The primary objective of the Internet of Things (IoT) is to connect billions of devices and extend the Internet pervasively into everyday human life. However, IoT devices are highly vulnerable to severe physical and software attacks, since once deployed in the environment they are unprotected and unattended. In such security-sensitive deployments, keeping the network available for its intended purpose is crucial.
IoT devices are attractive to malicious attackers because many of them ship with insecure defaults, including open access to management systems through Internet-facing interfaces, remotely exploitable code, and default administrative credentials. Moreover, Distributed Denial of Service (DDoS) attacks hijack insecure network devices, overwhelming the network with high traffic from multiple sources and thus making online services unavailable. The issues of attacks on IoT routing are shown in Figure 1.
Figure 1: Security Issues in IoT Routing

Table 1: Types of Attacks on IoT

| Attacks | Target | Technique | Weakness |
|---|---|---|---|
| Denial of Service (DoS) attacks | IoT devices that are connected to the Internet | Blackmailer endeavors to terminate or mess up the network. Distributed attacks crash the network and automatically shut down the IoT system. | Disable the network; reduction in network capacity |
| Wormhole attacks | Packet location | Tunneling or re-transmitting the packets from one location to another location | Difficulty in checking the routing information |
| Sybil attacks | Data integrity and resource utilization | An adversary masquerades as normal users to propagate malware to a website. The IoT system is likely to generate the wrong report. | Costly network; launch of attacks on geographic routing protocols |
| Spoofed, replayed or altered routing information | Detectable IoT devices and routing information | In the beginning, the spoofer only listens to the appropriate transmitter but does not transmit any signal. The spoofer starts to send when the legitimate transmitter stops sending. | High end-to-end delay; source routes are likely to be shortened or extended |
Security breaches also have enormous implications because threats shift from handling information to the actual control of devices, i.e., attack threats move from the cyber environment to the physical environment. This shift creates a fertile and extensive attack surface, extending from well-known devices and threats to the added threats of new devices, workflows, and protocols. Thus the risk of attack is further increased in the IoT environment. The several types of attacks are described in Table 1.
Owing to the broad scope of IoT, security is one of the principal challenges that must be overcome to bring the IoT into the real world. IoT architectures are expected to deal with a population of billions of things, which are likely to interact with each other and with other entities such as virtual entities or human beings. All these interactions must be secured to protect the information and to limit incidents that affect the entire IoT. However, this is a complex task in IoT. In this context, each node needs to be able to confirm the actual identity of other nodes. Otherwise, an attacker can easily capture a node and use it to interfere with other communications. Authentication, data integrity, confidentiality, and energy efficiency are the significant security-related challenges in IoT, since the numerous personal things connected to the IoT bring potential security risks.
Authentication ensures that the users of a device have authorized credentials to access the information. Authentication requires infrastructure to exchange the public and private keys between nodes, so an attacker can simply extract the cryptographic secrets. Also, because IoT devices cannot exchange many messages with authentication servers, these authentication approaches are not feasible in the IoT context. The same reason applies to sensor nodes in a less restrictive way. During data transfer, security issues such as illegal node access, data leakage, and unlawful attacks arise.
IoT objects are often unattended and are easy prey for a malicious attacker, who can capture the node identity and launch physical as well as network-based attacks. Numerous works have proposed cryptography and key management solutions. However, they do not provide an exact solution that prevents the man-in-the-middle and proxy attack problems. Entity authentication can solve these issues through appropriate security key management methods. However, in distributed IoT architectures, any entity can connect with other entities at any time, and these entities are not likely to know about each other in advance. Thus, security key management becomes a crucial problem in resolving the security issues in IoT. The vulnerability of nodes and communication channels, along with the highly dynamic topology, makes IoT security a challenging task.
In addition to the security challenges, data integrity issues have been extensively analyzed in many conventional communication and computing systems. By ensuring that the data arriving at the receiver node is unaltered, data integrity efficiently prevents man-in-the-middle modification. Due to the self-organizing and constrained nature of IoT sensor nodes, using authorized solutions through connected servers poses great difficulties for secure routing among IoT sensor nodes, as IoT networks are easily prone to various attacks. Severe attacks such as eavesdropping, injection of fake information into the network, and wireless broadcast of messages immensely compromise the integrity of IoT communication.
To achieve confidentiality during data transmission, cryptographic protocols need to be incorporated. Public key and symmetric key cryptographic algorithms are commonly implemented. However, these cryptographic protocols do not ensure total security. In an IoT context, a critical aspect of security is safeguarding the confidentiality of information and the authentication of each deployed device. End-to-end data confidentiality can be attained through encryption, which can be supplied by existing security protocols such as Internet Protocol Security (IPsec) or Transport Layer Security (TLS). However, these security protocols raise an issue when choosing the cryptographic keys and user certificates required for encryption and authentication. Moreover, privacy protection has become an increasingly challenging task in IoT, as IoT makes the bulk of information readily available via remote access mechanisms. Recently, numerous privacy protection methods have been discussed. However, most of these methods aim at protecting individual privacy features such as location. An IoT application involves several different privacy classifications, and protecting all of them is expensive. Owing to the running efficiency and economic cost of system implementation, in several cases it is not possible to employ any privacy protection method.
IoT devices are expected to be reachable by other devices at all times. This implies that the device, or at least its communication, is consuming energy even when the device is in the proper use of its primary function. Most devices enter a standby state, which consumes significantly less electrical energy. Billions of devices need excessive standby energy, even if each individual device needs only average power.
On the other hand, IoT routing protocols are likely to enable efficient use of energy, as they can provide control possibilities and new data collection. IoT applications are likely to range from simple monitoring, such as measuring the temperature in a building, to complex applications such as providing complete energy automation of an entire campus. IoT communications may be required offline, where information is exchanged on demand, or online, which allows real-time control. Building control applications can provide efficient use of the energy in a building while ensuring comfort for building occupants.
Public key cryptography can be a possible security solution for sensor nodes that operate as client nodes. A key is commonly used to perform encryption and decryption with symmetric cryptographic algorithms and to provide data integrity with message authentication codes. In symmetric cryptographic algorithms, the same key is employed for encryption and decryption, or for integrity value generation and integrity verification.
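As an added illustration (not code from the original article), the sketch below shows how a message authentication code computed with a pre-shared symmetric key, combined with a per-sender counter, lets a receiving node reject the altered, spoofed and replayed routing information listed in Table 1. The frame layout, node identifiers, keys and payloads are assumptions constructed for this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

HEADER = struct.Struct(">HQ")  # assumed layout: 2-byte sender id, 8-byte counter
TAG_LEN = hashlib.sha256().digest_size


def protect(key: bytes, sender: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header | payload | HMAC-SHA256(key, header | payload)."""
    header = HEADER.pack(sender, counter)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class Receiver:
    """Verifies frames with per-sender keys and tracks the last counter accepted."""
    def __init__(self, keys: Dict[int, bytes]) -> None:
        self.keys = keys
        self.last_counter: Dict[int, int] = {}

    def accept(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        header, payload = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN]
        sender, counter = HEADER.unpack(header)
        key = self.keys.get(sender)
        if key is None:
            return "unknown-sender", None
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; checked before any state is updated.
        if not hmac.compare_digest(frame[-TAG_LEN:], expected):
            return "bad-tag", None
        if counter <= self.last_counter.get(sender, -1):
            return "replay", None
        self.last_counter[sender] = counter
        return "ok", payload


# Constructed sample data: pre-shared 32-byte keys for nodes 1 and 2.
KEYS = {1: bytes(range(32)), 2: bytes(range(32, 64))}


def demo() -> List[str]:
    rx = Receiver(KEYS)
    good = protect(KEYS[1], 1, 1, b"next_hop=7;cost=3")
    altered = bytearray(protect(KEYS[1], 1, 2, b"next_hop=7;cost=3"))
    altered[HEADER.size] ^= 0x01  # one payload bit changed in transit
    spoofed = protect(KEYS[2], 1, 3, b"next_hop=9;cost=1")  # node 2 claims id 1
    return [rx.accept(f)[0] for f in (good, good, bytes(altered), spoofed)]
```

Because the same key generates and verifies the tag, the check is only as strong as the secrecy of each per-sender key, and the last accepted counter must survive a device restart for the replay check to hold.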
The features above do not sufficiently cover key distribution mechanisms. Besides, heterogeneous classifications based on different, unrelated criteria are taken into consideration. Taking these classifications into account, the taxonomy covers asymmetric key distribution mechanisms for IoT in addition to symmetric approaches. In the deterministic approach, key management goes further by distinguishing protocols in which a server participates in the key negotiation process from protocols that do not rely on any third party during the key establishment phase. Moreover, IoT is broadly applied in industries, homes, and many other settings. Because of this wide range of applications, secure transmission becomes a critical issue in assuring system safety. Hybrid encryption is one kind of cryptographic paradigm that can be applied to the IoT. It provides the benefits of both symmetric and asymmetric key performance. Thus, it enables low computational complexity and strong security.