See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/342052404

An overview of the Internet of Things (IoT) and IoT Security

Technical Report · June 2020

DOI: 10.13140/RG.2.2.31975.06564

CITATIONS READS

0 123

1 author:

Md. Humayun Kabir

International Islamic University Chittagong
19 PUBLICATIONS   5 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Power Line Communication View project

Performance Investigation of three Precoding Methods for Massive MIMO technique in Wireless Communication System View project

All content following this page was uploaded by Md. Humayun Kabir on 09 June 2020.

The user has requested enhancement of the downloaded file.

 An overview of the Internet of Things (IoT) and IoT Security
Md. Humayun Kabir
Dept. of Electronic and Telecommunication Engineering
International Islamic University Chittagong

Keyword: Internet of Things (IoT), IoT Security

Introduction:
The internet of things (IoT) is a computing concept that describes the idea of everyday physical objects being
connected to the internet and being able to identify themselves to other devices. The term is closely identified
with RFID as the method of communication, although it also may include other sensor technologies, wireless
technologies or QR codes.
The IoT is significant because an object that can represent itself digitally becomes something greater than the
object by itself. No longer does the object relate just to its user, but it is now connected to surrounding objects
and database data. When many objects act in unison, they are known as having "ambient intelligence."

Expanded IoT definition

The expanded definition of IoT is the upgrade of mobile, home and embedded applications to become part
of a network of connected physical devices that all have sensors that both import and export data. The
devices, using embedded sensors, gather data about the environment in which they are operating and how
they are being used. The sensors are integrated into every physical device from electrical appliances (fridges,
stoves, furnaces) to lights (home lighting, traffic lights, car lights) to smartphones and tablets (TVs too) to
barcodes on non-electrical items (pill bottles, boxes). The devices then share the data in real time about their
operational state through the Cloud to an IoT platform where there is a universal language by which all IoT
devices communicate. The gathered data is then dumped, or integrated, and data analytics is performed.
Data analytics is drawing valuable insights and information from masses of raw data. Data analytics is now
mostly automated, with algorithms performed by Artificial Intelligence (AI) software that clean, sort, and
generally make sense of the vast amounts of data that IoT devices provide. With a far higher capacity for
computation than humans, Internet of Things technologies can analyze in enormous amounts of data in
seconds. Valuable information and insights are then pulled from the data without the aid of human beings.
The information is then shared with human users and other IoT devices.
The Internet of Things creates an extensive system of information, comprised of smaller systems of
information; smart devices are connected to smart home systems which are connected to smart city systems.
Significant changes come when data from one end of a large system of systems, to the other end of a large
system, can be analyzed. Through the mass sharing of information from other devices, an extensive network
of data is created that benefits and betters all user experiences. The Internet of Things leads to better
healthcare outcomes, more efficient manufacturing, optimizing energy production and consumption, more
effective use of natural resources and lowered waste production in addition to a host of other benefits.

Internet of Things (IoT) Security:

Security is the key to the success of any digital project, whether you are connecting critical infrastructure,
industrial Internet of Things (IoT), or delivering data and telemetry to reduce costs and increase revenue. We
have long advocated the need for a holistic approach to IoT security, and with it, shared the vital role the
network plays in embedding security. To further demonstrate the network’s role, let’s explore how it can
help us tackle a series of IoT-related security challenges.

Page 1 of 7
Internet of Things Security (IoT Security) comprises protecting the internet-enabled devices that connect on
wireless networks. IoT security is the safety component tied to the Internet of Things, and it strives to protect
IoT devices and networks against cybercrime.
The data collected from IoT sensors contain a large amount of private information and needs to be preserved.
There are two key issues privacy and security that need attention when it comes to IoT security.

Security Basics- Fundamentals:

IoT security threats differ significantly from security threats in traditional IT environments: in traditional IT,
security concerns are focused first and foremost on protecting data. Attackers can steal data, compromise
data, and hold it ransom. Recently, they are just as interested in stealing compute power for malicious
cryptomining activities.
There are 5 major components of IoT:
✓ Sensors
✓ Devices
✓ Data processing
✓ Feedback and control
✓ Cloud/Server (IoT platform)
Security and privacy are considered essential components and must be added to this list of components.
IoT security has been introduced to the industry and is used in various ways:
✓ Cyber-Physical Systems (CPS)
✓ Cyber Transportation Systems (CTS)
✓ Machine-to-Machine(M2M) Interaction

Figure 1: The security architecture comprises of four fundamental layers for security analysis.

1. Perceptual Layer
This layer is also referred to as the recognition layer, is the most basic level, which gathers all types of
information with the help of physical equipment(sensors) and identifies and reads the external world. The
information from the device's sensors includes the properties of the objects, or the things, the environment
condition, and more. The physical equipment like RFID reader, GPS, all kinds of sensors, and other
equipment comes under this layer. Though there are different components involved, the critical component
in this layer is the sensors that use for capturing and representing the physical world, i.e., the data given by
sensors connect to this layer.
Page 2 of 7
 2. Network Layer
The layer connected to broadcast data and data collected on numerous essential networks like mobile
communication network, or the WiFi network, satellite network, and more. This layer is responsible for
providing the dependable broadcast of data that we get from the previous layer. Most importantly, the data
gathered from sensors broadcasts to the next level for it to be processed. The initial handling of data collected
through the sensors, cataloguing, and polymerization.
3. Support Layer
The layers act as the mediator between the upper layer and the lower layer. Consider it as the platform for
setting up a proper application layer as it helps with merging the application layer upward and network
layer downward. Grid and cloud computing use all kinds of creative computing powers.
4. Application Layers
In this layer, the personalized delivery of application happens, whatever application the user wants,
whatever application the user is presented with is taken care of in this layer. It can be from smart water,
smart transportation, smart environment support, smart air system, and more. It can be done through
computers, mobile devices, television and more.
Challenges in IoT Security:

Figure 2: IoT Security.

1. Security approaches heavily relying on encryption is not a good fit for constrained devices as they
cannot perform sophisticated encryption and decryption quickly. These protect with constrained
resources are most vulnerable to side-channel attacks, and reverse engineering of the algorithm is
possible.
2. Device authorization, along with authentication, is critical when it comes to securing IoT products
and systems.
➢ They must establish their identity before proceeding further with gateway access and other
cloud-related activities.
➢ IoT platform with two-factor authentication and usage of strong passwords or certificates can
help to solve this issue.
➢ They also help to determine which services or apps that each device has access to throughout
the system.

Page 3 of 7
 3. Device updates need to be managed effectively as well. Security patches to firmware or software
would have several challenges, so they need to be updated effectively. Air updates may not be
possible with all kinds of IoT devices. Device owners as well may not show much interest in applying
an update to the system.
4. The communication channel needs to be secured, as well. Using transport encryption and adopting
standards like TLS is better than encrypting messages before transfer.
5. The sensor data should be stored and proceed securely. Data integrity, including checksums or
signatures, can help to make sure that the original raw data does not modify during transmission.
Data that is not required should be disposed of or detected in a better way and should not be retained
in any part of the system. Maintaining complaints about legal and regulatory frameworks is another
challenge in this project.
6. All applications and services should also be secured as the manager, process access IoT devices along
with the sensor data.
Security vulnerabilities and breaches are inevitable, but measures need to be taken as much as possible to
avoid conflicts of interest.
Best IoT Security Technologies:
Mentioned below are the most popular IoT security technologies based on Forrester's analysis
1. IoT Network Security
IoT network security is challenging than traditional network security as communication protocols, standards,
and device capabilities have a more extensive range, all of which pose significant issues and increased
complexity. It involves securing the network connection that connects the IoT devices with the back-end
systems on the internet. Capabilities include traditional endpoint security features like antivirus and
antimalware as well as firewalls and intrusion prevention and detection systems. Sample vendors are Cisco,
Darktrace, and Senior.
2. IoT authentication
It grants users to authenticate IoT devices, including managing multiple users for a single device, ranging
from multiple static passwords to more robust authentication mechanisms like two-factor authentication,
digital certificates, and biometrics. Unlike most enterprise networks where authentication processes involve
a human being entering a credential, many IoT authentication scenarios ar M2M based and do not involve
any human intervention. Sample vendors: Baimos Technologies, Covisint, Entrust Datacard, and Gemalto.
3. IoT Encryption
Encrypting data at rest and transit between IoT edge devices and back-end systems using standard
cryptographic algorithms, maintaining data integrity, and preventing data sniffing by hackers. Several IoT
devices and hardware profiles limit the ability to have standard encryption processes and protocols. Further,
all IoT encryption must be accompanied by equivalent full encryption key lifecycle management processes,
since poor key management would reduce overall security. Sample vendors: Cisco, HPE.
4. IoT Security Analytics
This technology involves collecting, aggregating, monitoring, and normalizing data from IoT devices and
providing actionable reporting and alerting on suspicious activity or when activity falls outside established
policies.
These solutions add sophisticated machine learning, artificial intelligence, and big data techniques providing
more predictive modeling and anomaly detection, but such capabilities are still emerging. IoT security
analytics would increasingly be required to detect IoT-specific attacks and intrusions that are not identified
by traditional network security solutions such as firewalls. Sample vendors: Cisco, Indegy, Kaspersky Lab,
SAP, and Senrio.
Page 4 of 7
 5. IoT API Security
This technology enables us to authenticate and authorize data movement between IoT devices, back-end
systems, and applications using documented REST-based APIs. API security protects the integrity of data
transiting between edge devices and back-end systems, and applications using documented rested APIs as
well as detecting potential threats and attacks against APIs. Sample vendors: Akana, Apigee/Google, Axway,
CA Technologies, Mashery/TIBCO, MuleSoft, and more.

Over View of CISCO IoT Device Security:

Figure 4: CISCO IoT Authentication.

In Figure 4 we see cisco IoT Home Gateway provide WEP, WPA-PSK, WPA2-PSK, and WPA, WPA2 as
options.
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access II (WPA2) are
the primary security algorithms you will see when setting up a wireless network. WEP is the oldest and has
proven to be vulnerable as more and more security flaws have been discovered. WPA improved security but
is now also considered vulnerable to intrusion. WPA2, while not perfect, is currently the most secure choice.
Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) are the two different
types of encryption you will see used on networks secured with WPA2. Let us look at how they differ, and
which is best for you.

AES vs. TKIP

TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP is actually an
older encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time.
TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure and is now deprecated.
In other words, you shouldn’t be using it.
AES is a more secure encryption protocol introduced with WPA2. AES isn’t some creaky standard developed
specifically for Wi-Fi networks, either. It’s a serious worldwide encryption standard that’s even been adopted
by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES
encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force
attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.

Page 5 of 7
The short version is that TKIP is an older encryption standard used by the WPA standard. AES is a newer
Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But,
depending on your router, just choosing WPA2 may not be good enough.
While WPA2 is supposed to use AES for optimal security, it can also use TKIP where backward compatibility
with legacy devices is needed. In such a state, devices that support WPA2 will connect with WPA2 and
devices that support WPA will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However,
on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
And in case you’re wondering, the “PSK” in those names stands for “pre-shared key” — the pre-shared key
is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS
server to hand out unique keys on larger corporate or government Wi-Fi networks.

The History of Security Protocols:

Wireless security has evolved over time to get stronger and easier to configure. Since the beginning of WiFi,
we’ve transitioned from WEP protocol to WPA3 protocol. Read through to learn about the history of how
these security protocols evolved.
1. Wired Equivalent Privacy (WEP)
The first security protocol was named Wired Equivalent Privacy or WEP. It was the standard protocol from
1999 to 2004. While this version was made to protect, it had poor security and was hard to configure.
Cryptographic technology imports were restricted at the time, meaning that more manufacturers could only
use 64-bit encryption. This is a very low bit encryption compared to the 128-bit or 256-bit options available
today. Ultimately, WEP was abandoned for a more advanced solution.
Systems that still use WEP aren’t secure. If you have a system with WEP, it should be upgraded or replaced.
When connecting to WiFi, if an establishment has WEP, your Internet activity will not be secure.
2. WiFi Protected Access (WPA)
To improve the functions of WEP, WiFi Protected Access or WPA was created in 2003. This temporary
enhancement still has relatively poor security but is easier to configure. WPA uses Temporal Key Integrity
Protocol (TKIP) for more secure encryption than WEP offered.
As the WiFi Alliance made this transition to a more advanced protocol, they had to keep some of the same
elements of WEP so older devices would still be compatible. Unfortunately, this means vulnerabilities, such
as the WiFi Protected Setup feature which can be hacked relatively easily, are still present in the updated
version of WPA.
3. WiFi Protected Access 2 (WPA2)
A year later, in 2004, WiFi Protected Access 2 became available. WPA2 has stronger security and is easier to
configure than the prior options. The main difference with WPA2 is that it uses the Advanced Encryption
Standard (AES) instead of TKIP. AES is able to secure top-secret government information, so it’s a good
option for keeping a personal device or company WiFi safe.
The only notable vulnerability of WPA2 is that once someone has access to the network, they can attack other
devices connected to the network. This is an issue if a company has an internal threat, such as an unhappy
employee, who hacks into the other devices on the company’s network.
➢ WPA-PSK (TKIP): This uses the original version of the WPA protocol (essentially WPA1). It
has been superseded by WPA2 and isn’t secure.
➢ WPA-PSK (AES): This uses the original WPA protocol, but replaces TKIP with the more
modern AES encryption. It’s offered as a stopgap, but devices that support AES will almost
always support WPA2, while devices that require WPA will almost never support AES
encryption. So, this option makes little sense.

Page 6 of 7
 ➢ WPA2-PSK (TKIP): This uses the modern WPA2 standard with older TKIP encryption. This
isn’t secure, and is only a good idea if you have older devices that can’t connect to a WPA2-
PSK (AES) network.
➢ WPA2-PSK (AES): This is the most secure option. It uses WPA2, the latest Wi-Fi encryption
standard, and the latest AES encryption protocol. You should be using this option. On some
devices, you’ll just see the option “WPA2” or “WPA2-PSK.” If you do, it will probably just
use AES, as that’s a common-sense choice.

Conclusion:
No doubt, IoT would change the development services process. Although moving with the latest technology
is encouraged, but it's also advisable to study and analyze the negative aspect and be prepared for the
outcome. Digital businesses need to understand that though the IoT-connected products provide effortless
support, the same devices have become an attractive attack plane for hackers and cybercriminals seeking to
cause disruption and exfiltrate sensitive data.

Acknowledgement
In this report, I was just collecting the IoT and IoT Security-related information and data following the
website [1-7]. After collect, the information, and data here I summarize that information and data.

Reference:
[1]. What is the Internet of Things (IoT)? - Definition from Techopedia. (2020). Retrieved 1 March 2020,
from https://www.techopedia.com/definition/28247/internet-of-things-iot
[2]. Internet of things (IoT): definition. (2020). Retrieved 2 March 2020, from
https://www.strate.education/gallery/news/iot-definition
[3]. Finn, S. (2020). The Criticality of the Network in Securing IoT and Critical Infrastructure - Cisco Blogs.
Retrieved 5 March 2020, from https://blogs.cisco.com/security/the-criticality-of-the-network-in-
securing-iot-and-critical-infrastructure
[4]. What is IoT Security (Internet of Things)? - Tools & Technologies. (2020). Retrieved 6 March 2020,
from https://hackr.io/blog/what-is-iot-security-technologies
[5]. Szigeti, T. (2020). Unpacking IoT, a series: The security challenge and what you can do about it - Cisco
Blogs. Retrieved 10 March 2020, from https://blogs.cisco.com/internet-of-things/unpacking-iot-a-
series-the-security-challenge-and-what-you-can-do-about-it
[6]. WPA vs WPA2: Which WiFi Security Should You Use? - Panda Security Mediacenter. (2020).
Retrieved 16 April 2020, from https://www.pandasecurity.com/mediacenter/security/wpa-vs-
wpa2/#:~:text=WPA2%20is%20an%20updated%20version,or%20not%20work%20at%20all.
[7]. Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both?. (2020). Retrieved 20 May 2020,
from https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-
both/

Page 7 of 7

View publication stats