network and Cloud, and finally d) the Service layer, as shown in figure 1.
Please note that the cloud infrastructure could also be an in-house server instead, but this approach is not cost effective.
© www.ijarcsse.com, All Rights Reserved
IoT Devices
By definition, an IoT device is anything that can be interconnected in a home, business or industrial setup with the
capability to collect and send information to the service layer for analysis. The devices basically have sensors that
detect or gather the current state or information. The devices come in all kinds of capabilities and processing power [5].
• At the lowest level, the devices have 8-bit controllers like Arduino boards.
• The devices could be based on a 32-bit architecture running an embedded Linux platform like OpenWrt.
• The latest and most powerful devices may have a full Linux OS (or Android) running on 32- or even 64-bit
platforms like Raspberry Pi. This category also includes the mobile apps running on smartphones.
Gateways
Although sophisticated devices may connect to the network using common protocols or technologies such as
direct Ethernet or Wi-Fi, Bluetooth Low Energy, Near Field Communication (NFC) or Zigbee [6], IoT devices were not
originally meant to connect to the Internet directly, owing to simplicity at the design level. Gateways help to fill the
gap by enabling the devices to connect to the Internet while ensuring the manageability and security aspects. Around 85%
of existing IoT devices connect through a gateway.
Network and Cloud Infrastructure
A network comprises routers, repeaters and gateways, which control data flow and connect to telecom
networks such as 3G, 4G and LTE for IP-based communications. IoT devices generate an enormous amount of data.
Cloud infrastructure provides the required hardware capacity and processing power for processing this data.
Service Creation Layer
The service creation layer is the stack of middleware components, such as the service bus, extract, transform, load
(ETL) tools, applications and web servers, which massage the data and present it for consumption through various
channels such as desktop, browser and mobile applications (apps).
II. APPLICATION DOMAINS
There is hardly any area where a potential use case of IoT is not being envisaged. Some of the chief areas where IoT is
supposed to transform the entire business domain are: Manufacturing and Logistics, Health care, Home Automation,
Banking and Finance, and Retail [7].
• Manufacturing:
o Machine-to-machine and machine-to-infrastructure communication
o Tracking of goods on the move and optimization of the logistics process
• Health care:
o Remote health monitoring of patients
o Off-premise diagnosis and treatment
• Industrial and home automation:
o Smart city and smart home automation
o Work premise automation
o Remote monitoring of home appliances
o Smart billing systems for utilities like gas, electricity and home broadband
o Geo-tagging of domestic and wild animals for monitoring
• Retail:
o Bar codes are limited in the amount of data they can store and reflect. When they are
replaced with IoT devices, more relevant data can be fed to the monitoring systems, thereby
improving supply chain efficiency
o Informed shopping experience for the end customers
The areas where IoT is envisaged to be used are so diverse that it is extremely unlikely that the same
manufacturer will be able to produce an end-to-end solution and support the full potential of an IoT solution for even
one domain. Therefore there is plenty of scope for interfacing modules to be developed in order to integrate the
ecosystem. Smart homes and retail are the pioneering areas where a plethora of IoT devices will be deployed in the
coming years. For example, Walmart has already invested a lot in the usage of IoT in its supply chain [8].
III. SECURITY ISSUES
The very basic promise of IoT is to have an ecosystem with all kinds of devices with ubiquitous access to the
Internet, deployed in areas like healthcare and home automation. These devices will generate a huge amount of data for
consumption by smart monitoring systems. This volume of data, with non-stringent access authorization, will make it
difficult to plug the security gaps. The major security bottlenecks and privacy concerns include [9]:
• User Authentication—Most of the devices operate on a default password such as '1234', which is known to
everybody and thus poses a huge security risk. At times these are even configured to use the default
username/passwords.
• Limited Encryption at Transport Layer—Since the majority of devices are very low level from the hardware
perspective, encryption algorithms are not implemented, thereby making the communication vulnerable to
spoofing.
• Insecure interface—For the end user, IoT-based solutions are accessed via a web browser or mobile
application interface. This web/mobile interface may also be prone to Open Web Application Security Project
(OWASP) [10] Top 10 vulnerabilities such as poor session management, cross-site scripting and cross-site
request forgery attacks.
• Unsecure code practices—At the middle layer, there could be issues related to unsecure coding of business and
service logic.
• Personal data privacy concerns—IoT devices collect a lot of personal information related to the user
(especially in the health care domain) like name, age, contact number, date of birth etc., which is transmitted
over the network mostly without encryption, posing a severe privacy risk. Unauthorized access to such data would
lead to unwanted divulgence of user information. For instance, the kind of food one purchases might be
analysed to understand the kind of health problems one might be facing.
IV. SECURITY BREACHES AND ATTACKS
The year 2015 was termed the year of IoT by the experts. However, the months that followed witnessed many
security breaches and attacks, which have raised question marks over the dependability and risk of having an ecosystem
wherein small devices with limited scope to implement security connect to the Internet. For example, in October last
year (2016) much of America's Internet was brought down by a network of IoT devices (called the Mirai Botnet). The
cyber attack was reported to be the largest of its kind in history [11].
The botnet (comprising compromised IoT devices like IP cameras and DVRs) was used to carry out a DDoS
attack on the servers of Dyn, a company that controls much of the internet's domain name system (DNS) infrastructure.
The attack was sustained for most of the day, affecting many sites including hugely popular ones like Twitter, the
Guardian, Netflix, Reddit, CNN and many others in Europe and the US.
Security Mitigation
As on date no vendor manufactures an end-to-end IoT solution, and hence the system can be made secure only
when security is embedded in the entire production life cycle. Every component of an IoT solution must undergo a
comprehensive security review to detect any potential vulnerability.
Some approaches towards minimization of security lapses are as under:
• Secure device platform—Any weakness in the base device platform might lead to alteration of the privilege the
default user has. The OS running on the devices should be thoroughly examined to validate its security and
configuration against the baselines of standard information security systems. Any intermediate interfaces
should not be included in the production environment.
• Secure Network traffic—As it is difficult to implement sophisticated security/encryption algorithms in the
devices because of the simplistic (or outdated) hardware architecture, the network traffic is vulnerable to
man-in-the-middle type attacks. The possibility of implementing some lightweight encryption algorithms should be
explored to address the security concerns without affecting the performance requirements.
• Functional security requirements—Comprehensive high-level functionality testing with emphasis on
security and penetration may be included as a part of the testing phase. Negative testing must also be included
during validation. Whenever required, IoT solutions could use Software as a Service (SaaS)-based identity
management solutions for authorization and authentication requirements. Penetration testing should be held
periodically. This will also minimize the advanced persistent threats (APT) for IoT solutions.
• Side Channel attack Mitigation- This attack is a form of reverse engineering. Electronic circuits may produce
emissions (like heat or electromagnetic radiation) as by-products, which an attacker can analyse to infer how the
circuit works and what data is being processed even without access to the circuitry. As these emissions do not play
any role in the operation of the circuit itself, they may go unnoticed, which leaves the circuit extremely defenceless.
This can only be prevented by thorough testing specifically for side channel attacks as part of security testing.
• Secure code reviews—Secure code reviews during the development phase may greatly reduce the cost of fixing
defects. The focus should be on areas with sensitive and security impacts such as the boot process, security
enforcement and encryption modules.
• End-to-end penetration test—Finally, end-to-end penetration testing should be done across all the interfaces
to find any vulnerabilities in the web, mobile and cloud interfaces of the IoT solution. Each and every
component must be secured in order to have a foolproof secure ecosystem.
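The "Secure Network traffic" item above and the "Limited Encryption at Transport Layer" issue in Section III both concern device traffic that can be spoofed or altered in transit. As an added example (not from the paper or from any product it cites), the Python code below shows one lightweight measure: a truncated HMAC-SHA256 tag and a message counter on each sensor frame, so that the gateway rejects forged, altered and replayed frames. The frame layout, the names `seal` and `Gateway`, and the pre-shared per-device key are assumptions; the scheme authenticates traffic but does not encrypt it.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HI")   # assumed layout: 2-byte device id, 4-byte counter
TAG_LEN = 16                    # HMAC-SHA256 truncated to 16 bytes to keep frames small


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def seal(key, device_id, counter, payload):
    """Device side: header + payload + tag computed over both."""
    header = HEADER.pack(device_id, counter)
    return header + payload + _tag(key, header + payload)


class Gateway:
    """Gateway side: holds per-device keys and the last counter accepted."""

    def __init__(self, keys):
        self.keys = dict(keys)      # device id -> pre-shared key (assumed provisioning)
        self.last_counter = {}      # device id -> highest counter accepted so far

    def receive(self, frame):
        """Return (status, payload); payload is b"" unless status is "ok"."""
        if len(frame) < HEADER.size + TAG_LEN:
            return ("malformed", b"")
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack(header)
        key = self.keys.get(device_id)
        if key is None:
            return ("unknown-device", b"")
        # Constant-time comparison, done before the counter check so that a
        # forged frame can never advance the replay state.
        if not hmac.compare_digest(tag, _tag(key, header + payload)):
            return ("bad-tag", b"")
        if counter <= self.last_counter.get(device_id, -1):
            return ("replayed", b"")
        self.last_counter[device_id] = counter
        return ("ok", payload)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed demo key, not a real secret
    gw = Gateway({7: key})
    frame = seal(key, 7, 1, b"speed=42")        # constructed sample reading
    print(gw.receive(frame))                    # accepted
    print(gw.receive(frame))                    # same frame again: replayed
    forged = frame[:6] + b"speed=99" + frame[-TAG_LEN:]
    print(gw.receive(forged))                   # payload changed: bad-tag
```

The device must persist its counter across reboots, otherwise its own frames will be rejected as replays after a restart.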
Case Study of an IoT Solution
To identify the attack scenarios and formulate mitigation plans for each component in an IoT solution, we may
take reference from the results of a US-based software company that developed a SecureTravel product using IoT
technology. The solution tracks real-time data about the speed and location of the vehicles, including the people
travelling in the vehicles [4].
The IoT solution under study had the following components:
• Sensors in the vehicles
• Gateways
• Services
• Web interface
• Mobile interface
The solution was subjected to comprehensive penetration testing with techniques such as threat modelling using the
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service (DoS), Elevation of privilege (STRIDE)
software. The idea was to understand the scenarios and propose a mitigation strategy (figure 2).
V. CONCLUSION
To have a decently secure IoT solution it is important to include security testing in the early part of the life cycle
of the solution. Mitigation of risks would also make the design easier to replicate. Secure systems development life
cycle (SDLC) practices must be adhered to, and the security and privacy challenges must be addressed. Penetration
testing and side channel attack mitigation should happen periodically.
Although the contemporary generation of platforms like Intel Edison is based on faster Atom Silvermont cores,
which also run many of the tablets and smartphones today, the majority of IoT devices run on chips that are small and
at times based on outdated architectures, such as Quark processors, which use the same instruction set as the outdated
Pentium P54C. This is because the majority of devices are wearable and disposable in nature, and implementing them on a
high-end platform would not only require high battery power but would also increase the cost of hardware, thereby making
the commercial viability questionable. We may eventually end up having powerful processors, such as Intel Atoms or
ARMv8 chips, in products like smart refrigerators or washing machines with touchscreens, but this is highly unlikely and
impractical for disposable devices with small or no displays and limited battery capacity.
Manufacturing complete platforms for various IoT devices could definitely introduce more standardisation and
security. This may sound promising in principle but may lead to research and development of fewer platforms (just as in
the case of personal computers and laptops, where the hardware is based on only two major architectures: Apple and IBM),
which, if compromised, would lead to cyber attacks of even greater proportions.
REFERENCES
[1] Cisco, "The Internet of Things," Cisco Visualizations, 2014
[2] AUTO-ID LABS. http://www.autoidlabs.org/. Online, last visited 10. June 2017.
[3] E. Kim, D. Kaspar, N. Chevrollier, and JP. Vasseur. Design and Application Spaces for 6LoWPANs, draft-ietf-6lowpan-usecases-09, January 2011.
[4] S. Subramanian, V.V. Gopal and M. Muthuswamy. "Security and Privacy Challenges of IoT-enabled Solutions", ISACA Journal, Volume 4, 2015
[5] Intel, "Developing Solutions for Internet of Things", white paper, 2014
[6] Parneet Dhillon, Harsh Sadawarti. "A Review Paper on Zigbee (IEEE 802.15.4) Standard". International Journal of Engineering Research & Technology, Vol. 3 - Issue 4 (April 2014)
[7] Freescale, "What the Internet of Things (IoT) Needs to Become a Reality", white paper, May 2014
[8] Hardgrave, Bill; "RFID Adoption Is on Target," RFID Journal, 5 January 2015
[9] NCC Group, "Security of Things: An Implementer's Guide to Cyber-Security for Internet of Things Devices and Beyond", 2014
[10] The Open Web Application Security Project. https://www.owasp.org/index.php/Main_Page. Online, last visited 10. June 2017.
[11] http://www.autoidlabs.org/. Online, last visited 10. June 2017
[12] WIRED, https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/
[13] Rolf H. Weber. "Internet of Things – New security and privacy challenges". Science Direct, 2010
[14] NCC Group, "Security of Things: An Implementer's Guide to Cyber-Security for Internet of Things Devices and Beyond", 2014