The effect of IoT new features on security and privacy: New threats, existing solutions, and challenges yet to be solved

IEEE Internet of Things Journal

Volumn 6, Issue 2, 2019, Pages 1606-1616

  Zhou, Wei ^a   Jia, Yan ^b   Peng, Anni ^a   Zhang, Yuqing ^a,c   Liu, Peng ^d  

^a UNIVERSITY OF CHINESE ACADEMY OF SCIENCES   (China)

^b XIDIAN UNIVERSITY   (China)

^c GRADUATE SCHOOL   (China)

^d PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

Internet of Things (IoT); IoT features; privacy; security; survey

Indexed keywords

AUTOMATION; COMPUTER PRIVACY; DATA PRIVACY; DOMESTIC APPLIANCES; FEATURE EXTRACTION; INTELLIGENT BUILDINGS; NETWORK PROTOCOLS; SECURITY OF DATA; SURVEYING; SURVEYS;

INDUSTRIAL AUTOMATION; INDUSTRIAL PRODUCTION; INTERNET OF THINGS (IOT); IOT FEATURES; RESEARCH CHALLENGES; SECURITY; SECURITY AND PRIVACY; SMART HOMES;

INTERNET OF THINGS;

EID: 85048613168     PISSN: None     EISSN: 23274662     Source Type: Journal    
DOI: 10.1109/JIOT.2018.2847733     Document Type: Article

References (74)

1. The Statistics Portal. (2017). Internet of Things (IoT) Connected Devices Installed Base Worldwide From 2015 to 2025 (in Billions). [Online]. Available: https://www.statista.com/statistics/471264/iotnumber-of-connected-devices-worldwide/
2. Internet of Things Market Statistics, Int. Data Corporat., Framingham, MA, USA, 2016. [Online]. Available: http://www.ironpaper.com/ webintel/articles/internet-of-things-market-statistics/
3. Bigthink Edge. (2016). Hacking the Human Heart. [Online]. Available: http://bigthink.com/future-crimes/hacking-The-human-heart
4. Envista Forensics. (2015). The Most Hackable Cars on the Road. [Online]. Available: http://www.envistaforensics.com/news/themost-hackable-cars-on-The-road-1
5. Wikipedia. 2016 Dyn Cyberattack. [Online]. Available: https:// en.wikipedia.org/w/index.php?title=2016Dyncyberattack&oldid=763 071700
6. R. Langner, "Stuxnet: Dissecting a cyberwarfare weapon," IEEE Security Privacy, vol. 9, no. 3, pp. 49-51, May/Jun. 2011.
7. R. Patterson. (2017). How Safe Is Your Data With the IoT and Smart Devices. [Online]. Available: https://www.comparitech.com/ blog/information-security/iot-data-safety-privacy-attackers/
8. GeekPwn. (2017). IoT Devices Have a Large Number of Low-Level Loopholes. [Online]. Available: http://www.sohu.com/ a/129188339198147
9. S. Li, T. Tryfonas, and H. Li, "The Internet of Things: A security point of view," Internet Res., vol. 26, no. 2, pp. 337-359, 2016.
10. J. Lin et al., "A survey on Internet of Things: Architecture, enabling technologies, security and privacy, and applications," IEEE Internet Things J., vol. 4, no. 5, pp. 1125-1142, Oct. 2017.
11. K. Fu et al., "Afety, security, and privacy threats posed by accelerating trends in the Internet of Things," Comput. Community Consortium, Washington, DC, USA, Rep., 2017. [Online]. Available: http://cra.org/ ccc/wp-content/uploads/sites/2/2017/02/Safety-Security-and-Privacy-Threats-in-IoT.pdf
12. R. Roman, J. Zhou, and J. Lopez, "On the features and challenges of security and privacy in distributed Internet of Things," Comput. Netw., vol. 57, no. 10, pp. 2266-2279, 2013.
13. S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, "Security, privacy and trust in Internet of Things: The road ahead," Comput. Netw. Int. J. Comput. Telecommun. Netw., vol. 76, pp. 146-164, Jan. 2015.
14. Y. Yang, L. Wu, G. Yin, L. Li, and H. Zhao, "A survey on security and privacy issues in Internet-of-Things," IEEE Internet Things J., vol. 4, no. 5, pp. 1250-1258, Oct. 2017.
15. W. Trappe, R. Howard, and R. S. Moore, "Low-energy security: Limits and opportunities in the Internet of Things," IEEE Security Privacy, vol. 13, no. 1, pp. 14-21, Jan./Feb. 2015.
16. L. Tibbets and J. Tane. (2012). IFTTT. [Online]. Available: https://platform.ifttt.com/
17. Samsung. (2014). SmartThings. [Online]. Available: https://www.smartthings.com/
18. Apple. (2014). HomeKit. [Online]. Available: https://developer.apple.com/homekit/
19. Amazon. (2012). Alexa. [Online]. Available: https://developer.amazon.com/alexa
20. E. Fernandes, J. Jung, and A. Prakash, "Security analysis of emerging smart home applications," in Proc. IEEE Security Privacy, San Jose, CA, USA, 2016, pp. 636-654.
21. T. Yu et al., "Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things," in Proc. ACM Workshop Hot Topics Netw., 2015, p. 5.
22. Y. J. Jia et al., "ContexIoT: Towards providing contextual integrity to appified IoT platforms," in Proc. Netw. Distrib. Syst. Security Symp., 2017, pp. 1-15.
23. JD Alpha. (2015). Joylink. [Online]. Available: http:// smartdev.jd.com/
24. Alibaba. (2015). Alink. [Online]. Available: https:// open.aliplus.com/docs/open/
25. Alibaba. (2015). Internet of Things Security Report. [Online]. Available: https://jaq.alibaba.com/community/art/show?articleid=195
26. Network Working Group Internet-Draft. (2017). Secure IoT Bootstrapping: A Survey. [Online]. Available: https://tools.ietf.org/ html/draft-sarikaya-t2trg-sbootstrapping-03
27. H. Liu et al., "Smart solution, poor protection: An empirical study of security and privacy issues in developing and deploying smart home devices," in Proc. IoT Security Privacy Workshop, Dallas, TX, USA, 2017, pp. 13-18.
28. Y. Yang. BadTunnel: NetBIOS Name Service Spoofing Over the Internet. [Online]. Available: https://www.blackhat.com/docs/us-16/materials/us-16-Yu-BadTunnel-How-Do-I-Get-Big-Brother-Power-wp.pdf
29. J. Rubio-Hernan, J. Rodolfo-Mejias, and J. Garcia-Alfaro, "Security of cyber-physical systems," in Proc. Conf. Security Ind. Control Cyber Phys. Syst., 2016, pp. 3-18.
30. D. Davidson, B. Moench, S. Jha, and T. Ristenpart, "FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution," in Proc. USENIX Security Symp., 2013, pp. 463-478.
31. J. Zaddach, L. Bruno, A. Francillon, and D. Balzarotti, AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares, Nat. Down Synd. Soc., New York, NY, USA, 2014.
32. D. D. Chen, M. Egele, M. Woo, and D. Brumley, "Towards automated dynamic analysis for Linux-based embedded firmware," in Proc. Netw. Distrib. Syst. Security Symp., 2016, pp. 1-16.
33. D. Hadẑiosmanovic, R. Sommer, E. Zambon, and P. H. Hartel, "Through the eye of the PLC," in Proc. Comput. Security Appl. Conf., New Orleans, LA, USA, 2014, pp. 126-135.
34. D. T. Sullivan and E. J. Colbert, "Network analysis of reconnaissance and intrusion of an industrial control system," Comput. Inf. Sci. Directorate, U.S. Army Res. Lab., Adelphi, MD, USA, Rep. ARL-TR-7775, 2016.
35. L. Zhao, G. Li, B. D. Sutter, and J. Regehr, "ARMor: Fully verified software fault isolation," in Proc. IEEE Int. Conf. Embedded Softw., Taipei, Taiwan, 2011, pp. 289-298.
36. P. Schulz, S. Koeberl, A.-R. Sadeghi, and V. Varadharajan, "TrustLite: A security architecture for tiny embedded devices," in Proc. ACM EuroSys, Amsterdam, The Netherlands, 2014, pp. 1-14.
37. A. A. Clements et al., "Protecting bare-metal embedded systems with privilege overlays," in Proc. IEEE Security Privacy, San Jose, CA, USA, 2017, pp. 289-303.
38. C. H. Kim et al., "Securing real-time microcontroller systems through customized memory view switching," in Proc. Netw. Distrib. Syst. Security Symp., 2018.
39. F. Guo, Y. Mu, W. Susilo, D. S. Wong, and V. Varadharajan, "CPABE with constant-size keys for lightweight devices," IEEE Trans. Inf. Forensics Security, vol. 9, no. 5, pp. 763-771, May 2014.
40. Y. Shi, W. Wei, Z. He, and H. Fan, "An ultra-lightweight white-box encryption scheme for securing resource-constrained IoT devices," in Proc. ACM Conf. Comput. Security Appl., 2016, pp. 16-29.
41. J. Buchmann, F. Göpfert, T. Güneysu, T. Oder, and T. Pöppelmann, "High-performance and lightweight lattice-based public-key encryption," in Proc. 2nd ACM Int. Workshop IoT Privacy Trust Security, 2016, pp. 2-9.
42. T. Rauter, A. Höller, N. Kajtazovic, and C. Kreiner, "Privilege-based remote attestation: Towards integrity assurance for lightweight clients," in Proc. ACM Workshop IoT Privacy Trust Security, 2015, pp. 3-9.
43. M. Majzoobi, M. Rostami, F. Koushanfar, D. S.Wallach, and S. Devadas, "Slender PUF protocol: A lightweight, robust, and secure authentication by substring matching," in Proc. IEEE Security Privacy Workshops, San Francisco, CA, USA, 2012. pp. 33-44.
44. M. Hiller, A. G. Önalan, G. Sigl, and M. Bossert, "Online reliability testing for PUF key derivation," in Proc. Int. Workshop Trustworthy Embedded Devices, 2016, pp. 15-22.
45. W. Xu et al., "KEH-Gait: Towards a mobile healthcare user authentication system by kinetic energy harvesting," in Proc. Netw. Distrib. Syst. Security Symp., 2017.
46. R. A. Scheel and A. Tyagi, "Characterizing composite user-device touchscreen physical unclonable functions (PUFs) for mobile device authentication," in Proc. Int. Workshop Trustworthy Embedded Devices, 2015, pp. 3-13.
47. Checkpoint Research. (2017). IoTroop Botnet: The Full Investigation. [Online]. Available: https://research.checkpoint.com/iotroop-botnet-fullinvestigation/
48. Y. M. P. Pa et al., "IoTPOT: Analysing the rise of IoT compromises," in Proc. USENIX Conf. Offensive Technol., 2015, p. 9.
49. C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, "DDoS in the IoT: Mirai and other botnets," Computer, vol. 50, no. 7, pp. 80-84, Jul. 2017.
50. C. Zhang and R. Green, "Communication security in Internet of Thing: Preventive measure and avoid DDoS attack over IoT network," in Proc. Symp. Commun. Netw. Soc. Comput. Simulat. Int., 2015, pp. 8-15.
51. Z. Lu, W. Wang, and C. Wang, "Camouflage traffic: Minimizing message delay for smart grid applications under jamming," IEEE Trans. Dependable Secure Comput., vol. 12 no. 1, pp. 31-44, Jan./Feb. 2015.
52. P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, "DEMO: An IDS framework for Internet of Things empowered by 6LoWPAN," in Proc. ACM Sigsac Conf. Comput. Commun. Security, 2013, pp. 1337-1340.
53. K. E. Defrawy, A. Francillon, D. Perito, and G. Tsudik, "SMART: Secure and minimal architecture for (establishing a dynamic) root of trust," in Proc. Netw. Distrib. Syst. Security Symp., 2012.
54. J. Noorman et al., "Sancus: Low-cost trustworthy extensible networked devices with a zero-software trusted computing base," in Proc. 22nd USENIX Conf. Security, 2013, pp. 479-494.
55. E. A. Moore and USA Today. (2016). Woman Sues Sex-Toy Maker for Invading Privacy. [Online]. Available: http://www.usatoday.com/ story/news/2016/09/15/womansues-sex-toy-maker-invading-privacy/ 90400592/
56. B. Copos, K. Levitt, M. Bishop, and J. Rowe, "Is anybody home? Inferring activity from smart home network traffic," in Proc. IEEE Security Privacy Workshops, San Jose, CA, USA, 2016, pp. 245-251.
57. M. Conti, M. Nati, E. Rotundo, and R. Spolaor, "Mind the plug! Laptop-user recognition through power consumption," in Proc. ACM Int. Workshop IoT Privacy Trust Security, 2016, pp. 37-44.
58. Volansys. (2016). Connecting Devices to Cloud IoT Platform-As-A-Service: Challenges and Solution. [Online]. Available: https://volansys. com/connecting-devices-cloud-iot-platform-service-challenges-solution/
59. MarketsandMarkets. (Dec. 2015). Insurance Telematics Market Worth 2.21 Billion USD by 2020. [Online]. Available: http://www.prnewswire.com/news-releases/insurance-telematics-marketworth-221-billion-usd-by-2020-561817961.html
60. W. Yang et al., "Minimizing private data disclosures in the smart grid," in Proc. ACM Conf. Comput. Commun. Security, 2012, pp. 415-427.
61. E. M. Chan, P. E. Lam, and J. C. Mitchell, "Understanding the challenges with medical data segmentation for privacy," in Proc. USENIX Conf. Safety Security Privacy Interoperability Health Inf. Technol., 2013, p. 2.
62. L. Guo et al., "A secure mechanism for big data collection in large scale Internet of Vehicle," IEEE Internet Things J., vol. 4, no. 4, pp. 601-610, Apr. 2017.
63. G. Barthe, G. Danezis, B. Grégoire, C. Kunz, and S. Zanella-Béguelin, "Verified computational differential privacy with applications to smart metering," in Proc. IEEE Comput. Security Found. Symp., New Orleans, LA, USA, 2013, pp. 287-301.
64. L. Yang, A. Humayed, and F. Li, "A multi-cloud based privacypreserving data publishing scheme for the Internet of Things," in Proc. ACM Conf. Comput. Security Appl., 2016, pp. 30-39.
65. S.-Y. Chang, Y.-C. Hu, H. Anderson, T. Fu, and E. Y. Huang, "Body area network security: Robust key establishment using human body channel," in Proc. USENIX Conf. Health Security Privacy, 2012, p. 5.
66. I.-R. Chen, F. Bao, and J. Guo, "Trust-based service management for social Internet of Things systems," IEEE Trans. Dependable Secure Comput., vol. 13, no. 6, pp. 684-696, Nov./Dec. 2016.
67. Govtech. (2015). FutureStructure: The New Framework for Communities (Infographic). [Online]. Available: http://www.govtech.com/ dc/articles/FutureStructure-The-NewFramework-for-Communities.html
68. WeLiveSecurity. (Oct. 2016). 10 Things to Know About the October 21 IoT DDoS Attacks. [Online]. Available: https://www.welivesecurity.com/2016/10/24/10-things-know-october-21-iot-ddos-attacks/
69. C. Miller and C. Valasek, "Remote exploitation of an unaltered passenger vehicle," in Proc. Black Hat USA, Las Vegas, NV, USA, 2015.
70. A. Wright, "Mapping the Internet of Things," Commun. ACM, vol. 60, no. 1, pp. 16-18, 2016.
71. Z. Bi, L. D. Xu, and C. Wang, "Internet of Things for enterprise systems of modern manufacturing," IEEE Trans. Ind. Informat., vol. 10, no. 2, pp. 1537-1546, May 2014.
72. OWASP. (2014). OWASP Internet of Things Top Ten. [Online]. Available: https://www.owasp.org/images/7/71/InternetofThingsTopTen2014-OWASP.pdf
73. L. Guan et al., "From physical to cyber: Escalating protection for personalized auto insurance," in Proc. 14th ACM Conf. Embedded Netw. Sensor Syst. (SenSys), 2016, pp. 42-55.
74. L. Guan et al., "TrustShadow: Secure execution of unmodified applications with ARM TrustZone," in Proc. 15th Annu. Int. Conf. Mobile Syst. Appl. Services, 2017, pp. 488-501.