CyberSecurity: A Review of Internet of Things (IoT)

Security Issues, Challenges and Techniques

Aishah Abdullah Reem Hamad Mada Abdulrahman Hanan Moala Salim ELKHEDIRI
ALFRHAN ALHUSAIN ALASSAF ALALWI BIND research group
College of Computer College of Computer College of Computer College of Computer College of Computer
Qassim University Qassim University Qassim University Qassim University Qassim University
Saudi Arabia Saudi Arabia Saudi Arabia Saudi Arabia Saudi Arabia
[email protected] [email protected] [email protected] [email protected] [email protected]

Abstract— The network revolution is becoming bigger and more

complex and data need to be secured against cybercrimes.
Cybercrimes caused the loss of billions of dollars affecting the
global economy, with the intention to maliciously affect critical
and confidential information. With the presence of these crimes
committed on a daily basis, the security of the cyberspace has
become an urgent reaction to reduce and possibly avoid the effect
of cybercrimes. Nowadays, the internet of things (IoT) revolution
is becoming the focus of research, and both security and privacy
are recognized as the main issues for IoT applications, mainly
because of its implementation in critical areas, such as healthcare
systems. In this paper, the cybersecurity state in IoT domain
along with its security challenges are discussed, also we
address some security requirements and techniques to
overcome these challenges. Finally, blockchain technology
is discussed as a recommended solution to support IoT
security.
Keywords- Cyber-Attacks, Cybersecurity, IoT Security, Security
Techniques, Blockchain.
I. INTRODUCTION
Network attacks are malicious activities designed to disrupt,
deny, degrade or destroy vital information and services. The
attacks on networks are delivered through data streaming on
network computers to jeopardize the computer system's
confidentiality or its availability. In recent times, cybercrime has
caused a significant loss of billions of dollars, with a possible
negative effect on the global economy. Therefore, the security
of computer systems is crucial in modern life [1]. The Internet
Crime Complaint Center (IC3) was mainly established with the
intention of fighting cybercrimes. In 2018, The IC3 published its
report on cybercrime, it received complaints from victims across
the world. Fig. 1 illustrates the number of IC3 complaints
received from the last five years, reaching its maximum total of
351,937 complaints in 2018, the estimated total losses of the last
five years is around $7.45 billion [1],[2].
According to ISO/IEC 27001:2013, information security is
the protection of confidentiality, integrity, and availability of
information. Confidentiality means that information is not made
available or exposed to unauthorized individuals, entities, or
400,000 351,937
301580 298728 288012
300,000 269422
200,000
100,000
0
2018 2017 2016 2015 2014
Total Complaints
Figure 1. The number of IC3 complaints received from thelast five years [2].
processes. Integrity is the property of accuracy and
completeness. Availability is being accessible upon demand by
an authorized entity. Other properties, such as authenticity,
accountability, non-repudiation, and reliability can also be
involved [3].
Moreover, The Internet of Things (IoT) revolution has been
a focus of research, which is shifting everyday objects into
smart things, with the ability to interact among themselves and
with the surrounding environment. The motivation behind IoT
is to improve the quality of services given to people, develop
the using of public resources, and to reduce the operational
costs of the services, the major goal is mainly to create a better
life for human beings [4]. The IoT term refers to, first, the
global network that uses internet technology to interconnect
smart object to each other. Second, a group of supporting
technologies such as sensor/actuators, Radio Frequency
Identifications (RFIDs). Third, a set of application and services
that use it in business purposes [5].
The resulting system of IoT may include a very large
number of heterogeneous devices. Therefore, security and
privacy are widely recognized that reproduce critical issues in
such a context. On the one hand, confidentiality and integrity of
the transferred and stored data should be secured, as well as,
authentication and authorization mechanisms must be
implemented to prevent unauthorized individuals or devices to

978-1-7281-0108-8/19/$31.00 ©2019 IEEE

falsely access the system. On the other hand, privacy of users, as
the ability to provide data protection and users anonymity,
should be guaranteed. In fact, not solving these serious
problems, IoT will not reach enough popularity and all its
potentials can be wasted [6].
In the next future, billions of smart devices will be included
in the IoT, which can process, sense and motivate capabilities
eligible to be connecting with the internet. However, since
scurity and privacy issues are considered as one of the greatest
challenges for IoT, the security issues are highlighted because
of the lack of standards intended for devices with limited
resources and heterogeneous technologies. Therefore, these
devices cause many vulnerabilities that appear as a fertile
ground for cyber threats[7].
Implementing IoT in sensitive applications in our lives,
including industrial application, and some which are directly
connect with the individual's life such as smart homes [7], makes
them very attractive targets for cyber-attacks. The majority of
these threats are not new, but the fact that utilizing them in a Figure 2. IoT Architecture [10]
domestic context causes second-order threats to the physical and
emotional safety of the residents [8]. At the end of 2016, a
the attacker is recolonized as the main purpose of most of the
multiple Distributed Denial-of-Service (DDoS ) attacks targeted
researches in IoT field. Table.I. summarize the possible threats
to the Domain Name System (DNS) provider for Dyn company
(that support main internet platforms and services such as of IoT in each layer.
Twitter,PayPal, VISA, etc.) through using botnet which contains Confirming the potential cyber threats on IoT, the
a great vulnerable IoT devices (such as printers, IP cameras) that researchers Abomhara and Køien [12] highlighted the reasons
was infected by Mirai malware[7]. for hacking the connected devices or machines. These reasons
include firstly, the lack of monitoring of devices in IoT due to
Starting from this worrying and challenging context, this unattended operation by humans in most IoT devices. Secondly,
paper discusses the current status and how to protect IoT from dependence on the wireless network in communication between
cyber threats, by highlighting IoT challenges and some proposed IoT devices, which an attacker can obtain confidential
solutions. As an aim to participate in the IoT field, we review information by eavesdropping the flowed data. Finally, poor of
some recent researches in IoT regarding cybersecurity threats supporting new and complex security schemes due to restricted
and techniques to deter these threats. The remaining of this paper capabilities of some IoT devices. In addition, the authors
is as follows: Section II presents the related work of discussed the potential cybercrimes in the IoT that aim to steal
cybersecurity in IoT. Section III reviews some discussions about intellectual property, identity and brand thefts.
cybersecurity threats and solutions. Section IV presents the
conclusion. TABLE I. THREATS IN IOT MODEL [7]

II. RELATED WORK Layer Main Threats

In this section, some of the previous work in the IoT domain Data Leakage
are reviewed, focusing on the cybersecurity aspect and its Application layer
DoS Attacks
potential threats. In addition, a generic IoT system architecture
will be discussed with some of its potential threats. Malicious Code Injection

According to most of the researchers' opinion, a generic IoT Network layer Routing Attacks
system architecture contains three main layers: Perception layer,
Network layer, and Application layer as shown in Fig.2. Each of DoS Attacks
these system levels' security challenges and techniques will be Data Transit Attacks
discussed in Section (III). Enhancing the security of IoT model
should be applied in all three layers, with taking into Perception layer Physical Attacks
consideration each vulnerability and possible attacks for each
layer [9]. Impersonation

Cyber threats can exploit each limitation and vulnerabilities DoS Attacks
in IoT. Hossain et al. [11] discussed the security threats based Routing Attacks (e.g. in WSN, RSN)
on limitations on hardware, software, and networks. The goal
of their research is to identify limitations in IoT, in order to Data Transit Attacks (in WSN or
make the IoT system more robust and reliable against attack. RSN)
Supporting and solving each vulnerability before exploiting by
 The researches of IoT also discussed the importance of
applying the cryptography objective in IoT system. As an aim to TABLE II. SECURITY FEATURES IN IOT ARCHITECTURE
augmenting the reliability of IoT [12]. They focused on
cryptography objectives, which is shown in Fig.3 below. Security Security Security
Layer
Consequently, Katagi et al. [13] discussed applying lightweight Features Requirements Challenges
Nodes have - Lightweight - Unauthorized
cryptography, which is a cryptographic algorithm designed to limited power encryption Access to the
complement with constrained environments. Two-goals of and storage, technology. Tags.
lightweight cryptography, firstly, to increase communication Perception thus, difficult to - Sensor data - Tag Cloning
efficiency, secondly, to be applicable to limited resource Layer set up a security protection. - Eavesdropping.
devices. protection - Spoofing.
system. - RF Jamming.
Finally, the researcher Christidis and Devetsikiotis [14]
examined whether the blockchain technology makes a good fit High ability to - Identity - Sybil Attack.
provide a authentication. - Sleep
for the IoT that can upgrade its security. Blockchain is a complete safety - Anti-DDoS Deprivation
distributed peer-to-peer network that offer a trusted environment Network protection, with Attack.
without any central authority. Their research showed that Layer the possibility of - DoS Attack.
blockchain integration with IoT can be very powerful and can Man-in-the- - Malicious code
brings authentication, integrity, and nonrepudiation into the Middle attack injection.
and counterfeit - Man-in-the-
network using the asymmetric encryption. Also, each block in attack. Middle Attack.
the blockchain has a distinctive hash which allow nodes to use it Problems of data - Authentication
to verify the integrity of the block’s contents. Finally, the system privacy, access and key
- Malicious code
uses digital signature algorithm (DSA) to authenticate that the control process, agreement.
injection.
authorized user is using the block. Application and information - Privacy
- DoS Attack.
Layer disclosure, protection.
- Spear-Phishing
III. DISCUSSION - Security
attack.
education and
- Sniffing Attack.
The IoT is often used in crucial areas e.g., medical service management.
and healthcare, and intelligent transportation. Therefore, the
security of information and network should be highly equipped
with properties such as, identification, confidentiality, A. Perception Layer
integrality, and un-deniability [15]. In this section, we will
analyze the IoT security requirements and challenges based on The lowest level which collects all types of information
its features, then some of the proposed security techniques are through physical equipment, such as, RFID reader, all kinds of
listed to overcome the potential attacks. sensors, GPS and other equipment. The key component in this
layer is the sensor, for capturing and representing the physical
I. IoT Security Architecture world in the digital world. The perceptual nodes are usually have
As we stated in Section.II, the IoT architecture can be limited power and storage capacity. Therefore, it is very difficult
divided into three main layers, as previously shown in Fig.2, to set up a security protection system. Meanwhile, outsider
each layer’s security features and its requirements will be attacks such as denial of service (DoS) cause new security
explained. Then, some potential security challenges of all layers problems. Also, sensor data needs the protection for integrity,
will be reviewed. The summary of this section is shown in Table authenticity, and confidentiality [15].
II. • Security Requirements for Perception Layer
Firstly, authentication at the first node is required to prevent
an outsider node access. Secondly, to ensure the confidentiality
of the transmitted information between the nodes, data
encryption is indispensable and it has to be a lightweight
encryption technology to balance the safety level and the limited
resources. On the other hand, the integrity and authenticity of
sensor data is a very important aspect [15].
• Some Security Challenges in Perception Layer
Firstly, unauthorized access to the Tags can occur, because
of the lack of a proper authentication mechanism in RFID
systems, tags are possible to be accessed by anyone without any
authorization, the attacker can read, modified or even deleted the
data. Therefore, tag Cloning is possible, which refers to the
possibility of capturing tags by an attacker who can create a
replica of the tag and then compromising it in a way that the
reader cannot distinguish between the real and the compromised
Figure 3. CIA triad [7] tag [16].
 Secondly, Eavesdropping can occur because of the wireless
characteristics of the RFID, it becomes very easy for the attacker
to sniff out the confidential information flowing from tag-to-
reader or reverse. Thirdly, spoofing can take place when an
attacker broadcasts fake information to the RFID systems and
makes it assume its originality falsely, in this way the attacker
can get full access to the system making it vulnerable. Finally,
RF Jamming is likely to happen, by compromising the RFID
tags to simulate a DoS attack in which disrupts the
communication through RF signals with large number of noise
signals [16].
B. Network Layer
It is the second layer, which plays a main role in providing a
reliable transmission of information (synchronization) from the
perceptual layer. In this layer, the information transmission uses
some basic networks, which are the mobile/private network,
wireless and wired network, and communication protocols are
also important to the information exchange process between
devices. The network layer consists of the Wireless Sensor
Network (WSN), which is responsible to transfer the data from
the sensor to the destination with high reliability. The network
layer has a relatively high ability to provide a complete safety
protection, but Man-in-the-Middle attack and counterfeit attack
are still possible, meanwhile, network congestion with large
number of flowed data can be occurred. Therefore, the security
mechanism in this layer is very essential to the IoT [15] [16].
• Security Requirements for Network Layer
In this layer, existing communication security mechanisms
are difficult to be applied. Identity authentication is required to
prevent any outsider nodes, confidentiality and integrality are
also important and it need to be established to the data.
Distributed denial of service attack (DDoS) is a very common
attack in the network and a serious one in the IoT, so stopping
the DDOS attack for the vulnerable node is a problem that need
to be solved [15].
• Some Security Challenges in Network Layer
Firstly, Sybil attack can happen in this layer, which is a kind
of attack in which the attacker presents itself with multiple
identities for a single node to disturb other nodes, it can cause a
false information about the redundancy to the system [15].
Secondly, sleep deprivation attack can occur, since the
sensor nodes in the WSN are powered with limited lifetime
batteries, so the nodes are restricted to sleep to extend their
lifetime. This attack keeps the nodes running to consume more
battery to minimize the battery lifetime, which leads the nodes
eventually to shut down [15].
Thirdly, DoS attack is another possibility, which jams the
network with a lot of traffic by an attacker, to exhaust the
resource of the system, which leads to network unavailability.
Fourthly, a Man-in-the-Middle attack can take place, which aims
to eavesdrop to the communication channel to monitor or control
all the private communications between the two parties. Finally,
malicious code injection attack might occur, which is a serious
attack in which an attacker uses a node to inject a malicious code
into the system which gives the attacker a full control of the
network, it might even cause a complete network shutdown [15].
C. Application Layer
The uppermost layer which provides personalized services
according to the users' needs. The application layer interface
provides the users an access to the IoT using a personal computer
or mobile equipment. The security needs vary in different
application environments, and the data sharing characteristic is
creating many problems of data privacy, access control process,
and information disclosure [15].
• Security Requirements for Application Layer
In order to solve the security problem of the application
layer, two features are required. One is the authentication and
key agreement across the heterogeneous network, the other is
the user’s privacy protection. In addition, in the term of
information security, education and management are extremely
significant, especially password management [15].
• Some Security Challenges in Application Layer
Firstly, malicious code injection attack can occur in this
layer, which allows the attacker to inject a malicious code on the
system to leverage from an end-user to steal data. Secondly, with
a sophisticated DoS attack, it offers a smokescreen to execute an
attack to break the defensive system and hence jeopardizing the
user's data privacy. Thirdly, spear-phishing attack can happen,
which is an email spoofing attack in which a victim, usually a
high ranking person, is led to open an email through which the
attacker can gain access to the victim's data. Finally, a sniffing
attack can be executed where the attacker can force an attack on
the system by using a sniffer application, which might collect
network information causing a corruption to the system [16].
II. Security Techniques at Different Layers
There are many researches dedicated to provide a reliable
well-defined security architecture to ensure the confidentiality
of the data, security, and privacy. W. Zhang et al. suggested an
architecture for the security against the possible attacks, here we
list these proposed techniques in each layer as summarized in
Fig.4 [16].
A. Perception Layer Security Techniques
Perception Layer is the lowest layer of the IoT architecture
which offers several security features to the hardware. The
purposes of this layer are [16]:
• Authentication. Authentication can be applied using
Cryptographic Hash Algorithms, which offers digital
signatures to the terminals that could defeat all the
possible known attacks such as Side-channel attack.
• Data Privacy. It can be guaranteed by both symmetric
and asymmetric encryption algorithms, which prevents
any unauthorized access to the sensor data while being
gathered or sent to the next layer.
• Privacy of sensitive information. To conceal the
sensitive information, anonymity of the location and
identity can be offered by using K-Anonymity approach
which guarantees the protection of the user information
like identity and location etc.
• Risk Assessment. An element which identifies new
threats to the system, which could help to avoid the
security breaches and to determine the best security
strategies. A Dynamical Risk Assessment method for
IoT is one of the examples.
B. Network Layer Security Techniques
The network layer is exposed to many kinds of
attacks. Because of the openness of the wireless
channels, communications monitoring can be easily
launched by an attacker. The network layer security can
be classified into three types which are [16]:
• Authentication: A robust authentication process and
point to point encryption can prevent illegal access to
the sensor nodes. The most common type of attack is
the DoS attack. Figure 4. Security Techniques at Different Layers [15]

• Routing Security: Routing algorithms are implemented

to ensure the privacy of data exchange between the
sensor nodes and the processing systems. The security
of routing is guaranteed by providing multiple paths for
the data routing which helps the system to detect any
errors and keep performing even if any type of failure
occurred.
• Data Privacy: The control mechanisms monitor the
system for any type of intrusion. Therefore, Data
integrity methods are performed to ensure the received
data are in the same original situation.
C. Application Layer Security Techniques
III. Recommended Solution for IoT Security
The blockchain technology has become an attractive topic
for many fields. Blockchain is a distributed open ledger which
is shared publicly between all the members on the network.
Blockchain has a lot of features, one of the essential features is
using the cryptography which can provide the authentication and
integrity for the information in the network. The integration of
blockchain into IoT brings some refinements such as
decentralization and scalability, identity, autonomy, reliability,
security, and market of services. Therefore, these points could
be appealing for who are working in the IoT area [14], [17].

This layer gives the user access to the IoT and it As discussed in Section. II, many researchers studied the
needs to be secured. The security categorization is [16]: recent IoT solution, which is the integration of blockchain into
IoT [14], based on that, we recommend the blockchain as a joint
• Authentication: Firstly, the authentication process solution to serve all three layers of IoT. Fig.5 shows how
blocks the access of any unauthorized user by utilizing blockchain can serve security requirements in term of
identity identifications, this layer supports authentication using a digital signature algorithm (DSA),
authentications by some particular cooperating services integrity based on a hash algorithm, confidentiality by using
which means users can choose which information can asymmetric cryptography.
be shared with the services. The main technologies used
in this layer are Cloud computing and Virtualization,
both are possible to attack.
• Intrusion Detection: Intrusion detection techniques
provide solutions for many security threats by
constantly monitoring the system to generate an alarm
in case of any suspicious activity, it also keeps a log of
the attacker’s activities which could help to trace the
attacker. There are many existing intrusion detection
techniques including: the data mining approach and
anomaly detection.
• Data Security. Data security can be ensured by many
encryption technologies which prevent the data-stealing
threats. Furthermore, to prevent other malicious
activities of the attackers, Anti- Dos firewalls and up to
date malware and spyware are offered.

Figure 5. Blockchain joint solution

 IV. CONCLUSTION AND FUTURE WORK [10] J. SathishKumar and D. R. Patel, “A Survey on Internet of Things:
Security and Privacy Issues,” Int. J. Comput. Appl., vol. 90, no. 11,
In this paper, we discussed the cybersecurity state in the IoT pp. 20–26, 2014.
domain, focusing on its security requirements and challenges [11] M. M. Hossain, M. Fotouhi, and R. Hasan, “Towards an Analysis of
that face each IoT layer. In addition, we addressed some Security Issues, Challenges, and Open Problems in the Internet of
Things,” Proc. - 2015 IEEE World Congr. Serv. Serv. 2015, pp. 21–
security techniques to overcome these challenges and 28, 2015.
threats. Finally, blockchain was discussed as a recommended [12] M. Abomhara and G. M. Køien, “Cyber Security and the Internet of
solution that supports IoT security in terms of confidentiality, Things: Vulnerabilities, Threats, Intruders and Attacks,” J. Cyber
authentication, and integrity. In conclusion, the aim of this work Secur. Mobil., vol. 4, no. 1, pp. 65–88, 2015.
is to highlight the recent researches in this field as a contribution
[13] M. Katagi and S. Moriai, “Lightweight cryptography for the Internet
to share liability of knowledge. As a future work, we plan to of Things,” Sony Corp., pp. 7–10, 2008.
examine and evaluate the blockchain integration with IoT, by
[14] K. Christidis and M. Devetsikiotis, “Blockchains and Smart
reviewing some real-life examples to analyze its effectiveness
Contracts for the Internet of Things,” IEEE Access, vol. 4, pp. 2292–
toward IoT security and privacy.
2303, 2016.
[15] H. Suo, J. Wan, C. Zou, J. Liu," Security in the internet of things: a
ACKNOWLEDGMENT review ", Computer Science and Electronics Engineering (ICCSEE),
012 international conference, vol. 3, pp. 648-651, 2012.
We would like to thank Dr. Salim Elkhediri for his assistance [16] M. U.Farooq, M. Waseem, A. Khairi and S. Mazhar, "A Critical
to complete this paper. We are extremely grateful to him for Analysis on the Security Concerns of Internet of Things (IoT)",
providing such a helpful support and guidance. International Journal of Computer Applications, vol. 111, no. 7, pp.
1-6, 2015.
REFERENCES [17] A. Reyna, C. Martín, J. Chen, E. Soler, and M. Díaz, “On blockchain
and its integration with IoT. Challenges and opportunities,” Futur.
[1] A. Abubakar, H. Chiroma, S. Muaz and L. Ila, "A Review of the
Gener. Comput. Syst., vol. 88, no. 2018, pp. 173–190, 2018.
Advances in Cyber Security Benchmark Datasets for Evaluating
Data-Driven Based Intrusion Detection Systems", Procedia
Computer Science, vol. 62, pp. 221-227, 2015.
[2] “Filing a Complaint with the IC3,” Internet Crime Complaint Center
(IC3) | Business E-mail Compromise E-mail Account Compromise
The 5 Billion Dollar Scam. [Online]. Available:
https://www.ic3.gov/default.aspx.
[3] R. Alguliyev, Y. Imamverdiyev and L. Sukhostat, "Cyber-physical
systems and their security issues", Computers in Industry, vol. 100,
pp. 212-223, 2018.
[4] O. Sezer, E. Dogdu and A. Ozbayoglu, "Context-Aware Computing,
Learning, and Big Data in Internet of Things: A Survey", IEEE
Internet of Things Journal, vol. 5, no. 1, pp. 1-27, 2018.
[5] A. Balti, A. Kashid , B. Patil," security Issues in Internet of Things
(IoT): A Survey ", International Journal of Advanced Research in
Computer Science and Software Engineering, vol. 5, pp. 450-455,
2015.
[6] S. Sicari, A. Rizzardi, D. Miorandi, C. Cappiello and A. Coen-
Porisini, "A secure and quality-aware prototypical architecture for
the Internet of Things", Information Systems, vol. 58, pp. 43-55,
2016.
[7] M. Frustaci, P. Pace, G. Aloi and G. Fortino, "Evaluating Critical
Security Issues of the IoT World: Present and Future Challenges,"
in IEEE Internet of Things Journal, vol. 5, no. 4, pp. 2483-2495,
Aug. 2018.
[8] R. Heartfield et al., “A taxonomy of cyber-physical threats and
impact in the smart home,” Comput. Secur., vol. 78, no. October,
pp. 398–428, 2018.
[9] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu, “Security of the
Internet of Things: perspectives and challenges,” Wirel. Networks,
vol. 20, no. 8, pp. 2481–2501, 2014