Alaba Othman Et Al 2017 Internet of Things - Survey

Journal of Network and Computer Applications 88 (2017) 10–28

Contents lists available at ScienceDirect

Journal of Network and Computer Applications


journal homepage: www.elsevier.com/locate/jnca

Review

Internet of Things security: A survey

Fadele Ayotunde Alaba (a), Mazliza Othman (a), Ibrahim Abaker Targio Hashem (a), Faiz Alotaibi (b)

(a) Faculty of Computer Science and Information Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
(b) Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, 43400 Serdang, Selangor, Malaysia

ARTICLE INFO

Keywords: IoT; Security; Privacy

ABSTRACT

The Internet of things (IoT) has recently become an important research topic because it integrates various sensors and objects to communicate directly with one another without human intervention. The requirements for the large-scale deployment of the IoT are rapidly increasing with a major security concern. This study focuses on the state-of-the-art IoT security threats and vulnerabilities by conducting an extensive survey of existing works in the area of IoT security. The taxonomy of the current security threats in the contexts of application, architecture, and communication is presented. This study also compares possible security threats in the IoT. We discuss the IoT security scenario and provide an analysis of the possible attacks. Open research issues and security implementation challenges in IoT security are described as well. This study aims to serve as a useful manual of existing security threats and vulnerabilities of the IoT heterogeneous environment and proposes possible solutions for improving the IoT security architecture.

http://dx.doi.org/10.1016/j.jnca.2017.04.002
Received 3 December 2016; Received in revised form 14 March 2017; Accepted 4 April 2017
Available online 07 April 2017
1084-8045/© 2017 Elsevier Ltd. All rights reserved.

1. Introduction

The Internet of things (IoT) provides an integration of various sensors and objects that can communicate directly with one another without human intervention. The things in the IoT include physical devices, such as sensor devices, which monitor and gather all types of data on machines and human social life (Yan et al., 2014). The arrival of the IoT has led to the constant universal connection of people, objects, sensors, and services. The main objective of the IoT is to provide a network infrastructure with interoperable communication protocols and software to allow the connection and incorporation of physical/virtual sensors, personal computers (PCs), smart devices, automobiles, and items, such as fridge, dishwasher, microwave oven, food, and medicines, anytime and on any network (Aazam et al., 2016). The development of smartphone technology allows countless objects to be a part of the IoT through different smartphone sensors. However, the requirements for the large-scale deployment of the IoT are rapidly increasing, which then results in a major security concern (Gu et al., 2012).

Security issues, such as privacy, authorization, verification, access control, system configuration, information storage, and management, are the main challenges in an IoT environment (Jing et al., 2014). For instance, IoT applications, such as smartphone and embedded devices, help provide a digital environment for global connectivity that simplifies lives by being sensitive, adaptive, and responsive to human needs. However, security is not guaranteed. The privacy of users may be compromised and the information on users may be leaked when user signal is interrupted or intercepted. To extensively adopt the IoT, this issue should be addressed to provide user confidence in terms of privacy and control of personal information (F Li et al., 2016; S Li et al., 2016). The development of IoT greatly depends on addressing security concerns (Sicari et al., 2015).

This study focuses on security threats and vulnerabilities in the context of the IoT and the state-of-the-art IoT security. We survey a wide range of existing works in the area of IoT security that use different techniques. We present an IoT security taxonomy based on the current security threats in the contexts of application, architecture, and communication. Possible security threats and vulnerabilities of the IoT are also compared. We propose a new security scenario for the IoT structure and provide an analysis of the possible threats and attacks to the IoT environment.

This study aims to serve as a useful manual of existing security threats and vulnerabilities of the IoT heterogeneous environment and proposes possible solutions for improving the IoT security architecture. State-of-the-art IoT security threats and vulnerabilities in terms of application deployments, such as smart environment, intelligent transportation, smart grid, and healthcare system, have been studied. The IoT security, particularly the IoT architecture, such as authentication and authorization, has also been investigated.

The most relevant work is a secure IoT architecture for smart cities that uses the black SDN proposed by Chakrabarty and Engels (2016). However, the proposed architecture does not support a full SDN implementation due to the constrained nature of the IoT nodes, which makes IoT nodes vulnerable and causes new types of threats and attacks, including node capturing, eavesdropping, and tampering. The architecture also decreases the network efficiency and leads to complicated routing. The current study proposes a possible solution to the security problem based on the weaknesses and limitations of the existing approaches in a comprehensive way. Other related works include the end-to-end (E2E) secure key-managing protocol for e-health applications by Abdmeziem and Tandjaoui (2015). The security protocol is limited to offloading heavy cryptographic primitives to third parties and does not specify the necessary trade-off between the communication overhead and the number of third parties. Flauzac et al. (2015) proposed a novel SDN-based security architecture for the IoT using border controllers. However, the use of border controllers has many drawbacks, such as securing both wanted and unwanted traffic and enterprise protection. These challenges were not addressed by the authors. Hernández-Ramos et al. (2015) focused on a lightweight authentication and authorization framework for constrained smart objects. Nevertheless, the proposed framework was not integrated into the constrained IoT environments for authentication, authorization, and defining some alternative methods to evaluate its suitability.

The remainder of this paper is organized as follows. Section 2 presents an overview of the IoT and the difference between IoT security and conventional wireless network security. Section 3 provides the IoT classification. Section 4 discusses the threats and vulnerabilities of the IoT. Section 5 describes the IoT security taxonomy. Section 6 provides an IoT security scenario. Section 7 presents the discussions on possible attacks posed by the threats and vulnerabilities on the IoT. Section 8 offers future directions. Finally, Section 9 concludes the study.

2. Overview of IoT

The IoT has drawn attention recently because of the expansion of appliances connected to the Internet (Whitmore, and Atzori et al., 2015, 2010). IoT simply means the interconnection of vast heterogeneous network frameworks and systems in different patterns of communication, such as human-to-human, human-to-thing, or thing-to-thing (Horrow and Anjali, and Al-Fuqaha et al., 2012, 2015). Moreover, the IoT is a realm where physical items are consistently integrated to form an information network with the specific end goal of providing advanced and smart services to users (Botta, and Da et al., 2016, 2014). The connected things (for example, sensors or mobile devices) monitor and collect all types of environment data. They enable the collection of real-time data about properties, individuals, plants, and animals.

In the IoT model, sensor-equipped devices know how to deliver lightweight data around the physical world, authorizing cloud-based resources to extract data and make choices from the extracted data by using actuator-equipped devices (Borgia, and Weber et al., 2016, 2010), which enhance the communication among nodes. With the degree and size of the IoT components, the IoT applications have been improved using different methods, techniques, and models derived from device-driven-embedded frameworks (Mansfield-Devine, 2016). The IoT is required to address the problems related to the IoT application environments, such as real-time communication (Jutila, 2016), the presence of both sensor and actuator, and the distributed heterogeneous nature of the IoT. Different research groups have investigated the method of securing a wireless sensor network (WSN), which is a major component for developing constrained devices in the IoT (Borgia et al., 2016; Zhu et al., 2015a; and Roman et al., 2011).

WSNs are ad hoc networks that are considered the major building blocks for the IoT devices. They are used for gathering data from their surrounding and delivering them to users and for accessing connected IoT devices remotely. They comprise an extensive number of small nodes that can detect, compute, and communicate with other devices (Bi, and Frizzo-barker et al., 2016, 2016). The communication between the Internet and the sensor nodes should satisfy secrecy, trustworthiness, verification, and non-revocation (Li, and Gluhak et al., 2016, 2011). The privacy and security issues in the IoT differ from those in conventional and other wireless networks in terms of deployment and technology (Yinbiao et al., 2014). The IoT networks are deployed on low-power and lossy networks (LLN). LLNs are networks constrained by energy, memory, and processing power. Hence, lightweight encryption technology, which includes lightweight cryptographic algorithm, is used for securing the IoT environments. These aspects have not been considered for conventional and other wireless networks (Suo et al., 2015).

2.1. IoT Security versus conventional security

Several key differences exist between the IoT and conventional wireless networks in terms of dealing with security and privacy. For example, the deployment of the IoT is unique compared to that of the normal Internet. The IoT devices are set up on LLNs, whereas others have extremely dynamic topologies that rely on the application. LLNs are strained by dynamism, memory, and processing power (Lu, 2014). These aspects are not considered for the standard Internet. LLNs experience great data losses due to node impersonation. For instance, in the process of data transmission, if an attacker can connect to the network using any identity, the attacker can be assumed an authentic node. In the case of smart meter applications, the readings can be manipulated by an attacker to send erroneous control messages (Lu, 2014).

The security features and requirements of both the IoT and conventional network devices are also different (Suo, and Yan et al., 2015, 2014). In the IoT perception layer, sensor nodes have limited computational power and low storage capacity, which make the frequency hopping communication application and public key encryption to secure the IoT devices impossible. Lightweight encryption technology, which includes lightweight cryptographic algorithm, is used for the IoT devices. The IoT network has security issues, such as man-in-the-middle and counterfeit attacks, in the network layer. Both attacks can capture from and send fake information to communicating nodes in the network (Zhao, 2013). Identity authentication and data confidentiality mechanism are used to prevent unauthorized nodes. At the application layer, data sharing is the main feature. Data sharing creates security problems in data privacy, access control, and disclosure of information (Zhang, 2015). The security requirements for the application layer include authentication, key agreement, and protection of user privacy across heterogeneous networks.

Furthermore, the communication protocols in both networks differ. Each layer in the networks has its own communication protocol. For example, IPv6 is used over low-power wireless personal area networks in the IoT perception/physical layer, whereas wireless fidelity is used in the physical layer in conventional networks. In the IoT network layer, Datagram Transport Layer Security (DTLS) is used as a communication protocol, whereas conventional network uses a transmission control protocol (TCP). Constrained Application Protocol (CoAP) is used in the IoT application layer for communication, whereas Hypertext Transport Protocol (HTTP) is used in the application layer of conventional networks (Milbourn, 2016).

In summary, the conventional security architecture is designed based on the perspective of users and not applicable for communication among machines. The security issues in both networks may be similar, but different approaches and techniques are used in handling each network security issue (Kai, 2016). In this survey, the security threats and vulnerabilities discussed are specific to the IoT devices. (Figs. 1 and 2).
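
The node impersonation and smart-meter manipulation risk described in Section 2.1, and the identity authentication countermeasure named there, can be illustrated with a gateway that accepts a reading only when it carries a valid per-node tag. This is an added example, not code from the survey: the frame layout, meter IDs, keys, and the choice of a truncated HMAC-SHA256 tag with a replay counter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the paper): 4-byte meter id, uint32 counter,
# int32 reading in Wh, followed by a truncated HMAC-SHA256 tag.
HEADER = struct.Struct(">4sIi")
TAG_LEN = 8  # short tag keeps the frame small on a constrained, lossy link


def build_frame(key: bytes, meter_id: bytes, counter: int, reading_wh: int) -> bytes:
    """Node side: serialise one reading and append its authentication tag."""
    body = HEADER.pack(meter_id, counter, reading_wh)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Gateway:
    """Gateway side: accept a reading only from a provisioned, authenticated node."""

    def __init__(self, provisioned_keys):
        self._keys = dict(provisioned_keys)  # meter id -> pre-shared symmetric key
        self._last_counter = {}              # meter id -> highest counter accepted

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return (False, "malformed")
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        meter_id, counter, reading_wh = HEADER.unpack(body)

        key = self._keys.get(meter_id)
        if key is None:
            # Claiming an arbitrary identity is not enough to join.
            return (False, "unknown-node")

        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            # Wrong key (impersonation) or modified body (manipulated reading).
            return (False, "bad-tag")

        if counter <= self._last_counter.get(meter_id, -1):
            # A captured genuine frame sent again.
            return (False, "replay")

        self._last_counter[meter_id] = counter
        return (True, reading_wh)


def demo():
    """Run constructed sample frames through the gateway and collect verdicts."""
    # Constructed sample key and meter id, for illustration only.
    keys = {b"MTR1": bytes.fromhex("00112233445566778899aabbccddeeff")}
    gw = Gateway(keys)
    results = {}

    genuine = build_frame(keys[b"MTR1"], b"MTR1", 1, 1520)
    results["genuine"] = gw.accept(genuine)

    # Node that claims to be MTR1 but does not hold MTR1's key.
    forged = build_frame(b"\x00" * 16, b"MTR1", 2, 999999)
    results["impersonation"] = gw.accept(forged)

    # Genuine frame whose reading was altered in transit; the tag no longer matches.
    frame2 = build_frame(keys[b"MTR1"], b"MTR1", 2, 1530)
    tampered = HEADER.pack(b"MTR1", 2, 15) + frame2[HEADER.size:]
    results["tampered"] = gw.accept(tampered)

    # The first genuine frame, sent a second time.
    results["replay"] = gw.accept(genuine)

    # Identity that was never provisioned on the gateway.
    results["unknown_node"] = gw.accept(build_frame(b"k" * 16, b"MTRX", 1, 10))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The tag is checked before the counter, so an unauthenticated frame cannot advance or probe the replay state of a genuine node.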

Fig. 1. Landscape of IoT.

Fig. 2. IoT Network vs. Conventional network.

3. Classification of IoT

The IoT can be classified into three layers (Zhao and Ge, 2013), namely, application, perception, and network protocol, as shown in Fig. 3.

3.1. Application layer

No universal standard for constructing the IoT application layer currently exists (Zhao and Ge, 2013). The application layer can be structured in several ways based on the service it offers. The application layer is the uppermost layer and is visible to the end user. Applications, such as smart grid, smart city, healthcare system, and intelligent transportation protocols, constitute this layer (Jing et al., 2014). An application layer protocol is distributed over multiple end systems, in which the application in one end system uses a protocol to exchange information packets with an application in another end system (Oen, and Nolin and Olson, 2015, 2016). An application layer typically comprises a middleware, a machine-to-machine (M2M) communication protocol, cloud computing, and a service support platform (Yaqoob et al., 2017). The security issues differ depending on the industry and environment (Valmohammadi, 2016).

3.1.1. Smart environment

The integration of the IoT applications enables the conception of smart surroundings, such as smart cities. A smart environment combines the services provided by multiple shareholders and scales to support numerous users in a dependable and distributed way (Kotsev et al., 2016). They should be capable of working in both wired and wireless system environments and manage limitations, such as data access with restricted control and untrustworthy network. Numerous strategies, techniques, models, functionalities, frameworks, applications, and middleware solutions are identified with context awareness in an IoT smart environment (Ning and Liu, 2015). The M2M communication among the IoT devices is thus less demanding and provides more important data that help in recognizing a situation or data (Perera et al., 2014). However, smart city devices are exposed to various threats and attacks, including smart city Denial-of-Service (DoS) attack, data manipulation, fake seismic detection, and fake flood detection (Zhu et al., 2015a).

3.1.2. Smart grid

A smart grid is an electrical grid that comprises different operational and energy measures, such as smart meters, smart appliances, renewable energy resources, and energy-efficient resources (Mahmood et al., 2016). The high demand for extended energy sources has led to the modernization of the traditional electrical distribution system that is beneficial to energy distribution. Smart grid is defined as a smart electrical distribution system that involves a wide range of electrical power functions, such as smart meters, smart machines, sustainable energy resources, and effective energy properties, which distribute energy flows from manufacturers to users in a bidirectional way. Smart grids serve as building blocks for energy management for a sustainable environment (Borgia, 2014). Smart grids are reliable, improve cost and savings, and enhance energy independence. Smart grid is vulnerable to different attacks and threats, such as customer security, physical security, trust among traditional power devices, endpoints on devices, and malicious attacks.

3.1.3. Healthcare system

The increasing cost of health maintenance and the frequency of prolonged diseases worldwide earnestly demand the reconstruction of healthcare services from the doctor facility-focused framework to an individual-focused environment, with attention on controlling the diseases and the health condition of patients (Moosavi et al., 2015). The framework is based on radio frequency technology that delivers general networking performances. E-health depends on the interrelationship of tiny nodes developed using sensing (detecting) and actuating (activating) capacities embedded inside or outside the human body (Abdmeziem and Tandjaoui, 2015). The applications are connection mindful, active, and personalized, and they depend on trusted channels
for communication with connected devices. The rapid increase in the IoT services has prompted the requirement for modern approaches to handle heterogeneous devices, fluctuating availability, and data-creating behavior (Abdmeziem and Tandjaoui, and Aazam et al., 2015, 2016). Smart healthcare involves the use of smart health cards that protect the security and privacy of patients. However, smart health cards are vulnerable to threats and attacks, such as theft, loss, insider misuse, unintentional actions, hacking, internal attack, and cyber-attack (Aman and Snekkenes, 2016).

Fig. 3. IoT classification.

3.1.4. Intelligent transportation

Information technology, vehicle manufacturers, and industries are a part of the IoT revolution through the creation of new types of products and systems by integrating several technologies and communication solutions, which include radio frequency identification (RFID) tags, sensors, and actuators, into newly developed systems (Kanuparthi et al., 2013). The incorporation of detection innovations in passive RFID tags would enable completely novel functions in the IoT application domain, particularly in tracking locations and movement and monitoring temperature (Atzori et al., 2010). Dedicated Short Range Communication (DSRC) is a communication system that consists of RSU and On Board Units (OBUs) with transceivers and transponders. It is mainly used for frequent data communication between vehicle-to-vehicle or vehicle-to-roadside infrastructure, for example, toll collection, and operates between the radio frequencies of 5.725 MHz and 5.875 MHz. Moreover, DSRC provides support for intelligent transport system through Electronic Fee Collection (EFC) application for toll collection. EFC is mostly used in United States and European Union countries such as Switzerland, Germany, Austria etc. (Bansal et al., 2013).

EFC deployment in Europe is primarily based on the European DSRC 5.8 GHz technology, a standard developed by Comité Européen de Normalization (CEN) which is based on the European Telecommunications Standards Institute (ETSI) and the security standard is IEEE 1609.2. But these systems are currently incompatible in terms of technology, security, and charging principles. The tariff principle is one of the main reasons for the incompatibility in the classification parameters used and how the fee is calculated (i.e. whether it is based on network, distance or zone/congestion). For example, with respect to security, the use of different security mechanisms to protect the integrity of the data stored in OBU (Li, 2015). Hence, standardization is important in order to ensure interoperability, particularly for EFC applications, for which the European imposes a need for interoperability of systems.

Intelligent transportation deploys large scale WSNs to observe travel time online (i.e., from the starting point to the endpoint), routing decisions, queue lengths, air pollutants, traffic congestions, and noise emissions. Intelligent transportation involves traffic control, parking, and public transportation. Its ease-of-use enables different individuals to be well-informed and the secure, organized, and smooth use of intelligent transportation systems (Mishra, 2015 and Miorandi, 2012). However, intelligent transportation is also exposed to several types of threats and attacks, such as DoS, improper configurations, insecure transmission channel, congestion control, security and spectrum sharing. Table 1 compares the possible security threats in the IoT devices and the enabling communication technologies deployed in the application domain. The application domain includes smart environment, smart grid, healthcare system, and smart transportation.

Table 1
Comparison of security threat and communication channel in IoT application domain.

| Applications | Network communication | IoT devices | Type of threat |
|---|---|---|---|
| Smart environment | Wi-Fi, Ultra-wideband, ZigBee, Bluetooth, LTE, LTE-A | buildings, people | Authentication, Privacy, Eavesdropping, Authorization |
| Smart grid | Wi-Fi, ZigBee, Z-Wave | Smart meters and Smart readers | Privacy, Eavesdropping, Physical attack, tampering |
| Healthcare system | Bluetooth and ZigBee | Sensors, Smart wearable devices | Privacy, authentication, authorization, DoS |
| Intelligent transportation | DSRC 5.8 GHz | EFC, RSU, OBUs | Jamming, Congestion, security and spectrum sharing |

3.2. Perception layer

The perception layer involves the collection of information. This layer is classified into two sections, namely, the perception node (sensors, controllers, and so on) and the perception network that interconnects the network layer (Tsai et al., 2014). Data are acquired and controlled at the perception node, while control instructions for sending and controlling data are carried out at the perception network layer. Perception layer technologies include all types of sensors, such as RFID, ZigBee, sensor nodes, and sensor gateways (Jing et al., 2014).

3.2.1. RFID

RFID technology is the main revolution in the embedded communication model that facilitates the configuration of microprocessors for wireless communication. Two types of RFID tags exist, namely, active and passive (Atzori et al., 2010). Active RFID tags have their power source. They are almost the same as the lower end nodes of WSNs in terms of limited processing capability and storage. These tags provide signals to readers regardless of their distance and their battery supply is capable of providing instant communication. Active RFID devices have constrained life spans. On the contrary, passive RFID tags are not powered by battery. They use the power from the inquiry signal of the reader to establish communication from the tag to the RFID reader. They are used in many applications, such as bank cards and road toll tags. Passive RFID tags are tiny and have a virtually unconstrained life span. The major features of RFID tags are auto identification and the unique identity that includes the rapid exchange of information between tags and readers through wireless connections. The possible threats to and attacks on RFID include tracking, DoS, repudiation, spoofing, eavesdropping, data newness, accessibility, self-organization, time management, secure localization, tractability, robustness, survivability, and counterfeiting (Jing et al., 2014).

3.2.2. Sensor nodes

A sensor node can gather and process sensory data and interconnect with other nodes in the network. Sensor nodes have the following components: (i) a controller that executes data processing and controls the performance of other parts in the node, (ii) a transceiver that transmits and receives radio frequencies, (iii) a program memory that is used for programming the device, (iv) a power source that supplies power to the nodes, and (v) hardware that is used to capture data from the environment (Wu et al., 2014). The major components of a sensor node are the sensors and actuators that are used for sensing and activating devices based on the commands sent from the nodes. The sensor node is flexible and has high latency in communication. Nonetheless, sensor nodes are vulnerable to different threats and attacks, which include node subversion, node failure, node outage, passive information gathering, false node message corruption, exhaustion, unfairness, Sybil, jamming, tampering, and collisions (Zhang, and Massis et al., 2015, 2016).

3.2.3. Sensor gateways

Sensor gateways deal with wireless network and collective data from various distributed WSN nodes. Every gateway includes a 2.4 GHz IEEE 802.15.4 radio for communication. WSN involves the collection of dedicated transducers with a communication framework for checking and recording the conditions of any sensor device at different positions/locations. The following parameters are checked regularly: temperature, humidity, pressure, wind direction and speed, light strength, vibration strength, sound strength, power-line voltage, chemical concentrations, pollutant levels, and dynamic body functions. The wireless communication channel involves radio communication, transmitters, and receivers for the data exchange between two or more devices. This channel enhances user access, network expansion, mobility, and collaboration. Nevertheless, this channel leads to several threats and attacks, such as misconfiguration, hacking, signal loss, DoS, war dialing, protocol tunneling, man-in-the-middle attack, interruption interception, and modification fabrication (Liu et al., 2016).

Table 2 compares the IoT communication channels from a security perspective with focus on the most common technologies used in the IoT, such as RFID, sensor nodes, and sensor gateways.

Table 2
Comparison of IoT communication channel regarding security.

| Type of security | RFID | Sensor nodes | Sensor gateways |
|---|---|---|---|
| Encryption | Weak | Fair | None |
| Authentication | Fair | Strong | Strong |
| Authorization | Fair | Strong | Strong |
| Privacy | Fair | Fair | Weak |

3.3. Network layer

The network layer provides network transmission and information security and delivers pervasive access environment to the perception layer, that is, data transmission and storage awareness. The network layer includes mobile devices, cloud computing, and the Internet (Pongle and Chavan, 2015).

3.3.1. Mobile device

A mobile device (e.g., tablet or laptop) is a portable device with an operating system (OS) that can run applications, such as business, enterprise resource-planning, and finance applications. Most portable devices are equipped with Wi-Fi, Bluetooth, Near-Field Communication (NFC), and Global Positioning System (GPS) capabilities that allow connections to the Internet and other devices. Mobile devices can also be used to provide location-based services (Bohge and Trappe, 2013). Smartphones and personal digital assistants are suitable for users who want to utilize some of the conveniences of a traditional PC at a location where moving one would be impractical. Digital business partners can further enhance the accessible components for business users by integrating data capture devices, such as barcode, RFID, and smart card readers (Laghari and Niazi, 2016). Nevertheless, mobile devices are vulnerable to threats and attacks, such as tracking, eavesdropping, DoS, bluesnarfing, bluejacking, bluebugging alteration, corruption, and deletion (Bekara, 2014).

3.3.2. Cloud computing

Cloud computing is Internet-based distributed computing that provides common data processing for different devices based on a set of requirements. This distributed computing is a model for enabling pervasive, suitable on-demand network access to a common pool of developing computing properties (e.g., servers, systems, storages, functions, and utilities). In the IoT, cloud computing technology has made the task of processing the large amount of data produced by communicating devices easy and provides the IoT devices with resources on-demand (Horrow and Anjali, 2012). This technology also provides high computing power, low-cost services, high performance, versatility, and openness for device accessibility (Botta et al., 2016). However, cloud users face many security threats and vulnerabilities, including identity management, dynamic change in the IoT devices (heterogeneity) that makes transmitted data inaccessible to an authentic node, data access controls, system complexity, physical security, encryption, infrastructure security, user identity, a management approach to security, and misconfiguration of software (Horrow and Anjali, 2012).

3.3.3. Internet

The Internet is the global arrangement of interconnected computers that uses the traditional Internet protocol (IP) suite (TCP/IP) to connect billions of devices globally. This arrangement consists of a network of networks, such as private, public, academic, business, and government networks, from a local to a worldwide scope that are connected by an extensive collection of electronic, wireless, and optical networking technologies (Bahtiyar and Ufuk Çağlayan, 2012). A broad range of information and services are provided by the Internet, such as the connection between hypertext files and the World Wide Web application, e-mail, communication, and distributed systems for document sharing (Islam et al., 2015). The Internet communication framework consists of hardware components and software layers that control various aspects of the framework. The Internet serves as a platform for millions of constrained devices connected to communicate and share resources (Mazlan, 2014). However, the Internet is exposed to several common security and privacy challenges, such as confidentiality,
encryption, viruses, cyberbullying, hacking, identity theft, reliability, integrity, and consent (Akhunzada et al., 2016).

4. Threats and vulnerabilities of the IoT

In this section, related works that focus on the threats and vulnerabilities of the IoT are discussed to explore the various types of existing security solutions for the IoT. The related works specifically focused on security solutions for the threats and vulnerabilities of the IoT architecture and their applications.

Several specific solutions for the IoT architecture and applications have been proposed in the literature (Granjal, and Guo et al., 2015, 2017). A secure IoT architecture for smart cities that addresses the vulnerabilities in traditional IoT systems was proposed by Chakrabarty et al. (2016) and Haroon et al. (2016). The architecture comprises black networks and a Key Management System (KMS) that provide confidentiality, integrity, privacy, and efficient key distribution. The aim was to deliver security services that mitigate the vulnerabilities of the IoT networks at the link and network layers, specifically for mission-critical data. The drawbacks of this approach include lack of privacy solution for defining device location and new routing challenges for the IoT nodes created by header encryption that are asleep, which leads to data loss.

Valdivieso et al. (2014) and Akhunzada et al. (2016) proposed a SDN architecture for developing the IoT applications to eliminate the inflexible security nature of traditional networks. A SDN architecture was adopted to provide a basis for developing a secure network OS that allows administrators to have a global view of possible threats to and attacks on the IoT network and provide them the privilege to control the network against the threats. Nevertheless, security, scalability, and reliability are some of the drawbacks of SDNs. The separation of the control and data planes of a SDN causes poor performance in packet processing, which in turn leads to significant problems, such as packet delay or loss and distributed DoS (DDoS) attack.

Similarly, a novel SDN-based security architecture for the IoT, also known as the SDN domain using border controllers, was proposed by Flauzac et al. (2015). The authors described how SDN could be used to interconnect heterogeneous IoT devices, how the security of each domain could be enhanced, and how the security rules could be distributed without compromising the security of any domain. However, the authors were not able to address the challenge of securing both wanted and unwanted traffic and enterprise protection, which are the major drawbacks of using border controllers.

Abdmeziem and Tandjaoui (2015) proposed a novel lightweight key management protocol. The protocol depends on the association of different IoT security components to set up a secure and protected communication channel for constrained nodes and wireless things. During data transmission along the channel, the protocol guarantees data confidentiality and constrained node authentication. However, the security protocol is limited to offloading heavyweight cryptographic primitives to unwanted parties and does not specify the necessary tradeoff between the communication overhead and the number of third parties.

Hernández-Ramos et al. (2015) focused on a lightweight validation and authorization security framework for constrained smart objects. The objects/devices in the proposed security framework are compliant with the recent IoT Architectural Reference Model project presented by the EU FP7 IoT-A Project. The framework subsequently intends to propose a general security method for developing novel lightweight security protocols in the IoT. Nonetheless, the authors did not integrate the proposed framework into the constrained IoT environments for authentication, authorization, and defining alternative procedures to evaluate its correctness.

Neisse et al. (2015) proposed SecKit, a security toolkit for integrating a management framework for the IoT devices. The security toolkit aims to collect meta-models and provide a foundation for developing the IoT security engineering tools, add-ons, runtime components, and extensions to address the security, data protection, trust, and privacy requirements for the constrained IoT environment. The framework also enables and enhances cross-domain security configuration and interoperability. One drawback of this approach is that it does not provide a design analysis on how to deploy security and privacy solutions for devices operating in a dynamic environment. Another drawback is that data safety is not guaranteed as malicious attackers could easily take over the IoT actuators and send incorrect information to influence the data transmission process between connected devices.

In this survey, several specific solutions to the threats and vulnerabilities of the IoT architecture and applications are examined and discussed. However, instead of developing individual solutions for separate architecture and application scenarios, we believe that the IoT applications can be secured through adopting a universal IoT security architecture by considering the proposed IoT security solutions in this survey. To the best of our knowledge, none of the existing security techniques has the following IoT architecture properties:

- A privacy solution for defining node locations and handling new routing challenges created during the header encryption for the IoT nodes that are asleep (i.e., a secure IoT architecture that helps in addressing translations, defining location privacy, and characterizing mobility should be designed to achieve this goal)
- A simple symmetric cryptography solution to third parties at the constrained nodes for offloading
- Handling poor performance in packet processing as a result of separating the control and data planes in the SDN (i.e., the only way to improve the SDN performance is to ensure the integration of the control and data planes, so that the SDN technology can use applications, such as encryption, analysis, and traffic classification)
- Allowing the constrained nodes to dynamically set up a shared key with any wireless things with which no previous shared knowledge has been established (third parties are dedicated to supporting the constrained nodes in this process to reach this goal)
- Guaranteeing an E2E code where no entity has the knowledge of the exchanged secret apart from the constrained nodes and the wireless things

In fact, developing a generic security solution for a wide range of IoT applications and that is backward compatible with existing solutions is safer (Bonetto et al., 2012).

In the next section, our newly designed IoT security taxonomy that includes application, architecture, communication, and user is presented and elucidated.

5. Taxonomy of the IoT security

The existing IoT security approaches discussed in Section 3 indicate the need to design a new security taxonomy that is simple and more specific to categorizing classes of security threats and vulnerabilities in each IoT application domain. We therefore specify the functionalities and performances of each domain on different threats and vulnerabilities and explain how security countermeasures may improve the security services in any IoT application domain.

The security information profile of the IoT devices always changes as a result of new security threats imposed on the devices. In spite of the fact that the implementation of technological solutions may react to the IoT threats and vulnerabilities, the security for the IoT is a significant management issue. The effective management of the threats related to the IoT requires a sound and thorough evaluation to mitigate known threats in the IoT environment (Covington, 2013). The taxonomy for the IoT security must provide a comprehensive analysis of the security mechanisms, including the services and the attacks, and how all of their components work to provide system developers and analysts the necessary information to design and analyze secured systems
(Whitmore et al., 2014).

The IoT security taxonomy presented in this survey is an effort to address several of the faults and shortcomings of previous works. Considering that our taxonomy attempts to map the existing security attacks to security services, we use the list of security services proposed by Akhunzada et al. (2016) as one of the axes of our taxonomy.

The proposed taxonomy helps build a security framework for the IoT in a heterogeneous environment. The IoT security taxonomy will definitely help in the security evaluation for the IoT, which is a critical issue (Mahalle, and Babar et al., 2010, 2015). The proposed taxonomy will be used as a framework that will systematically examine some new unknown vulnerabilities and attacks in the IoT networks. This taxonomy will help security developers develop security models for constrained devices and provide a valuable information tool for security analysts.

The first step in developing our taxonomy is building a new classification of the application domain, architectural domain, communication channel, and data domain for the IoT. We then introduce a new matrix taxonomy for the IoT security that relates each classification to its appropriate components. Finally, we discuss and analyze each security component, evaluate its impact, and link it to one or more possible security countermeasures, as shown in Fig. 4.

Fig. 4. IoT security taxonomy.

5.1. Application

Numerous application areas will be affected by the IoT development. Applications are categorized based on the type of network accessibility, scope, scale, heterogeneity, repeatability, and user involvement (Gubbi et al., 2013). Several security techniques exist, as shown in the IoT security taxonomy. The most commonly used security techniques that are considered with the use cases in this application domain are (i) authentication, (ii) authorization, (iii) exhaustion of resources, and (iv) trust establishment. The summary is provided in Table 3.

Table 3
Summary of different IoT security technologies.

Reference | Technologies | Objectives | Advantages | Limitations | Domain
Gubbi et al. (2013) | Cloud implementation using Aneka computing platform | To determine the current IoT application trends and the requirement for merging different interdisciplinary technologies | It utilizes storage and system resources together with public (open) and private clouds. It supports the provision of resources for public clouds, such as Microsoft Azure, GoGrid clouds, and Amazon EC2. | Security and personality protection is a serious issue in hybrid clouds. | Smart environment
Yao et al. (2014) | Lightweight no-pairing attribute-based encryption (ABE) scheme based on elliptic curve cryptography (ECC) | To address the security and privacy problems in the IoT; To reduce computation and communication overhead | ABE is applicable in cipher-text-based access control and broadcast encryption. | Poor scalability; Poor flexibility in revoking attribute | Single-authority applications
Jiang et al. (2015) | Revised secret-sharing scheme (Shamir's secret-sharing scheme) | To achieve data scalability; To reduce complex key management related to conventional cryptographic algorithms; To deliver reliability feature at the data level | Scalability is achieved with Shamir's secret-sharing scheme. | It generates computational overheads that bring potential bottlenecks. Hardware failure leads to the issue of fault tolerance. | Data mining and analytics
Aazam et al. (2016) | Resource estimation and management using fog computing | To propose a probabilistic resource estimation model of customer for fogs | Fog permits real-time data delivery. Fog brings cloud properties to the edge of the basic IoT and other end nodes. | Minimum latency is difficult to achieve. | Healthcare
Bose et al. (2015) | Lightweight scheme to secure channel establishment | To regulate the amount of privacy from the fine-grained sensor information; To save the protection content through secure exchange of information | It influences the relationship between the privacy and the security of sensor datasets. It offers E2E adaptive and improved security with minimum resource consumption. | It can only consider a single security scenario (i.e., sensitivity). | Smart energy meter

5.1.1. Authentication

In the IoT application domain, authentication allows the integration of different IoT devices and their deployment to various smart environments, such as smart cities. A smart environment can merge different services provided by different multiple shareholders and scales to support numerous users in a dependable and distributed manner (Martín-Fernández et al., 2016). Authentication involves validation among routing peers of connected IoT devices before exchanging the route information (known as peer authentication) and guaranteeing that the source of the route data is the connected peer devices (known as data origin authentication). This validation helps enhance the primary element in the IoT vision, which is M2M communication (Perera et al., 2014). A broad range of techniques and middleware solutions that make M2M communication easy are identified with framework responsiveness in the IoT.

Gubbi et al. (2013) focused on a common authentication scheme for the IoT between different layers and terminal nodes. The scheme is based on hashing and element extraction. The extracted element is mutually shared with the hash function to dodge any jamming attacks. This scheme essentially provides a good security solution for the authentication in the IoT. The extraction procedure comprises some irreversibility properties (which are lightweight) that guarantee the security of connected things in the IoT domain. The scheme emphasizes the authentication process among different IoT layers that send data to terminal nodes and not the reverse. The claim that the scheme would enhance data security was based only on theory and no practical proof was presented to support it.

Ndibanje et al. (2014) proposed a security analysis and authentication and access control improvements for the IoT. Their work primarily broke down current authentication and access control approaches and proposed a practical protocol for the IoT. A simple, efficient, and secure key establishment based on Elliptical Curve Cryptography (ECC) for the authentication protocol was used to improve device authentication. A Role-Based Access Control (RBAC) was also introduced for the access control policy on applications associated with the IoT network. Nevertheless, the communication overhead for the IoT sensor nodes was high, and practical experiments on the proposed security valuation were not performed.

Ye et al. (2014) introduced an efficient authentication and access control technique. Their technique was based on a general perspective of the security issues for the IoT perception layer. This technique creates a session key that is based on ECC, which improves the mutual authentication between user and sensor nodes. However, this technique only solves the authentication issues in the IoT perception layer and does not address the attribute-based access control policy among devices.

Neisse et al. (2015) proposed an identity authentication model for the capability based on access control for the IoT. A public key technique is employed in the proposed model, which is suitable for
lightweight security approaches, mobile/portable devices, distributed devices, and constrained IoT devices using different communication technologies, such as Bluetooth, 4G, WiMAX, and Wi-Fi. This approach uses timestamp as part of the authentication message among communicating devices to prevent MitM attacks. The identity authentication in this approach is carried out in three sequential phases.

- Key generation phase: In this phase, a secret key that is based on the ECC-Diffie-Hellman algorithm is generated.
- Establishment phase: This phase involves establishing the device identity after generating the secret key. Identity establishment is conducted by either one-way or mutual authentication protocol.
- Implementation phase: This final phase grants access control to authenticated devices to communicate with one another.

Although the model does not prevent DoS attacks completely, it reduces the risk because resource access is granted to only one ID at a time (Mahmood et al., 2016).

Al-turjman and Gunay (2016) introduced a lightweight authentication protocol to secure RFID tags. The perception layer of the IoT involves devices, such as RFID and sensors. These devices are constrained in nature, and their computational capability is limited. These characteristics pose a problematic issue to the application of any cryptography algorithms to guarantee the IoT network security. When the RFID is insecure, an attacker can easily gain access to the network through sniffing and reprogramming the electronic product code tag of the victim. This attack can be avoided by applying an authentication protocol on the tags. The authentication protocol safeguards the combined authentication between RFID readers and tagged items with minimum computation overhead on the devices.

5.1.2. Authorization

Authorization involves specifying access rights to resources, such as healthcare devices, related to information security and access control. E-health depends on the interrelationship of tiny nodes developed using the sensing (detecting) and actuating (activating) capacities embedded inside or outside the human body. E-health applications are connection mindful, dynamic, individual, and dependent on trust. The data should be secure and accessible to authorized users only.

In the IoT, users can be humans, machines, services, internal objects (i.e., devices within the network), and external objects (i.e., devices outside the network). For instance, sensors should not expose the collected data to an unauthorized neighboring node (Abdmeziem and Tandjaoui, and Aazam et al., 2015, 2016). One more authorization issue that must be addressed is how data is managed and controlled in a heterogeneous IoT environment. The users of the IoT should know about the data management mechanisms that will be applied and the procedure or administration, and guarantee that the data are protected all throughout the procedure (Moosavi et al., 2015).

Gaur et al. (2015) proposed ID authentication at the IoT sensor nodes. The approach was based on the one-time cipher request-reply scheme. The scheme uses a pre-shared matrix by applying a dynamic variable cipher when communication involves multiple parties. The communication parties create a random coordinate that serves as the key (i.e., password) coordinate. Every communication (messages) among parties is encrypted using a key and node ID together with a timestamp. The communicating parties communicate by authenticating the timestamps, and they could also use the timestamp to cancel a session. However, this approach is only efficient in an IoT domain where securing things is not exceptionally delicate and significant because the key can be rehashed for various coordinates. If the password is changed consistently, then the security could be enhanced for that specific IoT framework. The establishment of the pre-shared matrix needs to be secure for this work to be implemented in an extensive number of IoT devices.

5.1.3. Exhaustion of resources

The high demand for ubiquitous resources, such as energy sources, can add to the current system resources and greatly influence the performance of different applications, which can in turn lead to resource leakages and overloading in the IoT (Borgia, 2014). Bekara (2014) indicated that resource-exhaustion vulnerability is a particular type of fault that causes the consumption or allocation of some resources in an undefined or unnecessary manner or the incapability to release it when no longer required, which eventually causes its depletion.

Resource depletion attacks drain the energy of target IoT nodes by introducing routing loops and extending the path during packet transmission. Routing protocols are vulnerable to resource depletion attacks (Raju, 2014).

Resource exhaustion also occurs in places where an attacker transmits consistently high volumes of packets from one or more attack nodes. In this case, all the sensor nodes that are within the transmission range of the attack nodes are possible targets and their batteries are subject to intentional exhaustion. The degradation of batteries is accelerated if the packets from the attackers elicit a transmitted response time from the target nodes. This degradation occurs, for example, when the target nodes choose to forward the packet to other nodes in the WSN. Resource exhaustion attacks that are executed in this manner are more severe than other DoS attacks because more sensor nodes become unavailable at the same time and the nodes may be isolated in sub-networks that cannot communicate with one another (Botta et al., 2016).

5.1.4. Trust establishment

A convincing trust mechanism must be available to establish trust between the IoT physical objects and events, such as interconnected WSNs, RFID-based systems, and mobile phones (Akhunzada et al., 2016). Sensitive user information that is stored in the application server can be compromised, which can subsequently lead to forging legitimate user credentials in the network. Mechanisms to verify network devices exist. However, convincing mechanisms for establishing trust in verifying network applications do not exist. Therefore, trust establishment is crucial for suitable interoperability among devices. Trust involves the preservation of user privacy, such as personal user data, by the policy and prospect of the IoT users in a flexible manner (Josang et al., 2012). Given that the IoT devices are portable and mobile in nature, the devices can be moved physically from one owner to another; thus, trust should be established between both parties to allow the smooth movement of the devices in terms of access control and authorization. Atzori et al. (2010) introduced a model of mutual trust in the system security in the IoT by developing an item-level access-control framework. The framework establishes trust among the connected IoT devices during data transmission. The authors used key creation and token as the mechanisms for establishing trust in this model. The mechanisms guaranteed the authorization among communicating devices by assigning creation keys and tokens to the IoT devices during data transmission.

5.2. Architecture

No universally acceptable IoT architecture currently exists (Chen et al., 2011a, 2011b). Several research types have been conducted on the IoT architecture in different scenarios and application domains in terms of authentication and authorization. Table 4 provides a summary of existing IoT architectures and application domains.

Table 4
Different IoT security architecture types and application domains.

Reference | Architecture | Application Domain | Objectives
Valdivieso et al. (2014) | SDN Architecture | Smart environment | To eliminate the rigidity present in traditional networks.
Moosavi et al. (2015) | SEA Architecture | Healthcare | To improve the secure and efficient verification and authorization framework for IoT-based healthcare systems.
Gaur et al. (2015) | Smart City Architecture | Smart City | To ease the interaction of remote sensor systems and data with communication technologies.
Ramo et al. (2015) | Service-Oriented Architecture (SOA) | Smart transportation | To define secure the IoT middleware architecture services. To analyze and deliberate on the security services that can be applied to the IoT middleware.
Vucinic et al. (2015) | OSCAR: Object Security Architecture | Smart grid | To introduce a novel scalable security architecture for E2E security and access control in the IoT. To evaluate the architecture in constrained M2M settings.
Vishvakarma et al. (2015) | Conceptual Organizations Framework | Business organizations | To identify the two types of the IoT architectures for an organization: cloud-centric three-layered and autonomic-oriented, five-layered architectures.
Chakrabarty et al. (2016) | Black SDN Architecture | Smart City | To address the vulnerabilities in traditional IoT systems.

5.2.1. Authentication in IoT architecture

Valdivieso et al. (2014) adopted the SDN architecture that helps eliminate the rigidity in traditional networks. SDNs allow administrators to have a global perspective of the system and the ability to control the network according to the requirements of each organization. SDNs simplify network utilization and operation by lowering the total cost of organization networks by providing programmable network services. However, several security vulnerabilities exist in SDNs. The lack of sophisticated authentication and authorization mechanisms makes SDN controllers the fundamental focus of hackers because they serve both as the central point of control in the network and the possible central point of disaster. For example, if a user is not focused on the controller, the controller becomes the target of an attacker who can effortlessly compromise it by altering the user's code base. The attacker can also rescript the user's traffic control such that confidential data can be sniffed by the attacker.

Moosavi et al. (2015) proposed a type of distributed smart e-health gateway architecture for IoT-based health-care systems. This architecture type depends on the certificate-based DTLS handshake protocol, which is the basic IP security solution for the IoT. The proposed architecture utilizes both public key-based authentication and ECC primitives, such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Elliptic Curve Diffie-Hellman (ECDH). ECDSA employs the key exchange protocol in the DTLS handshake to provide data authentication and integrity, whereas ECDH is adopted in an unsecure communication environment for confidential data exchange. ECDH and ECDSA are more efficient in terms of securing constrained devices than an asymmetric cryptographic algorithm (RSA). This architecture type can adapt to different security challenges in general healthcare systems, such as scalability, trust, and consistency. One drawback in the proposed architecture is DoS attacks. A sample scenario is the IoT heterogeneous medical domain where the IoT-based healthcare system functionality depends on a centralized delegated server. The server can be compromised easily in a DoS attack, which allows an attacker to access and retrieve all available stored data in the constrained medical domains. Another drawback is the issue of privacy in IoT-based healthcare applications. The techniques utilized in the proposed architecture do not support the privacy assurance re-used on constrained devices because of the security level requirements.

Ramo et al. (2015) focused on defining a type of classic security architecture for SOA-based IoT middleware systems, which provide support for the heterogeneity and interoperability of IoT devices, information management, and security. SOA-based procedures also provide the IoT applications with an identical and organized reflection of services and conversation with the IoT devices. SOA-based methods provide a uniform and controlled abstraction of services between the IoT devices and guarantee the confidentiality, integrity, and protection of communication channels. The major function of SOA is to prevent unauthorized access through the authentication features, such as trust and identity management, that are incorporated in the architecture. However, lightweight security solution compatibility is a major challenge in SOA-based methods. Lightweight solutions, such as key management, authentication, and access control, are considered as critical issues, particularly in IoT resource-constrained environments. In addition, the authentication protocols among the IoT devices were not addressed, thus creating a room for unauthorized users to attack the communication channel.

5.2.2. Authorization in the IoT architecture

Authorization in the IoT architecture is attained by exchanging identified data between connected items. This procedure is vulnerable to eavesdropping, which can lead to a Man-in-the-Middle (MitM) attack that risks the entire IoT framework (Sezer et al., 2013 and Karlof, 2013).

Vucinic et al. (2015) proposed OSCAR for E2E security in the IoT. OSCAR was evaluated in two ways: (1) utilizing 802.15.4 LLN and M2M communication on two different hardware types and (2) utilizing MAC layers on a real testbed and applying the Cooja emulator. This architecture type utilizes authorization servers to grant access to users, which permits users to demand resources from the CoAP nodes. OSCAR has a security feature that supports multicasting. This feature provides authorization for E2E security. However, the drawback of this framework is the latency of ECDSA authorization, which largely affects the microcontroller unit and computation capabilities of the IoT devices. This scenario allows unauthorized users to control the entire system.

5.3. Communication

The IoT communication involves information exchange/sharing among the IoT devices or between different IoT layers. With the enormous potential of the IoT in many domains, the entire IoT communication infrastructure is inconsistent from the security perspective and vulnerable to privacy loss from the perspective of end users (Hashem et al., 2016). The IoT communication medium serves as a decision point for attackers. The possible attacks in the channel are described as follows.

5.3.1. MitM attacks

Attacks similar to MitM must be prevented to maintain data integrity during a conversation. In MitM, an attacker silently transmits and probably modifies the communication between two IoT devices that directly communicate with each other. Reliable information, such as patient health status, billing information of smart grids (SGs), or even secret keys of house doors, can be forged and altered by an attacker with MitM, thus causing serious security problems (Han et al., 2015). MitM attacks represent a genuine threat to the IoT security
because they provide an attacker with the capability to seize and control a communication channel. Therefore, attackers can access sensitive data in real-time communication between nodes and obtain control over the channel. The attacker then forms a connection to the actual node and acts as an intermediary to read, redirect, insert, and modify the traffic between the user and the authentic node. For example, an attacker may want to fake the temperature information from a monitoring device within the IoT to compel the device to overheat, which can stop the device from working. This action can cause inconvenience to the device and can also lead to physical damage and financial losses (Simko, 2016).

MitM attacks create challenges in protecting data security and privacy. The security problem in the IoT generally involves active interference by intruders on the devices (i.e., allowing unauthorized users to spy on data through the backdoor). Lightweight cryptographic protocols are considered to provide communications security for the IoT devices over a computer network as part of the DTLS. However, MitM attacks take advantage of the flaws in the authentication protocols utilized by the communicating parties (Mahmood et al., 2016).

5.3.2. Eavesdropping

Eavesdropping is an interception of information between two communicating nodes. Eavesdropping occurs on the network layer in the IoT and takes the form of data sniffing. A particular program is utilized for sniffing and recording packets from the network layer, which are subsequently listened to or read utilizing cryptographic tools for analysis and decryption. Privacy is employed as a method for providing efficient access control and security against eavesdropping during data communication (Vučinić et al., 2015). Eavesdropping also poses unique challenges to the IoT architecture, particularly when an attacker targets the communication channels to extract data from the flow information. This attack type is performed by listening directly to the message or data sniffing (Pongle and Chavan, 2015).

Thus, MitM and eavesdropping attacks in the IoT occur among dynamic sensor nodes that do not require a dedicated centralized server, unlike the conventional network where a dedicated server is employed for traffic control and monitoring (Kothmayr et al., 2013).

5.4. Data

The users' privacy and trust must be protected for the IoT to be fully deployed and completely accepted. Data privacy and confidentiality for

Table 5
Summary of security threats within each IoT layer.

Layers | Threats
Physical | Micro-probing, tampering of hard components, jamming
Link | Collision, unfairness, exhaustion, replay, meta-data attacks
Network | Neglect, greed, homing, misdirection, traffic analysis, black holes, meta-data attacks

know that security and privacy issues must be addressed for the IoT to be fully deployed in different domains at a large scale. The IoT environment involves different technologies and communication standards; no unified standard policy regarding security and privacy requirements currently exists (Chen et al., 2011a, 2011b). A well-defined security and privacy policy must be designed and deployed to guarantee confidentiality, access control, and privacy for users and items. Given the security flaws and lack of standardization in the IoT environment, we propose a conceptual type of architecture that can help mitigate the security challenges posed on items to an extent. Fig. 5 shows a novel type of physical IoT security scenario architecture.

Fig. 5 shows an IoT security scenario where multiple devices and sensors communicate with each other in a secure environment. A virtual healthcare system is considered to illustrate the communication between different users. Suppose a user with a healthcare device is at home and must contact a hospital to ask for assistance. The user cannot go to the hospital to see the doctor in person because of his/her health condition. Thus, the user simply calls or sends an email to the hospital from home to avoid the stress of traveling to the hospital. The home and hospital network comprises multiple sensors/wireless devices as shown in Fig. 5. Given the availability of wireless technologies, such as imo and Skype, that support video calls, both the user and the doctor can now make video call connections that can help the doctor assist the user.

The user mobile device and information and the hospital information that utilize different networks and devices are left open or exposed to hackers, as shown in Fig. 5. Apart from the available security in current networks, the security characteristic requirements for resource-constrained devices during communication must be focused on. However, current networks cannot adequately satisfy the security requirements of sensitive data applications. Network and device security are two major requirements that must also be considered when designing the security architecture for constrained devices (Akhunzada et al., 2016). Individual wireless devices that are used
business procedures are still critical issues, and nding practical interfaces with the Internet, collections of wireless devices, and
solutions remain challenging (Botta et al., 2013). User data privacy ubiquitous systems and sensor networks are associated with new
must be guaranteed because users require maximum protection for network service requirements in the IoT scenarios (Gaur et al.,
their personal information. Trust involves the preservation of user 2015). Therefore, a secured type of IoT architecture that satises the
privacy, which includes personal user data, by the policy and prospect security standard of new network services must be developed.
of users in a exible manner. Transmitting and computing trust among
dierent nodes in a heterogeneous IoT is a challenging issue because
dierent network nodes have dierent trust criteria (Eschenauer, 7. Discussion on possible attacks posed by threats and
2012). vulnerabilities of the IoT
The security services provided by IEEE 802.15.4 are data authen-
ticity, data condentiality, and replay protection. The main threats to The IoT is a concept that evolves every day. Several technologies,
this protocol are encrypted ACK frames, NO timed frame counters, and which include WSNs, RFIDs, and cloud facilities, are utilized by the IoT
NULL security level. When the ACK frame is unencrypted, an intruder devices. The M2M function is the main building block of the IoT
can intercept a MAC frame and forge an ACK frame with a sequence paradigm (Jing et al., 2014). Moreover, the IoT paradigm is applicable
number, which results in frame loss with no retransmission in many domains, such as smart cities, healthcare, SGs, and intelligent
(Chakrabarty et al., 2015). Table 5 provides a summary of the existing transportation. These devices must communicate with each other and
threats within each IoT security communication layer of the IEEE with dierent objects, including human beings. Every communication
802.15.4-based protocols. type must be secured in one way or another by protecting and
providing users with the condence that their information and com-
6. IoT security scenario munication channels are properly secured. However, the IoT protection
is a challenging and demanding task (Kanuparthi et al., 2013).
After a comprehensive research and survey on the security threats Security is a signicant challenge that must be overcome to realize
and vulnerabilities of the IoT as discussed in the previous sections, we the IoT. The IoT architecture is expected to manage billions of

20
F.A. Alaba et al. Journal of Network and Computer Applications 88 (2017) 1028

Fig. 5. IoT security scenario.

connected items. This scenario will create many paths that can be accessed by malicious attackers because global availability and connectivity are the basic visions of the IoT. The IoT can be affected by different degrees of threats that range from hardware, network, and smart application threats that target different communication channels. Security and privacy issues must be addressed for the IoT to be deployed in different domains at a large scale (Roman et al., 2013).

7.1. Hardware threats

The IoT hardware devices include RFID tags, ZigBee, Bluetooth, and sensor nodes. The RFID tags' major features are auto identification and unique identity, which perform a rapid exchange of information between tags and readers through a wireless connection (Atzori et al., 2010). However, the possible threats and attacks on RFIDs include tracking, DoS, repudiation, spoofing, eavesdropping, and counterfeiting (Jing et al., 2014). ZigBee comprises a radio, a microcontroller, and a simple protocol. It is small in size, reliable, has limited power consumption, and inexpensive. However, these devices are vulnerable to threats and attacks, such as packet manipulation, hacking, key exchange, KillerBee, and Scapy (Lu, 2014). Bluetooth comprises a frequency-hopping spectrum that allows two devices to connect wirelessly, and it is safe and convenient. However, Bluetooth is exposed to threats and attacks, such as eavesdropping, DoS, Bluesnarfing, Bluejacking, car whisperer, and Bluebugging (Moosavi et al., 2015). The sensor node's major components are sensors and actuators that are utilized to sense and activate devices based on commands sent from the nodes; it is flexible and has high latency in communication (Zhang et al., 2015). Nevertheless, sensor nodes are exposed to different threats and attacks, such as DoS, exhaustion, unfairness, Sybil, jamming, tampering, and collisions (Massis, 2016).

7.2. Network threats

The communication channels in the IoT can either be a wired or wireless medium. A wired medium involves utilizing cables, network adapters, and routers for the information exchange between two or more IoT devices. It enhances the security, reliability, and ease of use (Liu and Wang, 2010). However, a wired medium is exposed to certain threats and attacks, such as data manipulation, extortion hack, equipment hijacking, Signaling System No. 7, and malicious attacks (Perera et al., 2014). A wireless communication channel utilizes radio communication, transmitters, and receivers for the data exchange between two or more devices (Atzori et al., 2010). It enhances the guest access and provides easier network expansion, increased mobility, and collaboration (Bandyopadhyay and Sen, 2011). Nevertheless, a wireless communication channel is vulnerable to several threats and attacks, such as misconfiguration, hacking, signal loss, DoS, war dialing, protocol tunneling, and MitM (Zhang et al., 2015).

Table 6
Analysis of the possible attacks posed by threats and vulnerabilities to the IoT hardware, network infrastructure, and smart application environment.

| Group | Features | Benefits | Threats | Vulnerability | Attacks | Confidentiality / Integrity / Authentication / Availability / Non-repudiation |
|---|---|---|---|---|---|---|
| Hardware | | | | | | |
| RFID | Unique identity, Auto identification, and Unique identity | Rapid exchange of information between tags and readers through wireless connection | Tracking, DoS, Repudiation, Spoofing | Alteration, Corruption and Deletion | Eavesdropping, Counterfeiting | + |
| ZigBee | Radio, Microcontroller, Simple protocol and Small size | Reliable, Low power consumption, Low Cost | Packet manipulation | Hacking | Key exchange, KillerBee, and Scapy | + + |
| Bluetooth | Frequency hopping spectrum | Allows two devices to connect wirelessly, very safe and convenient | Eavesdropping, DoS | Bluesnarfing, Bluejacking | Car Whisperer, Bluebugging | |
| Sensors node | Sensors and Actuators | Flexibility, Higher latency in communication | DoS, Exhaustion, Unfairness, Sybil | Flooding, Routing Protocols | Jamming, Tampering, Collisions | + + + |
| Network Infrastructure | | | | | | |
| Wired | Cable, Network adapters, and Router | Enhanced security, Greater Reliability and Ease of use | Manipulation of data, Extortion hack | Signaling system No.7 (SS7), Hijacking of equipment | Weak Link, Malicious attacks | + + + + |
| Wireless | Radio Communication, transmitters, and receivers | Enhanced guest access, Easier network expansion, Increased mobility and collaboration | Rogue access points, Misconfiguration | Hacking, Signal lost | DoS, War dialing, protocol tunneling; man-in-the-middle | + + |
| Smart Application | | | | | | |
| Smart City | e-governance, Street Lighting, Water and Waste Management | Better city planning, Faster delivery of service, Economic development | Smart City DoS, Manipulation of information | Fake seismic detection, fake flood detection | Mobile apps, Sensors | |
| Smart grid | Smart meters, Smart Energy | Reliability, cost savings, and energy independence | Customer security, Physical security | trust between traditional power devices | End points on devices, malicious attacks | |
| Healthcare | Smart health cards | improves patients' security and privacy details | Theft and loss, Insider misuse, Unintentional actions | Hacking | Internal attack, cyber attack | |
| Smart Transportation | Traffic control, Parking, Public Transportation | Ease-of-use | Smart City DoS | Security plagued | Cyber-attacks | |

7.3. Smart application threats

The IoT can be deployed in several smart application domains, such as smart city, SG, smart healthcare, and smart transportation. The smart city includes e-governance, street lighting, and water and waste management. In a smart city, city planning is improved for faster service delivery and economic development. However, smart city devices are open to different threats and attacks, which include smart city DoS, information manipulation, fake seismic detection, and fake flood detection (Zhu et al., 2015a, 2015b). SGs (i.e., smart meters and smart energy) are reliable, improve cost and savings, and enhance energy independence (Bi et al., 2016). Nevertheless, a SG is vulnerable to different attacks and threats, such as customer security, physical security, trust between traditional power devices, device endpoints, and malicious attacks (Barreto et al., 2015). Smart healthcare involves utilizing smart health cards. It improves the patients' security and privacy in terms of information details. However, smart health cards are vulnerable to threats and attacks, such as theft and loss, insider misuse, unintentional actions, hacking, internal attacks, and cyber attacks (Aman and Snekkenes, 2016). Intelligent transportation involves traffic control, parking, and public transportation. It is easy to utilize, allows different users to be well-informed, and creates a new
secure, organized, and smoother utilization of intelligent transportation systems. Nonetheless, intelligent transportation is exposed to several threat and attack types, such as smart city DoS, security plagues, and cyber-attacks (Jing et al., 2014).

The analysis of the possible attacks posed by threats and vulnerabilities to the IoT environment is presented in Table 6.

DoS: DoS attempts to make the IoT devices inaccessible to its intended users through temporary or indefinite interruption (Wood and Stankovic, 2012). The different types of DoS attacks that can be launched against the IoT include jamming, collision, and malicious internal attacks; the last type can create more havoc because it controls part of the infrastructure (Kasinathan, and Kasinathan et al., 2013, 2013).

Eavesdropping: Eavesdropping is an electronic attack on the communication channel (i.e., wired or wireless networks) where communications are interrupted by an individual to extract data from the information flow. This attack is conducted by listening directly to the message or data sniffing (Pongle and Chavan, 2015).

Device end-point: Smart applications on the IoT domain include smart city items (e.g., e-governance, street lighting, and water and waste management), SG items (e.g., smart meters and smart energy), smart health-care items (e.g., smart health cards), and intelligent transportation of items (e.g., traffic control, parking, and public transportation), which are physically situated in a specific domain. An active attacker can easily hack these items, extract information, and target other infrastructure that store information as alternatives to destroying these items (Porambage et al., 2014).

Counterfeiting attacks: Counterfeiting simply means imitation or forgery. The IoT devices, such as smart watches and smart lighting systems, are fragile and require lightweight security. However, an active attacker can easily duplicate and modify the contents of the IoT devices because of the security nature of these devices (Whitmore et al., 2014 and Ferati et al., 2016).

MitM attack: MitM attacks create challenges in maintaining data security and privacy. Given the different attacks on the IoT devices, the security problem in the IoT involves the active interference of intruders on the devices (i.e., allowing unauthorized users to spy on data through a backdoor). Lightweight cryptographic protocols are considered to provide communication security for the IoT devices over a computer network as part of the DTLS. Nevertheless, MitM attacks take advantage of the weaknesses in the authentication protocols utilized by the communicating parties (Mahmood, and Maras et al., 2016, 2015).

8. Future directions

The IoT development faces many security, trust, and infrastructure challenges. The aforementioned challenges must be addressed for the IoT to be accepted and fully deployed (Whitmore et al., 2014). Most IoT devices are typically wireless (Raza et al., 2013b), and securing these devices is essential. Security problems are fundamental in the IoT because they can occur at different layers. Different security properties, such as confidentiality, integrity, authentication, authorization, non-repudiation, availability, and privacy, must be assured for security to be guaranteed in the entire IoT system. This objective is extremely challenging due to the IoT environmental attributes (Abdmeziem and Tandjaoui, 2015).

8.1. Security-related challenges

This section presents several of the challenges related to security, which include secure SGs, lightweight authentication, heterogeneity, and quality of service (QoS).

8.1.1. Secure SG

Bekara (2014) proposed the SG security to examine the security issues and challenges in the IoT-based SG and describe the main security services that must be considered. However, no in-depth study has been conducted on the key security element of the SG and the secure integration of energy-aware smart homes, which makes end-users vulnerable to security threats and attacks. These threats and attacks include impersonation/identity spoofing, data tampering, and unauthorized control access when utilizing smart meters/smart appliances. Hence, an in-depth study on the key security element of SGs and an integration of a secure energy-aware smart home must be performed before deploying smart meters/smart appliances. Such study can help mitigate the vulnerability and security challenges in smart meters/smart appliances. Gupta and Garg (2015) proposed mobile IoT applications with cloud techniques, such as mobile sensor data processing engine, mobile fog, Embedded Integrated Systems (EIS), Mobile Sensor Hub (MosHub), and dynamic configuration that utilizes MosHub, to illustrate the different techniques employed in mobile IoT applications and the cloud. They discussed the similarities and comparisons between the techniques and integrated the IoT applications utilizing mobile phones and cloud computing to form the cloud IoT. However, an increase in the quantity of sensors associated with a device or an increment in inquiry demand by GSN affects the CPU usage, memory, and energy utilization because of the nature of the IoT devices.

8.1.2. Lightweight authentication

Yao et al. (2014) proposed a lightweight no-pairing Attribute-Based Encryption (ABE) scheme based on ECC to address data security and privacy issues. Their approach decreases the computation and communication overhead in the IoT. However, ABE has poor scalability and is inflexible in revoking attributes, which cannot be applied to multi-authority applications. Therefore, a lightweight multi-authority-oriented ABE and a flexible attribute revoking scheme must be developed.

Perera et al. (2014) proposed a pervasive lightweight verification mechanism for WSNs in distributed IoT applications. The DTLS scheme is adopted to conduct a security analysis on the PAuthKey to measure the security performance of WSNs. They implemented the PAuthKey protocol and demonstrated its performance capacities on the high-resource-constrained sensor nodes. However, many security threats and issues, such as access control and multicasting, have been encountered by the distributed IoT due to network heterogeneity and device mobility. Hence, an implicit certificate scheme for access control and large-scale multicasting must be developed, and security protocols that can handle issues of threats in distributed IoT network applications must be implemented.

Bose et al. (2015) and Raza et al. (2013a), (2013b) proposed a lightweight scheme for secure channel establishment to control the confidentiality level, evaluate a security score from the fine-grained sensor data, and preserve and protect content over a secure transmission. A lightweight security mechanism can support and measure the confidential value (i.e., affects the secrecy connection) of the sensor dataset (i.e., data in smart meters). Nevertheless, such a scheme can only consider a single security scenario (i.e., sensitivity) and how to derive sensitivity analysis and privacy degree based on multivariate data; it does not address multi-dimensional sensor data. Thus, an algorithm that can derive sensitivity analysis and privacy measure based on multivariate and multidimensional sensor data must be developed to extend the scheme to other IoT cases, especially for intelligent transportation.

8.1.3. Heterogeneity

Billions of connected devices have made the IoT heterogeneous in nature and thus more vulnerable to threats because each device has a different security measure (Srivastava and Garg, 2015). Constrained
devices have inconsistencies in memory, energy consumption, and bandwidth, as well as in their mode of implementation and communication. Attaining a secure E2E communication is a challenge that mostly requires the adaptation of existing solutions or application of gateways (Bekara, 2014).

Resource estimation and management that utilize fog computing for a customer's Probabilistic Resource Estimation (PRE) model were introduced by Aazam et al. (2016) to implement well-organized, successful, and reasonable resource management for the IoT. Nevertheless, estimating the amount of resources that will be consumed by each node and determining whether the requesting nodes or devices will completely utilize the resources they requested are difficult because of the heterogeneous devices that are part of the IoT. Attaining minimum latency is also difficult with devices, such as healthcare and emergency services, because of the unreliable core network of reaching the cloud through shared resources. Hence, testing for minimum latency requires the application of the model in other research fields, such as smart cities, medical centers, and smart homes. Moreover, Sicari et al. (2016) analyzed the available solutions identified with security (i.e., reliability, secrecy, and verification), privacy, and trust in the IoT arena. Nonetheless, the solutions provided by the authors do not properly define the privacy policies that can manage the adaptability of the IoT devices in the heterogeneous environment.

Persson and Angelsmark (2015) presented a framework called Calvin, which adopts a unified programming model to combine the IoT and the cloud. This framework attempts to develop a solution that does not allow developers to avoid heterogeneity in the IoT, but utilize it by hiding the protocol and data transport details. It also refines communication efficiency by avoiding a direct device-to-cloud client/server approach. Calvin is still in its initial phases of development due to the hybrid nature of the framework. No implementation that anticipates all security and routing properties required to make autonomous migration for an IoT distributed environment has been reported.

S Li et al. (2016); F Li et al. (2016) recently proposed a practical access control for sensor networks in the context of the IoT. The senders in this novel Heterogeneous SignCryption belong to the Certificate-Less Cryptography (CLC) environment, whereas the receivers belong to the Identity-Based Cryptography (IBC) environment. The main characteristic of this approach is heterogeneity. In particular, the senders and receivers belong to two different cryptographic environments. It permits a sender in the CLC environment to transmit a message to a receiver in the IBC environment. Furthermore, this approach has ciphertext authenticity that allows the shift of the computational cost of the sensor nodes to the gateway. CLC does not require the utilization of certificates. However, it still requires a trusted third party called the Key Generating Center, which is responsible for generating a partial private key that utilizes the user's identity and a master key. They also focused mainly on the computational cost and energy consumption of the sensor node.

8.1.4. QoS

The QoS design is the fundamental functionality for routing data in resource-constrained devices to allow differentiated delivery and ensure quality service. Several solutions have been provided to improve the services in constrained nodes and ensure suitable QoS for constrained devices. The solutions include adaptive edge (fog) computing solutions based on REgressive Admission Control (REAC) proposed by Jutila (2016) and Fuzzy Weighted Queueing (FWQ) with adaptive computing methods for the IoT networking at the network edges, which can be applied to optimize and control traffic flows and network resources. The FWQ control with a feedback mechanism provides properties related to system stability, short settling times, and fast response time. REAC helps in managing the E2E network performance at the network edge. However, the solutions focus on only one QoS metric (i.e., network capacity) and do not address other QoS issues, such as connectivity, reliability, and delay. The operating capacity (i.e., IEEE 802.11p) must fully support two instances of Roadside Unit (RSU) deployment to avoid network congestion. However, it only supports one RSU deployment that leads to network congestion. Therefore, solutions that address the interoperability challenges and unsolved QoS metric issues, such as connectivity, reliability, and delay, are required.

Chakrabarty et al. (2015) also proposed a black SDN to enhance secure communications by encrypting the header and payload at the network layer. This approach can mitigate a range of attacks and improve the overall lifespan and network performance of the IoT networks. Resource-constrained IoT nodes cannot support a full SDN implementation and do not address the security of the black link layer frame. The black network is an application delivery network that provides a key service method for securing all data, decreases network efficiency, and complicates routing. Therefore, sleep synchronization protocols that are appropriate for black networks are required to ensure packet delivery to all nodes and secure the black link layer frame by multiple methods. This approach allows for a fine-grained approach to securing the meta-data. These protocols include the following: 1) replacing the meta-data fields by Grain-128a IV and a keystream, 2) the AES-EAX mode, and 3) a pre-shared IV to allow for better payload efficiency.

Homg et al. (2011) proposed an adaptive bandwidth allocation algorithm called Adaptive Weighted Fair Queue (AWFQ) for reservation protocols to support QoS in the IoT network layer. The proposed algorithm employs the queue status and priority assignment to control the bandwidth sharing of different Internet services and guarantee that a defined QoS policy is obtained for resource-constrained devices. The algorithm mainly focuses on bandwidth utilization (i.e., how network bandwidth is effectively and efficiently utilized among resource-constrained devices in a flexible, fair, and prioritized manner). Nevertheless, the bandwidth starvation on resource-constrained devices with low priority and queuing congestion was not addressed.

8.2. Trust management

The privacy of the nodes and users in the IoT is extremely important and must be seriously considered when developing the IoT devices. Trust Management (TM) involves the preservation of user privacy, such as personal user data, by the policy and prospect of the IoT users in a flexible manner. Thus, integrating TM into the IoT RFID devices is necessary. Moreover, TM not only occurs between the readers and the RFID tags when communicating, but also between the readers and the base stations. Digital signature technology is employed in the TM domain; it is important in the trust area because it is utilized for authentication (i.e., both on the IoT devices and the data) and during data communication among different IoT applications (Jing et al., 2014). However, few research types on TM in the IoT domain have been performed.

TM attempts to solve issues related to security in a distributed environment (Gu et al., 2014). Trust is a dynamic concept that can safeguard the existing IoT architecture and provide a uniform decision-making scheme for the IoT heterogeneous environment or multi-domains. Hence, Josang et al. (2012) considered TM as a possible solution to security-related issues in the IoT. Addressing and computing the trust between different networks in the heterogeneous IoT is a demanding issue because different network nodes have different trust criteria. TM provides an effective approach to assessing the trust relationships between IoT entities and helps users in careful decision-making when communicating and cooperating with each other.

Liu and Wang (2010) and Yan et al. (2014) concentrated on the technologies for controlling heterogeneous connected devices in the IoT. Their studies primarily focused on a heterogeneous network model, trust directing, and TM technology. Their explorations offer a direction and strategy for developing future IoT devices. However,
implementing real-life solutions on TM in the IoT domain is necessary.

Chen et al. (2011a), (2011b) explained the complexity of trust relationship among heterogeneous entities. They analyzed the security challenges and threats imposed on the IoT based on several practicable trust-based ideas they gathered. They then proposed a type of security IoT architecture.

In contrast to Liu and Wang (2010) and Yan et al. (2014) who only provided several non-practicable ideas for handling trust in the IoT, Bahtiyar and Çağlayan (2012) introduced a trust model that focuses on extracting trust data and provides formal security policies for the IoT devices/entities when required. They attempted to provide a formal security policy for an entity on how to extract trust data from a secured system for service. Nevertheless, no specific network architecture has been considered in this model to properly evaluate the authentication of the parameters utilized and determine how it can be applied in the IoT.

Autonomic TM (ATM), which provides flawless benefits and supports Human-Computer Interaction (HCTI) in a reliable manner, was proposed by Yan et al. (2014). However, trust covers a larger extension than security. Therefore, it is complex and difficult to build, guarantee, and maintain. Disseminating and enumerating trust among different networks in a heterogeneous IoT is a challenging issue because different network nodes have different TM criteria. Similarly, ATM is difficult to realize because the nature of the deployment, mobility, and low computation capacity of the cloud of things cannot be easily controlled. Performance improvements, such as the most effective method to make key dissemination proficient, how to implement lightweight security and preserving solutions, and how to avoid complex and energy-consuming cryptographic controls, remain as considerable threats. Hence, lightweight security and trust components that can be implemented on small items with regard to the IoT must be developed and specifically centered on preventing possible DoS or DDoS attacks.

Furthermore, Sicari et al. (2016) analyzed the obtainable solutions identified with security (i.e., reliability, secrecy, and confirmation), privacy, and trust in the IoT arena. The trust relationship between two devices will support the communication between these devices in the future. These devices can always share resources as long as they trust each other. However, they did not address the implementation of a trust negotiation tool that can handle data stream, access control, and a unified vision that concerns the assurance of security and privacy requirements in such heterogeneous environments. This approach involves different technologies and communication criteria. Therefore, well-defined privacy policies that deal with scalability and adaptable infrastructure that can manage security threats in a dynamic IoT environment must be developed.

Many studies have recently been conducted on TM for the IoT, and different trust models have been proposed (Lopez, and Gu et al., 2010, 2012). These trust models may be included in the TM development for the IoT. No related work that establishes a trust mechanism has been reported and remains an open issue for the IoT.

(black packets), route availability, identity management, node authentication, authorization, availability, efficient key distribution, and secure utilization of symmetric keys by authorized devices. However, Chakrabarty and Engels did not focus on the security architecture and SDN implementation for the IoT. This scenario causes new attack types because the SDN architecture changes the IoT network's communication patterns, which requires a new approach to secure the IoT network. Encrypting the header creates routing challenges for the IoT nodes, which are often asleep. Hence, sleep synchronization protocols that are appropriate for black networks to ensure packet delivery to all nodes and a secure type of IoT architecture that can help address translations, define location privacy, and characterize mobility must be developed and designed.

Jararweh et al. (2015) proposed a comprehensive software-defined framework model (SDIoT) to improve the IoT managing procedure and provide a basic solution for threats in the conventional IoT architecture through forwarding, storing, and securing the data created from the IoT objects. This approach integrates a SDN, SDStore, and SDSec to a single software-defined control model. The SDIoT framework result accelerates and facilitates the control and management processes of the IoT and covers and tackles the difficulties in traditional architecture. This framework also enables cloud users to utilize the cloud resources in an adequate manner by generating segments/fragments and allowing transparent information flow. Nonetheless, the issues of SDN compatibility, security, and interoperability still persist. No practical and experimental SDIoT framework exists to test different forms of the IoT topologies. Therefore, developing an SDIoT framework to investigate different types of IoT topologies that can address security issues and interoperability in the SDN is necessary.

8.3.2. Smart e-health

Moosavi et al. (2015) developed a secure and efficient type of verification architecture for IoT-based healthcare systems utilizing a type of distributed smart e-health gateway architecture. The gateway can be abused on medical sensor nodes due to its distributed nature derived from the end-user. Furthermore, can a gateway adapt to different difficulties in pervasive healthcare systems, such as scalability, security, and dependability? Abuse or privacy concerns can possibly limit the public from utilizing IoT-based health care frameworks. Traditional security and privacy mechanisms and current cryptographic solutions, secure protocols, and privacy assurance cannot be reused because the resources limit the security level requirements and framework design of IoT-based healthcare applications. Therefore, secure network infrastructures for short- or long-range communication are required to mitigate risks in the architecture.

Gaur et al. (2015) proposed custom-built services in a smart city environment by utilizing semantic web technologies and the Dempster-Shafer uncertainty theory to enable communication between WSNs and ICTs. This architecture type helps Alzheimer's patients and elderly individuals with their everyday breathing exercises by sending notifications to users when they forget or are unable to finish breathing exercises. This framework can also serve as a smart
8.3. Infrastructure platform for individuals who live in a smart society by networking
information from dierent smart city domains. However, the proposed
This section highlights several challenges related to infrastructure, architecture cannot cover a large area (i.e., it concentrates on the most
which include SDN, smart e-health, and middleware. No unied IoT vital parts of the smart city) and is yet to be tested. Thus, an
infrastructure exists, which makes the IoT devices vulnerable to attacks architecture type that can cover an entire city without neglecting any
and threats (Chen et al., 2011b). area and perform experiments on the idea discussed must be devel-
oped.
8.3.1. SDN
Chakrabarty et al. (2016) proposed a secure IoT architecture for 8.3.3. Middleware
smart cities that addresses the vulnerabilities in traditional IoT Ramo et al. (2015) discussed the advantages of implementing a
systems. The four basic IoT architectural blocks to secure smart cities type of well-dened standard security architecture for SOA-based IoT
are a black network, trusted SDN controller, unied registry, and key middleware and studied the current eort by dierent researchers.
management system. The IoT architectural blocks provide the follow- They also outlined the security facilities that can be utilized when
ing security services: condentiality, integrity, privacy, secure routing dening the IoT security architecture to lower the security threats in

SOA-based IoT middleware frameworks. SOA-based methods also provide the IoT applications with an inflexible and organized reflection of security facilities required for communication by items (i.e., IoT devices). These methods help ensure high levels of system interoperability and provide system services based on devices and utilized by applications. Nevertheless, the coexistence of SOA and resource-oriented architecture (ROA) creates a new set of traditional security demands that must be followed for resource-constrained environments to guarantee system safety. None of the aforementioned studies suggested solutions that outline all of the middleware security requirements. Hence, a security countermeasures system in the middleware architecture must be developed to protect the IoT middleware from attacks.

Furthermore, OSCAR with CoAP was proposed by Vucinic et al. (2015). OSCAR is a middleware architecture for E2E security in the IoT. OSCAR was evaluated in two cases: 802.15.4 LLN and M2M communication in two hardware environments and MAC layers. This scheme essentially provides support for multicasting, asynchronous data communication, and caching. It handles security and authorization issues in E2E while safekeeping full data integrity with the plain DTLS approach. However, failure in the node that serves as a PAN coordinator in a beacon-enabled 802.15.4 affects the periodic transmission of beacons in the network. Existing techniques cannot derive lost keys once information is lost in the CoAP header. Zhao and Ge (2013) illustrated several IoT security issues that occur in a three-layer type of system architecture and generated a solution coupled with the key technologies involved. Their study identified security problems in every layer of the IoT architecture, which are the perception, network, and application layers. The main equipment in the perception layer includes RFID, ZigBee, and all sensor types. Attackers can easily gain access, control, or physically harm the hardware. The IoT easily has security vulnerabilities in the network layer. Heterogeneity generally worsens the security, interoperability, and coordination of the network for different industries or environments. The security issues in the application layer are different, which makes security more complex and difficult. A unified IoT security architecture is yet to be formed.

Therefore, encrypting the RFID signal through a suitable algorithm for data security is necessary. Furthermore, a precise unified authentication mechanism, E2E authentication, key agreement mechanism, Public Key Infrastructure (PKI), wireless PKI, security routing, and intrusion detection must be set up for different types of network architectures.

9. Conclusion

The IoT has recently emerged as an important research topic. It provides the integration of different sensors and objects to communicate specifically with each other without human interference. Moreover, the requirements for the large-scale deployment of the IoT are increasing rapidly with major security concerns. We presented a comprehensive review of the state-of-the-art IoT security threats and vulnerabilities. We classified the IoT by presenting the taxonomy of the current security threats and vulnerabilities in the context of its application, architecture, and communication. Moreover, we discussed the current state-of-the-art IoT-enabling communication technologies. We also proposed a possible solution structure of the IoT security to overcome the security issues in the IoT environment. Finally, we discussed open research issues and challenges to the IoT security. However, research in the IoT security is in its infancy and is yet to be tested (Gaur et al., 2015). The possible solutions to the discussed security threats and vulnerabilities need to be implemented/applied for the IoT to be fully adopted by users.

References

Aazam, M., St-Hilaire, M., Lung, C.-H., Lambadaris, I., 2016. PRE-Fog: IoT trace based probabilistic resource estimation at Fog. In: Proceedings of the 13th IEEE Annual Consumer Communications and Networking Conference (CCNC), 12–17.
Abdmeziem, M.R., Tandjaoui, D., 2015. An end-to-end secure key management protocol for e-health applications. Comput. Electr. Eng. 44, 184–197. http://dx.doi.org/10.1016/j.compeleceng.2015.03.030.
Akhunzada, A., Gani, A., Anuar, N.B., Abdelaziz, A., Khan, M.K., Hayat, A., Khan, S.U., 2016. Secure and dependable software defined networks. J. Netw. Comput. Appl. 61, 199–221.
Al-Fuqaha, A., Guizani, M., Mohammadi, M., Aledhari, M., Ayyash, M., 2015. Internet of things: a survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutor. 17 (4), 2347–2376.
Al-turjman, F., Gunay, M., 2016. CAR Approach for the Internet of Things approche de la CAR pour l'internet des objets. Can. J. Electr. Comput. Eng. 39 (1), 11–18.
Aman, W., Snekkenes, E., 2016. Managing security trade-offs in the internet of things using adaptive security. In: Proceedings of the 10th International Conference for Internet Technology and Secured Transactions, ICITST, 362–368.
Atzori, L., Iera, A., Morabito, G., 2010. The internet of things: a survey. Comput. Netw. 54 (15), 2787–2805.
Babar, S., Stango, A., Prasad, N., Sen, J., Prasad, R., 2015. Proposed embedded security framework for internet of things (IoT). In: Proceedings of the 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace and Electronic Systems Technology, Wireless VITAE 2011, 15.
Bahtiyar, Ş., Ufuk Çağlayan, M., 2012. Extracting trust information from security system of a service. J. Netw. Comput. Appl. 35 (1), 480–490.
Bandyopadhyay, D., Sen, J., 2011. Internet of things: applications and challenges in technology and standardization. Wirel. Personal. Commun. 58 (1), 49–69.
Bansal, G., Kenney, J., C. Rohrs, C., 2013. LIMERIC: a linear message rate control algorithm for DSRC congestion control. IEEE Trans. Veh. Technol., Appear fall, 2013.
Barreto, L., Celesti, A., Villari, M., Fazio, M., Puliafito, A., 2015. An authentication model for IoT Clouds. Proceedings of the IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2015, 1032–1035.
Bekara, C., 2014. Security issues and challenges for the IoT-based smart grid. Procedia Comput. Sci. 34, 532–537.
Bi, Z., Wang, G., Xu, L. Da, 2016. A visualization platform for internet of things in manufacturing applications. Internet Res.
Bohge, M., Trappe, W., 2013. An authentication framework for hierarchical ad hoc sensor networks. Proc. ACM Workshop Wirel. Secur. - WiSe 13, 79.
Bonetto, R., Bui, N., Lakkundi, V., Olivereau, A., Serbanati, A., Rossi, M., 2012. Secure communication for smart IoT objects: protocol stacks, use cases and practical examples. World Wirel., Mob. Multimed. Netw. (WoWMoM) 2012 (2012), 17.
Borgia, E., 2014. The internet of things vision: key features, applications and open issues. Comput. Commun. 54, 131.
Borgia, E., Gomes, D.G., Lagesse, B., Lea, R., Puccinelli, D., 2016. Special issue on Internet of Things: Research challenges and Solutions, 90, 14.
Bose, T., Bandyopadhyay, S., Ukil, A., Bhattacharyya, A., Pal, A., 2015. Why not keep your personal data secure yet private in IoT: Our lightweight approach. In: Proceedings of the IEEE Tenth International Conference on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), April, 16.
Botta, A., de Donato, W., Pescapé, A., 2013. N/A - On the integration of cloud computing and internet of things. Future Gener. Comput. Syst. 56, 23–30.
Botta, A., De Donato, W., Persico, V., Pescapé, A., 2016. Integration of cloud computing and internet of things: a survey. Future Gener. Comput. Syst. 56, 684–700.
Chakrabarty, S., Engels, D.W., Thathapudi, S., 2015. Black SDN for the Internet of Things. In: Proceedings of the IEEE 12th International Conference on Mobile Ad Hoc and Sensor Systems, MASS 2015, 190–198.
Chakrabarty, S., Engels, D.W., Member, S., 2016. A Secure IoT Architecture for Smart Cities.
Chen, D., Chang, G., Jin, L., Ren, X., Li, J., Li, F., 2011a. A novel secure architecture for the Internet of things. In: Proceedings of the 5th International Conference on Genetic and Evolutionary Computing, ICGEC 2011, 311–314.
Chen, M., Lai, C.-F., Wang, H., 2011b. Mobile multimedia sensor networks: architecture and routing. EURASIP J. Wirel. Commun. Netw. 2011 (1), 159.
Covington, M.J., 2013. Threat implications of the internet of things. Econ. Internet Things Ec. Priv. 7 (4), 69–71.
Da, Xu, L., He, W., Li, S., 2014. Internet of things in industries: a survey. IEEE Trans. Ind. Informatics 10 (4), 2233–2243.
Eschenauer, L., Gligor, V.D., 2012. A key-management scheme for distributed sensor networks. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, 41–47.
Ferati, M., Kurti, A., Vogel, B., Rau, B., 2016. Augmenting Requirements Gathering for People with Special Needs using IoT: A Position Paper, 48–51.
Flauzac, O., Gonzalez, C., Nolot, F., 2015. New security architecture for IoT network. Procedia Comput. Sci. 52 (1), 1028–1033.
Frizzo-barker, J., Chow-white, P.A., Mozafari, M., Ha, D., 2016. International Journal of Information Management An empirical study of the rise of big data in business scholarship. Int. J. Inf. Manag. 36 (3), 403–413.
Gaur, A., Scotney, B., Parr, G., McClean, S., 2015. Smart city architecture and its applications based on IoT. Procedia Comput. Sci. 52 (1), 1089–1094.
Gluhak, A., Krco, S., Nati, M., Pfisterer, D., Mitton, N., Razafindralambo, T., 2011. A survey on facilities for experimental Internet of Things research. IEEE Commun. Mag. 49 (11).
Granjal, J., Monteiro, E., Silva, J.S., 2015. Security for the internet of things: a survey of existing protocols and open research issues. IEEE Commun. Surv. Tutor. 17 (3), 1294–1312.
Gu, L., Wang, J., Sun, B., 2014. Trust management mechanism for Internet of Things.
China Commun. 11 (2), 148–156.
Gu, X., Qiu, J., Wang, J., 2012. Research on trust model of sensor nodes in WSNs. Procedia Eng. 29, 909–913.
Gubbi, J., Buyya, R., Marusic, S., Palaniswami, M., 2013. Internet of Things (IoT): a vision, architectural elements, and future directions. Future Gener. Comput. Syst. 29 (7), 1645–1660.
Guo, J., Chen, R., Tsai, J.J., 2017. A survey of trust computation models for service management in internet of things systems. Comput. Commun. 97, 114.
Gupta, R., Garg, R., 2015. Mobile applications modelling and security handling in cloud-centric Internet of Things. In: Proceedings of the 2nd IEEE International Conference on Advances in Computing and Communication Engineering, ICACCE, 285–290.
Han, J., Ha, M., Kim, D., 2015. Practical security analysis for the constrained node networks: Focusing on the DTLS protocol. In: Proceedings of the 5th International Conference on the Internet of Things (IOT), 22–29.
Hashem, I.A.T., Chang, V., Anuar, N.B., Adewole, K., Yaqoob, I., Gani, A., Chiroma, H., 2016. The role of big data in smart city. Int. J. Inf. Manag. 36 (5), 748–758.
Haroon, A., Shah, M.A., Asim, Y., Naeem, W., Kamran, M., Javaid, Q., 2016. Constraints in the IoT: the world in 2020 and beyond. Constraints 7, 11.
Hernández-Ramos, J.L., Moreno, M.V., Bernabé, J.B., Carrillo, D.G., Skarmeta, A.F., 2015. SAFIR: secure access framework for IoT-enabled services on smart buildings. J. Comput. Syst. Sci. 81 (8), 1452–1463.
Homg, M.-F., Lee, W.-T., Lee, K.-R., Kuo, Y.-H., 2011. An adaptive approach to weighted fair queue with QoS enhanced on IP network. Proceedings of IEEE Region 10 International Conference on Electrical and Electronic Technology, TENCON, vol. 1 (1), 181–186.
Horrow, S., Anjali, S., 2012. Identity management framework for cloud based Internet of Things. In: Proceedings of the First International Conference on Security of Internet of Things, SecurIT 12, 200–203.
Islam, S.M.R., Kwak, D., Kabir, H., Hossain, M., Kwak, K.-S., 2015. The Internet of Things for health care: a comprehensive survey. IEEE Access 3, 678–708.
Jararweh, Y., Al-Ayyoub, M., Darabseh, A., Benkhelifa, E., Vouk, M., Rindos, A., 2015. SDIoT: a software defined based Internet of Things framework. J. Ambient Intell. Humaniz. Comput. 6 (4), 453–461.
Jiang, H., Shen, F., Chen, S., Li, K.C., Jeong, Y.S., 2015. A secure and scalable storage system for aggregate data in IoT. Future Gener. Comput. Syst. 49, 133–141.
Jing, Q., Vasilakos, A.V., Wan, J., Lu, J., Qiu, D., 2014. Security of the Internet of Things: perspectives and challenges. Wirel. Netw. 20 (8), 2481–2501.
Josang, A., Ismail, R., Boyd, C., 2012. A survey of trust and reputation systems for online service provision. Decis. Support Syst. 43 (2), 618–644.
Jutila, M., 2016. An adaptive edge Router Enabling Internet of Things. IEEE Internet Things J., 4662(C.), (11).
Kai, P., 2016. DEMO: An IDS framework for internet of things empowered by 6LoWPAN. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS 13, October, 2016, 1337–1340.
Kanuparthi, A., Karri, R., Addepalli, S., 2013. Hardware and embedded security in the context of Internet of Things. Proceedings of the 2013 ACM Workshop on Security, Privacy and Dependability for Cyber Vehicles - CyCAR 13, 61–64.
Karlof, C., Wagner, D., 2013. Secure routing in wireless sensor networks: attacks and countermeasures. Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, 2013, 1(23), 113–127.
Kasinathan, P., Pastrone, C., Spirito, M.A., Vinkovits, M., 2013. Denial-of-Service detection in 6LoWPAN based Internet of Things. International Conference on Wireless and Mobile Computing, Networking and Communications, (October), 600–607.
Kothmayr, T., Schmitt, C., Hu, W., Brünig, M., Carle, G., 2013. DTLS based security and two-way authentication for the Internet of Things. Ad Hoc Netw. 11 (8), 2710–2723.
Kotsev, A., Schade, S., Craglia, M., Gerboles, M., Spinelle, L., Signorini, M., 2016. Next generation air quality platform: openness and interoperability for the internet of things. Sens. (Switz.) 16 (3), 116.
Laghari, S., Niazi, M.A., 2016. Modeling the Internet of Things, self-organizing and other complex adaptive communication networks: a cognitive agent-based computing approach. PLoS ONE 11, 1.
Li, F., Han, Y., Jin, C., 2016. Practical access control for sensor networks in the context of the Internet of Things. Comput. Commun. 90.
Li, S., Tryfonas, T., Li, H., 2016. The internet of things: a security point of view. Internet Res. 26 (2), 337–359.
Li, Y.J., 2015. An overview of the DSRC/WAVE technology (NSW 2015). Eveleigh, Australia.
Liu, L., Wang, W., 2010. Internet of things: objectives and scientific challenges. J. Comput. Sci. Technol. 26 (6), 919–924.
Liu, Y., Cheng, C., Gu, T., Jiang, T., Member, S., Li, X., 2016. Scheme Smart Grid 16 (3), 836–842.
Lopez, J., Roman, R., Agudo, I., Fernandez-Gago, C., 2010. Trust management systems for wireless sensor networks: best practices. Comput. Commun. 33 (9), 1086–1093.
Lu, C., 2014. Overview of Security and Privacy Issues in the Internet of Things, 111.
Mahalle, P., Babar, S., Prasad, N.R., Prasad, R., 2010. Identity management framework towards Internet of Things (IoT): roadmap and key challenges. Recent Trends Netw. Secur. Appl. - Commun. Comput. Inf. Sci. 89, 430–439.
Mahmood, K., Ashraf Chaudhry, S., Naqvi, H., Shon, T., Farooq Ahmad, H., 2016. A lightweight message authentication scheme for Smart Grid communications in power sector. Comput. Electr. Eng. 52, 114–124.
Mansfield-Devine, S., 2016. Securing the Internet of Things. Comput. Fraud Secur. 2016 (4), 15–20.
Maras, M.-H., 2015. Internet of things: security and privacy implications. Int. Data Priv. Law 5 (2), 99–104.
Martín-Fernández, F., Caballero-Gil, P., Caballero-Gil, C., 2016. Authentication based on non-interactive zero-knowledge proofs for the internet of things. Sens. (Switz.) 16 (1).
Massis, B., 2016. The Internet of Things and its impact on the library. New Libr. World 117 (3/4), 289–292.
Mazlan, Abbas, 2014. Internet of Things (IoT) - we are at the tip of An Iceberg. inSlideShare, (978-3-642-19156-5).
Milbourn, T., 2016. No Title. Retrieved July 15, 2016, from https://www.u-blox.com/en/blog/ip-versus-coap-iot-communications.
Miorandi, D., Sicari, S., De Pellegrini, F., Chlamtac, I., 2012. Internet of things: vision, applications and research challenges. Ad Hoc Netw. 10 (7), 1497–1516.
Mishra, S., 2015. Network Security Protocol for Constrained Resource Devices in Internet of Things, 16.
Moosavi, S.R., Gia, T.N., Rahmani, A.M., Nigussie, E., Virtanen, S., Isoaho, J., Tenhunen, H., 2015. SEA: a secure and efficient authentication and authorization architecture for IoT-based healthcare using smart gateways. Procedia Comput. Sci. 52 (1), 452–459.
Ndibanje, B., Lee, H.J., Lee, S.G., 2014. Security analysis and improvements of authentication and access control in the Internet of Things. Sens. (Basel, Switz.) 14 (8), 14786–14805.
Neisse, R., Steri, G., Fovino, I.N., Baldini, G., 2015. SecKit: a Model-based Security Toolkit for the Internet of Things. Comput. Secur. 54, 60–76.
Ning, H.S., Liu, H., 2015. Cyber-physical-social-thinking space based science and technology framework for the Internet of Things. Sci. China Inf. Sci. 58 (3), 119.
Nolin, J., Olson, N., 2016. The Internet of Things and convenience. Internet Res. 26 (2), 360–376.
Oen, H. M., 2015. Interoperability at the Application Layer in the Internet of Things, June.
Perera, C., Zaslavsky, A., Christen, P., Georgakopoulos, D., 2014. Context aware computing for the Internet of Things: a survey. IEEE Commun. Surv. Tutor. 16 (1), 414–454.
Persson, P., Angelsmark, O., 2015. Calvin merging cloud and IoT. Procedia Comput. Sci. 52, 210–217.
Pongle, P., Chavan, G., 2015. A survey: attacks on RPL and 6LoWPAN in IoT. International Conference on Pervasive Computing: advance Communication Technology and Application for Society, ICPC 2015, 0(c), 05.
Porambage, P., Schmitt, C., Kumar, P., Gurtov, A., Ylianttila, M., 2014. Two-phase authentication protocol for wireless sensor networks in distributed IoT applications. IEEE Wireless Communications and Networking Conference, WCNC, 2014, 2728–2733.
Raju, C., 2014. Defending Against Resource Depletion Attacks in Wireless Sensor Networks, 3(11), 590–595.
Raza, S., Shafagh, H., Hewage, K., Hummen, R., Voigt, T., 2013a. Lithe: lightweight secure CoAP for the internet of things. IEEE Sens. J. 13 (10), 3711–3720.
Raza, S., Wallgren, L., Voigt, T., 2013b. SVELTE: real-time intrusion detection in the Internet of Things. Ad Hoc Netw. 11 (8), 2661–2674.
Roman, R., Alcaraz, C., Lopez, J., Sklavos, N., 2011. Key management systems for sensor networks in the context of the Internet of Things. Comput. Electr. Eng. 37 (2), 147–159.
Roman, R., Zhou, J., Lopez, J., 2013. On the features and challenges of security and privacy in distributed Internet of Things. Comput. Netw. 57 (10), 2266–2279.
Sezer, S., Scott-Hayward, S., Kaur Chouhan, P., Fraser, B., Lake, D., Systems Jim Finnegan, C., Layout, S., 2013. Introduction: What is software-defined networking? Future carrier networks are we ready for SDN? Implementation challenges for software-defined networks background: why SDN? Future Carr. Netw. 51 (7), 36–43.
Sicari, S., Rizzardi, A., Grieco, L.A., Coen-Porisini, A., 2015. Security, privacy and trust in Internet of Things: The road ahead. Comput. Netw. 76, 146–164.
Sicari, S., Rizzardi, A., Miorandi, D., Cappiello, C., Coen-Porisini, A., 2016. A secure and quality-aware prototypical architecture for the Internet of Things. Inf. Syst. 58, 43–55.
Srivastava, P., Garg, N., 2015. Secure and optimized data storage for IoT through cloud framework. International Conference on Computing, Communication and Automation, ICCCA 2015, 720–723.
Suo, H., Wan, J., Zou, C., Liu, J., 2015. Security in the internet of things: A review. Proceedings 2012 International Conference on Computer Science and Electronics Engineering, ICCSEE 2012, 3, 648–651.
Tsai, C.-W., Lai, C.-F., Vasilakos, A.V., 2014. Future internet of things: open issues and challenges. Wirel. Netw. 20 (8), 2201–2217.
Valdivieso Caraguay, Á.L., Benito Peral, A., Barona López, L.I., García Villalba, L.J., 2014. SDN: evolution and opportunities in the development IoT applications. Int. J. Distrib. Sens. Netw., 2014.
Valmohammadi, C., 2016. Examining the perception of Iranian organizations on Internet of Things solutions and applications. Ind. Commer. Train. 48 (2), 104–108.
Vishvakarma, N.K., James, W., Sharma, R.R.K., 2015. Internet of Things applications - From research and innovation to market deployment. JIMS 15 (1), 35–43.
Vučinić, M., Tourancheau, B., Rousseau, F., Duda, A., Damon, L., Guizzetti, R., 2015. OSCAR: object security architecture for the Internet of Things. Ad Hoc Netw. 32, 316.
Weber, R.H., 2010. Internet of Things New security and privacy challenges. Comput. Law Secur. Rev. 26 (1), 23–30.
Whitmore, A., Agarwal, A., Da Xu, L., 2014. The Internet of Things: a survey of topics and trends. Inf. Syst. Front. 17 (2), 261–274.
Wood, A.D., Stankovic, J.A., 2012. Denial of service in sensor networks. Computer 35 (10), 54–62.
Wu, J., Dong, M., Ota, K., Liang, L., Zhou, Z., 2014. Securing distributed storage for social Internet of Things using regenerating code and Blom key agreement. Peer-to-Peer Netw. Appl. 8 (6), 1133–1142.
Yan, Z., Zhang, P., Vasilakos, A.V., 2014. A survey on trust management for Internet of Things. J. Netw. Comput. Appl. 42, 120–134.
Yao, X., Chen, Z., Tian, Y., 2014. A lightweight attribute-based encryption scheme for the Internet of Things. Future Gener. Comput. Syst. 49, 104–112.
Yaqoob, Ibrar, et al., 2017. Enabling communication technologies for smart cities. IEEE Commun. Mag. 55 (1), 112–120.
Ye, N., Zhu, Y., Wang, R.C., Malekian, R., Lin, Q.M., 2014. An efficient authentication and access control scheme for perception layer of Internet of Things. Appl. Math. Inf. Sci. 8 (4), 1617–1624.
Yinbiao, S., Lee, K., Lanctot, P., Juanbin, F., Hao, H., Chow, B., Qui, W., 2014. Internet of Things: wireless sensor networks. Int. Electron. Commission, 178.
Zhang, Y., Shen, Y., Wang, H., Yong, J., Jiang, X., 2015. On secure wireless Communications for IoT Under Eavesdropper Collusion. IEEE Trans. Autom. Sci. Eng. 13 (3), 1281–1293.
Zhao, K., Ge, L., 2013. A survey on the Internet of Things security. In: Proceedings of the 9th International Conference on Computational Intelligence and Security, CIS 2013, 663–667.
Zhu, C., Leung, V.C.M., Shu, L., Ngai, E.C.H., 2015a. Green Internet of Things for SmartWorld. IEEE Access 3, 2151–2162.
Zhu, S., Setia, S., Jajodia, S., 2015b. LEAP: efficient security mechanisms for large-scale distributed sensor networks categories and subject descriptors. ACM Trans. Sens. Netw. (TOSN) 2 (4), 500–528.