2.1 Introduction

The rapid proliferation of the Internet of Things (IoT) into diverse application areas such as building and home automation, smart transportation systems, wearable technologies for healthcare, industrial process control, and infrastructure monitoring and control is changing the fundamental way in which the physical world is perceived and managed. It is estimated that there will be approximately 30 billion IoT devices by 2020. Most of these IoT devices are expected to be of low‐cost and wireless communication technology based, with limited capabilities in terms of computation and storage. As IoT systems are increasingly being entrusted with sensing and managing highly complex eco‐systems, questions about the security and reliability of the data being transmitted to and from these IoT devices are rapidly becoming a major concern.

It has been reported in several studies that IoT networks are facing several security challenges [1–7] including authentication, authorization, information leakage, privacy, verification, tampering, jamming, eavesdropping, etc. IoT provides a network infrastructure with interoperable communication protocols and software tools to enable the connectivity to the internet for handheld smart devices (smart phones, personal digital assistants [PDAs] and tablets), smart household apparatus (smart TV, AC, intelligent lighting systems, smart fridge, etc.), automobiles, and sensory acquisition systems [1]. However, the improved connectivity and accessibility of devices present major security concerns for all the parties connected to the network regardless of whether they are humans or machines. The infiltration launched by the Mirai malware on the Domain Name System (DNS) provider Dyn in 2016 through a botnet‐based Distributed Denial of Service (DDoS) attack to compromise IoT devices such as printers, IP cameras, residential gateways, and baby monitors represents the fertile ground for cyber threats in the IoT domain [82]. Moreover, the cyber‐attack launched at the Ukrainian power grid in 2015 targeting the Supervisory Control and Data Acquisition (SCADA) system caused a blackout for several hours and is a prime example of the gravity of resulting devastation possible through modern day attacks [2]. The main reasons for the security challenges of current information‐centric automated systems is their insecure unlimited connectivity with the internet and the non‐existent access control mechanisms for providing secure and trustworthy communication. Furthermore, the problem of vulnerabilities in IoT systems arises because of the physical limitations of resource‐constrained IoT devices (in terms of computing power, on‐board storage and battery‐life), lack of consensus/standardization in security protocols for IoT, and widespread use of third‐party hardware, firmware, and software. These systems are often not sufficiently secure; especially when deployed in environments that cannot be secured/isolated by other means. The resource constraints on typical IoT devices make it impractical to use very complex and time‐consuming encryption/decryption algorithms for secure message communication. This makes IoT systems highly susceptible to various types of attacks [1,3–7]. Furthermore, addressing the security vulnerabilities in the protocols designed for communication is critical to the success of IoT [8–12,97,98].

This chapter focuses on security threats, attacks, and authentication in the context of the IoT and the state‐of‐the‐art IoT security. It presents the results of an exhaustive survey of security attacks and access control mechanisms including authentication and authorization issues existing in IoT systems, its enabling technologies and protocols, while addressing all levels of the IoT architecture. We surveyed a wide range of existing works in the area of IoT security that use a number of different techniques. We classify the IoT security attacks and proposed countermeasures based on the current security threats, considering all three layers: perception, network, and application. This study aims to serve as a useful manual of existing security threats and vulnerabilities within the IoT heterogeneous environment and proposes possible solutions for improving the IoT security architecture. State‐of‐the‐art IoT security threats and vulnerabilities have also been investigated, in terms of application deployments such as smart utilities, consumer wearables, intelligent transportation, smart agriculture, industrial IoT, and smart city have been studied. The insights presented on authentication and authorization aspects for the comprehensive IoT architecture are the prime contributions of this chapter.

The remainder of this chapter is organized as follows. Section 2.2 provides the IoT classification of attacks and their countermeasures according to the IoT applications and different layers of the IoT infrastructure. Section 2.3 addresses the importance of authentication with respect to security in IoT and presents in detail the existing authentication and authorization issues at all layers. Section 2.4 introduces other security features and their related issues. Additionally, solutions for remediation of the compromised security, as well as methods for risk mitigation, with prevention and suggestions for improvement discussed in the same section. A discussion on the authentication mechanisms in the IoT domain, considering the most recent methodologies, has been presented in Section 2.5. Section 2.6 introduces future research directives such as blockchain, 5G, fog and edge computing, quantum, AI and network slicing. Finally, Section 2.7 concludes this study.

2.2 Attacks and Countermeasures

Security is defined as a process to protect a resource against physical damage, unauthorized access, or theft, by maintaining a high confidentiality and integrity of the asset's information and making information about that object available whenever needed. The IoT security is the area of endeavor concerned with safeguarding connected devices and networks in the IoT environment. IoT enables the improvement of several applications in various fields, such as, smart cities, smart homes, healthcare, smarts grids, as well as other industrial applications. However, introducing constrained IoT devices and IoT technologies in such sensitive applications leads to new security challenges.

IoT is relying on connectivity of myriads of devices for its operation. Hence, the possibility of being exposed to a security attack is highly probable. In Information Technology (IT), an attack is an attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to an asset. For example, cryptographic security protocols are key components in providing security services for communication over networks [10]. These services include data confidentiality, message integrity, authentication, availability, nonrepudiation, and privacy [3]. The proof of a protocol flaw is commonly known as an “attack” on a protocol and it is generally regarded as a sequence of actions performed by a dishonest principal, by means of any hardware or software tool, in order to subvert the protocol security goals. An IoT attack is not much different from an assault against an IT asset. What is new is the scale and relative simplicity of attacks in the IoT – millions and billions of devices are a potential victim of traditional style cyber‐attacks, but on a far greater scale and often with limited or no protection.

The most prevalent devices connected to serving IoT applications for infotainment purposes are smart TVs, webcams, and printers. A vulnerability analysis has been conducted in [81] on these devices using Nessus1 tool to observe that approximately 13% of the devices out of 156 680 were vulnerable which were further classified as critical, high, medium, and low. The vulnerabilities that exist, for example, MiniUPnP, Network Address Translation Port Mapping Protocol (NAT‐PMP) detection, unencrypted telnet, Simple Network Management Protocol (SNMP) agents, Secure Shell (SSH) weak algorithms and File Transfer Protocol (FTP) inherited by webcams, smart TVs and printers are further identified based on manufacturer models.

In this section, we present the results of our study on the existing vulnerabilities, exploitable attacks and possible countermeasures in the context of the IoT and the state‐of‐the‐art IoT security. We surveyed a wide range of existing work in the area of IoT security that use different techniques. We classified the IoT security attacks and the proposed countermeasures based on the current security threats, considering all three layers: Perception, Network, and Application. Figure 2.1 illustrates the typical architecture of IoT and entities which are considered under each layer. Table 2.1 summarizes the taxonomy of attacks and viable solutions of IoT categorized under each layer. These attacks and their corresponding solutions will be further discussed below.

2.2.3 Application Layer

As illustrated in Figure 2.2, possible applications for IoT are expanded into every industry available in the current era, in addition to myriads of non‐industrial applications developed for automation purposes. In general, feasible attacks on the IoT application layer could be represented in two forms. They are software‐based and encryption‐based attacks. In the software attacks, most attacks are based on malicious software agents, apart from the phishing attacks, where the attacker reveals the authentication credentials of the user by impersonating as a trusted authority. Malware, worms, adware, spyware, and Trojans are highly probable occurrences with the heterogeneity of IoT applications and their broader services [6]. Encryption‐based attacks are the approaches taken to exploit the procedural nature of the cryptographic protocols and their mathematical model through extensive analysis. Cryptanalytic attacks, ciphertext only attacks, known plaintext attacks, and chosen plaintext attacks exemplify such possible threats [18].

There are several solutions proposed in the literature for the security of IoT applications such as authentication, key agreement and protection of user privacy across heterogeneous networks [1], DTLS for end‐to‐end security [36], and information flow control [28]. The countermeasures for software‐based authentication should be taken for mitigating attacks such as phishing attacks; through the verification of the identity of malicious adversaries before proceeding.

2.2.3.1 Smart Utilities – Smart Grids and Smart Metering

Smart Grids are the future of energy distribution for all industrial and residential sectors. IoT plays a major role in smart grids for establishing the communication and monitoring protocols with consumers of energy. Smart grid is a decentralized energy grid with the ability to coordinate the electricity production in relation to the consumption or consumption patterns of the consumer. These systems are featuring monitoring technology called as Advanced Metering Infrastructure (AMI)/smart metering/net metering; which can measure and update the power consumption parameters to both entities in real time [39]. Additionally, smart grids are incorporating renewable energy sources commissioned in the vicinity of the consumer to cater the bidirectional energy flow for mitigating energy deficiencies [1].

Figure 2.3 illustrates a Smart Grid Architectural Model (SGAM) proposed by the coordinated group of European Committee for Standardization – European Committee for Electrotechnical Standardization – European Telecommunications Standards Institute (CEN‐CENELEC‐ETSI), which offers a framework for smart grid use cases [76]. This architecture formulates three dimensions which amalgamate five functional interoperability layers with energy sector domains and zones that account for power system management [77]. This holistic framework is capable of reinforcing the design stages of the smart energy systems. The IoT technologies could be amalgamated with the SGAM framework to establish the bi‐directional communication.

All the monitoring applications are developed with IoT infrastructure, with grid controlling access granted to the grid, controlling officers for pursuing configurations while the consumers can only visualize the consumption details via a mobile device. The information circulated through the AMI may pose a privacy concern for consumers for disseminating information regarding their habits and activities, where the impact could be severe for industries. Due to the heterogeneous nature of communication equipment deployed with IoT, and rapidly increasing population and industries, it would cause scalability issues for security. Smart grids are distributed across the power serving area and are, therefore, exposed to adversaries.

As the energy distribution system is the most critical infrastructure that exists in an urban area, the tendency to convert prevailing wired power‐line communication (sending data over existing power cables) based controlling and monitoring channels to the wireless medium, with the introduction of IoT technologies, would expose the entire system to unintended security vulnerabilities. The intruders, using the proper techniques, could perpetuate AMI interfaces stationed at every household or industrial plant. Once access is granted to the hostile operators, potential outcomes can be devastating from disrupting the level of energy flow from a local grid substation to overloading the nuclear reactor of a power station. The availability of the grid could be compromised from IP spoofing, injection, and DoS/DDoS attacks [39]. Thus, access controlling for devices used in AMI and grid‐controlling systems should be secured with extra countermeasures.

2.2.3.2 Consumer Wearable IoT (WIoT) Devices for Healthcare and Telemedicine

IoT‐based healthcare systems are the most profitable and funded projects in the entire world. This is mainly due to the higher aggregate of aging people and the fact that health is the most concerning aspect of human life. A sensory system embedded with actuators is provided for individuals to use as a wearable device (i.e. wearable Internet of Things [WIoT] device), illustrated in Figure 2.4. A WIoT device can be used for tracking and recording vitals such as blood pressure, body temperature, heart rate, blood sugar, etc., [39]. This data can be conveyed and stored in a cloud as a Personal Health Record (PHR) to be accessed by the user and the assigned physicians.

Since the data handled in IoT‐based healthcare is personal, privacy is the most demanding security issue. Hence, the access control mechanism for wearable devices as well as for PHRs must be well secured. However, employing strong crypto primitives for enhancing the authentication protocols of PHRs is possible as they are also stored in cloud environments. Hence, the same privacy concerns presented in Section 2.3.2.2 under cloud computing apply. Moreover, a method for assuring anonymity of patients should be developed in case the PHRs are exposed to external parties, because they are stored in Cloud Service Providers (CSPs). Wearable devices also face the resource scarcity issues for battery power, memory, and processing level [39]. Thus, a lightweight protocol for authentication and access control should be employed [101]. Similar to all other IoT applications, heterogeneous wearable devices produced by different manufacturers would employ diverse technologies for developing communication protocols. Thus, developing a generic access control policy would be extremely challenging.

2.2.3.3 Intelligent Transportation

Intelligent Transportation Systems (ITS) are introduced to improve transportation safety and decrease traffic congestions while minimizing environmental pollution. In an ITS system, there are four main components; vehicles, roadside stations, ITS monitoring centers and security systems [39]. All information extracted from vehicular nodes and roadside stations are conveyed to the ITS monitoring center for further processing; while the security subsystem is responsible for maintaining overall security. The entire system could be considered as a vehicular network, where the communication channels are established between Vehicle‐to‐Vehicle (V2V), Vehicle‐to‐Infrastructure (V2I), Vehicle‐to‐Pedestrian (V2P), and Vehicle‐to‐Grid (V2G) [39]. These communication links are implemented using technologies like RFID and Dedicated Short Range Communication (DSRC) for launching a large Wireless Sensor Network (WSN) [1]. The vehicular nodes and the entire data storing and monitoring infrastructure form a viable IoT deployment.

Figure 2.5 illustrates an ITS model, which enables communication among vehicular entities traveling through different mediums (airborne, land, and marine) with various technologies such as satellite, mobile, Wireless Local Area Network (WLAN), etc. Such a system would enable services like real‐time updated navigation, roadside assistance, automated vehicular diagnostics, accident alerting system and self‐driving cars [78]. Thus, massive divergence in the applicability of ITS deployment raises the requirement for a ubiquitous wireless connectivity with access points.

As mentioned above, a larger number of entry points to a vehicular network makes it vulnerable to diverse attacks which can be targeted toward many sources [39]. At the same time, the privacy of drivers should be ensured from external observers, though drivers are not participating in any authentication activity. Authentication mechanisms are initiated between V2V interfaces where they can be exploited by an invader impersonating another vehicle or a roadside station. Therefore, a mechanism to verify the identity of the vehicles or roadside stations should be developed with a proper authentication mechanism employing a Trusted Third Party (TTP).

In some V2V communication systems, an On Board Diagnostic (OBD) unit is utilized to extract information directly from the Engine Control Unit (ECU) [1]. The OBD port could be used to manipulate the engine controls of a vehicle and could then be remotely accessed via the systems being developed. Thus, securing the access to the OBD port is vital.

2.2.3.4 Smart Agriculture

Agriculture is the most crucial industry in the world as it produces food and beverages by planting crops such as corn, rice, wheat, tea, potatoes, oats, etc. With the rapid worldwide population growth accounting for resource depletion, pollution, as well as the scarcity of human labor; agriculture is becoming an demanding industry. Automation is the most probable alternative for improving the effectiveness of the agriculture industry. Thus, IoT could play a vital role in such automation. IoT infrastructure could be deployed to perform climate/atmospheric, crop‐status monitoring and livestock tracking. Climatic sensors, water/moisture level sensors and chemical concentration/acidity sensors along with visual sensors could be deployed for crop‐status monitoring, while automated water and fertilizer dispersing mechanisms are in place within the bounds of the plantation. Additionally, livestock tracking is another aspect of smart farming implemented through the deployment of Local Positioning Systems (LPSs) on farm animals.

This type of a smart system would provide benefits such as the ability to utilize the fertilizer and water usage while maximizing crop production through mitigated effects of climatic deficiencies. The fruition science and “Hostabee” are two live cases of smart agriculture solutions used currently by the plantation industry [78].

Because of the diverse nature of sensor devices used in smart agriculture applications, integrating them into a holistic system may raise concerns about the compatibility of technologies among the variety of manufacturers and those protocols in which communication is established. As the plantations or fields are extending to larger areas, the number of IoT‐enabled sensory systems to be deployed will be immense. Handling the data flow of such a large number of individual sensors with different data representations dispersed throughout a broad geographical region exerts the requirement for a communication technology with a higher coverage and moderate data rates which could not be satisfied by low‐range communication technologies such as Bluetooth or NFC. However, DSRC would be a suitable technology to create a WSN with smart agriculture sensors, as it is compatible with ITSs.

As the IoT devices are disseminated across a larger geographical extent, the probability of any IoT device being compromised is high as they are exposed. Perception level attacks are probable with these devices as they are sensory nodes and would have limited resources for both processing and storing information. The spoofing, impersonation, replay and Man‐in‐the‐Middle (MiM) attacks are probable with this application [80]. This raises the requirement for a proper authentication scheme as all perception level attacks could be mitigated using such a countermeasure.

2.2.3.5 Industrial IoT (IIoT)

M2M‐based automation systems are quite common for industries such as oil and gas manufacturers. These industries are vast and the machinery employed is massive, expensive, and poses a significant risk to machine operators. Functions such as oil exploration by drilling, refining, and distributing are all conducted using automated machinery controlled through Programmable Logic Controllers (PLCs) based on SCADA systems. Although, the current M2M infrastructure is ideal for controlling the machinery, remote monitoring and accessibility is limited while a proper data storage and processing mechanism for decision making is not yet available. Thus, the requirement for IoT arises to improve operational efficiency by optimizing control of robots, reducing downtime through predictive and preventive maintenance, increasing productivity and safety through real‐ time remote monitoring of assets [78]. IoT sensor nodes could be deployed at the machinery while monitoring tools could be integrated without affecting the operation of SCADA systems. Hence, SCADA systems could be optimized to enhance productivity.

The Smart Factories term is an adaptation of Industrial Internet of things (IIoT), introduced as “Industry 4.0” to represent the Fourth Industrial Revolution (4IR) [79]. This standard signifies a trend of automation and data exchange in manufacturing industries which integrate Cyber‐Physical Systems (CPS), IoT, and Cloud Computing based Data analytics [78,79]. The interoperability, information transparency, technical assistance and decentralized decision making are the design principles of Industry 4.0 standard. BOSCH has developed connected hand‐held tools which could monitor location, current user, and task‐at‐hand; analyzed and utilized for improving the efficiency in industrial labor [78]. Thus, the deployment of IoT across industry is imminent.

The security of industrial applications is a major concern, as any hostile intrusion could result in a catastrophic occurrence for both machinery and human operators. The SCADA systems are no longer secure (e.g. Considering the recent events [2]) due to their isolated localization and operation. However, main controlling functions are maneuvered within the control station located inside the industrial facility, while limited egress connectivity is maintained via satellite links with VSAT (Very Small Aperture Terminal) or microwave in the case of offshore or any other industrialized plants of such nature.

Due to their offline nature, the probability of any online intrusion is minimal. Though, any malicious entity such as a worm or a virus injected to the internal SCADA network could compromise the entire factory. Once inserted into the system, the intention of the malicious entity would be to disrupt the operations of the facility and its machinery. Thus, limiting the possibility for any malicious insurgence from the internal network and employing effective Intrusion Detection System (IDS) to detect malicious entities, would be the most suitable countermeasure for this application.

2.2.3.6 Smart Buildings, Environments, and Cities

Smart city is a holistically expanded inclusion of smart buildings and smart environments along with other smart automation systems formed to improve the quality of life for residents in a city. This is, in fact, the most expandable version of any IoT application in terms of cost for infrastructure deployment and geographical extent. In this concept, as shown in Figure 2.6, sensors are deployed throughout the building, environment, or the city for the purpose of extracting data of varied parameters such as temperature, humidity, atmospheric pressure, air density/air quality, noise level, seismic detection, flood detection, and radiation level. CCTV streams and LPSs would be a valuable input for smart building and smart cities to detect intrusions, monitor traffic and emergencies. All other smart systems explained in the previous sections are, in fact, subsystems of a functional smart city.

Due to various parameters to be gathered from the sensory acquisitions, heterogeneity is immense and the implementation is arduous [39]. At the same time, management of the gathered Big Data content is not scalable. Thus, providing security for all the applications in smart cities would be extremely challenging. Most of the Big Data content extracted from the sensors is forwarded to clouds through M2M authentication. Because of large data transmissions, cryptographic schemes should be lightweight and the authentication mechanism should be dynamic. DoS or DDoS attacks are most probable and could be mitigated with a strong authentication mechanism [1]. Individual sensors could be compromised resulting in the initiation of fake emergencies and access control methods should be improved to avoid such inconsistencies at the sensor level.

The paper [40] introduces applications of IoT with specific focus on smart homes. The study presented in [40] claims that although smart homes are offering comfortable services, security of data and context‐oriented privacy are also a major concern of these applications. The security and privacy issues in IoT applications have also been studied in [41].

2.3 Authentication and Authorization

Authentication and access control mechanisms hold a great deal of significance in IoT. Without a proper mechanism for access control, entire IoT architecture could be compromised, as IoT devices are highly reliant on the trustworthiness of the other components to which they are connected. Thus, a proper access control mechanism is paramount to mitigate the flaws in the current IoT infrastructure.

Access control mechanisms are comprised of two stages (Figure 2.7) [1]: (i) Authentication and (ii) Authorization.

2.4 Other Security Features and Related Issues

IoT systems have their own generalized features and requirements regardless of the diversified nature of its applications such as heterogeneity, scalability, Quality of Service (QoS)‐aware, cost minimization due to large‐scale deployment, self‐management including self‐configuration, self‐adaptation, self‐discovery, etc. The last, but not least, general feature/requirement of an IoT system is to provide a secure environment to gain robustness against communication attacks, authentication, authorization, data‐transfer confidentiality, data/device integrity, privacy, and to form a trusted secure environment [43]. IoT systems are fundamentally different from other transitional WSN systems [44] in many ways. (i) The diversity of the types of applications, the capabilities, and attributes of the IoT devices and deployed environments (ii) The holistic design of the system is mostly driven by the applications and it is essential to consider who the users are, what are the purposes and expected outcomes of the applications, etc. An IoT system is required to manage a large variety of devices, technologies, and service environments as the system itself is highly heterogeneous, where the connected IoT devices or equipment can range from simple temperature sensors to high‐resolution smart cameras. The communication, computing, and power capability of each device can be unique and unique from others. These resource and interoperability constraints limit the feasibility for a standard security solution.

2.5 Discussion

Authentication for IoT is a paramount necessity for securing and ensuring the privacy of users, simply due to the fact that an impregnable access control scheme would be impervious for any attack vector originating outside of the considered trust domain, as explained in the previous sections of this chapter. Authentication schemes in IoT applications are generally implemented at the software level, where it exposes unintentional hardware and design vulnerabilities [82]. This fact constitutes the requirement of a holistic approach for securing access to the systems via the employment of impregnable authentication schemes. However, developing a generic authentication scheme to counter all possible attack scenarios would be improbable and an arduous attempt due to the heterogeneity of the IoT paradigm. A layered approach that identifies the distinct authentication requirement is desired to formalize a holistic trust domain.

For perception level entities, IBE or ECC would be ideal authentication schemes to generate commendable cryptographic credentials with available resources. The mobile entities, where actual users are interfacing to IoT systems are storing personalized credentials such as photos, medical stats, access to CCTV systems, GPS location (GPS), daily routines, financial statistics, banking credentials, emergency service status and online account statistics, are emphasizing the need for privacy preservation at this level. As proposed in Section 2.3.3.1.1, adopting IBE, ABE, ECC, or biometric‐based mechanisms should ensure security. Novel mechanisms such as CapBAC could be employed to launch a scalable access control scheme for cloud computing platforms for IoT applications. However, the potential for deploying edge computing paradigms in the edge of the network indemnifies the cloud computing services from external direct access, as the access control would be migrated to the edge along with the service platform. The internet technologies of IoT‐enabled systems are more secured than the perception level and mobile level entities with the deployed protocols such as DTLS, SSL, and IPSec. Due to the dependency of a CA or TTP for employing such strong and secure protocols, the future of Internet security enhancements would be focused on developing distributed access control schemes to eliminate the single point of failure. Each IoT application composes different devices and systems to accomplish the intended outcome which attributes diverse protocols in hardware and software. Thus, the authentication schemes should be application specific and context aware of resource constraints associated with the diversified deployments. As privacy is the main concern on IoT to be ensured through impregnable access control schemes, the GDPR initiative is a timely solution established to constrict the IoT service providers (both software and hardware) from developing and marketing products with vulnerabilities.

Current researches have focused on developing novel methods for authentication in the IoT domain. We are briefly introducing a few of these recent approaches to demonstrate the state‐of‐the‐art technologies.

In [86], Ning et al. has proposed an aggregated proof‐based hierarchical authentication (APHA) scheme to be deployed on existing Unit IoT and Ubiquitous IoT (U2IoT) architecture. Their scheme employs two cryptographic primitives; homomorphic functions and Chebyshev polynomials. The proposed scheme has been verified formally using Burrows‐Abadi‐Needham (BAN) logic. However, the scalability of the scheme with the extent of multiple units has not been verified with a physical prototype.

There are various initiatives on Physical Unclonable Functions (PUF) to be used for IoT device authentication. A PUF is an expression of an inherent and unclonable instance‐specific unique feature of a physical object which serves as a biometric for non‐human entities, such as IoT devices [89]. Hao et al. are proposing a Physical Layer (PHY) End‐to‐End (E2E) authentication scheme which generates an IBE‐based PHY‐ID which acts as a PUF with unclonable PHY features RF Carrier Frequency Offset (CFO) and In‐phase/Quadrature‐phase Imbalance (IQI) extracted from collaborative nodes in a Device to Device (D2D) IoT deployment [87]. This mechanism is ideal for perception‐level nodes to be impervious to impersonation or malicious node injection attacks, as it is using physical measurements which are unique for each entity and for its location of operation in generating an identity for devices. However, the proposed scheme relies on a TTP called Key Generation Center (KGC). KGC generates the asymmetric key credentials for the nodes in its contact. The reachability of a certain KGC is limited due to the low power D2D connectivity. Thus, multiple KGCs deployed to accomplish the coverage should be managed with a centralized control entity. This enables the attack vectors on decentralized KGC entities. Moreover, the reliance on CFO and IQI features require the nodes to be stationary. This would be an issue considering most IoT devices are mobile and their RF‐based characteristics vary in a timely manner. Aman et al. proposed a PUF‐based authentication protocol for scenarios when an IoT device is connecting with a server and a D2D connectivity focused on its applicability in vehicular networks. Authentication is based on a Challenge Response Pair (CRP), where the outcome of the CRP is correlated with the physical microscopic structure of the IoT device, which emphasizes its unique PUF attributes with the inherent variability of the fabrication process in Integrated Circuits (ICs). The proposed protocol was analyzed using Mao and Boyd logic, while Finite State Machine (FSM) and reachability analysis techniques have been adopted for formal verification. Even though the performance of the protocol has been analyzed in terms of computational complexity, communication overhead and storage requirement, its scalability with simultaneous multiple IoT device connections to the server have not been addressed. However, this approach would be a feasible solution for V2E applications as the PUF could be successfully integrated with vehicles.

A human‐gait pattern based on the biometric extraction scheme WifiU has been proposed in [88] as a case study that uses Channel State Information (CSI) of the received Wi‐Fi signals for determining the gait pattern of the person carrying the transmitter. The gait patterns are becoming a novel biometric mode and this solution is a cost‐effective approach which does not employ any floor sensors or human wearables. However, the applicability of WifiU for IoT devices raises concerns over scalability, accuracy of the gait‐pattern extraction from CSI, reliability of CSI measurement and Wi‐Fi interference. Chauhan et al. in [90] proposes a Recurrent Neural Network (RNN) based on human breath print authentication system for mobile, wearable, and IoT platforms employing a derived breath print as a biometric through acoustic analysis. Even though this approach depicts a viable biometric solution for human interfacing IoT applications, the breath print extraction would be dependent on the health, climatic circumstances and physical stability of the user.

If the proposed authentication schemes are not fully holistically applicable for IoT deployments, optimum solutions at different layers and specific applications could be aggregated to form an impregnable access control system, where the interconnectivity across them should be maintained by decentralized trust domain managers. However, the access control mechanism optimum for each application should be investigated for each case in order to ensure robustness.

2.6 Future Research Directions

This section proposes several new research approaches and directions that could have a high impact for the future of the IoT security.

2.7 Conclusions

IoT technology is the most discussed paradigm in the research community these days. Its potential to connect all the devices in the world and to create a large information system that would offer services to improve the quality of human beings exponentially has made the concept much more popular. The integration of various technologies and devices with different architectures are creating interoperability issues with the components in the IoT architecture. These issues and the highly diversified type of services are creating security concerns which disperse into all three layers of IoT architecture: Perception, Network, and Application. Hence, the security measures to be taken should be developed while analyzing the threats and vulnerabilities at each layer.

Mitigating risks associated with security breaches are possible, if security receives consideration from early product planning and design, and if some basic prevention mechanisms are in place. Enactment and standardization will simplify the manufacturing and development processes, give the market an incentive for mass‐adoption and also increase the security posture of IoT products and services. Security will have to be inbuilt so that IoT can withstand a chance against the threats that technological advancements will bring.

References

1. 1 Alaba, F., Othman, M., Hashem, I., and Alotaibi, F. (2017). Internet of things security: a survey. Journal of Network and Computer Applications 88: 10–28.
2. 2 Kim, H. and Lee, E.A. (2017). Authentication and authorization for the internet of things. IT Professional 19 (5): 27–33.
3. 3 Jurcut, A., Coffey, T., Dojen, R., and Gyorodi, R. (2008). Analysis of a key‐establishment security protocol. Journal of Computer Science and Control Systems 2008: 42–47.
4. 4 Jurcut, A.D., Coffey, T., and Dojen, R. On the prevention and detection of replay attacks using a logic‐based verification tool. In: Computer Networks, vol. 431 (eds. A. Kwiecień, P. Gaj and P. Stera), 128–137. Switzerland: Springer International Publishing.
5. 5 Jurcut, A.D., Liyanage, M., Chen, J. et al. (2018). On the security verification of a short message service protocol. Presented at the. In: 2018 IEEE Wireless Communications and Networking Conference (WCNC). Barcelona, Spain: (April, 2018).
6. 6 Deogirikar, J. and Vidhate, A. (2017). Security attacks in IoT: a survey. In: 2017 International Conference on I‐SMAC (IoT in Social, Mobile, Analytics and Cloud). Coimbatore, India: (February 2017).
7. 7 Pasca, V., Jurcut, A., Dojen, R., and Coffey, T. (2008). Determining a parallel session attack on a key distribution protocol using a model checker. In: ACM Proceedings of the 6th International Conference on Advances in Mobile Computing and Multimedia (MoMM '08) Linz, Austria (24–26 November). New York, USA: ACM.
8. 8 Jurcut, A.D., Coffey, T., and Dojen, R. (2017). A novel security protocol attack detection logic with unique fault discovery capability for freshness attacks and interleaving session attacks. IEEE Transactions on Dependable and Secure Computing https://doi.org/10.1109/TDSC.2017.2725831.
9. 9 Liyanage, M., Braeken, A., Jurcut, A.D. et al. (2017). Secure communication channel architecture for software defined Mobile networks. Journal of Computer Networks 114: 32–50.
10. 10 Jurcut, A., Coffey, T., and Dojen, R. (2014). Design requirements to counter parallel session attacks in security protocols. Presented at the. In: 12th IEEE Annual Conference on Privacy, Security and Trust (PST'14). in Toronto Canada (July 2014).
11. 11 Jurcut, A.D., Coffey, T., and Dojen, R. (2014). Design guidelines for security protocols to prevent replay & parallel session attacks. Journal of Computers & Security 45: 255–273.
12. 12 Jurcut, A.D., Coffey, T., and Dojen, R. (2012). Symmetry in security protocol cryptographic messages – a serious weakness exploitable by parallel session attacks. Presented at the . In: 7th IEEE International Conference on Availability, Reliability and Security (ARES'12). Prague, Czech Republic: (August 2012).
13. 13 Jing, Q., Vasilakos, A.V., Wan, J. et al. (2014). Security of the internet of things: perspectives and challenges. Wireless Networks 20 (8): 2481–2501.
14. 14 Zhao, K. and Ge, L. (2013). A survey on the internet of things security. Presented at the. In: 2013 9th International Conference on Computational Intelligence and Security (CIS). in Leshan, China (December 2013).
15. 15 Weis, S.A., Sarma, S.E., Rivest, R.L., and Engels, D.W. (2004). Security and privacy aspects of low‐cost radio frequency identification systems. In: Security in Pervasive Computing (eds. D. Hutter, G. Muller, W. Stephan and M. Ullmann), 201–212. Springer.
16. 16 Kumar, T., Liyanage, M., Ahmad, I. et al. (2018). User privacy, identity and trust in 5G. In: A Comprehensive Guide to 5G Security (eds. M. Liyanage, I. Ahmad, A.B. Abro, et al.), 267. Wiley.
17. 17 Kavun, E.B. and Yalcin, T. (2010). A lightweight implementation of keccak hash function for radio‐frequency identification applications. In: International Workshop on Radio Frequency Identification: Security and Privacy Issues. New York, USA (23–24 June 2015): Springer.
18. 18 Zhang, Y., Shen, Y., Wang, H. et al. (2015). On secure wireless communications for IoT under eavesdropper collusion. IEEE Transactions on Automation Science and Engineering 13 (3): 1281–1293.
19. 19 Massis, B. (2016). The internet of things and its impact on the library. New Library World 117 (3/4): 289–292.
20. 20 Liu, Y., Cheng, C., Gu, T. et al. (2016). A lightweight authenticated communications scheme for a smart grid. IEEE Transactions on Smart Grid 7 (3): 1304–1313.
21. 21 Kumar, T., Porambage, P., and Ahmad, I. (2018). Securing gadget‐free digital services. Computer 51 (11): 66–77.
22. 22 Horrow, S. and Anjali, S. (2012). Identity management framework for cloud based internet of things. In: Proceedings of the First International Conference on Security of Internet of Things, SecurIT' 12. Kollam, India (17–19 August 2012): ACM.
23. 23 Lin, X., Sun, X., Wang, X. et al. (2008). TSVC: timed efficient and secure vehicular communications with privacy preserving. IEEE Transactions on Wireless Communications 7 (12): 4987–4998.
24. 24 Lin, X. and Li, X. (2013). Achieving efficient cooperative message authentication in vehicular ad hoc networks. IEEE Transactions on Vehicular Technology 62 (7): 3339–3348.
25. 25 Zhou, J., Dong, X., Cao, Z. et al. (2015). 4S: a secure and privacy‐preserving key management scheme for cloud‐assisted wireless body area network in m‐healthcare social networks. Information Sciences 314: 255–276.
26. 26 Sen, J. (2011). Privacy preservation Technologies in Internet of things. In: Proceedings of International Conference on Emerging Trends in Mathematics, Technology, and Management, (18–20 November 2011).
27. 27 Zhou, J., Dong, X., Cao, Z. et al. (2015). Secure and privacy preserving protocol for cloud‐based vehicular DTNs. IEEE Transactions on Information Forensics and Security 10 (6): 1299–1314.
28. 28 Roman, R., Alcaraz, C., Lopez, and Sklavos, N. (2011). Key management systems for sensor networks in the context of the internet of things. Computers and Electrical Engineering 37 (2): 147–159.
29. 29 Zhou, J., Cao, Z., Dong, X. et al. (2015). TR‐MABE: White‐Box Traceable and Revocable Multi‐Authority Attribute‐Based Encryption and Its Applications to Multi‐Level Privacy‐Preserving e‐Heathcare Cloud Computing Systems. IEEE INFOCOM.
30. 30 Lu, R., Lin, X., Zhu, H. et al. (2010). Pi: a practical incentive protocol for delay tolerant networks. IEEE Transactions on Wireless Communications 9 (4): 1483–1492.
31. 31 Paillier, P. (1999). Public key cryptosystems based on composite degree residuosity classes. In: Eurocrypt '99 Proceedings of the 17^th international conference on Theory and application of cryptographic techniques. Prague, Czech Republic (2–6 May 1999): ACM.
32. 32 Groth, J. and Sahiai, A. (2008). Efficient noninteractive proof systems for bilinear groups. In: Advances in Cryptology®EUROCRYPT. Istanbul, Turkey (13–17 April 2008): Springer.
33. 33 Akhunzada, A., Gani, A., Anuar, N.B. et al. (2016). Secure and dependable software defined networks. Journal of Network and Computer Applications 61: 199–221.
34. 34 Miorandi, D., Sicari, S., De Pellegrini, F., and Chlamtac, C. (2012). Internet of things: vision, applications and research challenges. Ad Hoc Networks 10 (7): 1497–1516.
35. 35 Porambage, P., Okwuibe, J., Liyanage, M. et al. (2018). Survey on multi‐access edge computing for internet of things realization. IEEE Communication Surveys and Tutorials 20 (4): 2961–2991.
36. 36 Garcia‐Morchon, O., Hummen, R., Kumar, S. et al. (2012) Security considerations in the ip‐based internet of things, draft‐garciacore‐security‐04.
37. 37 Singh, J., Pasquier, T., Bacon, J. et al. (2015) Twenty security considerations for cloud‐supported internet of things.
38. 38 Bekara, C. (2014). Security issues and challenges for the IoT‐based smart grid. Procedia Computer Science 34: 532–537.
39. 39 Kouicem, D., Bouabdallah, A., and Lakhlef, H. (2018). Internet of things security: a top‐down survey. Journal of Computer Networks 141: 199–121.
40. 40 Desai, D. and Upadhyay, H. (2014). Security and privacy consideration for internet of things in smart home environments. International Journal of Engineering Research and Development 10 (11): 73–83.
41. 41 Kumar, J.S. and Patel, D.R. (2014). A survey on internet of things: security and privacy issues. International Journal of Computer Applications 90 (11).
42. 42 Stamp, M. (2011). Information Security, 2e. Hoboken, N.J: Wiley.
43. 43 Borgia, E. (2014). The internet of things vision: key features, applications and open issues. Computer Communications 54: 1–31.
44. 44 Xu, L., Collier, R., and O'Hare, G.M.P. (2017). A survey of clustering techniques in wsns and consideration of the challenges of applying such to 5g iot scenarios. IEEE Internet of Things Journal 4: 1229–1249.
45. 45 Wu, M., Lu, T.‐J., Ling, F.‐Y. et al. (2010). Research on the architecture of internet of things. In: 2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). Chengdu, China: (20–22 August 2010).
46. 46 Feki, M.A., Kawsar, F., Boussard, M., and Trappeniers, L. (2013). The internet of things: the next technological revolution. Computer 46: 24–25.
47. 47 Contiki. http://www.contiki-os.org (accessed 16 July 2019).
48. 48 Brillo. https://developers.google.com/brillo (accessed 16 July 2019).
49. 49 Tinyos. http://www.tinyos.net (accessed 16 July 2019).
50. 50 Openwsn. http://openwsn.atlassian.net (accessed 16 July 2019).
51. 51 Riot. http://www.riot-os.org (accessed 16 July 2019).
52. 52 Porambage, P., Manzoor, A., Liyanage, M. et al. (2019). Managing Mobile Relays for Secure E2E Connectivity of Low‐Power IoT Devices. IEEE Consumer Communications & Networking Conference, Las Vegas, USA (11–14 January 2010). IEEE.
53. 53 Perera, C., Jayaraman, P.P., Zaslavsky, A. et al. (2014). Mosden: an internet of things middleware for resource constrained mobile devices. In: 47th Hawaii International Conference on System Sciences. Hawaii, USA (6–9 January 2014): IEEE.
54. 54 Zhou, H. (2012). The Internet of Things in the Cloud: A Middleware Perspective, 1e. Boca Raton, FL, USA: CRC Press, Inc.
55. 55 Xu, L., Lillis, D., O'Hare, G.M., and Collier, R.W. (2014). A user configurable metric for clustering in wireless sensor networks. In: SENSORNETS. Lisbon, Portugal (7–9 January 2014): SciTePress.
56. 56 Ngu, A.H., Gutierrez, M., Metsis, V. et al. (2017). Iot middleware: a survey on issues and enabling technologies. IEEE Internet of Things Journal 4: 1–20.
57. 57 Srivastava, V. and Motani, M. (2005). Cross‐layer design: a survey and the road ahead. IEEE Communications Magazine 43: 112–119.
58. 58 Zhang, Q. and Zhang, Y.Q. (2008). Cross‐layer design for qos support in multihop wireless networks. Proceedings of the IEEE 96: 64–76.
59. 59 Zanella, A., Bui, N., Castellani, A. et al. (2014). Internet of things for smart cities. IEEE Internet of Things Journal 1: 22–32.
60. 60 Roman, R., Zhou, J., and Lopez, J. (2013). On the features and challenges of security and privacy in distributed internet of things. Computer Networks 57 (10): 2266–2279.
61. 61 Lin, I., I.C. and Liao, T.C. (2017). A survey of blockchain security issues and challenges. International Journal of Network Security 19: 653–659.
62. 62 Underwood, S. (2016). Blockchain beyond bitcoin. Communications of the ACM 59: 15–17.
63. 63 How blockchain can change the future of IoT (2016). https://venturebeat.com/2016/11/20/how-blockchain-can-change-the-future-of-iot (accessed 16 July 2019).
64. 64 Chiang, M. and Zhang, T. (2016). Fog and iot: an overview of research opportunities. IEEE Internet of Things Journal 3: 854–864.
65. 65 Liyanage, M., Ahmad, I., Abro, A.B. et al. (eds.) (2018). A Comprehensive Guide to 5G Security. Wiley.
66. 66 Munoz, R., Mangues‐Bafalluy, J., Vilalta, R. et al. (2016). The cttc 5g end‐to‐end experimental platform: integrating heterogeneous wireless/optical networks, distributed cloud, and iot devices. IEEE Vehicular Technology Magazine 11: 50–63.
67. 67 Fantacci, R., Pecorella, T., Viti, T., and Carlini, C. (2014). A network architecture solution for efficient iot wsn backhauling: challenges and opportunities. IEEE Wireless Communications 21: 113–119.
68. 68 Ahmad, I., Kumar, T., Liyanage, M. et al. (2018). Overview of 5G security challenges and solutions. IEEE Communications Standards Magazine 2 (1): 36–43.
69. 69 Xu, L., Xie, J., Xu, X., and Wang, S. (2016). Enterprise lte and wifi interworking system and a proposed network selection solution. In: 2016 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS). Santa Clara, USA (17–18 March 2016): ACM/IEEE.
70. 70 Liyanage, M., Gurtov, A., and Ylianttila, M. (eds.) (2015). Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture. New York: Wiley.
71. 71 Liyanage, M., Abro, A.B., Ylianttila, M., and Gurtov, A. (2016). Opportunities and challenges of software‐defined mobile networks in network security. IEEE Security and Privacy 14 (4): 34–44.
72. 72 Tehrani, M.N., Uysal, M., and Yanikomeroglu, H. (2014). Device‐to‐device communication in 5g cellular networks: challenges, solutions, and future directions. IEEE Communications Magazine 52: 86–92.
73. 73 Shariatmadari, H., Ratasuk, R., and Iraji, S. (2015). Machine‐type communications: current status and future perspectives toward 5g systems. IEEE Communications Magazine 53: 10–17.
74. 74 Fog Computing and the Internet of Things: Extend the Cloud to where the Things Are. http://www.cisco.com/c/dam/en_us/solutions/trends/iot/docs/computing-overview.pdf (accessed 25 June 2019).
75. 75 Rouse, M. (2016). Edge computing. http://searchdatacenter.techtarget.com/definition/edge-computing. (accessed 25 June 2019).
76. 76 CEN‐CENELEC‐ETSI Smart Grid Coordination Group. (2014). SGCG/M490/G Smart Grid Set of Standards Version 3.1, Oct‐2014. ftp://ftp.cencenelec.eu/EN/EuropeanStandardization/HotTopics/SmartGrids/SGCG_Standards_Report.pdf (accessed 25 June 2019).
77. 77 Ahmad, I., Kumar, T., Liyanage, M. et al. (2018). Towards gadget‐free internet services: a roadmap of the naked world. Telematics and Informatics 35 (1): 82–92.
78. 78 Rajakaruna, A., Manzoor, A., Porambage, P. et al. (2018). Lightweight Dew Computing Paradigm to Manage Heterogeneous Wireless Sensor Networks with UAVs. arXiv preprint arXiv:1811.04283.
79. 79 Rahimi, H., Zibaeenejad, A. and Safavi, A.A. (2018). A Novel IoT Architecture based on 5G‐IoT and Next Generation Technologies. GlobeCom‐IoT. https://arxiv.org/ftp/arxiv/papers/1807/1807.03065.pdf (accessed 25 June 2019).
80. 80 Srilakshmi, A., Rakkini, J., Sekar, K.R., and Manikandan, R. (2018). A comparative study on internet of things (IoT) and its applications in smart agriculture. Pharmacognosy Journal 10 (2): 260–264.
81. 81 Williams, R., McMahon, E., Samtani, S. et al. (2017). Identifying vulnerabilities of consumer internet of things (IoT) devices: a scalable approach. In: 2017 IEEE International Conference on Intelligence and Security Informatics (ISI). Beijing, China (22–24 July 2017): IEEE.
82. 82 Frustaci, M., Pace, P., Aloi, G., and Fortino, G. (2018). Evaluating critical security issues of the IoT world: present and future challenges. IEEE Internet of Things Journal 5 (4): 2483–2495.
83. 83 Fiore, U., Castiglione, A., De Santis, A., and Palmieri, F. (2017). Exploiting battery‐drain vulnerabilities in mobile smart devices. IEEE Transactions on Sustainable Computing 2 (2): 90–99.
84. 84 Xiao, Q., Gibbons, T., and Lebrun, H. (2009). RFID technology. Security Vulnerabilities, and Countermeasures https://doi.org/10.5772/6668 : https://www.researchgate.net/publication/221787702_RFID_Technology_Security_Vulnerabilities_and_Countermeasures (accessed 25 June 2019).
85. 85 Khalajmehrabadi, A., Gatsis, N., Akopian, D., and Taha, A. (2018). Real‐time rejection and mitigation of time synchronization attacks on the global positioning system. IEEE Transactions on Industrial Electronics 65 (8): 6425–6435.
86. 86 Ning, H., Liu, H., and Yang, Y. (2015). Aggregated‐proof based hierarchical authentication scheme for the internet of things. IEEE Transactions on Parallel and Distributed Systems 26 (3): 657–667.
87. 87 Hao, P., Wang, X., and Shen, W. (2018). A collaborative PHY‐aided technique for end‐to‐end IoT device authentication. IEEE Access 6: 42279–42293.
88. 88 Shahzad, M. and Singh, M.P. (2017). Continuous authentication and authorization for the internet of things. IEEE Internet Computing 21 (2): 86–90.
89. 89 Aman, M.N., Chua, K.C., and Sikdar, B. (2017). Mutual authentication in IoT systems using physical unclonable functions. IEEE Internet of Things Journal 4 (5): 1327–1340.
90. 90 Chauhan, J., Seneviratne, S., Hu, Y. et al. (2018). Breathing‐based authentication on resource‐constrained IoT devices using recurrent neural networks. Computer 51 (5): 60–67.
91. 91 Ni, J., Lin, X., and Shen, X.S. (2018). Efficient and secure service‐oriented authentication supporting network slicing for 5G‐enabled IoT. IEEE Journal on Selected Areas in Communications 36 (3): 644–657.
92. 92 Ravindran, R., Chakraborti, A., and Amin, S. (2017). 5G‐ICN: delivering ICN services over 5G using network slicing. IEEE Communications Magazine 55 (5): 101–107.
93. 93 Harel, R., and Babbage, S. (2016). 5G Security Recommendations Package #2: Network Slicing, published by NGMN Alliance, Ver. 01. https://www.ngmn.org/fileadmin/user_upload/160429_NGMN_5G_Security_Network_Slicing_v1_0.pdf (accessed 25 June 2019).
94. 94 Siriwardhana, Y., Porambage, P., Liyanage, M. et al. (2019). Micro‐Operator driven Local 5G Network Architecture for Industrial Internet. IEEE Wireless Communications and Networking Conference, Marrakech, Morocco (15–18 April 2019). IEEE.
95. 95 Dotaro, E. (2018). 5G Network Slicing and Security. IEEE SDN newsletter, https://sdn.ieee.org/newsletter/january-2018/5g-network-slicing-and-security (accessed 25 June 2019).
96. 96 Yao, X., Chen, Z., and Tian, Y. (2015). A lightweight attribute‐based encryption scheme for the internet of things. Future Generation Computer Systems 49: 104–112.
97. 97 Kumar, T., Braeken, A., Liyanage, M., and Ylianttila, M. (2017). Identity privacy preserving biometric based authentication scheme for naked healthcare environment. In: 2017 IEEE International Conference on Communications (ICC). Paris, France (21–25 May 2017): IEEE.
98. 98 Braeken, A., Liyanage, M., and Jurcut, A.D. (2019). Anonymous lightweight proxy based key agreement for IoT (ALPKA). Wireless Personal Communications 106 (2): 1–20.
99. 99 Manzoor, A., Liyanage, M., Braeken, A. et al. (2018). Blockchain based Proxy Re‐Encryption Scheme for Secure IoT Data Sharing. IEEE International Conference on Blockchain and Cryptocurrency (ICBC 2019), Seoul, South Korea (14–17 May 2019). IEEE.
100. 100 Liyanage, M., Salo, J., Braeken, A. et al. (2018). 5G privacy: scenarios and solutions. In: 2018 IEEE 5G World Forum (5GWF). Silicon Valley, USA (9–11 July 2018): IEEE.
101. 101 Kumar, T., Braeken, A., Jurcut, A.D., Liyanage, M., and Ylianttila, M. (2019). AGE: Authentication in Gadget-Free Healthcare Environments. Information Technology and Management Journal, Springer US.
102. 102 Xu, L., Jurcut, AD., and Ahmadi, H. (2019). Emerging Challenges and Requirements for Internet of Things in 5G. 5G‐Enabled Internet of Things. CRC Press.