Security in Internet of Things
Abstract
The Internet first connected people to static information; today it connects people to people and people to physical things. The Internet of Things (IoT) now represents a diverse set of technologies and uses, with a wide range of business opportunities and risks. IoT allows data to be transferred from physical devices to the Internet. The growing number of smart devices results in a network whose information can be communicated in many different ways, and IoT lets physical objects connect to and identify other devices over IP addresses without any human intervention.
This paper discusses IoT concepts, its characteristics, and its security challenges.
I. Introduction
The vast number of insecure Internet of Things (IoT) devices, many of which have considerable computing power, makes them an easy and attractive target for attackers, who compromise these devices and use them to build large-scale botnets.
A botnet is a network of infected machines or bots, also known as zombies, that operates with a command-and-control system. It is used for various malicious activities, such as distributed denial-of-service (DDoS) attacks (refer to the “Bot-nets” sidebar).
In November 2013, Symantec researchers discovered the Linux.Darlloz worm, which exploited a PHP vulnerability to spread to IoT devices such as home routers, TV set-top boxes, surveillance cameras, printers, and industrial control systems. In January 2014, a variant of the worm was discovered that included a cryptocurrency mining tool.
In September 2016, an IoT botnet built by the Mirai malware emerged, perhaps the largest botnet on record. It was responsible for a 600-Gbps attack targeting Brian Krebs’s security blog (krebsonsecurity.com).
Mirai’s strategy is quite simple: it tries a list of 62 common default usernames and passwords to gain access, primarily to home routers, network-enabled cameras, and digital video recorders, which generally have weaker security than other consumer IoT devices.
In that same month, a Mirai-based attack against the French web host OVH set a new record for the largest recorded DDoS attack, reaching a rate of 1.1 Tbps and possibly peaking at 1.5 Tbps.
II. IoT Security Risks
These DDoS attacks were not a surprise. Compared with conventional computing systems, IoT systems are at a higher security risk for several reasons:
- IoT systems lack well-defined perimeters and change constantly because of device and user mobility.
- IoT systems are highly heterogeneous in their communication media and protocols, platforms, and devices.
- IoT devices could be autonomous entities that control other IoT devices.
- IoT systems may consist of “things” not intended to be connected to the Internet.
- IoT systems, or parts of them, could be physically unprotected and/or controlled by various parties.
- Unlike smartphone applications, which require authorization at installation and numerous user interactions, granular permission requests will probably not work in IoT systems because of the sheer number of devices.
Consequently, many IoT systems lack even basic security. Table 1 shows the most common IoT vulnerabilities as identified by the Open Web Application Security Project (OWASP; www.owasp.org). A July 2014 report on IoT device security by HP found, on average, 25 vulnerabilities per device. For instance, 80 percent of devices failed to require passwords of sufficient length and complexity, 70 percent did not encrypt local and remote communications, and 60 percent had vulnerable user interfaces and/or weak firmware.
III. Protection Techniques
Ensuring that IoT devices are not misused as zombies involves a few well-understood security techniques that address the most common vulnerabilities. An October 2016 alert by the US Computer Emergency Readiness Team (US-CERT) about the Mirai botnet provides a thorough list of such practices, including:
- Ensure that all default passwords are changed to strong, complex passwords.
- Keep IoT devices up to date with security patches.
- Disable Universal Plug and Play (UPnP) on switches unless it is essential.
- Monitor TCP ports 23 and 2323 for attempts to gain unauthorized control of IoT devices through the system terminal (Telnet).
- Watch for suspicious traffic on port 48101, since infected devices often use this port to report back to the attacker and spread malware.
The US-CERT alert also recommends specific end-user actions, such as buying IoT devices only from companies with a good security reputation and understanding a device’s communication capabilities, since such devices are at a higher risk of malware attacks. These measures are commendable and provide a baseline of protection. However, they rely on human interaction with each device, which does not scale; automated methods for managing the security of such devices are greatly needed. A further challenge is that even when an IoT device has known software vulnerabilities, patches or workarounds may not be downloaded for a significant amount of time. Under these circumstances, intrusion detection systems become even more important. And because many of the devices lack adequate processors or sufficient memory, intrusion detection will most likely have to run on a gateway device.
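As an added illustration, not taken from the page or from the US-CERT alert, the following Python script applies the two monitoring recommendations above to constructed connection-log lines, the kind of check a gateway-based intrusion detector could run: it flags a host that probes many distinct addresses on TCP 23/2323 (Telnet scanning, which is how an infected device looks for new victims) and any host that connects out to port 48101. The log format, the addresses and the scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed connection-log lines (not from the page): "timestamp src dst dport proto".
SAMPLE_LOG = """\
2016-09-20T10:00:01 192.0.2.10 198.51.100.5 23 TCP
2016-09-20T10:00:01 192.0.2.10 198.51.100.6 23 TCP
2016-09-20T10:00:02 192.0.2.10 198.51.100.7 2323 TCP
2016-09-20T10:00:02 192.0.2.10 198.51.100.8 23 TCP
2016-09-20T10:00:03 192.0.2.10 198.51.100.9 2323 TCP
2016-09-20T10:00:03 192.0.2.10 203.0.113.77 48101 TCP
2016-09-20T10:00:04 192.0.2.20 198.51.100.5 443 TCP
2016-09-20T10:00:05 192.0.2.20 198.51.100.5 23 TCP
2016-09-20T10:00:06 192.0.2.30 203.0.113.9 53 UDP
"""

TELNET_PORTS = {23, 2323}   # ports named in the US-CERT alert
REPORT_PORT = 48101         # port infected devices use to report back

def parse(log_text):
    """Yield (timestamp, src, dst, dport, proto) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        yield ts, src, dst, int(dport), proto

def analyze(log_text, scan_threshold=4):
    """Return {src: [findings]} for hosts showing Mirai-style behaviour."""
    telnet_targets = defaultdict(set)   # src -> distinct hosts probed on 23/2323
    report_back = defaultdict(set)      # src -> hosts contacted on 48101
    for _ts, src, dst, dport, proto in parse(log_text):
        if proto == "TCP" and dport in TELNET_PORTS:
            telnet_targets[src].add(dst)
        if proto == "TCP" and dport == REPORT_PORT:
            report_back[src].add(dst)
    findings = defaultdict(list)
    # One Telnet session to one device may be an administrator; probing many is a scan.
    for src, targets in telnet_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].append(f"telnet scan: {len(targets)} distinct targets on 23/2323")
    for src, dsts in report_back.items():
        findings[src].append(f"outbound to port {REPORT_PORT}: {sorted(dsts)}")
    return dict(findings)

if __name__ == "__main__":
    for src, notes in analyze(SAMPLE_LOG).items():
        print(src, notes)
```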
IV. System Architecture
Figure 2 illustrates the Unit and Ubiquitous IoT (U2IoT) system architecture, which has three layers: the perception layer, the network layer, and the application layer. The perception layer comprises the technologies that sense physical objects and convert them into cyber-entities. Most sensing devices rely on radio-frequency identification (RFID), radar, infrared detection, the Global Positioning System (GPS), and Wi-Fi, Bluetooth, and ZigBee wireless sensor networks. This layer also includes the mechanical and electronic actuators, valves, and switches that connect to the sensors and carry out their instructions. Nearly all network units, including routers, interfaces, communication channels, and gateways, belong to the network layer. Management and data centers (M&DCs) serve as network nodes; unit M&DCs are managed by local (lM&DC), industrial (iM&DC), and national (nM&DC) M&DCs. Heterogeneous network configurations may incorporate the Internet, wireless sensor networks (personal area, local, regional, metropolitan), and mobile and telecommunications networks. This layer ensures reliable data transfer and connectivity using secure data coding, integration, mining, and aggregation algorithms.
The application layer supports applications in local, industrial, and national IoTs, managed respectively by lM&DCs, iM&DCs, and nM&DCs. A local IoT connects unit IoTs in a specific area; an industrial IoT manages unit IoTs in industries like transportation or telecommunications, while a national IoT coordinates a nation’s local and industrial IoTs. This layer also comprises service integration, transnational supervision, and global coordination. IoT applications, ranging from smart homes to smart grids, implement standard protocols like the Constrained Application Protocol (CoAP) and Wireless Application Protocol (WAP), in addition to widely accepted service synthesis technologies such as service-oriented architectures and cloud computing.
Things in the U2IoT exist as both physical objects and cyber-entities, and they have four distinct characteristics.
Space-time consistency: A cyber-entity can interact with other cyber-entities in any mode or condition. Cyber-entities can enter or leave connections at any time without disrupting ongoing sessions. Heterogeneous systems incorporate synchronization, registration, and relation methods to guarantee space-time consistency.
Multi-identity coexistence: A cyber-entity can assume multiple identities, including a core identity and various temporary or additional identities, depending on its applications. These identities can be represented by different identifiers or non-identifiers. For instance, RFID-based inventory control systems assign a unique identifier such as an Electronic Product Code to tagged goods, while biometric features such as fingerprints and iris scans serve as unique non-identifiers. In other contexts, non-unique identifiers and non-identifiers can jointly represent things.
Dynamic interaction: A cyber-entity can adapt to varying conditions and is related to other cyber-entities either directly or indirectly. Ubiquitous communication across networks supports intelligent data processing.
Social awareness: A cyber-entity’s relationship to its physical object can be described by social characteristics, which include aspects such as ownership, control, alliance relationship modeling, and behavior formalization.
Fig 3. Three Cyber Entity Interaction Scenarios.
V. Securing Cyber-Entity Interaction
Figure 3 illustrates three RFID-based interaction scenarios among U2IoT cyber-entities. Here, “T” represents a tag (cyber target), “R” represents a reader (cyber sensor), and uM&DC, lM&DC, iM&DC, and nM&DC denote unit, local, industrial, and national M&DCs, respectively.
The terms uM&DCl and uM&DCi denote uM&DCs attached to their default local and industrial M&DCs, respectively. Figure 4 illustrates the proposed secure solutions for each scenario.
Scenario 1: Secure Data Access
In this scenario, T and R establish mutual authentication, and uM&DCl confirms that both are authorized cyber-entities. T and R fall under the authority of uM&DCl, which, as a trusted entity, can access the identified tag’s information for management. Having learned that T is legitimate, R transmits T’s and R’s authentication to uM&DCl for identity confirmation, and uM&DCl validates T and R. Upon validation, uM&DCl sends a private distribution message to T, and R forwards an authentication to T for verification. If R proves to be authentic, T and R establish mutual trust for secure data transmission.
Scenario 2: Privacy-Preserving Data Sharing
This scenario involves an interaction between a local and an industrial IoT, managed by lM&DC and iM&DC, respectively. The two IoTs retain independent access to R’s data fields, and uM&DCl and uM&DCi allow mutual access to each other’s systems without compromising user privacy. First, uM&DCl and uM&DCi send access challenges to R, which interacts with both simultaneously. If R is confirmed authentic, uM&DCl sends a data sharing request to R for verification; R then interacts with uM&DCi in the same way. Once R has received data sharing requests from both uM&DCl and uM&DCi, it checks whether each seeks access to the other’s data. If so, R transmits the shared data to uM&DCl and uM&DCi, respectively. If the data sharing requests do not match, R reveals no information at all.
Scenario 3: Secure Access Authority Transfer
This scenario involves an interaction among a local, an industrial, and a national IoT. Here, uM&DCl is initially under lM&DC’s control, and iM&DC needs to obtain authority over it. lM&DC transfers uM&DCl’s authority to iM&DC while preserving privacy, and nM&DC performs the final confirmation for lM&DC and iM&DC.
First, iM&DC transmits an access challenge to uM&DCl for the authority transfer, and uM&DCl responds with an authentication operator for iM&DC to check. If uM&DCl is legitimate, iM&DC responds with an operator for identity declaration.
Next, uM&DCl forwards iM&DC’s authentication operator to lM&DC for checking. If iM&DC is legitimate, lM&DC answers with an authentication operator to uM&DCl. uM&DCl then creates the authority permission and forwards lM&DC’s authentication operator to iM&DC for checking.
If lM&DC is legitimate, lM&DC and iM&DC mutually agree on the authority transfer. Next, iM&DC transmits lM&DC’s and iM&DC’s authentication operators to nM&DC for identity declaration. Once it has determined their legitimacy, nM&DC transmits a secret code to iM&DC for distribution, concluding the final authority enrolment.
The proposed solution fulfils four essential security properties.
Session freshness: Pseudo-random numbers and session-sensitive operators such as session identifiers and timestamps serve as access challenges to prevent forward and backward linkability. Even if the cyber-entities become compromised, previous and subsequent sessions remain random.
Mutual authentication: Trust relationships are based on pre-shared secrets, such as keys or pseudonyms, together with cryptographic computations.
Hierarchical access control: Different access authorities are assigned to cyber-entities to ensure security. For instance, uM&DCl has full authority over T, but R has only limited authority over T. Moreover, uM&DCl and uM&DCi have independent access authorities over R’s data fields, which prevents one from exceeding its authority.
Privacy preservation: Anonymous data sharing protects privacy, and data is shared only for matched requests.
Security in Internet of Things. (2019, Mar 31). Retrieved from https://papersowl.com/examples/security-in-internet-of-things/