Is there a Room for security and Privacy in IoT?
Elias Tabane
Tranos Zuva
Computer Systems Engineering Department
Tshwane University of Technology
ICT Department
Vaal University of Technology
Abstract-The Internet of Things (IoT) continues to draw the
attention of academics and researchers across the globe, since
it represents the future of ubiquitous computing. This is
triggered by the number of both digital and physical objects
connecting to each other using ICT technologies, platforms and
the internet to facilitate the whole process of connectivity and
service provision. With this massive connectivity of objects
and devices forming the IoT comes a great responsibility in
terms of confronting new sets of challenges ranging from IoT
security threats to ethics and privacy. In this paper we present
a survey into the security aspect of IoT.
In this day and age, more things (objects) are becoming
connected to the internet than humans. It is estimated that in
the near future the number of connected things and devices
will escalate to tens or hundreds of times larger than the
number of connected people [4]. It is expected that more than
twenty households by the year 2012 will be in a position to
generate more internet traffic than the entire in 2008 [5].
Furthermore, the computational abilities and capabilities per
IoT device are on the increase; for example, today's smart
phones are much faster than the model ENIAC 1 computer, which
was built around the 1940s: approximately 100,000 times
faster, says [3].
Keywords: Internet of Things (IoT), IoT security, IoT Privacy
The enormous amount of data generated by different IoT
smart devices and the high sensitivity level of the
information concerned are crucial aspects to be considered
as far as Internet of Things security is concerned. IoT areas
like e-health, e-transport, e-banking systems and smart
buildings are deemed very sensitive areas, since, should
the continuously generated data be compromised, this
can result in severe damage to user privacy. In addition to
that, IoT smart devices have the capability to share data
from different streams, combine different sets of input,
process them and lastly produce value for the communication
and data exchange. Consequently, it is very important to
permit access to generated data by other smart IoT devices
while at the same time preventing unauthorized access to and
misuse of the generated information and data [3]. It is
expected that in IoT, most of the IoT devices will not
be limited to the usage of one individual. This
kind of usability concern, as IoT devices start interacting
with one another, will provide a significant set of security
challenges, says [9].
The integration of smart devices or smart things into the
contemporary internet infrastructure is continuously
changing and reshaping the concept of what is currently
known as the Internet of Things (IoT). This has seen the
number of smart devices, sensors and actuators connected
to the internet growing at an alarming rate, which on this
trend is expected to increase in the coming years to
reach between 50 and 100 smart devices by the year
2020. Although the phenomenon has been around in other
forms, defined under different designations in previous years,
the Internet of Things is suddenly a thing to
stay. The capability to connect, integrate, communicate
with and manage this huge number of networked, computerized
smart devices (objects) via the Internet has lately become
very pervasive, from smart homes to smart cities,
e-transportation and the e-health sector.
This type of conversion from closed networks into public
and enterprise ICT networks is steadily accelerating at a very
alarming pace, raising alarms about the security aspect. As
many devices are becoming connected to one another in every
aspect of our daily lives, the question will be: are we doing
enough to protect these devices from vulnerability threats of
intrusion and outside interference that can end up
compromising security, personal privacy and general
public safety at large?
After providing some introduction to the concept of IoT
security, this research article gives an overview of
IoT security, highlights IoT security threats and challenges
and the issues relating to IoT privacy, and moreover presents
and outlines future research directions and recommendations.
The Internet of Things is made up of four waves of devices:
• Personal computers, servers, routers, switches,
iBeacons and other related ICT devices which are
bought by people in ICT and many enterprises.
• Health and medical machines, kiosks (vending
• Smart phones and tablets, video game consoles
which are normally used by home users
• Single purpose device like drones used for single
978-1-5090-2576-3/16/$31.00 ©2016 IEEE
making it hard to derive patterns.
The difficulties with storing and processing big data on
individual and corporate devices have led to the offloading of
these data onto cloud servers, which are deemed to offer an
on-demand, elastic, scalable, adequate self-service or an
effective and efficient enterprise service model. An
example is the MapReduce framework, which deals with the
provision of distributed processing of large volumes of data
sets across wide clusters of computers and servers using a
simple programming model. Although these platforms seem
to be making an impact, they have also raised some serious
security concerns among the IoT communities and security
experts. According to [9], current platforms like Apache
Hadoop™, which are currently deployed to deal with big
data processing, distribution and storage, can also pose
serious IoT security concerns, mainly due to the fact
that distributed computing techniques allow
data to be processed anywhere and at any time where resources
are currently available, furthermore creating multiple
copies of the data fragments being processed at different
servers, adding to the complexity of IoT security.
Fig. 1. Towards an Internet of Things approach
The majority of these devices (objects) carry embedded
software and a processor within them, which in most cases
causes vulnerability and security issues.
Amongst the common network topologies in IoT
environments is the heterogeneous network topology, which uses
a clustering tool to deal with the complexity of various IoT
environments. With this kind of topology deployment, any
hierarchical intrusion detection approach can
easily be adopted and adapted in IoT. Furthermore, statistical
detection, reputation and game-theoretic methods can also
be adopted in the cluster of smart things or smart objects,
says [2].
[7] outlines that, as far as IoT security is concerned, a high
degree of reliability is required, which triggers the following
IoT and privacy requirements:
• Resilience to attacks: IoT systems have to
avoid a single point of failure by fine-tuning themselves
to a level of node failures.
• Data authentication: As a matter of principle, all
retrieved address and device data must go through
a process of authentication.
• Access control: IoT information service providers
must at some point have the ability to implement
access control measures on the data provided.
• Client privacy: some restriction measures must be
adopted to ensure that only the IoT information
service providers are able to draw inferences from
discerning the use of the IoT lookup system
related to a specific client (customer).
[2] emphasizes that there is actually an urgent need for IoT
security and privacy preservation in cloud-based IoT
systems, mainly due to the fact that the majority of IoT
devices, sensor tags and actuators generate large amounts of
data from different streams, connecting billions of smart
devices that are within our surroundings, while IoT
cloud platforms permit these data to be processed and
stored in remote locations. In their work they strongly
argue that anomaly detection can be anticipated to play a
very significant role in securing a cloud-centric IoT, since most
of the data is expected to consist of patterns, and any
deviation from a certain set pattern could provide
insight that indicates a possible security breach, threat
or attack.
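As an added illustration (not code from the paper or from [2]), the sketch below flags readings that deviate from the recent pattern of a single sensor stream. It uses a sliding median and median absolute deviation so that ordinary sensing noise does not raise alerts; the class name, thresholds and smart-meter readings are constructed assumptions.

```python
from collections import deque
from statistics import median


class StreamAnomalyDetector:
    """Flags readings that break the recent pattern of one sensor stream.

    Hypothetical helper for illustration. It uses the median and the median
    absolute deviation (MAD) of a sliding window instead of mean and standard
    deviation, so a few noisy readings do not distort the baseline.
    """

    def __init__(self, window=12, min_history=6, threshold=6.0, min_scale=0.05):
        self.history = deque(maxlen=window)  # recent readings judged normal
        self.min_history = min_history       # readings needed before scoring
        self.threshold = threshold           # robust z-score that raises an alert
        self.min_scale = min_scale           # floor for a nearly flat stream

    def score(self, value):
        """Return how many robust standard deviations value is from the window."""
        if len(self.history) < self.min_history:
            return 0.0  # anticipated behaviour is not defined yet
        centre = median(self.history)
        mad = median(abs(x - centre) for x in self.history)
        # 1.4826 * MAD estimates the standard deviation of normal data.
        scale = max(1.4826 * mad, self.min_scale)
        return abs(value - centre) / scale

    def observe(self, value):
        """Score a reading and learn from it only if it looked normal."""
        s = self.score(value)
        anomalous = s > self.threshold
        if not anomalous:
            self.history.append(value)  # outliers must not poison the baseline
        return anomalous, s


# Constructed sample: smart-meter consumption in kWh per interval, with
# ordinary sensing noise and one injected spike at index 10.
CONSTRUCTED_READINGS = [0.42, 0.45, 0.40, 0.47, 0.43, 0.44, 0.41,
                        0.46, 0.48, 0.43, 3.90, 0.44, 0.42, 0.45]


def find_anomalies(readings, detector=None):
    """Return the indices of readings that deviate from the learned pattern."""
    detector = detector or StreamAnomalyDetector()
    return [i for i, value in enumerate(readings) if detector.observe(value)[0]]


if __name__ == "__main__":
    print(find_anomalies(CONSTRUCTED_READINGS))
```

Because flagged readings are never learned, a genuine change in the stream's normal level keeps alerting until an operator resets the detector.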
Although the anomaly detection technique for IoT security is
widely used in unwired and wired networks
and permits the discovery of anomalous patterns that do not
fully comply with the anticipated behaviour of systems or
data, it has some challenges and shortcomings. Among the
challenges of anomaly detection in IoT are:
• The difficulty of defining anticipated behaviour, because
data are distorted by
inaccurate sensing, the effects of the surrounding
environment, noise, etc.
• Most IoT data and its behavioural patterns are
application-dependent in most cases, making it
difficult to track anticipated behaviours.
• IoT smart devices (objects) and their data stream
traffic are mostly heterogeneous in nature, there
Private and digital enterprises using IoT technologies will
have to adopt these IoT security requirements into their risk
management documents, which govern the issues of
IoT security, privacy and policies within the enterprise.
execute. They are sometimes referred to as “headless”
due to the fact that there isn’t any human being
behind their operation who can input authenticated credentials
or user names and passwords, or decide if an application
should be considered trusted or not; in most instances
they make their own judgments and decisions.
As already mentioned, the issues of privacy and IoT security
are still considered the most crucial barrier to full
acceptance of the IoT paradigm [1]. In order for some tangible
benefits to be derived from novel IoT environments where
billions of heterogeneous devices exist, issues related to
IoT security, privacy and ethics must first be tackled.
While in the present Internet there are many standard
technologies and protocols dealing with threats to
security, the simple limitations of IoT devices and
networks prevent a clear and straightforward adaptation
and implementation of these solutions in the newly arising
security scenarios. Specifically, the currently adopted
traditional security protocols and cryptographic primitives
most often require a lot of memory space and IT
resources. Therefore, implementing and adapting
traditional security protocols and solutions in
arising IoT scenarios still remains a major challenge,
requiring an in-depth and holistic level of
expertise in the field of applied cryptography and security
engineering in order for privacy and security features to be
fully provided, since more of the IoT devices are embedded
and deployed in very harsh, uncontrolled and unsecured
environments which are hostile and vulnerable to any form
of attack, misuse and malicious intention.
IoT applications and devices will continue to pose an equally
wide variety of security challenges and threats. For an
• On an automated factory floor, the
embedded programmable controls that deal with the
operation of robotic systems end up being
integrated with the organization's IT infrastructure.
The question arising from that is how those
PLCs will be protected from human interference and
other vulnerabilities while at the same time the
organization would like to protect its investment in the
same IT infrastructure and continue to leverage
the security control measures available.
• A smart meter, one that sends electricity
consumption data to the city's operating utility for
dynamic billing or real-time electricity grid
optimization, must be in a position to protect the
data from unauthorized people. If the data indicate
that electricity is unutilized most of the time,
this will imply that the home owners are not around
most of the time, and if such information
reaches the wrong hands it can be a serious threat
of burglary and vandalism of the property.
Also, in nuclear reactors similar control systems
are put in place and attached to the IT
infrastructure, raising the question of how best
these control systems can receive software updates or
security patches without compromising on security
or incurring any essential recertification cost
whenever a patch is rolled out.
[6] is of the opinion that IoT will give rise to a number of
security and privacy challenges and threats as compared to
traditional IS/IT systems:
• This is mainly due to the fact that most of the smart
things around us don’t belong to IT;
they are mostly devices acquired and managed by
individuals, private owners or enterprises, or they belong
to governments.
• The majority of these smart things or devices, such
as tablets, smart phones, smart TVs and other smart
gadgets, contain embedded operating systems and
application software that pose real challenges in
terms of their security configuration and the
continuous upkeep of patches.
• Incidents involving things (a hacked smart home
system, traffic systems, smart cars, etc.) can have a
serious impact on national security, home security
Fig. 2. Shows an example of a scenario where user security, privacy and
trust need to be provided
According to [10], most embedded devices are
designed for low power consumption, lasting for weeks,
months or a year, with a very small silicon form factor,
and most of the time they have limited connectivity
capability. Their processing capability and memory are
specifically tailored for the task they are designed to
and financial consequences for both organizations
and government entities.
any security breach.
• Device Authentication: whenever an IoT device
or any kind of device is plugged into the
network system, it must first authenticate itself
before it can receive any form of data
transmission. The majority of embedded devices
most often lack a user sitting behind a
keyboard, waiting to put in credentials to
gain access to the network. The question arising
will be: how best do we then make sure that IoT
devices plugged into any network are correctly
identified before they are granted access and
authorization? In the same way that a particular user is
granted access to the enterprise network,
all IoT devices should be granted
access when plugged into the network.
• Firewalling and IPS: IoT devices will also require
a firewall in order to control the to-and-fro traffic
that is destined to be processed at a particular device,
since deeply embedded IoT devices have some
unique protocols which differ from
enterprise ICT protocols.
• Updates and Patches: As more IoT devices
connect to the Internet, they will receive
IoT software updates and IoT hot patches.
IoT operators will have to assume the role of
rolling out patches, and on the other side IoT
devices must be in a position to authenticate them,
in a manner that ensures that not much bandwidth is
consumed while at the same time ensuring that
the functional safety of the devices
is not impaired. IoT software patches and security
updates will need to be carried out in a way that
limits the possibility of interruption to
connectivity and ensures that the safety of the IoT device is
not compromised.
The above factors seem to present challenges and
urgently call for interventions in the development of new IoT
policies, the management of configuration and
vulnerabilities within IoT, data collection, and dealing with
the big data generated by different IoT data streams.
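The check that the "Updates and Patches" requirement and a secure boot stage both depend on, as an added example rather than code from the paper: the device holds only a public key and loads an image only if its signature verifies. To run on the Python standard library alone it uses a Lamport one-time hash-based signature, which is an assumption of this sketch; the function names and firmware bytes are constructed, and a fielded device would normally use a compact scheme such as Ed25519 or ECDSA.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    """Yield the 256 bits of a SHA-256 digest, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def generate_keypair():
    """Vendor side: 256 pairs of random secrets; the public key is their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign_image(private, image: bytes):
    """Vendor side: reveal one secret per bit of the image digest.

    A Lamport key may sign exactly one image; reuse leaks the private key.
    """
    return [private[i][bit] for i, bit in enumerate(_bits(_h(image)))]


def verify_image(public, image: bytes, signature) -> bool:
    """Device side: every revealed secret must hash to the public-key half
    selected by the corresponding bit of the image digest."""
    if len(signature) != 256 or not all(isinstance(s, bytes) for s in signature):
        return False
    ok = True
    for i, bit in enumerate(_bits(_h(image))):
        # No early exit, so timing does not reveal where the first mismatch is.
        ok &= secrets.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def boot_or_update(public, image: bytes, signature) -> str:
    """Hypothetical loader decision: run or install an image only after
    its signature has been verified against the provisioned public key."""
    if not verify_image(public, image, signature):
        return "rejected"
    return "loaded"


if __name__ == "__main__":
    priv, pub = generate_keypair()
    firmware = b"constructed firmware image v2"  # constructed sample bytes
    sig = sign_image(priv, firmware)
    print(boot_or_update(pub, firmware, sig))            # loaded
    print(boot_or_update(pub, firmware + b"\x00", sig))  # rejected
```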
IoT Security must be addressed throughout the smart device
(object) lifecycle, from the initial design phase right up to
the operational environment phase:
• Secure booting: when a device is powered on, the
authenticity and integrity of the IoT software on
that particular device must be verified using
methodologies like cryptography, which generates
digital signatures. This is exactly the same
way an individual signs a legal document or a
bank cheque: the digital signature, which is linked
to the IoT software image and authenticated by the
device itself, ensures that only IoT software
which has been authorized to run on that particular
device, and signed by the entity that
authorized it in the first place, is successfully
loaded. By so doing the foundation of trust will
have been established, though the smart device
might need further protection from other run-time
threats and malicious intrusion.
• Access Control: The second thing would be to
apply different forms of resource and access
controls to the IoT devices. There should be
built-in role-based access control within the IoT
operating system, which acts as an agent to limit the
privileges of the IoT device components and IoT
applications so that they are only allowed to access
the specific resources relevant to the job which they
need to execute. Should at any given point a
component of the device become compromised, the
access control set should act as the first line of
defense by making sure that the intruder gets
minimal access to other parts of the IoT
component. An IoT device-based control system
acts the same way as network-based access control
such as Microsoft Active Directory or Exchange
Server, whereby even if someone gains unauthorized
access to the enterprise network, the
compromised information will be limited to the
specific area of the network under the particular
credentials used. These types of least privilege
principles are very effective and essential in
minimizing the risk of the entire
network or IoT device being compromised during
Moreover, unlike traditional environments, IoT devices
generally have to work in harsh, uncontrolled, and even
hostile surrounding conditions, where they are prone to
attacks, misuse and malicious intentions. To address the
aforementioned issues and challenges, we would need to
focus on the following three major areas:
• Design of lightweight security protocols and
cryptographic algorithms.
• Lightweight and efficient implementation of
security protocols and cryptographic algorithms.
• Secure implementation in hardware and software.
Furthermore, [7] highlights that it is very important that early
IoT protocols include the compulsory implementation of
security features; such features will protect
vulnerable IoT devices from a series of threats and
attacks. Although automated key management still remains
a challenge in the field of IT security, it is still crucial in
ensuring that an IoT security protocol doesn’t rely only on a
pre-shared management key. The process of credentialing
and registering IoT devices will also be a challenge,
which will only be addressed by pairing IoT security
protocols as a possible viable solution set. Lastly, IoT
privacy issues and concerns might provide some
enticements for the acceptance of IoT technologies designed
to assist in the prevention of information leakage.
Transport Layer Security (TLS): this is the kind of
privacy-enhancing technology which, when based on the
applicable global structure, can surely enhance
confidentiality and integrity with regard to IoT privacy concerns.
DNS Security Extensions (DNSSEC): this privacy-enhancing
technology makes use of public-key
cryptography to sign resource records, with the aim of
guaranteeing the origin authenticity and integrity of
the delivered information.
According to [6] there are numerous research aspects to be
undertaken in the coming years. These are:
• Authentication of sensors as proof of origin.
• Authentication of requests for the access control to
sensor data/configuration.
• Encryption, privacy, anti-eavesdropping, etc.
• Secure point-to-point connection for data integrity.
• Techniques to support privacy-by-design issues,
including data minimization, identification,
authentication and anonymity.
• Fine-grain and self-configuring access control
mechanisms emulating the real world.
Onion routing: this is used to wrap data
(information) in multiple encryption layers, using the
public keys of the onion routers on the transmission path. This
kind of process is ideal in matching a particular type of
IP (Internet Protocol) packet to a particular source.
Private Information Retrieval (PIR) systems: these are
systems that obscure which client (customer) is interested in
which type of information, whenever the EPCIS has been
located.
The future Internet of Things will be driven by a cluster of
present and future varied infrastructures which will be
extended into real-life scenarios. In IoT
environments, numerous factors such as the cumulative
number of different sensors and smart devices, the
larger quantity of sensitive information generated by IoT users
and smart devices, and emerging IoT services impacting on our
daily lives will create the urgent necessity to accurately
address emerging IoT security and privacy burning issues.
The IoT security aspects will remain critical for both smart
devices and operations at all network levels.
[3] suggests that IoT security can be addressed from three
• Identity and application related security and
privacy issues,
• Compliance related issues and
• Legal issues
IoT security cannot be perceived as an add-on to a device,
but rather as an integral function of the smart
device’s reliability. IoT software security measures need to
be present at the operating system level, taking advantage of
the hardware IoT security capabilities which are entering the
market. Building IoT security in at the OS level can assist
smart device developers and designers in configuring
systems to mitigate IoT security threats by ensuring
that the IoT platforms remain safe from intrusion [9]. From
an IoT privacy perspective, the fulfilment of IoT user privacy
requirements and satisfaction will be quite a difficult one. Over
the years a number of technologies have been developed
specifically aiming to address information privacy goals.
Among the privacy-enhancing technologies are:
[1] Bellis, M. "The History of the ENIAC Computer". 2012.
[2] Butun, I.K., B. Erol-Kantarci, M. Anomaly detection and
preservation in Cloud-Centric Internet of Things, in IEEE ICC
2015 Workshop on Security and Privacy for Internet of Things
and Cyber Physical Systems. 2015, IEEE: USA.
[3] Miguel C. An analysis of M2M platforms: challenges and
opportunities for the Internet of Things. 2012.
[4] Chen, Y. Challenges and Opportunities of Internet of
[5] CISCO. "Imagine the Possibilities". 2012.
[6] John, P. Securing the Internet of Things Survey. 2014.
[7] Sundmaeker, G. Friess, P. Woelffl, S. Vision and challenges for
realizing the Internet of Things. Cluster of European Research
Projects on the Internet of Things, European Commission. 2010.
[8] Tim, P. Security Challenges For the InternetOfThings. 2011.
[9] Wind, R. Security in the internet of thing. Lessons from the Past
for the Connected Future. 2015.
[10] Zettaset. The Big Data Security Gap: Protecting the Hadoop
Cluster. 2014.
Virtual Private Networks (VPNs): these are extranets developed
and established by a closed group of IT business partners.
They work only with partners who have access to the
VPN, with the aim of maintaining confidentiality and
integrity. Nonetheless, this kind of privacy solution does not
permit a larger, dynamic global data exchange and is not
viable with third parties outside the border of the
2016, icacce, 8073758