See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/351849644

Cyber Security and the Internet of Things : vulnerabilities and Security

requirements

Article · January 2019

CITATIONS READS

4 325

3 authors, including:

Abderrahim Maizate Siham Aouad

Université Hassan II de Casablanca National School of Computer Science and Systems Analysis
75 PUBLICATIONS 330 CITATIONS 22 PUBLICATIONS 61 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Abderrahim Maizate on 31 May 2021.

The user has requested enhancement of the downloaded file.

 Cyber Security and the Internet of Things :
vulnerabilities and Security requirements
Siham Aouad, Abderrahim Maizate, Abdelouahed Zakari

To cite this version:

Siham Aouad, Abderrahim Maizate, Abdelouahed Zakari. Cyber Security and the Internet of
Things : vulnerabilities and Security requirements. Revue Méditerranéenne des Télécommunica-
tions/Mediterranean Telecommunication Journal, 2019, 9 (2). �hal-03233370�

HAL Id: hal-03233370

https://hal.univ-lorraine.fr/hal-03233370
Submitted on 24 May 2021

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est

archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents
entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non,
lished or not. The documents may come from émanant des établissements d’enseignement et de
teaching and research institutions in France or recherche français ou étrangers, des laboratoires
abroad, or from public or private research centers. publics ou privés.
S. Aouad Cyber Security and the Internet of Things 1

Cyber Security and the Internet of Things :

vulnerabilities and Security requirements
S. Aouad, A. Maizate, A. Zakari
Lab. RITM/ESTC. CED Science de l’ingénieur, ENSEM, Université Hassan II
Casablanca, Morocco.
[email protected]

Abstract— The Internet of Things (IoT) enables billions of The IoT presents many challenges. This article provides
embedded computing devices to connect to each other. It an overview of the main issues related to the security of IoT.
includes various kinds of devices, e.g., sensors, actuators, RFID We first recall the major vulnerabilities related to IoT. We
tags, or smartphones, which are very different in terms of size, are interested in the security of a connected object. Finally
weight, functionality and capabilities. we introduce the minimum safety requirements specific to
Their success is very noticed and the number of threats and IoT ;
attacks against IoT devices and services are on the increase as
well.
In IoT, The objects can be discovered, controlled and managed II. THE VARIOUS VULNERABILITIES RELATED TO IOT
from the Internet. This articulation, which represents a strong
point of the IoT, also inherit all the problematic of the security Vulnerabilities are weaknesses in a system or its design
already present in the Internet. The latter rests even with that allow an intruder to execute commands, access
renewed acuteness in this new environment, because of its unauthorized data, and/or conduct denial-of-service
characteristics special. It is important to analyze how attacks [3,4]. Vulnerabilities can be found in variety of areas
conventional security requirements (CIA, AAA, etc.) as well as in the IoT systems. In particular, they can be weaknesses in
those related to respect for privacy can be broken down in this
system hardware or software, weaknesses in policies and
new environment.
procedures used in the systems and weaknesses of the system
This paper is an attempt to classify different vulnerabilities, users themselves [5].
besides analyze and characterize security requirements.
Une étude réalisée par HP [6] sur les problèmes de
sécurité de l'IoT, en s'appuyant sur l'analyse de 10
Keywords— The Internet of Things (IoT),AAA,IoT security . équipements parmi les plus populaires dans les plateformes
IoT les plus répandues, montre que :
I. INTRODUCTION  90% of the devices collect at least one personal
The Internet of Things (IoT) is designed as a network of information via the equipment, the cloud, or the
highly connected devices (things). In today’s perspective, mobile application. These informations can be a user
The smart things cover our everyday friendly devices, such name, his address, his date of birth, health
as, thermostats, fridges, ovens, washing machines, and TV information, and even credit card numbers.
sets. IoT devices are increasingly deployed.  Six out of 10 devices offer user interfaces. These
Several studies show that the number of connected devices all have vulnerabilities, including XSS
objects deployed on the Internet will experience a vulnerabilities and weak identifiers.
exponential growth in the coming years [1], thus leading to  70% of devices do not encrypt their outbound
an architecture of IoT complex and subject to significant communications.
traffic. From a qualitative point of view, the IoT has the
characteristics following [2]:  70% of devices associated with a cloud and a mobile
application allow an attacker to know if a user
account is valid via the enumeration of accounts.
1. IoT is an uncontrolled environment mainly because
 80% of devices associated with a cloud and a mobile
of the mobility of objects and possibilities extended
application do not require a password of sufficient
to physically access them.
length and complexity, therefore there are likely to
2. Heterogeneity: an IoT environment can integrate use weak passwords.
entities of very variable origins (different platforms,
According to HP these problems are mainly related to
communication protocols, suppliers ...). Scalability
insufficient authentication or authorization, a lack of
related to the amount of objects that can be
message transfer encryption, an insecure web interface and
interconnected.
vulnerable software / firmware.
3. Limited resources in energy, computing capacity
and storage space

Mediterranean Telecommunications Journal Vol. 9, N° 2, July 2019 ISSN: 2458-6765

S. Aouad Cyber Security and the Internet of Things 2

III. PRIMARY SECURITY AND PRIVACY GOALS IV. ATTACKS

An attacker who has physical access to a connected Attacks are actions taken to harm a system or disrupt
object is able to collect a lot of his sensitive information. For normal operations by exploiting vulnerabilities using various
example, if he managed to recover his encryption keys, he techniques and tools.
could access all incoming and outgoing traffic, and could
also inject malicious code for other network objects. Each An attack itself may come in many forms, including
connected object thus appears as a critical point in the active network attacks to monitor unencrypted traffic in
architecture of the IoT. In the following we list the various search of sensitive information; passive attacks such as
security and privacy features that should be guaranteed in monitoring unprotected network communications to decrypt
order to secure a connected object.[7]. weakly encrypted traffic and getting authentication
information; close-in attacks; exploitation by insiders, and so
a) Confidentiality on. Common cyber-attack types are:
Confidentiality is an important security feature in IoT,  DoS: DoS attempts to make the IoT devices
but it may not be mandatory in some scenarios where data is inaccessible to its intended users through temporary
presented publicly[8]. However, in most situations and or indefinite interruption [20]. The different types of
scenarios sensitive data must not be disclosed or read by DoS attacks that can be launched against the IoT
unauthorized entities. For instance patient data, private include jamming, collision, and malicious internal
business data, and/or military data as well as security attacks; the last type can create more havoc because it
credentials and secret keys, must be hidden from controls part of the infrastructure[21].
unauthorized entities.
 Cyber-crimes: The Internet and smart objects are
b) Integrity used to exploit users and data for materialistic gain,
To provide reliable services to IoT users, integrity is a such as intellectual property theft, identity theft,
mandatory security property in most cases. Different systems brand theft, and fraud [22, 5 , 23].
in IoT have various integrity requirements [9]. For instance,
a remote patient monitoring system will have high integrity  Device end-point: Smart applications on the IoT
checking against random errors due to information domain include smart city items (e.g., e-governance,
sensitivities. Loss or manipulation of data may occur due to street lighting, and water and waste management),
communication, potentially causing loss of human lives [10] SG items (e.g., smart meters and smart energy),
smart health-care items (e.g., smart health cards),
c) Authentication and authorization and intelligent transportation of items (e.g., traffic
Authentication and authorization are essential parts of control, parking, and public transportation), which
basic security processes and are sorely needed in the Internet are physically situated in a specific domain. An
of Things (IoT). Different authentication requirements active attacker can easily hack these items, extract
necessitate different solutions in different systems. Some information, and target other infrastructure that store
solutions must be strong, for example authentication of bank information as alternatives to destroying these items
cards or bank systems. On the other hand, most will have to [24].
be international, e.g., ePassport, while others have to be
local [10]  Supervisory Control and Data Acquisition (SCADA)
Attacks: As any other TCP/IP systems, the
d) Availability SCADA [25] system is vulnerable to many cyber
The vision of IoT is to connect as many smart devices as attacks 26, 27]. The system can be attacked in any of
possible. The users of the IoT should have all the data the following ways:
available whenever they need it. However data is not the  Using denial-of-service to shut down the
only component that is used in the IoT; devices and services system.
must also be reachable and available when needed in a
timely fashion in order to achieve the expectations of IoT.  Using Trojans or viruses to take control of the
[11] system. For instance, in 2008 an attack
launched on an Iranian nuclear facility in
e) Accountability Natanz using a virus named Stuxnet [28].
When developing security techniques to be used in a
secure network, accountability adds redundancy and  Access attacks – unauthorized persons gain access to
responsibility of certain actions, duties and planning of the networks or devices to which they have no right to
implementation of network security policies. Accountability access. There are two different types of access
itself cannot stop attacks but is helpful in ensuring the other attack: the first is physical access, whereby the
security techniques are working properly. Core security intruder can gain access to a physical device. The
issues like integrity and confidentiality may be useless if not second is remote access, which is done to IP-
subjected to accountability. Also, in case of a repudiation connected devices.
incident, an entity would be traced for its actions through an  Physical attacks: This sort of attack tampers with
accountability process that could be useful for checking the hardware components. Due to the unattended and
inside story of what happened and who was actually distributed nature of the IoT, most devices typically
responsible for the incident.[12] operate in outdoor environments, which are highly
susceptible to physical attacks.

Mediterranean Telecommunications Journal Vol. 9, N° 2, July 2019 ISSN: 2458-6765

S. Aouad Cyber Security and the Internet of Things 3

 Reconnaissance attacks – unauthorized discovery V. IOT SECURITY REQUIREMENTS

and mapping of systems, services, or vulnerabilities. We take inspiration from [2], which elegantly organizes
Examples of reconnaissance attacks are scanning security requirements into three categories: Network
network ports [29], packet sniffers [30], traffic Security, Authentication, Authorization, Accounting (AAA)
analysis, and sending queries about IP address and Privacy.
information.
Network security
 Counterfeiting attacks: Counterfeiting simply means Data exchanged over the Internet between two objects, or
imitation or forgery. The IoT devices, such as smart between an object and a user, is exposed to various attacks
watches and smart lighting systems, are fragile and such as eavesdropping, falsification and denial of service,
require lightweight security. However, an active hence the importance of securing the network. These attacks,
attacker can easily duplicate and modify the contents which have a direct impact on the confidentiality and
of the IoT devices because of the security nature of integrity of the data, can be countered by establishing secure
these devices [31]. channels between the various IoT entities.
 Attacks on privacy: Privacy protection in IoT has Traditionally, several technologies based on encryption
become increasingly challenging due to large such as IPSec or TLS have proved their effectiveness to
volumes of information easily available through ensure the confidentiality of data exchanged over the
remote access mechanisms. The most common Internet. They also guarantee the integrity of the data.
attacks on user privacy are: However, these techniques require significant cryptographic
 Data mining: enables attackers to discover computations that often exceed the limited capabilities of
information that is not anticipated in certain connected objects. The ideal network protocol stack for IoT
databases. should provide robust encryption protocols with low
computing requirements. Most current solutions tend to
 Cyber espionage: using cracking techniques and offload constrained nodes by using an intermediate trust
malicious software to spy or obtain secret node with sufficient processing capacity to perform
information of individuals, organizations or the computational tasks.
government.
Finally, whatever the circumstances, the availability of
 Eavesdropping: listening to a conversation objects must always be preserved. A secure routing protocol
between two parties [32]. such as RPL [13] allows for example to obtain this by
 Tracking: a users movements can be tracked by guaranteeing the resilience of connected objects.
the devices unique identification number (UID). AAA
Tracking a users location facilitates identifying Authentication relies on identity management and is one
them in situations in which they wish to remain of the most important operations, and probably the first to be
anonymous. performed by a node when it joins a new network, for
 Password-based attacks: attempts are made by example for a first deployment or in case of mobility from
intruders to duplicate a valid user password. This one network to another. Often, authentication is done via an
attempt can be made in two different ways: 1) authentication server with an access protocol such as PANA
dictionary attack – trying possible combinations of [14] or EAP [15].
letters and numbers to guess user passwords; 2) Access control to resources associated with connected
brute force attacks – using cracking tools to try all objects can rely on mechanisms such as DCAF (Delegated
possible combinations of passwords to uncover CoAP Authentication Authorization Framework) [16] or
valid passwords. OAUTH 2.0 [17]. More generally, access control solutions
 MitM attack: MitM attacks create challenges in can be declined in two ways, either via an intermediary
maintaining data security and privacy. Given the located between the object and the access requester, or by the
different attacks on the IoT devices, the security object itself, often through a simple control of access. access
problem in the IoT involves the active interference token provided by an authorization server.
of intruders on the devices (i.e., allowing Private life
unauthorized users to spy on data through a Direct access by connected objects to the personal
backdoor). Lightweight cryptographic protocols information of individuals and organizations raises issues of
are considered to provide communication security privacy. IoT must provide data protection transmitted traffic
for the IoT devices over a computer network as over the Internet, so that captured traffic does not expose the
part of the DTLS. Nevertheless, MitM attacks take content of this data. For this reason, mechanisms for data
advantage of the weaknesses in the authentication anonymity, pseudonymity and non-traceability must be used
protocols utilized by the communicating to ensure both the protection of private data as well as the
parties[33]. protection of the entities themselves [18].

Mediterranean Telecommunications Journal Vol. 9, N° 2, July 2019 ISSN: 2458-6765

S. Aouad Cyber Security and the Internet of Things 4

VI. CONCLUSION [16] S. Gerdes, O. Bergmann et C. Bormann « Delegated CoAP

authentication and authorization framework (DCAF) », IETF Draft,
Expire: 21 avril 2016.
The security and privacy protection of connected objects, [17] D. Hardt, « The OAuth 2.0 Authorization Framework », IETF RFC
however, raises several issues that may pose serious 6749, octobre 2012.
obstacles to the deployment or acceptance of IoT. The [18] A. Pfitzmann et M. Hansen, « A terminology for talking about
security and privacy protection of connected objects, privacy by data minimization: Anonymity, Unlinkability,
Undetectability, Unobservability, Pseudonymity, and Identity
however, raises several issues that may serious obstacles to Management » , 2010.
deploying or accepting IoT. The main cause lies in the
[19] S. Raza, S. Duquennoy, T. Chung, D. Yazar, T. Voigt and U. Roedig,
weakness of computing capabilities of connected objects, « Securing communication in 6LoWPAN with compressed IPsec »,
which prevents them from using traditional security 2011 International Conference on Distributed Computing in Sensor
techniques implemented in the Internet. In this paper, Systems and Workshops (DCOSS), Barcelona, 2011, pp. 1-8.
vulnerabilities related to IoT and security requirements were [20] Wood, A. D., and Stankovic, J. A. (2012). Denial of service in sensor
introduced. The relationship between IPv6 and IoT is another networks. Computer, 35(10), 54–62.
point to note. The security of the communication between the [21] Kasinathan, P., Pastrone, C., Spirito, M. A., and Vinkovits, M.
different IoT objects via IPv6 is reinforced by the IPSec (2013). Denial-of-Service detection in 6LoWPAN based Internet of
Things. International Conference on Wireless and Mobile Computing,
protocol. However, the implementation of IPSec for Networking and Communications, (October), 600–607.
6LoWPAN type equipment, characterized by energy and [22] B. Schneier, Secrets and lies: digital security in a networked world.
resource constraints, still poses problems. For this reason, John Wiley & Sons, 2011.
several works have been done to obtain a version of IPSec [23] C. Wilson, “Botnets, cybercrime, and cyberterrorism: Vulnerabilities
light and especially compatible with the constrained nodes of and policy issues for congress.” DTIC Document, 2008.
the IoT, such as that proposed in [19] [24] Porambage, P., Schmitt, C., Kumar, P., Gurtov, A., and Ylianttila, M.
(2014). Two-phase authentication protocol for wireless sensor
networks in distributed IoT applications. IEEE Wireless
REFERENCES Communications and Networking Conference, WCNC, 2014, 2728–
[1] D. Evans, « The internet of things: How the next evolution of the 2733.
internet is changing everything », CISCO, 2011. [25] A. Daneels and W. Salter, “What is scada,” in International
[2] E. Vasilomanolakis, J. Daubert, M. Luthra, V. Gazis, A. Wiesmaier et Conference on Accelerator and Large Experimental Physics Control
P. Kikiras,« On the Security and Privacy of Internet of Things Systems, 1999, pp. 339–343.
Architectures and Systems », International Workshop on Secure [26] A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke, “Scada
Internet of Things, Vienna, Austria, septembre 2015. security in the light of cyber-warfare,” Computers & Security, vol. 31,
[3] D. L. Pipkin, Information security. Prentice Hall PTR, 2000. no. 4, pp. 418–436, 2012.
[4] E. Bertino, L. D. Martino, F. Paci, and A. C. Squicciarini, “Web [27] V. M. Igure, S. A. Laughter, and R. D. Williams, “Security issues in
services threats, vulnerabilities, and countermeasures,” in Security for scada networks,” Computers & Security, vol. 25, no. 7, pp. 498–506,
Web Services and Service-Oriented Architectures. Springer, 2010, pp. 2006.
25–44. [28] M. Kelleye, “Business Insider. The Stuxnet attack on Irans Nuclear
[5] J. M. Kizza, Guide to Computer Network Security. Springer, 2013. Plant was Far more Dangerous Than Previously Thought,”
[6] « Internet of things research study 2015 report », Hewlett Packard, http://www.businessinsider.com/stuxnet-was-far-more-dangerous-
2015. than-previous-thought-2013-11/,2013, [Online; accessed 03-Sep-
2014].
[7] A. F. Skarmeta, J. Luis Hernández Ramos et J. Bernal Bernabe, « A
required security and privacy framework for smart objects », ITU [29] S. Ansari, S. Rajeev, and H. Chandrashekar, “Packet sniffing: a brief
Kaleidoscope: Trust in the Information Society, Barcelona, Spain, introduction,” Potentials, IEEE, vol. 21, no. 5, pp. 17–19, 2002.
décembre 2015 [30] M. De Vivo, E. Carrasco, G. Isern, and G. O. de Vivo, “A review of
[8] J. Lopez, R. Roman, and C. Alcaraz, “Analysis of security threats, port scanning techniques,” ACM SIGCOMM Computer
requirements, technologies and standards in wireless sensor Communication Review, vol. 29, no. 2, pp. 41–48, 1999.
networks,” in Foundations of Security Analysis and Design [31] Whitmore, A., Agarwal, A., and Da Xu, L. (2014). The Internet of
V.Springer, 2009, pp. 289–338. Things: A survey of topics and trends. Information Systems Frontiers,
[9] B. Jung, I. Han, and S. Lee, “Security threats to internet: a korean 17(2), 261–274.
multi-industry investigation,” Information & Management, vol. 38, [32] I. Naumann and G. Hogben, “Privacy features of european eid card
no. 8, pp. 487–498, 2001. specifications,” Network Security, vol. 2008, no. 8, pp. 9–13, 2008.
[10] B. Schneier, Secrets and lies: digital security in a networked world. [33] Mahmood, K., Ashraf Chaudhry, S., Naqvi, H., Shon, T., and Farooq
John Wiley & Sons, 2011. Ahmad, H. (2016). A lightweight message authentication scheme for
[11] R. Mahmoud, T. Yousuf, F. Aloul, I. Zualkernan, "Internet of Things Smart Grid communications in power sector. Computers and
(IoT) security: Current status challenges and prospective Electrical Engineering, 52, 114–124.
measures", Proc. 10th Int. Conf. Internet Technol. Secured Trans.
(ICITST), pp. 336-341, Dec. 2015.
[12] Abomhara M, Kien G (2015) Cyber security and the internet of
things: vulnerabilities, threats, intruders and attacks. J Cyber Secur
4:65–88.
[13] T. Tsao, R. Alexander, M. Dohler, V. Daza, A. Lozano et M.
Richardson, «A Security Threat Analysis for the Routing Protocol for
Low-Power and Lossy Networks (RPLs)», RFC 7416, IETF, janvier
2015.
[14] D. Forsberg, Y. Ohba, B. Patil, H. Tschofenig et A. Yegin, « Protocol
for Carrying Authentication for Network Access (PANA) », RFC
5191, IETF, mai 2008.
[15] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson et H. Levkowetz, «
Extensible Authentication Protocol (EAP) », RFC 3748, IETF, juin
2004.

Mediterranean Telecommunications Journal Vol. 9, N° 2, July 2019 ISSN: 2458-6765

View publication stats