The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/2056-4961.htm
ICS
27,2
292
Received 11 July 2018
Revised 1 January 2019
Accepted 3 January 2019
Information & Computer Security
Vol. 27 No. 2, 2019
pp. 292-323
© Emerald Publishing Limited
2056-4961
DOI 10.1108/ICS-07-2018-0084
A survey on the Internet of
Things security
State-of-art, architecture, issues and
countermeasures
Omerah Yousuf and Roohie Naaz Mir
Department of Computer Science and Engineering,
National Institute of Technology Srinagar, Srinagar, India
Abstract
Purpose – Internet of Things (IoT) is a challenging and promising system concept and requires new types
of architectures and protocols compared to traditional networks. Security is an extremely critical issue for IoT
that needs to be addressed efficiently. Heterogeneity being an inherent characteristic of IoT gives rise to many
security issues that need to be addressed from the perspective of new architectures such as software defined
networking, cryptographic algorithms, federated cloud and edge computing.
Design/methodology/approach – The paper analyzes the IoT security from three perspectives: three-
layer security architecture, security issues at each layer and security countermeasures. The paper reviews the
current state of the art, protocols and technologies used at each layer of security architecture. The paper
focuses on various types of attacks that occur at each layer and provides the various approaches used to
countermeasure such type of attacks.
Findings – The data exchanged between the different devices or applications in the IoT environment
are quite sensitive; thus, the security aspect plays a key role and needs to be addressed efficiently. This
indicates the urgent needs of developing general security policy and standards for IoT products. The
efficient security architecture needs to be imposed but not at the cost of efficiency and scalability. The
paper provides empirical insights about how the different security threats at each layer can be
mitigated.
Originality/value – The paper fulfills the need of having an extensive and elaborated survey in the field of
IoT security, along with suggesting the countermeasures to mitigate the threats occurring at each level of IoT
protocol stack.
Keywords Attacks, Internet of things, Security, IoT layered architecture
Paper type Literature review
1. Introduction
Since its introduction in the year 1999 by Kevin Ashton, IoT has turned out to be one of
the most common buzzwords we come across in the research community these days.
There is no standard definition as of now for the IoT because it is such an evolving field
that we actually do not know what things will be covered under it in the near future.
One of the most common definitions accepted widely for the Internet of Things (IoT)
can be as: “Collection of ‘things’ embedded with electronics, software, sensors and
actuators and connected via the internet to collect and exchange data with each
other”(Yang et al., 2017). The IoT devices are equipped with sensors and processing
power that enable them to be deployed in many environments. The impact of human
role has been minimized in the IoT. IoT can possibly cover all the fields of research
nowadays but we majorly focus on the areas of sensing, heterogeneous access,
information processing, applications and services and additional components such as Internet of
security and privacy. The IoT connects objects from different environments into a Things
single large network based on the Internet Protocol and is the basis for the development
of the so-called smart environments, such as smart houses, factories or even cities. The
security
IoT can be envisioned as set of interconnected objects that allows people and things to
be connected anytime, Anyplace, with Anything and Anyone, using Any path/network
and Any service as shown in Figure 1 (Balte et al., 2015). The composition of IoT
consists of various elements: 293
 Everyday devices.
 Smart homes and cities.
 Machine-to-machine (M2M) and wireless sensor networks.
 Telemedicine and Healthcare.
 Embedded Mobile.
 Management and automation of everyday services.
 Controlling and securing the services provided.
 Management of energy consumption.

IoT at times is interchangeably used with M2M (communication) systems but

essentially, they are not identical, although they may largely overlap with one other. A
shared characteristic of both can be remote access to devices. However, there are some
essential differences between them. M2M connects “things” with a computer. M2M
refers to communication between two or more devices by means of a mobile or fixed
network and is vertical point-to-point communication. M2M applications consist of a
hardware module embedded into a device on the user side and its main objective is to
reduce management and maintenance costs. In contrast to M2M, IoT is a broader
concept than M2M and connects a computer with “things”. IoT is based on the IP for
horizontal connection of devices to a cloud or user platform. IoT is more oriented
toward software solution or IP network while M2M is mainly oriented toward the
installation of SIM cards or drawing a fixed line (Weber, 2016).

Anything
Any Device

Anytime
Anyone
Any Context
Anybody
INTERNET
OF
THINGS
Any Service
Any Place
Any Business
Anywhere

Any Path
Any Network
Figure 1.
IoT envisioning
ICS 1.1 Background
27,2 The challenge of securing the IoT has emerged as one of the prominent aspects in the field of
IoT development. The IoT introduces a wide range of new security risks and challenges to
the IoT devices themselves, their platforms and operating systems, their communications
and even the systems to which they are connected (such as using IoT devices as an attack
channel). Security technologies will be required to protect IoT devices and platforms from
294 both information attacks and physical tampering to encrypt their communications and to
address new challenges such as impersonating things or denial-of-sleep attacks that drain
batteries.
1.1.1 Current state-of-art. The power of IoT lies both in the physical world and in the
virtual world. Things are digitized and we send the digital information over the network to
the distant controller to turn a machine on or off depending upon the scenario (Kranz, 2017).
Today, leading organizations will treat security as a manageable risk to be considered and
countered, along with all of the other risks they manage. The process for managing IoT
security risks is the same as that for any other risk: identify the likely individual threats,
assess each threat in terms of its likelihood of occurring and the damage it can cause,
identify and deploy defensive measures appropriate to each risk's likelihood and potential
damage. Different vulnerability types produce different threats with the potential for
different damage. A threat that can potentially shut down a factory assembly line or an oil
rig is a different magnitude than a threat that can interfere with an inventory stocking
process. By assessing the value at risk, we can make informed decisions about how much to
invest in defensive measures. In this way, investing in IoT security is no different from
buying any of the different types of insurance the organization needs. The investment in all
cases should be commensurate with the likelihood of the risk and the potential value of the
loss or damage. The scope and variety of its solutions effectively prevent the emergence of
no-fail security defense. Its technology is constantly changing, the solutions are continually
evolving, and so, too, are the threats and attack vectors. Risk management is an ongoing
process that must be revisited at least yearly, perhaps even more often, as different
solutions' change and new threats emerge. The key for all of us is to be smart and aware of
its risks and not to be afraid. The old way of thinking about security and secure systems
was to keep the bad thing out and the bad guys away. This was often referred to as “security
by isolation” or a “perimeter defense.”A new approach treats security compromises as a
normal part of life. It recognizes that security cannot be flawless without completely
shutting down the systems that a user may not want to do. Instead, use risk assessments to
determine how much risk we can afford to tolerate for each system and business process.
Then use policies, analytics and automation to enable the systems to automatically prioritize
and defeat attacks based on these assessments. Aim for a proper balance between the
benefits of safe, uninterrupted system operation and the risks of any potential security
failure. This new approach applies to both IoT users and vendors. Specifically, users need to
take an architectural approach, break the current silos, and not live in denial. Vendors need
to take an architectural approach, too, and drive industry collaboration and interoperability.
Most importantly, they need to design security into everything, right from the start. Another
issue to consider is the fact that physical separation as a security defense practice does not
work. It does not mean that suddenly we need to go to another extreme and open up all your
data and move everything to the cloud far from it. Therefore, the industry is implementing
hybrid approaches and policy-based data architectures. Christian Christiansen, the program
vice president for International Data Corporation’s (IDC’s) Security Products, believes that
90 per cent of the current IoT security offerings are just repackaged general-purpose
security technologies. Some vendors, for example, offer a generic gateway for it with the
promise that it will work across a broad range of technologies. They also offer a generic Internet of
firewall housed in a ruggedized enclosure with any additional signatures and support for Things
industrial protocols. Such offerings simply miss the point and are ineffective in meeting IoT
security challenges. A large part of the problem, according to IDC, is the difficulty in finding
security
experienced security staff. IDC reports that trying to recruit security professionals with five
to 10 years of experience is a far bigger problem than hiring entry-level IT security
employees. The solution, IDC suggests, lies with meeting the continuing need for more
intelligent orchestration and automation to reduce the reliance on and need for more human 295
interactions in the security workflow. Analytics, and especially predictive analytics
incorporated into orchestration and automation processes, can go a long way toward
overcoming the shortage of skilled security personnel. Good software as expensive as it may
seem is still cheaper than hiring more people. Meanwhile, April 25, 2016, press release from
Gartner predicted that by 2020, more than 25 per cent of identified attacks in enterprises
would involve it. As a result, the research firm expects worldwide spending on its security to
reach 348m in 2016, a 23.7 per cent increase from 2015 spending of 281.5m. Furthermore,
this number is expected to reach 547m in 2018. Although overall spending will be moderate
initially, Gartner also predicts that the IoT security market will increase at a faster rate after
2020, as improved skills, organizational change, and more scalable service options improve
execution and drive IoT expansion (Hung and President, 2017).The press releases quoted
Gartner Research Director Ruggero Contu, who predicted that despite the fact that by 2020,
more than 25 per cent of identified attacks in enterprises will involve IoT, it would account
for less than 10 per cent of IT security budgets. Such limited IT budgets, combined with the
decentralized approach to early IoT implementations, will prove challenging for security
vendors struggling to justify the prioritization of IoT capabilities in their portfolios. The
county also expects many vendors to prioritize spotting vulnerabilities and exploits, rather
than the segmentation and other long-term measures that will provide a more sustainable
and architecturally sound approach to IoT security. Contu went on to say that “the effort of
securing IoT is expected to focus more and more on the management, analytics, and
provisioning of devices and their data. Its business scenarios will require a delivery
mechanism that can also grow and keep pace with requirements in monitoring, detection,
access control, and other security needs.” The future of cloud-based security services is, in
large part, linked with the future of IoT. In fact, its fundamental strength in scale and
presence will not be fully realized without cloud-based security services that can cost-
effectively deliver an acceptable level of operation to many organizations. Hung (2017)
predicts that by 2020, more than half of all IoT implementations will use some form of cloud-
based security service. Maciej Kranz writes in his book (Kranz, 2017) that my own
experience and observations generally concur with the conclusions of both IDC and Gartner.
However, IoT security is not solely a technology challenge. The researchers should invest in
tools to address specific security concerns. However, more importantly, you need to engage
the entire organization in the security effort – starting with top management and insist that
decisions be made based on informed risk management, threat assessment, and security
policies. From there, we can determine which security technologies are needed and which
damage mitigation tools to implement (Westervelt and Dugar, 2017).
1.1.2 Research problem. The problem of IoT security needs to be addressed efficiently
from the perspective of the current challenges and the new paradigms that can be exploited
to provide better, less-resource-consuming security solutions. The paper discusses the
challenges in IoT security and provides the means that can be used to address the issue.
IoT has achieved a lot of success in the IT world and is finding its application in every
field. IoT-based systems have to manage a huge amount of data and the issue of providing
ICS security in the IoT is posing a major challenge to the researchers in the current era. An
27,2 attacker may be interested in stealing sensitive information, e.g. account passwords, credit
card numbers and patient’s information, or may compromise the IoT components. There are
many critical situations where a user needs to deliver an authenticated message to the
receiver without the intervention of an attacker. Consider a remote health monitoring, an
important application of the IoT. Every day, lots of people die because they do not get
296 proper medical attention. With the help of IoT technology, devices fitted with sensors are
kept on the patient’s body that monitors the condition of a patient. The information collected
from these sensors is fed to a smart-phone that notifies about the condition of a patient to a
doctor. If, however, an attacker will intercept this collected information, the doctor will not
get an authenticated message from a patient and hence can have a serious effect on the
health of a person. Therefore, securing the information becomes a serious issue in the field of
IoT that need to be addressed efficiently.

1.2 Scope of applications

Applications of IoT in various areas in day-to-day life are described in Table I (Matharu,
2014).
Rest of the paper is organized as follows:
Section 2 discusses the need for additional survey article. Section 3 discusses the various
challenges in the development of IoT. Section 4 presents the security architecture of IoT
along with the protocols and technologies used at each layer. We present the various
security principles of IoT in Section 5 and detailed discussion of various types of attacks at
each layer of IoT in Section 6. An analysis of various security countermeasures is presented
in Section 7. Finally, we highlight the open questions, lessons learned and future research
directions in Section 8, and conclusions are drawn in Section 9. References are listed at the
end.

2. Need for additional survey article

The survey paper – “Survey on the Internet of Things Security: State-of-Art, Architecture,
Issues and Countermeasures” – is quite novel, comprehensive and detailed in its approach as
compared to other survey articles published in the recent past because:
 The paper builds on exploiting the background of the IoT and eliciting the current
state-of-art which constitutes the work of the prominent authors from both the
research and industry domain. Many of the prominent surveys and the reports by
the top industrial giants are considered. From the recommendations and the work is
done so far in the field of the IoT security, the paper aims at classifying the different

Area of Area of
application Examples application Examples

Home and Personal computers, intrusion Smart cities Smart parking, smart lighting
building detection system
Health Patients surveillance, ultraviolet Security and Liquid presence, perimeter access control
radiation emergencies
Smart Green houses, meteorological Logistics Storage incompatibility detection, quality
agriculture station network of shipment conditions
Table I. Smart Air pollution, forest fire Smart industry Temperature monitoring, vehicle auto-
Applications of IoT environment detection diagnosis
 attacks and the countermeasures that can be undertaken to provide the security Internet of
against these attacks. Things
 The paper discusses the various challenges in the development of IoT and explains security
why security is one of the main challenges that need to be addressed. Apart from it,
the security protocol stack is discussed from the perspective of three-Layer IoT
architecture.
 Security issues at each and every level of IoT security protocol stack – perception 297
layer, networking layer, and application layer – are discussed. The different attacks
at each layer are identified and classified. Apart from this, each attack is being
supported by its description and the possible way in which the attack is carried out.
The possible solutions suggested by the prominent researchers are provided.
 Most importantly, the security countermeasures that can prevent almost each and
every kind of attack is provided along with advantages and disadvantages which
leaves it to the researchers to implement and use these techniques depending upon
the problem at hand.

3. Various challenges in iot development

The various challenges in the development of IoT are discussed as follows (Lee and Lee,
2015).

3.1 Data management challenge

IoT-based systems gather a large amount of data from the heterogeneous environment that
need to be processed and stored. All the data collected by the user from various networks
may not be useful for future purpose and need not be stored for backup. Consequently, few
organizations are trying to prioritize data for operations or backup based on needs and
value. The present architecture of IoT is not efficient to deal with all the problems related to
gathering and storage of data and hence need to be addressed.

3.2 Data mining challenge

As more and more data is available to the user for processing and analysis, data mining
tools are becoming the need of an hour. Data mining allows enterprises to predict future
trends by sorting through large data sets to identify the patterns and solve problems
through data analysis. Researchers use various data mining approaches like multi-
dimensional databases, machine learning, soft computing etc for processing their data.
Therefore, it is becoming necessary to incorporate the use of data mining techniques in the
field of IoT and also there is a need for more competent data analysts.

3.3 Security challenge

With the growing development in the field of IoT, more and more devices are getting
connected to it. But each new device connected increases the security concerns surrounding
IoT. Ten years ago, we had to worry about protecting our computers only. Five years ago,
we had to worry about protecting our smartphones. Now we have to worry about protecting
our car, our home appliances, our wearables and many other IoT devices. In the year 2014, a
study by Hewlett-Packard revealed that 70 per cent of the most commonly used IoT devices
contain serious vulnerabilities. The authors in (Chetan and Shahabadkar, 2018) discussed
the various existing security challenges – interoperability, resource constraints, privacy
ICS protection and scalability. Therefore, security in IoT is the biggest concern at present and
27,2 needs the attention of researchers.

3.4 Privacy challenge

As IoT is dealing with a large amount of data, this creates more entry points for hackers and
leaves sensitive information vulnerable. Solving IoT privacy problems has a long way to go.
298 An unauthorized person can track the personal details of a user and can make the
unnecessary changes to it. Thus, the issue of privacy in the IoT motivates the researchers to
design new threat and attacker models that can be applied to IoT architectures and design
methods for ensuring the privacy of IoT applications and architectures.

3.5 Chaos challenge

IoT is in a period of chaos as there are too many standards, ecosystems to connect billions of
devices and applications together. In a hyper-connected world, a single error can disrupt the
working of the whole system. For example, medical monitoring systems consist of a large
number of interconnected sensors, controller and communication devices. If a controller will
receive an incorrect signal which may prove fatal to the patient. To prevent such chaos in
the hyperactive connected world, we need to make every effort to reduce the complexity of
connected systems and enhance the security and standardization of applications.

4. Security architecture
Generally, the security architecture of IoT is divided into three layers as shown in Figure 2
(Zhao and Ge, 2013), (Suo et al., 2012). The various layers are discussed as follows.

4.1 Perception layer

(1) It is also known as the “Sensors” layer in IoT.
(2) It is divided into two parts:
 Perception node (data acquisition and data control).
 Perception network (sends collected data to the gateway or to the controller)
(Vasilakos and Wan, 2015).
(3) It is a key component is sensors for capturing and representing the physical world
in the digital world (Atzori et al., 2012).
(4) It collects, detects and processes information and then transmits it to Network
layer.
(5) It performs IoT node collaboration in local and short-range networks.

4.2 Network layer

 It serves function of data routing and transmission to different IoT hubs and
devices over the internet (Yousuf et al., 2015).

Application Layer
(Smart city, Smart car, Smart home etc.)
Figure 2. Network Layer
Security architecture (Mobile communication network,Internet etc.)
of IoT Perception Layer
(RFID, Bluetooth,Wi-Fi, ZigBee etc.)
  Cloud computing platforms, internet gateways, switching and routing devices, etc. Internet of
operate by using technologies, e.g. Wi-Fi, LTE, 3G and ZigBee. Things
 Network gateways serve as the mediator between different IoT nodes by security
aggregating, filtering, transmitting data to and from different sensors (Leo et al.,
2014).

299
4.3 Application layer
 It is the topmost and terminal layer (Atzori et al., 2012).
 It guarantees authenticity, integrity, confidentiality of data.
 The main feature of this layer is data sharing (Alaba et al., 2017).
 Purpose of IoT or creation of a smart environment is achieved on this layer
(Leo et al., 2014).
 It provides personalized services according to the needs of users (Matharu, 2014).

4.4 Protocols and technologies used at each layer

This section describes the various protocols and technologies used at each layer of the
security architecture of IoT as given in Table II (Sain et al., 2017), (Al-fuqaha et al., 2015)
(Triantafyllou et al., 2018).

4.5 IEEE 802.15.4

It is the largest standard which defines the operation of low-rate wireless personal area
networks (LR-WPANs). It is used at the perception layer, which defines frequency, power,
modulation and other wireless conditions of the link. Most frequently used frequency is a
2.4-GHz band and uses carrier sense multiple access with collision avoidance for channel
access. It defines two network topologies: star and peer-to-peer.

4.6 Routing protocol for low power and lossy networks

It is a distance vector and source routing protocol which allows a sender to partially or
completely specify the route the packet takes through the network. A destination-oriented
directed acyclic graph (DODAG) represents the core of routing protocol for low power and
lossy networks (RPL). A DAG is rooted at a single destination at a single DAG root
(DODAG root) with no outgoing edges. RPL routers use two modes of operation:
(1) Non-storing mode – routes messages toward lower level based on IP source
routing; and
(2) Storing mode – downward routing based on destination IPv6 addresses.

Layer Protocols used at each layer Technologies used at each layer

Perception IEEE 802.15.4 RFID and WSN Table II.

Network IPv6, RPL, 6LoWPAN Wi-Fi, 3G, ZigBee Protocols and
Application Constrained application protocol IoT application software technologies
ICS 4.7 IPv6 over low-power wireless personal area networks
27,2 The low-power wireless personal area networks (6LoWPAN) protocol is an open IoT
networking protocol, which defines a fragmentation scheme to handle the total packet size of
1,280 bytes of the IPv6 frame. It was originally built on top of IEEE 802.15.4, but nowadays
it is developed and adapted to operate with other wireless standards including Bluetooth
smart, low power Wi-Fi, PLC etc. It is used for a variety of applications including wireless
300 sensor networks, which rely on IEEE 802.15.4 link layer mechanisms for encryption and
authentication based on Advanced Encryption Standrad (AES).

4.8 Constrained application protocol

It is a specialized Web transfer protocol for use with constrained nodes and constrained
networks. This protocol is designed for M2M applications such as smart energy and
building automation. It enables tiny devices with low power, computation and
communication capabilities to utilize RESTful interactions. It is divided into two sub-layers:
(1) the messaging sub-layer, which detects duplications and provides reliable
communication; and
(2) the request/response sub-layer, which handles REST communications.

4.9 Radio frequency identification

Radio frequency identification (RFID) is a technology in which the information stored on a
tag is read and captured by means of radio waves attached to an object. An RFID system
consists of two parts: a tag or a label and a reader. RFID tags are embedded with a
transmitter and a receiver. A two-way radio transmitter-receiver called an interrogator or
reader is used to read the information encoded on a tag. An antenna emits a signal to tag,
information is written in its memory bank, and the read results are sent to an RFID
computer program.

4.10 Bluetooth
Bluetooth is the foundation for transformative wireless connectivity. It is a wireless
technology standard for transmission of data over a short range (8-10 m). It is based on
IEEE 802.15.1 standard and operates at frequencies between 2,402 and 2,408 MHz or 2,400
and 2,483.5 MHz including guard bands. There are two flavors of Bluetooth technology:
(1) basic rate/enhanced data rate (BR/EDR), which enables continuous wireless
connections and uses a point-to-point topology; and
(2) low energy (LE), which enables short-burst wireless connections and uses multiple
network technologies.

4.11 Wi-Fi (wireless networking)

Wi-Fi is a technology for wireless local area networking based on IEEE 802.11 standards
and uses radio waves to provide wireless high-speed Internet and network connections. The
wireless network is based on access point or hotspot, which broadcast a wireless signal that
can be detected and tuned by computers within the range of 20 m. It commonly uses the
2.4-GHz UHF and 5.8-GHz SHF ISM radio bands and is most vulnerable to eavesdropping.
4.12 ZigBee Internet of
It is a communication protocol used to create personal area networks with small, low-power Things
digital radios and is based on IEEE 802.15.4 specification. It is less expensive than wireless
personal area networks (WPANs), such as Bluetooth or Wi-Fi and has a transmission range
security
of 10-100 meters. It is typically used in low data rate applications which require long battery
life and secure networking.
301
4.13 Key technologies for Internet of Things security
The various key technologies used for providing IoT security are described in Table III
given below (Xiaohui, 2013).

5. Security principles
The main security principles for IoT include the following (Leo et al., 2014).

5.1 Confidentiality
Confidentiality, in the context of information security, allows only authorized users to access
sensitive and protected data. Specific mechanisms ensure confidentiality and safeguard data
from harmful intruders. In IoT, it is very important to ensure that data is secure and is
available to authorized users only. The data collected by the sensors must not be revealed to
the neighboring nodes. Protection of data throughout the process of data collection and data
aggregation is an important requirement.

Key Technology Description Problem Solution

Certification and Certification – refers to a way of ensuring the true identity Difficult to derive key
access control of parties involved in communication information
Access control – refers to the blocking of an illegal entity Node design’s validity
access to resources authentication
Data encryption The main aim is to protect the confidentiality and integrity Data security
of data
Two ways of encryption i.e., node to node and end to end Solves the problem of
encryption eavesdropping
Key management
Middleware The interface between components of IoT Simplifying the development
of new services
Aims at hiding the details of different technologies Integration of legacy
technologies
Must include functions – trust, privacy and security of Effective communications
data among software
Provides API management,
messaging and routing
Cloud computing Cloud computing offers a pathway for the data being Intelligent processing
generated by IoT to reach its destination in an efficient
way
Two key conditions while integrating cloud computing Increases speed and agility
and IoT: Table III.
(i) Scale (ii) Appropriate business model and practical Decreases cost for operating Key technologies in
services data centers IoT
ICS 5.2 Integrity
27,2 Integrity is concerned with ensuring that data are real, accurate and safeguarded from
unauthorized user modification. This feature can be imposed by maintaining end-to-end
security in IoT. Data should come from the right sender and must be transmitted to the
intended receiver. Also, the data should not be altered during the process of transmission.

302 5.3 Availability

Availability is mainly concerned with that the user to access information or resources in a
specified location and in the correct format. Anytime and anywhere availability of data is
very important to the users of IoT. Devices and services must also be reachable and
available when needed in a timely fashion.

5.4 Authentication
Authentication in computer systems context is concerned with – protecting the integrity of a
message, validating the identity of the originator, non-repudiation of origin (dispute
resolution). As many users are involved in the IoT and they need to interact with each other
to exchange the information between them, it is necessary to have a mechanism to mutually
authenticate entities in every interaction. Identification and authentication of other objects
by a particular sensor or object are one of the main characterizations of IoT objects. The
authors in (Ferrag et al., 2017) presented a comprehensive survey of authentication protocols
for IoT based on the target environment and the various ways in which the authentication
protocols for IoT may be improved.

5.5 Lightweight solutions

Lightweight solutions aim at using the lesser resources of the devices. As IoT devices have
inherent power and computational limitations, this kind of unique security feature was
introduced in IoT. It is a restriction that must be considered while designing and
implementing protocols. Device capabilities decide the type of algorithms is meant to be run
on IoT devices (Katagi and Moriai, 2008).

5.6 Heterogeneity
Heterogeneity is kind of an inherent characteristic feature of IoT as it aims at the connecting
device-to-device, human to device and human-to-human. IoT provides a connection between
heterogeneous things and networks. Protocols must be designed to connect different entities
with different capabilities, complexity, and vendors.

5.7 Policies
Policies and standards must be designed to ensure that data will be managed, protected and
transmitted in an efficient way. The policies that are used currently in computer and
network security are not applicable to IoT due to its heterogeneous and dynamic nature.

5.8 Key management systems

There must be a lightweight key management system for all frameworks that can enable
trust between different things and can distribute keys by consuming minimum resources.
5.9 Non-repudiation Internet of
It is important to ensure that someone cannot deny the authenticity of their signature or Things
message originated by them. A device cannot deny that it had not sent the previous
message.
security

5.10 Freshness/no reply

It is important to ensure that the data are recent and not that the old messages have been 303
replaced. There are two types of freshness:
(1) weak freshness – required by sensor measurements; and
(2) strong freshness – used for time synchronization within the network.

6. Security issues at each layer

IoT generally consists of three layers, namely, perception, network and an application layer
that plays an important role in IoT. All of these layers are responsible for performing certain
tasks and need to incorporate with each other for the proper working of IoT. As more and
more devices get connected to IoT, there are possibly the greater chances of security threats
and attacks at each layer. Taxonomy of security attacks in IoT has been developed by the
researchers for better understanding of various security risks in IoT and for incorporating
the better security countermeasures(Hossain et al., 2015), (Nawir et al., 2016), (Alaba et al.,
2017). Table IV summarizes the different types of attacks that occur at different layers of
IoT and their possible solutions to mitigate such types of attacks to make IoT more secure
and reliable.
With the advent of new threats and attacks, it has become quite a challenging task for the
researchers to mitigate these threats. Researchers face an ever-growing and daunting task of
mitigating the challenges of the attacks that occur every single day in the field of the IoT.
The very common question that arises in the mind of every researcher working in the IoT
security field is that, are we prepared well enough to deal with an attack? This is because
of the fact that there is very little possibility of stopping the attacks to occur. We need to
design the IoT Security framework which has two-fold characteristics – it must be able to
identify the attacks/threats at the first place and – it must be equipped enough to deal with
these kinds of attacks. Thus, to develop the framework essentially equipped to deal with all
kinds of attacks, we need to go deep down the basic architecture of the IoT to identify what
kind of attacks are possible and which layer of the architecture stack they occur. The
various security features are being analyzed by researchers at each layer of the security
architecture of IoT along with the requirements needed to meet the required security
concerns (Gupta, 2017). This work provides a comprehensive survey about the different
kinds of attacks occurring at different levels of network architecture stack of the IoT. At the
same time, the paper provides the possible remedies to mitigate these attacks.
The attacks occurring at different levels of the network architecture stack of IoT
applications are given below.

6.1 Perception layer

Also called as the recognition layer, the perception layer being the lowest layer of IoT
architecture stack is responsible for collecting data from things or the environment (WSN,
heterogeneous devices, sensors type real-world objects, humidity, etc.) and transform them
in a digital setup. Being the direct physical layer of contact, the perception layer is
vulnerable to direct physical access through the following types of attacks and threats:
 ICS

stack
27,2

304

Table IV.

each layer of IoT-

security attacks at

layered architecture
Summary of various
Layer Type of attack Description Possible solutions

Perception Tampering Varga An attacker performs physical modifications on the Tamper resistant Packaging, Hossain et al. (2015)
layer et al. (2017) device or communication link
DOS, Abomhara and An attacker seeks to make a device or resources No general solution to mitigate this type of attack.
Koien, (2014) unavailable to its intended users Spread spectrum techniques can avoid wireless jamming,
Occur in the form of signal distortion or jamming Zhang and Green, (2015)

Sensors as security IoT sensors are great source for DDoS attacks Detect the DDos attack early
threat, Varga et al. Use packet filters
(2017) Configuring web server
Eavesdropping, Sensors that are compromised can send notifications RFID private authentication protocol
SaiKiran et al. (2017) to users and try to steal their private information RWP, Yao et al. (2009)
AFMAP
Sniffing attack, An attacker can put malicious sensors close to the VPNs
Kumar et al. (2016) normal sensors of IoT devices and acquire their Security solution includes-Vulnerability-scanners, penetration tests
information
Noise in data, Kumar Noise in data can lead to incomplete or false Local signal and noise orthogonalization algorithm to avoid the
et al. (2016) information being send from sender to receiver damages to signals
Timing attack, An attacker can obtain key information by Make sure that time taken to execute cryptographic operations does
Systems and Kocher, determining the time required for executing not depend on any secret information
(1996) encryption
Unauthorized access An unauthorized person may gain access to tag, Secure Data Exchange Protocol which provides privacy and prevent
to the tags, SaiKiran which can read alter, access, modify or delete the information leakage, Zhang et al., 2012)
et al. (2017) data, thus violating confidentiality
Tag cloning, SaiKiran An attacker can create replica of original tag A mechanism to secure RFID systems based on EPS tags (Lehtonen,
et al. (2017) Uses compromised tags to intercept, modify the data, et al. (2009)
which violates the integrity
RF jamming Deliberate jamming, blocking or interference with Narrow bandwidth
(SaiKiran et al. (2017) authorized wireless communications Dynamic reconfiguration
Disrupt information flow
Spoofing (SaiKiran Attacker broadcasts fake information to the RFID Filtering mechanism that filters the outgoing packets and incoming
et al. (2017) systems by creating fake IP packet, which behaves traffic of the network
like original IP packet Network access control list ACLs that avoid spoofing without
permitting misrepresented IP locations into network
SSL authentications mechanism used to decrease the risk of spoofing
(continued)
Layer Type of attack Description Possible solutions

Networking Exhaustion, Varga Networking resources like throughput, buffers etc Limiting the MAC admission control rate, Yu and Tsai, (2008)
layer et al. (2017) may get exhausted Time-Division multiplexing
limiting the extraneous responses, Nandal, (2014)
Collision, Varga et al.Jamming type attack All countermeasures of jamming attack
(2017) Decrease the good-put or makes the communication Error correction codes (such as CRC codes)
impossible Time diversity, Nandal, (2014)
Unfairness Type of DOS attack Use of small frames
(Veijalainen et al. Exhausting available resources e.g. bandwidth,
(2012) energy etc.
Spoofed routing An attacker may spoof, alter or change the IP Active firewalls
information, addresses Encryption
Veijalainen et al. Results in routing loops, extended (or shortened)
(2012) routes, fake error messages etc.
Selective forwarding, Malicious or tampered node may alter the traffic Passive monitoring
Veijalainen et al. Joining the topology
(2012)
Sinkhole attack, Messages dropped, content changed, or altered Message digest Algorithm that makes use of cryptography
SaiKiran et al. (2017) Dynamic trust elimination, Kibirige and Sanga (2015)
Wormhole attack, An attacker receives packet at one point of network Intrusion Detection Nodes
Varga et al. (2017) and tunnels them to another point Designing proper routing protocols
DAWWSEN protocol, Nandal, (2014)
Sybil attack, SaiKiran Nodes with multiple identities Douceur’s approach-
et al. (2017) Single adversary controlling multiple nodes in certification approach that depends on a centralized authority
network
Sleep deprivation Keeps all the nodes alive, leading to decrease in Random Vote Cluster Head
attack, SaiKiran et al. lifetime of battery Selection Round Robin Cluster Head Selection
(2017) Increases the power consumption sensor nodes Hash-Based Cluster Head Selection, Pirretti et al. (2006)
Malicious code Can effect secrecy, the data, control flow and Analysis Technique that consists of two phases i.e, signature based
injection (SaiKiran functionality of system and Anomaly based, Swathigavaishnave, (2012)
et al. (2017) Results in network failure or more worse conditions
Authentication, and
Tamper detection
(continued)

Table IV.
305
Things
Internet of

security
 ICS
27,2

306

Table IV.
Layer Type of attack Description Possible solutions

Man in the middle An attacker impersonates Authentication guarantees that message secrecy
attack, SaiKiran et al. between two parties, and gains access to information Tamper detection provides evidence that message may have been
(2017) between them altered, Conti et al. (2016)
Gateway Attacks, Cut off the connection between sensors and internet Identify a DDos attack early, Kanuparthi, (2013)
Zhang and Green, infrastructure Increase bandwidth
(2015)
Storage attacks, Huge amount of data stored on storage devices or on Backup for storage systems
Kumar et al. (2016) cloud may get compromised or changed
Unauthorized access, Devices left open are free to be used by anyone Set up a password
Kumar et al. (2016) Unattended embedded devices used for control e.g. Backup frequently
pacemaker implants are very risky for users, Build Firewall
compromising such devices can have serious effect
on the user
Acknowledgment An attacker may spoof an acknowledgment of a Encryption of messages
spoofing (Gupta, node which may not be alive or in range Sequence number verification
2017) Not easy to prevent
Hello flood attack Attacker broadcasts hello messages to a node which Bi-directional verification
(Gupta, 2017) is not in a radio range of a network Node added only after verifying whether it is in radio range or not
Higher transmission power than the base station
Application Issues with the Client Attacker can have access to local client Malware detection
layer Application, Varga Attackers eavesdrop and continuously monitor Anti-virus
et al. (2017) status, usage of system
Issues with IoT system normally has VPN access Avoiding attacks like DDos for maintaining availability
communication VPNs have issue of availability
channel, Varga et al.
(2017)
Issues with system Key property for reliable working of IoT Requires careful and complex testing
integrity, Varga et al. Leads to safety risks and security threats
(2017)
Minor modifications, Unexpected and minor modifications lead to various Minimized by validation
Varga et al. (2017) types of side effects to the system Complex testing
Continuous monitoring
(continued)
Layer Type of attack Description Possible solutions

Multi-user access and When multiple users access the system and make the Careful process planning
concurrent editing, changes to the system simultaneously, it can lead to Design for multi-user environment
Varga et al. (2017) unstable system status
Data access, Varga Data is accessed by different users from Traceability
et al. (2017) heterogeneous environments, thus security measures
must be applied to continuously monitor the change
of system status
Malicious code Such type of attacks spread worm on internet and Static code Analysis (SCA)
attacks, Kumar et al. attack embedded devices running a particular Scanning and testing should be performed as early as possible
(2016) operating system
Hacking into the Attack on smart grid to steal the information during A smart meter must be secured
smart meter/grid, data transmission can have serious effect on the
Kumar et al. (2016) system
Increases the maintenance cost
Inability to receive Software bug constantly moving and not updated Updating with software patches
security patches, with software patches
Kumar et al. (2016)

Table IV.
307
Things
Internet of

security
ICS 6.1.1 Tampering. It is a kind of node capturing attack where an attacker performs physical
27,2 modification and can destroy the sensor nodes, which eventually can violate the basic
principles of security – confidentiality, availability and integrity (Mosenia and Jha, 2017).
6.1.2 Denial of service. Denial of service (DOS) attack mainly aims at rendering the
services unavailable to the intended users by destroying or destructing the sensor nodes or
by making the sensor nodes incapable of performing the requisite task. DOS attacks may
308 occur in the form of signal distortion or jamming. This kind of attack is usually difficult to
counter (Abomhara and Koien, 2014).
6.1.3 Sensors as a security threat. Sensors can act as a security threat because there are
not sophisticated techniques used for authenticity in the sensor-to-sensor communication.
This renders the IoT sensors a source of DDoS attacks (Varga et al., 2017).
6.1.4 Eavesdropping. In eavesdropping, the attacker alters/changes the information and
can damage the network too. The confidential and critical information like passwords or any
other data flowing information is at greater risk (SaiKiran et al., 2017). Also, the
compromised nodes can send the false notification to users and try to collect private
information from the users (U.Farooq et al., 2015; Kumar et al., 2016).
6.1.5 Sniffing attack. By putting the malicious devices/sensors in the close vicinity of the
actual/normal sensor nodes, an attacker can acquire any kind of information from the
actual/normal sensor nodes in a network (Kumar et al., 2016).
6.1.6 Noise in data. To make the reliable transmission of data over a network, it is
necessary that the data must not contain any type of noise that can lead to incomplete
information, false information or can even be worse in some scenarios where the critical
information is at stake (Kumar et al., 2016).
6.1.7 Timing attack. In this type of attack, an attacker attempts to compromise a
cryptosystem by analyzing the time taken to execute cryptographic algorithms. For
example, Kocher (Kocher, 1996) designed a timing attack to expose secret keys used for RSA
decryption. It is usually used to attack weak computing devices such as smart cards. Timing
attacks are a form of side channel attack where an attacker gains information from the
implementation of a cryptosystem.
6.1.8 Unauthorized access to the tags. RFID is an evolving technology which opens new
challenges for data threats and data security measures. A fake reader can record
confidential information from the tag, which can read, modify, access and delete the data. A
rogue reader can read a tag and gain access to the information that may be confidential. It
can write new, damaging information or can kill the tag. In each of these cases, the tags
respond as if the RFID reader was authorized (Vatsa and Singh, 2015).
6.1.9 Tag cloning. In tag cloning, the attacker creates a clone/replica of the original tag
and renders it extremely difficult to distinguish between the original and the compromised
tag. Using these compromised tags, the attacker can sense the data and intercepts, modifying
the data which violates the integrity. It leads to a financial loss in commercial applications
and is usually seen in access or asset management operations (SaiKiran et al., 2017).
6.1.10 Spoofing. It is one of the DoS attacks where an attacker broadcasts fake
information to the RFID systems by creating fake IP packet, which behaves like original IP
packet and gains unauthorized access to the system, creating security loophole in the
system. Spoofing attacks can be carried out by two ways:
(1) IP spoofing used in DoS attacks.
(2) A man in the middle attacks (SaiKiran et al., 2017).
In IP spoofing, an attacker sends a packet to the target host with a forged IP address. The targeted Internet of
host sends ACK and waits for the response. The response never comes and remains in the buffer. Things
As the buffers used in the networking are of limited capacity, this will lead to the buffer overflow
problem, thereby rendering the network device unstable and sometimes crash too.
security
In the Man in the middle attacks, an attacker intercepts traffic heading between two devices
on the network and monitor information or alter the data as it passes through the network.
6.1.11 Radio frequency jamming. Radio jamming is the deliberate jamming, blocking or
interference with authorized wireless communications. Originally the terms jamming and
309
interference was used interchangeably but nowadays the term jamming is used to describe
the deliberate use of radio noise or signals to disrupt communications whereas the term
interference is used to describe unintentional forms of disruption. RF jamming prevents the
data exchange by jamming frequencies (SaiKiran et al., 2017).

6.2 Networking layer

Many researchers quote that the Networking Layer is the most developed layer of the
conventional IoT architecture. This layer is a convergence of internet and communication-
based networks. This layer also ensures unique addressing and routing abilities to the
unified integration of uncountable devices in a single cooperative network. All the tasks
performed by the conventional networking layer of the TCP IP model are inbuilt in the IoT
networking layer. Thus, this layer is more susceptible to the attacks – both the conventional
networking layer attacks and the specific attacks related to IoT architecture. The various
threats and attacks that may significantly affect this layer are as follows (Varga et al., 2017),
(SaiKiran et al., 2017), (Kumar et al., 2016), (Gupta, 2017):
6.2.1 Exhaustion. Exhaustion attack is with reference to the resources in a network. It is
a kind of DoS attack, in which an attacker causes repeated collisions leading to resource
exhaustion.
6.2.2 Collision. It is the type of DoS attack, in which two nodes attempt to transmit on the
same frequency simultaneously. It is jamming type attack where an attacker does not jam
the full signal but decrease the good-put or makes the communication impossible. Error
correcting codes used to defend against collisions.
6.2.3 Unfairness. It is a type of DoS attack, which includes – exhausting of targeted IoT
sensor resources or – collision. The rule is that every node has the same priority to get the
common channel. If a node gets hold of the channel, any other nodes trying to transmit
the packets have to wait for the random length of time. It is similar to the deadlock in the
operating systems. Adversaries use these characteristics to attack the network and can use
these common channels more than normal nodes.
6.2.4 Spoofed routing information. It is a most common type of attack against the
routing protocol where every node acts as a router and can therefore directly affect routing
information. As IP provides the best possible service without guaranteeing about the
occurrence of errors, that is, the routing and other header information are not encrypted,
attackers may spoof, alter or replay IP addresses to disrupt traffic in the network. It may
result in routing loops, shortened routes, fake error messages etc.
6.2.5 Selective forwarding. In this type of attack a malicious or tampered node may alter
the traffic by dropping some packets. It can degrade the performance of the network in
terms of packet loss and prevent data collected by certain nodes from reaching the base
station. When all the packets are dropped out, this attack can be called a black hole attack
solely. Passive monitoring is a technique to avoid such types of attack by capturing traffic
from a network by copying traffic from a span port or mirror port or network tap.
ICS 6.2.6 Sinkhole attack. Nodes in an IoT network may act as either source nodes or the sink
27,2 nodes. Both are susceptible to attacks. Attracting traffic to a specific node (sink node
preferably) is called a sinkhole attack. In this attack, the adversary’s goal is to attract nearly
all the traffic from a particular area through a compromised node. When reaching the
sinkhole node, the messages may get dropped, forwarded with changed content or altered in
other ways.
310 6.2.7 Wormhole attack. In the wormhole attack, an attacker records packets or bits at one
location in the network, tunnels them to another location, and transmits them into the
network, thereby being able to get any kind of information, which may be critical in nature
too.
6.2.8 Sybil attack. A single node duplicates itself and presented in the multiple locations.
The Sybil attack targets fault tolerant schemes such as distributed storage, multipath
routing, and topology maintenance. In this attack, a single node presents multiple identities
to other nodes in the network. It corrupt fairness resource usage, redundancy or voting
concepts originally present in the infrastructure.
6.2.9 Sleep deprivation attack. In this type of attack all the nodes are kept alive thereby
decreasing the lifetime of the battery and increasing the power consumption of nodes, as a
result, nodes will get shut down.
6.2.10 Malicious code injection. Malicious code is a piece of code that can affect the
privacy, functionality and flow control of a system. An adversary can inject malware into
the target program which can result in the network failure or in the worst situation.
6.2.11 Man in the Middle attack. It is the type of eavesdropping attack, where an
attacker inserts him/herself into a conversation between two parties, impersonates both
parties and gains access to information transmitted between them. An attacker intercepts,
send and receive the data that is meant for other users.
6.2.12 Gateway attacks. These attacks cut off the connection between the sensors and the
internet infrastructure. These attacks include DoS attack or routing attacks that can result
in no or wrong information being transmitted from the internet to the sensors thereby
affecting the working of networks.
6.2.13 Storage attacks. An attacker may compromise or change the data that includes
the vital information of the user, which is stored on storage devices or on the cloud. An
adversary may replicate the data, uses for his purpose leading to the serious effects on the
user.
6.2.14 Unauthorized access. Devices left open are free to be used by anyone leading to
serious effects, e.g. the personal information related to any individual or the health report of
the patient is available at a node, which can be easily misused.
6.2.15 Hello flood attack. An attacker broadcasts a hello message to the neighboring
nodes in the network and a node, which receives such a message, assumes that it is in radio
range of sender. But in reality, this assumption may be false, i.e. the sender is not in a radio
range of a node, and hence, the packets with higher transmission power are re-broadcasted.
6.2.16 Acknowledgment spoofing. An acknowledgment is highly important to have
reliable communication within a network. However, an attacker spoofs the acknowledgment
to gain an illegitimate advantage within the network and masquerades as another by
sending packets to a node which may not be alive or within the range.

6.3 Application layer

This is the top layer of the conventional IoT architecture. This IoT layer combines the
industry to attain the high-level intelligent applications type solutions such as the disaster
monitoring, health monitoring, transposition, fortune, medical and ecological environment
and handled global management relevant to all intelligent type applications. It is divided Internet of
into three sub-layers – business, application and service management layers. The service Things
management layer’s main responsibilities are facilitating information processing, decision-
making, and control of pairing requestor information processing for relevant tasks. The
security
application layer provides the customers with smart high-quality facilities according to the
pre-request of the customers. The Business layer represents the business model and data
that has been received from the application layer. The various types of threats and attacks
at this layer are described as follows (Varga et al., 2017), (Kumar et al., 2016), (Veijalainen 311
et al., 2012).
6.3.1 Issues with the client application. The machine that has access to the IoT system
configurations is usually an HTTP-connectable device, which makes it vulnerable to attacks
over the Web. Here, the attacker can have access to the local client HW, together with the
control of the applications running over that. Such attackers often remain hidden (non-
intrusive), while their malware application keeps eavesdropping and continuously reporting
about the IoT system status, its usage, or even its authentication information to the attacker.
Malware detection and anti-virus solutions are recommended to filter such applications.
6.3.2 Issues with the communication channel. The application that allows remote
configuration of the IoT system normally has VPN (Virtual Private Network) access to the
systems that it configures. VPNs usually have some security measures associated with, such
as confidentiality through data encryption throughout the channel; integrity of information
content through detecting tampering of messages; and availability, which may open
possibilities for various attacks, including DDoS.
6.3.3 Issues with system integrity of the client application. System integrity is a key
property of reliably working IoT systems. Losing the integrity of the system easily leads to
safety risks and security threats. The system should not fail during high activity stress or
abnormal process situations, network or computer failures, multiple alarms, executing
previously unexecuted error path code or system recovery code, or incorrectly executed
commands. This requires careful and complex testing.
6.3.4 Minor modifications. Unexpected environmental change together with minor
system modifications and configuration changes can have unexpected side effects. Such
effects and propagations can be minimized by validation of the system elements, complex
testing and continuous monitoring of the overall system.
6.3.5 Multi-user access and concurrent editing of configuration. Systems should be
robust against multi-user access. When many users are able to change the configurations of
various parts of the IoT systems, concurrent editing of configuration files and concurrent
execution of configuration changes easily lead to unstable system status. This should be
eliminated by careful process planning and design for the multi-user environment.
6.3.6 Data access. Data are accessed by different users from heterogeneous
environments; thus, data access security measures should be applied in the application
layer. Also, traceability of any configuration change and change of system status should be
provided by design.
6.3.7 Malicious code attacks. Malicious code is a code in part of a software system that
causes undesired effects such as security breaches or damage to the system. It includes
viruses, worms, Trojan horses, backdoors and malicious active content, e.g. a malicious
worm spreading on the internet attack embedded devices running a particular operating
system, e.g. Linux.
6.3.8 Hacking into the smart meter/grid. Here an attacker will steal the information
during data transmission from a smart meter, can have a serious effect on the system. It
increases the maintenance cost and is more catastrophic.
ICS 6.3.9 Inability to receive security patches. Considering a nuclear reactor where a software
27,2 bug is constantly moving and not updated with software patches, it may result in
catastrophic consequences.

7. Countermeasures to prevent the attacks

Lot of work has been done in the area of IoT security issues and countermeasures by the
312 prominent authors in the recent past. It is possibly one of the hot research areas of
the twenty-first century. Various security countermeasures were identified by reviewing the
various journals and conferences. Table V summarizes various security countermeasures
and their existing proposed scheme, including the advantages and disadvantages of these
methods.
Zhao et al. (2011) proposed a mutual authentication scheme for IoT between platforms
and terminal nodes based on hashing and feature extraction. The proposed method
provided a good solution for authentication for IoT and improved the security to a great
extent. However, the scheme does not work practically and has been a theoretical concept
only.
Wen et al. (2013) proposed one-time one cipher method which is based on a request-reply
mechanism for ID authentication at sensor nodes. Here, the dynamic cipher was
implemented by sharing a pre-shared matrix between the two parties that are interested in
communication. A user will generate a key from key coordinate i.e. a random coordinate
generated from this matrix. All the messages are then encrypted and sent along with – the
key, key coordinate, and timestamp. The communication between the two parties occurs by
validating the timestamp. However, installation of this method is very difficult in an
environment having large number of IoT devices. Also, this method can be implemented
only where securing IoT devices is not so critical.
Mahalle et al. (2013) proposed identity authentication and capability-based access control
for access control for IoT. The proposed scheme is based on public key encryption and is
compatible with all the existing technologies, e.g. Bluetooth, Wi-Fi and WiMAX. This
scheme prevented the man-in-middle attack by using message authentication code (MAC).
This scheme works in the following stages:
 secret key generation using Elliptical Curve Cryptography-Diffie Hellman
algorithm; and
 identity establishment using one-way and authentication protocols and access
control.

However, this scheme does not completely prevent the DoS attacks but minimizes it to a
great extent by granting only one ID at a time.
Yi and Dong (2014) developed an item-level-access control framework for inter-system
security for trust establishment in IoT. The proposed scheme establishes trust by two
mechanisms: key creation and the token. Any new device created is assigned a key which is
provided by the manufacturer of the device. This token is then combined with the RFID
identification of the device. Using this scheme, the device is allowed to change the
permissions of the device itself if a new owner is assigned or an owner is going to operate
from another department. However, owners can change the tokens only if the old token is
provided to replace it.
Anggorojati et al. (2012) suggested a federated architecture definition for IoT. Based on
this definition an access control delegation model was developed. A federated architecture
was proposed to overcome the problem of heterogeneity of various devices, software etc. in
IoT by providing the centralized control unit. This architecture provides us the benefits of
Security
countermeasures Proposed scheme
Authentication Mutual authentication scheme
measures between IoT platform and terminal
nodes, Zhao et al. (2011)
One-time one cipher method based
on request-reply mechanism for ID
authentication at sensor nodes of
IoT, Wen et al. (2013)
Identity authentication and
capability-based Access control for
access control for IoT, Mahalle
et al. (2013)
Trust Item-level-access control
establishment framework developed for inter-
system security which establishes
trust by two mechanisms –
Creation key and Token, Yi and
Dong, (2014)
Federated Access control delegation model
architecture was proposed, Anggorojati et al.
(2012)
Secure Mediation Gateway
(SMGW) for critical
infrastructures, Castrucci et al.
(2012)
Framework of Smart Home based
on the SMGW, Leo et al. (2014)
Summary of various
Table V.
countermeasures
security
Advantages Disadvantages
Feature Extraction combined with hash Works on theory only
functions No practical proof
Avoids Collision attacks
Irreversibility to ensure security
Lightweight
Improved Security
Dynamic variable cipher implemented Cipher used only where securing IoT is not
using pre-shared matrix very sensitive and crucial
Two devices communicate by validating Installation of pre-shared matrix needs to be
timestamps secure
Uses public key approach Does not completely prevent Dos attacks
Compatible with lightweight mobile,
existing technologies like Bluetooth, 4G etc
Prevents man-in-middle attack by using
timestamp
Any new device created is assigned a key Tokens can be changed by the owners,
which is applied by the manufacturer of the provided that old token is provided
device
Ensures the change of permissions by the
device itself, reducing the overhead of the
new owner
Takes into consideration the flexibility and Works on theory only
scalability
Abstraction of IoT Works on theory only
Discover all the relevant distributed
information from different node
overcome the heterogeneity of
heterogeneous nodes
Good impact in ensuring the security of the Introduced additional delay in the process
IoT Current policies not efficient in IoT because
of its dynamic nature
(continued)
313
Things
Internet of
security
 ICS
27,2

314

Table V.
Security
countermeasures Proposed scheme Advantages Disadvantages

Cryptographic Advanced Encryption Standard Block size of 128-bit. Computationally expensive due to their
algorithm (AES). (Wang et al. (2014) Key length of 128,192,256 bits with 10, 12, complexity and requires many rounds to
14 rounds encrypt, essentially wasting the constrained
Faster encryption and decryption energy of the devices
Attribute Based Encryption(ABE) was
optimal for IoT
Data Encryption Standard (DES), Key length of 56 –bit Moderate speed for encryption
Singh and Supriya, (2013) Used for protecting the unclassified data Uses 64-bit block size
from being attacked Sluggish in software
Uses same key for encryption and
decryption
Rivest-Shamir-Adleman (RSA), Public key is shared with every one Slower encryption and decryption
Hussain, (2015) whereas the private key is maintained in Obtained security level not satisfactory
secrecy
Prevents multiple attacks.
Faster and more secure than AES and DES
Trust-based Ant colony algorithm, Suryani Trustable object selection to improve Needs to improve security model for trust
privacy et al. (2016) privacy value scoring
Based on prior knowledge for calculating Improvements for better resistance against
trust values attacks
Important to secure the communication
between objects
Based on parameter-Reputation for
assessing the level of trust
SDN, Al Shuhaimi – Used to increase the performance Scalability
et al. (2016) Reducing the cost and hardware of network Security
Separating the data plan from the control Larger Latency of the first packet in the
plan flow
Monitors the traffic between machine-to-
machine
(continued)
Security
countermeasures Proposed scheme Advantages Disadvantages

Secure digital Developed without modular inversion in Implemented poorly in signature generation
Signature scheme Signature generation and Verification
based on elliptic algorithms
curves, Koppula Implemented in software and hardware
and Muthukuru, Software implementation gurantees
(2016) moderate speed and higher power
consumption
Hardware implementation improves
performance
Best suitable for IoT
Secure and efficient as compared to existing
scheme due to reduced key size
Risk assessment, Autonomic assessment algorithm Solved the problem of system security The generated self-assessment errors of
Zheng et al. (2013) performance security risk tend to be relatively larger
Based on three dimensional normal cloud when the situation of one-dimension
Three-tier security criterion is analyzed corresponding and three-dimensional error
Considers the dynamic changes of resources appears simultaneously
Minimizing user intervention
Security – Awareness among human users Unawareness among users can cause harm
awareness, Patton to the network
et al., 2014) Hackers can conduct attacks against the
whole network
Anonymization – Used for preserving the privacy of the data Reliance on pre-defined generalization
technique, Pawar, Based on quasi-identifiers (QID) hierarchies
(2016) Anonymized the personal data Generation of anonymized data with high
Prevents data from malicious users information loss and with high
classification errors
(continued)

Table V.
315
Things
Internet of

security
 ICS
27,2

316

Table V.
Security
countermeasures Proposed scheme Advantages Disadvantages

Automata-based Extension of labeled transition Detect the intrusions in IoT networks Needs to improve Standard Protocol
intrusion detection systems Map the IoT system to an abstract space Library and fuzzy method
method, Fu et al. Graphically analyzed the abstract action Develop a suitable method to describe and
(2017) flows and intrusions evaluate the contents of translating packets
Examined the attack of RADIUS
application
Blockchain – Managing, controlling and securing IoT Blockchain systems are vulnerable to
solutions, Ahmad devices attacks
and Salah, (2018) Uses elliptic curve cryptography Miner’s hashing power can be compromised
More scalable than IPv6 Private keys with limited randomness
Trustworthy, governance and tracking Race attacks which result in double-
securely spending during transactions
Data authentication and integrity
Secure communications
operational independence where we can operate the systems without relying on the Internet of
knowledge of others. It also provides the benefit of platform independence, i.e. it can work Things
well with all computer languages. This scheme focused on the flexibility and scalability, i.e.
the capability of a computer to adapt to the changes in size or volume.
security
Castrucci et al. (2012) proposed another framework called Secure Mediation Gateway
(SMGW) for critical infrastructures. This approach is an abstraction of IoT as it can work in
all infrastructures. It also overcomes the problem of heterogeneity in IoT by discovering all
its information from various distributed nodes and exchanges that information over a
317
network that is not trustworthy.
Leo et al. (2014) proposed another framework for smart home based on SMGW. The
proposed procedures and policies used in the framework were not effective in handling the
dynamic nature of IoT. The proposed mechanism can have a good impact in assuring
security to IoT; however, it introduced the additional delay in the process.
Wang et al. (2014) suggested various cryptographic algorithms for addressing the
security challenges of IoT. The survey, based on three cryptographic algorithms, AES, Data
Encryption Standard (DES) and Rivest – Shamir – Adleman (RSA), proved that as compared
to AES and DES algorithms, the RSA prevents different types of attacks, faster and is more
secure in protecting the data. Based on this survey, an asymmetric key cryptography storage
system was proposed where the data is encrypted before the transmission.
Singh and Supriya (2013) proposed software defined network (SDN) as a solution to
overcome security challenges in IoT. SDN is proposed to monitor the network traffic by
separating data plan from a control plan. It is either software or hardware used to increase
the performance of the network by reducing the cost and hardware. The SDN is integrated
with IoT to manage, control, monitor and secure the network. This architecture consists of
three parts:
(1) IoT agent is responsible for collecting the data from the surroundings.
(2) IoT controller receives the request connection and takes a decision based on SDN
controller.
(3) SDN controller establishes the path between the IoT controller and SDN objects.

The authors also proposed cluster head selection algorithm, which is based on SDN. This
algorithm can be used to prevent different attacks in IoT. In future, this algorithm will be
implemented by the authors to avoid different types of attacks including black hole,
neighbor attack etc.
Hussain (2015) discussed the consequences of not securing the IoT. Security awareness
among the IoT users can be another countermeasure for ensuring security to IoT. If the
users will provide the default password then anybody can access the network causing harm
to the network. So it becomes important to create awareness among the users.
Suryani et al. (2016) developed a modified ant colony algorithm for determining trust
values of objects in IoT to secure the communication between objects. Trust plays an
important role in the reliability, integrity, privacy and security of the data being transmitted
across the network. Reputation is used as a parameter for determining the level of trust of
objects and is based on prior knowledge of the interactions with other objects.
Al Shuhaimi et al. (2016) suggested SDN as a possible solution to overcome the security
challenges in IoT. SDN is a technology for increasing the performance of network by
separating the data plan from the control plane and thus helps in reducing cost and
hardware. The authors have proposed an integrated model of IoT and SDN which can be
used to prevent different types of attacks in the environment of IoT.
ICS Koppula and Muthukuru (2016) designed an authentication mechanism for securing
27,2 digital signature based on Elliptic Curves for IoT. The benefit of using elliptic curve
cryptography is that the key size is reduced considerably as compared to traditional
cryptosystems such as RSA and Diffie-Hellman to improve network security. Digital
signature plays an important role in attaining integrity, non-repudiation, and authentication
of the data transmitted across the network. The proposed scheme was developed without
318 modular inversion in the signature generation and verification algorithms, which is time-
consuming for the devices with limited capabilities. The performance of the proposed
scheme was compared with the original Elliptic Curve Digital Signature Algorithm
(ECDSA) over elliptic curve.
Zheng et al. (2013) proposed an IoT Security risk autonomic assessment algorithm.
Focusing on self-assessment of security risk, the self-assessment algorithm of IOT security
risk based on the three-dimensional normal cloud was studied based on the dynamic fusion
result of heterogeneous security factors. We strive to make a breakthrough in the research of
autonomic security mechanism of heterogeneous security of IoT.
Pawar (2016) have discussed one of the most important applications of IoT – health
monitoring. Health monitoring security challenges include privacy, trust, confidentiality,
authentication, etc. The authors have suggested various methods to handle these challenges
in the IoT such as cryptographic algorithms (AES, DES, and RSA) and anonymization
techniques.
Patton et al. (2014) have evaluated the various types of vulnerabilities and threats in the
development of IoT due to which the services become inaccessible to intended users. It is
becoming an important issue for organizations and individuals for securing the internet and
creating awareness among the users about the various attacks and threats. Hackers are
always available and conduct the attacks against users.
Fu et al. (2017) proposed an automata-based intrusion detection method for the
heterogeneous environment in IoT. This method used an extension of labeled transition
systems and can detect possibly the three kinds of attacks in IoT, including replay-attack,
jam-attack and fake-attack. The intrusion detection system is an efficient technique for
providing security in IoT networks by examining all the traffic that is coming in or leaving
the network.
Ahmad and Salah (2018) described Blockchain as a key technology for providing
security in IoT. The blockchain is a decentralized, distributed, shared and immutable
database ledger that plays an important role in managing, controlling and securing IoT
devices. It uses the concept of cryptography, including digital signatures and hash functions
for providing data authentication and integrity. The authors have discussed the various
features that are useful for IoT security – address space, identity of things and governance,
data authentication and integrity, authentication, authorization and privacy and secure
communications.

8. Open questions, lessons learned and future research directions

8.1 Open questions
With IoT evolving rapidly, the researchers, as well as experts from the industry, keep on
asking the questions regarding the various concerns of the IoT, ranging from – the effective
and efficient use of the IoT paradigm to security threats. Among these questions,
approximately eight out of ten researchers/experts from the industry would definitely pick
the privacy and security as the area of concern. One of the most common questions that
definitely tops the charts is: “What is the biggest risk associated with the IoT?,” and the
answer most of the times is security. Thus, the security in the IoT should be a prime focus for
most of the review papers being published in this field. In the paper, we have tried to Internet of
identify and ask what possibly can go wrong if a particular attack occurs at some particular Things
level of the security protocol stack of IoT. Furthermore, how the possible solutions are
security
advantageous or disadvantageous in terms of implementation in the future.

8.2 Lessons learned

IoT is going to dictate terms in the field of research for a few upcoming decades for sure. 319
Being a very promising field, it is quite challenging too. It will require the new and scalable
architectures and protocols, which need to be quite the efficient ones. One of the prime
aspects from the many challenging issues is Security. The data exchanged between
the different devices or applications are quite sensitive; thus, the security aspect plays a key
role and needs to be addressed efficiently. Being heterogeneous in nature, IoT security
architecture is vulnerable to different types of attacks at every layer. This indicates the
urgent needs of developing general security policy and standards for IoT products. The
efficient security architecture needs to be imposed but not at the cost of efficiency and
scalability. We need to solve one issue keeping in mind the second one at the same time. We
have recommended a detailed and extensive survey regarding the different types of attacks
that can possibly attack at each layer of IoT security protocol stack. One of the important
things concluded in the paper is that there are numerous kinds of attacks that affect the
privacy and security of the private and critical data. Thus, the countermeasures are required
to be taken so that the privacy and security of the data and the data exchanging processes
are ensured.

8.3 Future directions of research

The future research directions mainly consist of dealing with the mitigation of the different
security challenges at each layer of the security protocol of IoT. It is recommended to
implement the upcoming proposals for IoT security using Wi-Fi Harlow with 6LOWPAN-
IPSec in low equipment for security test. Also, the future cloud-based security services can
improve the security of the IoT.

9. Conclusion
Research in the field of security in the IoT is still in the conceptual stage, which needs to be
explored further to develop innovative, new security solutions and applications. In recent
years, the research on this topic is very active, as the issue of security in IoT must be
considered first during the development of IoT. In this survey paper, we presented an
extensive and comprehensive survey on the current state of the art in the IoT security along
with the layered security stack of IoT. In addition, the various types of attacks that occur at
the three layers of IoT security protocol stack – perception, networking and application
layers – are elicited and explained in detail along with the possible solutions that can be
immediately applied at each layer. Futhermore, the countermeasures at each layer along
with the prospective advantages and disadvantages are proposed so that the researchers
can get a clue in implementing the particular strategy.

References
Abomhara, M. and Koien, G.M. (2014), “Security and privacy in the internet of things: current status
and open issues”, 2014 International Conference on Privacy and Security in Mobile Systems
(PRISMS), pp. 1-8, available at: https://doi.org/10.1109/PRISMS.2014.6970594
ICS Ahmad, M. and Salah, K. (2018), “IoT security: review, blockchain solutions, and open challenges”,
Future Generation Computer Systems, Vol. 82, pp. 395-411, available at: https://doi.org/10.1016/j.
27,2 future.2017.11.022
Al Shuhaimi, F., Jose, M. and Singh, A.V. (2016), “Software-defined network as solution to overcome
security challenges in IoT”, 2016 5th International Conference on Reliability, Infocom
Technologies and Optimization, ICRITO 2016: Trends and Future Directions, pp. 491-496,
available at: https://doi.org/10.1109/ICRITO.2016.7785005
320 Alaba, F.A., Othman, M., Hashem, I.AT. and Alotaibi, F. (2017), “Internet of things security: a survey”,
Journal of Network and Computer Applications, Vol. 88, pp. 10-28.
Al-fuqaha, A., Member, S., Guizani, M., Mohammadi, M. and Member, S. (2015), “Internet of things: a
survey on enabling”, Vol. 17 No. 4, pp. 2347-2376, available at: http://ieeexplore.ieee.org.proxy.
queensu.ca/document/7123563/
Anggorojati, B. Mahalle, P.N. Prasad, N.R. and Prasad, R. (2012), “Capability-based access control
delegation model on the federated IoT network”, in The 15th International Symposium on
Wireless Personal Multimedia Communications, IEEE, pp. 604-608.
Atzori, L., Iera, A., Morabito, G. and Nitti, M. (2012), “The social internet of things (SIoT) – when social
networks meet the internet of things: concept, architecture and network characterization”, Computer
Networks, Vol. 56 No. 16, pp. 3594-3608, available at: https://doi.org/10.1016/j.comnet.2012.07.010
Balte, A., Kashid, A. and Patil, B. (2015), “Security issues in internet of things (IoT): a survey”,
International Journal of Advanced Research in Computer Science and Software Engineering,
Vol. 5 No. 4, pp. 450-455.
Castrucci, M., Neri, A., Caldeira, F., Aubert, J., Khadraoui, D., Aubigny, M. and Capodieci, P. (2012),
“Design and implementation of a mediation system enabling secure communication among
critical infrastructures”, International Journal of Critical Infrastructure Protection, Vol. 5 No. 2,
pp. 86-97, available at: https://doi.org/10.1016/j.ijcip.2012.04.001
Chetan, R. and Shahabadkar, R. (2018), “A comprehensive survey on exiting solution approaches
towards security and privacy requirements of IoT”, International Journal of Electrical and
Computer Engineering (IJECE), Vol. 8 No. 4, pp. 2319-2326, available at: https://doi.org/10.11591/
ijece.v8i4.pp2319-2326
Conti, M., Dragoni, N. and Lesyk, V. (2016), “A survey of man in the middle attacks, (c)”, IEEE
Communications Surveys and Tutorials, Vol. 18 No. 3, pp. 2027-2051, available at: https://doi.org/
10.1109/COMST.2016.2548426
Ferrag, M.A., Maglaras, L.A., Janicke, H., Jiang, J. and Shu, L. (2017), “Authentication protocols for
internet of things: a comprehensive survey”, Security and Communication Networks, Vol. 2017.
Fu, Y., Yan, Z., Cao, J., Koné, O. and Cao, X. (2017), “An automata based intrusion detection method for
internet of things”, Vol. 2017, pp. 6-10.
Gupta, V.A.B.B. (2017), “Security in internet of things: issues, challenges, taxonomy, and architecture”,
Telecommunication Systems, available at: https://doi.org/10.1007/s11235-017-0345-9
Hossain, M.M., Fotouhi, M. and Hasan, R. (2015), “Towards an analysis of security issues”, Challenges,
and Open Problems in the Internet of Things. 2015 IEEE World Congress on Services, pp. 21-28,
available at: https://doi.org/10.1109/SERVICES.2015.12
Hossain, M., Fotouhi, M. and Hasan, R. (2015), “Towards an analysis of security issues”, Challenges,
and Open Problems in the Internet of Things, available at: https://doi.org/10.1109/
SERVICES.2015.12
Hung, M. (2017), “Gartner research vice president”, Leading the IoT, Gartner Insights on How to Lead in
a Connected World, available at: www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf
Hussain, A.K. (2015), “A modified RSA algorithm for security enhancement and redundant messages
elimination using K-nearest neighbor algorithm”, IJISET – International Journal of Innovative
Science, Engineering and Technology, Vol. 2 No. 1, pp. 159-163.
Kanuparthi, A., Karri, R. and Addepalli, S. (2013), “Hardware and embedded security in the context of Internet of
internet of things”, in Proceedings of the 2013 ACM Workshop on Security, Privacy and
Dependability for Cyber Vehicles, ACM, pp. 61-64.
Things
Katagi, M. and Moriai, S. (2008), Lightweight Cryptography for the Internet of Things, Sony Corporation,
security
pp. 7-10, available at: https://doi.org/10.1109/JIOT.2014.2323395
Kibirige, G.W. and Sanga, C. (2015), “A survey on detection of sinkhole attack in wireless sensor
network”, arXiv preprint arXiv:1505.01941.
321
Koppula, S. and Muthukuru, J. (2016), “Secure digital signature scheme based on elliptic curves for
internet of things”, International Journal of Electrical and Computer Engineering (IJECE), Vol. 6
No. 3, pp. 1002-1010, available at: https://doi.org/10.11591/ijece.v6i3.9420
Kranz, M. (2017), Building the Internet of Things: Implement New Business Models, Disrupt
Competitors, Transform Your Industry, John Wiley and Sons, 21 November 2016.
Kumar, S.A., Vealey, T. and Srivastava, H. (2016), “Security in internet of things: challenges,
solutions and future directions”, Proceedings of the Annual HI International Conference on
System Sciences, 2016–March, pp. 5772-5781, available at: https://doi.org/10.1109/
HICSS.2016.714
Lee, I. and Lee, K. (2015), “The internet of things (IoT) : applications, investments, and challenges for
enterprises”, Business Horizons, Vol. 58 No. 4, pp. 431-440, available at: https://doi.org/10.1016/j.
bushor.2015.03.008
Lehtonen, M. Ostojic, D. Ilic, A. and Michahelles, F. (2009), “Securing RFID systems by detecting tag
cloning”, in International Conference on Pervasive Computing, Springer, Berlin, Heidelberg,
pp. 291-308.
Leo, M., Battisti, F., Carli, M. and Neri, A. (2014), “A federated architecture approach for internet of things
security”, 2014 Euro Med Telco Conference – From Network Infrastructures to Network Fabric:
Revolution at the Edges, EMTC 2014, available at: https://doi.org/10.1109/EMTC.2014.6996632
Mahalle, P.N., Anggorojati, B., Prasad, N.R. and Prasad, R. (2013), “Identity authentication and
capability based access control (IACAC) for the internet of things”, Journal of Cyber Security and
Mobility, Vol. 1 No. 4, pp. 309-348.
Matharu, G.S. (2014), “The internet of things: challenges and security issues”, pp. 54-59, available at:
https://doi.org/10.1109/ICET.2014.7021016
Mosenia, A. and Jha, N.K. (2017), “A comprehensive study of security of internet-of-things”, IEEE
Transactions on Emerging Topics in Computing, Vol. 5 No. 4, pp. 586-602, available at: https://
doi.org/10.1109/TETC.2016.2606384
Nandal, V. (2014), “Comparison of attacks on wireless sensor networks”, Vol. 3 No. 7, pp. 208-213.
Nawir, M., Amir, A., Yaakob, N., Lynn, O.B. and Engineering, C. (2016), “Internet of things (IoT) :
taxonomy of security attacks”, pp. 321-326.
Patton, M. Gross, E. Chinn, R. Forbis, S. Walker, L. and Chen, H. (2014), “Uninvited connections a study
of vulnerable devices on the internet of things (IoT)”, pp. 1-4, available at: https://doi.org/
10.1109/JISIC.2014.43
Pawar, A.B. and Ghumbre, S. (2016), “A survey on IoT applications, security challenges and counter
measures”, in 2016 International Conference on Computing, Analytics and Security Trends
(CAST), IEEE, pp. 294-299.
Pirretti, M., Zhu, S., Vijaykrishnan, N. and Daniel, P.M.C. (2006), “The sleep deprivation attack in sensor
networks: analysis and methods of defense”, pp. 267-287, available at: https://doi.org/10.1080/
15501320600642718
SaiKiran, P., SureshBabu, E., Padmini, D., SriLalitha, V. and Krishnanand, V. (2017), “Security issues
and countermeaaures of three tier architecture of IOT – a survey”, International Journal of Pure
and Applied Mathematics, Vol. 115 No. 6, pp. 49-57.
ICS Sain, M., Kang, Y.J. and Lee, H.J. (2017), “Survey on security in internet of things: state of the art and
challenges”, 2017 19th International Conference on Advanced Communication Technology
27,2 (ICACT), 699-704, available at: https://doi.org/10.23919/ICACT.2017.7890183
Singh, G. and Supriya, S. (2013), “A study of encryption algorithms (RSA, DES, 3DES and AES) for
information security”, International Journal of Computer Applications, Vol. 67 No. 19, pp. 33-38,
available at: https://doi.org/10.5120/11507-7224
Suo, H., Wan, J., Zou, C. and Liu, J. (2012), “Security in the internet of things: a review”, Proceedings –
322 2012, International Conference on Computer Science and Electronics Engineering, ICCSEE
2012, 3, pp. 648-651, available at: https://doi.org/10.1109/ICCSEE.2012.373
Suryani, V., Sulistyo, S. and Widyawan, W. (2016), “Trust-based privacy for internet of things”,
International Journal of Electrical and Computer Engineering (IJECE), Vol. 6 No. 5,
pp. 2396-2402, available at: https://doi.org/10.11591/ijece.v6i5.9678
Swathigavaishnave, D. (2012), Detection of Malicious Code-Injection Attack Using Two Phase Analysis
Technique, Vol. 45 No. 18, pp. 8-14.
Kocher, P.C. (1996), “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other
systems”, in Annual International Cryptology Conference, Springer, Berlin, Heidelberg,
pp. 104-113.
Triantafyllou, A., Sarigiannidis, P. and Lagkas, T.D. (2018), “Network protocols, schemes, and
mechanisms for internet of things (iot): features, open challenges, and trends”, Wireless
Communications and Mobile Computing.
U.Farooq, M., Waseem, M., Khairi, A. and Mazhar, S. (2015), “A critical analysis on the security
concerns of internet of things (IoT)”, International Journal of Computer Applications, Vol. 111
No. 7, pp. 1-6, available at: https://doi.org/10.5120/19547-1280
Varga, P., Plosz, S., Soos, G. and Hegedus, C. (2017), “Security threats and issues in automation IoT”,
IEEE International Workshop on Factory Communication Systems – Proceedings, WFCS,
available at: https://doi.org/10.1109/WFCS.2017.7991968
Vasilakos, A. and Wan, J. (2015), “Security of the internet of things: perspectives and challenges
security of the internet of things: perspectives and challenges”, (November 2014), available at:
https://doi.org/10.1007/s11276-014-0761-7
Vatsa, V.R. and Singh, G. (2015), “A literature review on internet of things (IoT)”, Vol. 2 No. 8,
pp. 355-358.
Veijalainen, J., Kozlov, D. and Ali, Y. (2012), “Security and privacy threats in IoT architectures”,
Proceedings of the 7th International Conference on Body Area Networks, available at: https://doi.
org/10.4108/icst.bodynets.2012.250550
Wang, X., Zhang, J., Schooler, E.M. and Ion, M. (2014), “Performance evaluation of attribute-based
encryption: toward data privacy in the IoT”, 2014 IEEE International Conference on
Communications, ICC, pp. 725-730, available at: https://doi.org/10.1109/ICC.2014.6883405
Weber, M. (2016), “Security challenges of the internet of things”, pp. 638-643.
Wen, Q., Dong, X. and Zhang, R. (2013), “Application of dynamic variable cipher security certificate in
internet of things”, Proceedings – 2012 IEEE 2nd International Conference on Cloud Computing
and Intelligence Systems, IEEE CCIS 2012, Vol. 3, pp. 1062-1066, available at: https://doi.org/
10.1109/CCIS.2012.6664544
Westervelt, R. and Dugar, A. (2017), “IDC’s worldwide internet of things security products taxonomy”,
available at: www.idc.com/getdoc.jsp?containerId=US44282518
Xiaohui, X. (2013), “Study on security problems and key technologies of the internet of things”, 2013
International Conference on Computational and Information Sciences, pp. 407-410, available at:
https://doi.org/10.1109/ICCIS.2013.114
Yang, Y., Wu, L., Yin, G., Li, L. and Zhao, H. (2017), “A survey on security and privacy issues in internet-of-
things”, Vol. 4662 No. c, pp. 1-10, available at: https://doi.org/10.1109/JIOT.2017.2694844
Yao, Q., Qi, Y., Han, J., Zhao, J., Li, X. and Liu, Y. (2009), “Randomizing RFID private authentication”, in Internet of
2009 IEEE International Conference on Pervasive Computing and Communications, IEEE,
pp. 1-10 Things
Yi, X. and Dong, W. (2014), “An item-level access control framework for inter-system security in the security
internet of things”, Applied Mechanics and Materials, 548-549, pp. 1430-1432, available at:
https://doi.org/10.4028/www.scientific.net/AMM.548-549.1430
Yousuf, T., Mahmoud, R., Aloul, F. and Zualkernan, I. (2015), “Internet of things (IoT) security: current
status”, International Journal for Information Security Research, Vol. 5 No. 4, pp. 608-616. 323
Yu, Z. and Tsai, J.J.P. (2008), “A framework of machine learning based intrusion detection for wireless
sensor networks 2”, Challenges on Intrusion Detection in 3. Our Framework of Machine Learning
Based ID for WSNs, pp. 272-279, available at: https://doi.org/10.1109/SUTC.2008.39
Zhang, Y., Bo, L. and Ma, Q. (2012), “A secure data exchange protocol for the internet of things”,
pp. 224-225.
Zhang, C. and Green, R. (2015), “Communication security in internet of thing: preventive measure and
avoid DDoS attack over IoT network”.
Zhao, G., Si, X., Wang, J., Long, X. and Hu, T. (2011), “A novel mutual authentication scheme for
internet of things”, pp. 563-566.
Zhao, K. and Ge, L. (2013), 2013 Ninth International Conference on Computational Intelligence and
Security A Survey on the Internet of Things Security, available at: https://doi.org/10.1109/
CIS.2013.145
Zheng, R., Zhang, M., Wu, Q. and Yang, C. (2013), “An IOT security risk autonomic assessment
algorithm”, Indonesian Journal of Electrical Engineering and Computer Science, Vol. 11 No. 2,
pp. 819-826, available at: www.iaesjournal.com/online/index.php/TELKOMNIKA/article/view/2030

About the authors

Omerah Yousuf is a PhD Scholar in the Department of Computer Science and
Engineering at NIT Srinagar, J&K (India). She received BTech in Computer Science
and Engineering from Islamic University of Science and Technology Awantipora,
Pulwama (India), in 2011, and MTech in Computer Science and Engineering from
Visvesvaraya Technological University Belagavi, Karnataka (India), in 2014. Her
current research interests include security in Internet of Things and wireless sensor
networks. Omerah Yousuf is the corresponding author and can be contacted at:
omerahyousuf@nitsri.net
Roohie Naaz Mir is a Professor and HoD in the Department of Computer Science and
Engineering at NIT Srinagar, INDIA. She received BE (Hons) in Electrical
Engineering from University of Kashmir (India) in 1985, ME in Computer Science
and Engineering from IISc Bangalore (India) in 1990 and PhD from University of
Kashmir (India) in 2005. She is a fellow of IEI and IETE India, senior member of
IEEE and a member of IACSIT and IAENG. She is the author of many scientific
publications in international journals and conferences. Her current research interests
include reconfigurable computing and architecture, mobile and pervasive computing
and security and routing in wireless ad hoc and sensor networks.

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com