International Journal of Computer Science and Information Security (IJCSIS),

Vol. 14, No. 11, November 2016

INTERNET OF THINGS (IOT): ON-GOING SECURITY CHALLENGES

AND RISKS
Azeem Iqbal Rabia Saleem
Department of Information Technology Department of Information Technology
G.C University G.C University
Faisalabad, Pakistan Faisalabad, Pakistan
azeem.wasa@gmail.com rabiasaleem@gcuf.edu.pk

Muhamamd Asif Suryani

Muhammad Arif Suryani
Department of Computer Science Department of Information Technology,
COMSATS, Institute of Information Technology, Sahiwal GC, University, Faisalabad.
Sahiwal, Pakistan. Faisalabad, Pakistan
asifsuryani@ciitsahiwal.edu.pksuryanipk@msn.com

Abstract—Internet of Things (IoT) is the future of In next era of computing, it’s not only people who will access
Internet and it has emerged as a field with immense information or communicate over the networks. It will be an
potential. Internet of Things (IoT) has provided a era of M2M (machine to machine) communication, in which
promising opportunity to develop important machines will be sharing information to each other on the
behalf of humans. We are going to realize the meaning of
industrial systems and applications by exploiting
“ubiquity” in the fields of communication and computing,
static and moving wireless sensors and RFID. In past where not only humans and things but things and things are
few years security and privacy issues attracts the going to communicate to each other. This connectivity of
intentions and still both these issues keep its anything, for anyone, from anywhere and any anytime is going
importance due to increase in requirements of IoT to add a new dimension in the communication technology [2].
applications. In order to facilitate this emerging Basically, Internet of Things is the integration of sensors
domain, the brief review of on-going research networks, communication technology and Radio Frequency
progress of IoT has been performed while Identification (RFID). IoT enables the physical objects and
considering security and privacy issues. This study things to connect to internet and allows them to corporate and
will enable us to highlight the suitable security communicate to each other in order to achieve a common goal
[3].
architecture and risk management approaches by
Internet of Things can be defined as global inner-connected
analyzing features and security requirements in network of physical objects and things which enables the
various IoT paradigms. It will also provide a road remote connection and control of those things. The increasing
map for better implementation of IoT in smart cities use of WSN and RFID is making easy to connect more and
and smart homes. more things to the network [4][5][21].
Keywords: Internet of Things, Security Framework, IoT Future of IoT
Privacy, Smart Cities and Home.
Significant attention of industries and academia is the result of
I. INTRODUCTION promising capabilities of Internet of Things. IoT has ability to
create a smart world, in which things (objects of our physical
Responsiveness is the property that can be very important for environment) will be connected to internet and will be able to
any human being as well as any device. Hence it is a very big communicate to each other with minimum interference of
question to make the things responsive, as it will enable us to humans [6]. A smart world is the destiny of IoT where smart
have the latest information about any on-going work, and the objects will be aware of our needs, likings and disliking and
responsiveness will decide the next process i.e. actuation. without explicit instructions, they will perform functions
Hence in computing paradigm the most important thing is the accordingly [7][8].
response or actuation. Wireless Sensors are the essential part Currently, there are approximately five billion smart gadgets
in any of the sensing environment due to its effectiveness. which are connected and it has been predicted that by 2020,
These approaches and ability to make things responsive and there will be 50 billion smart things which will be connected.
ubiquitous computing gave birth to a new and exciting domain Moreover, it is also possible that we may experience a
i-e. Internet of Thing.IoT is the domain in with all available network of trillion nodes in our life[9][10].
devices is connected through and can provide its information
which can be used for some tasks[1][2]. Security Challenges and Risks in IoT

671 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

If we talk about the risks and security challenges in Internet of New security and privacy threats of Internet of Things can
Things, we can say that IoT will be more prone to risks and it change the risk profile of overall information security. In spite
will face much severe and more security and privacy of technological solutions which may have ability to respond
challenges. New challenges of security and privacy will arise to security threats, Security and privacy in Internet of Things
in IoT because of its following features: is basically a management issue. A thorough assessment of
• Sensor networks, traditional internet, mobile risks and mitigation plan is required for effective risk
networks and many other will be used in IoT, thus it management in Internet of Things [12].
will expand the internet. There are many available technologies which are not suitable
• This internet will provide connection to every smart for industrial use, as these technologies do not fulfil the
object. security and privacy criteria of industries. While developing
• These smart objects will have ability to communicate the IoT, encryption technologies must be reviewed in order to
to each other. ensure the security and privacy. In IoT personal and private
information can be collected automatically because the objects
Presently, Internet of Things does not cover the autonomous have capabilities of sensing, monitoring and communication
control and ambient intelligence. Integration of Internet of [6].
Things and autonomous control can result in an evolution of In comparison to traditional ICT, security and privacy are
machine to machine communication in the form of Cyber much serious issues in IoT because IoT is more prone to
Physical System. Cloud computing, development of advanced attacks and contains personal and private information so it is
network techniques and distributed multi-agent control will likely that it will be an interesting target for attackers
make it possible. To meet the higher needs in terms of [14][15][16].
security, privacy and reliability in Cyber Physical System new For example if a heart patient is under observation with use of
methodologies and technologies must be introduced [11]. sensors, his information of heart rate and blood pressure will
It is predicted that in 2017, 7 trillion wireless devices will be be monitored by the sensors and this information will be
connected to internet to serve 7 billion people. New trend of forwarded to doctor. There is possibility that this information
use of micro devices and tools is the reason behind increasing may be compromised or stolen from the network [17].
these numbers. Devices, communication and computing There are many other issues of security and privacy in Internet
technology is becoming ubiquitous. Trend of computing and of Things. Still the definition of privacy is still not clear in IoT
communication technology is shifting towards Internet of and its legal interpretation is also still ambiguous. In spite of
Things (IoT) as the devices are equipped with capabilities like provision of security and privacy in IoT by existing network
low consumption of energy, increased computational power security technologies, there is a big scope of work in the field
and they are becoming miniaturized. of information security and privacy in IoT. A trustworthy
Security and privacy are the most challenging topics in this security management framework is required. This security
interconnected world of smart things. New challenges of mechanism must be researched with following aspects
security and privacy will arise in confidentiality, integrity and [18][20]:
authentication of this data[12]. 1. With the legal, social and cultural viewpoint, a
Some properties of Internet of Things which can lead to some comprehensive definition of security and privacy.
security and privacy issues are listed as under: 2. Trust management mechanism
• Mobility: there are many service providers, who 3. End to end encryption in order to ensure
provide service of internet access for mobile devices communication security.
of Internet of Things. 4. Privacy of generated data and its communication.
• Wireless: mostly these devices use wireless services 5. Secure applications and services.
like 4G-LTE, Zigbee, 802.11 and Bluetooth to
connect to the rest of the internet. II. RELATED WORK
• Embedded Use: Majority of Internet of Things It has been forecasted that soon mostly machine, equipment,
devices are embedded, so they have a single use, gadgets and many other things will have their own unique
which makes the detection of communication patterns identification and could be addressed, making these things
possible. able to connect to internet. These machines will not only be
• Diversity: IoT devices are diverse in range in terms of able to communicate with each other but also with humans.
computational capabilities so this point must be This ubiquitous computing and communication will bring a
considered in designing privacy and security for such revolutionary change in human’s life[23].
devices and design must accommodate even simplest
devices like RFID Tags. Security Challenges and Risks in IoT
• Scale: it is difficult for users to monitor security and Network and devices of IoT must be secured in order to tackle
privacy concerns as these devices are convenient, security problems in Internet of Things (IoT). Considering the
growing in number on daily basis and increasing factor of ubiquity in IoT domain, it can be said that tiny
embed network connectivity into everyday settings devices of Internet of Things (IoT) are much more vulnerable
[13]. to security attacks. If an embedded system cannot resist to a

672 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

potential security attack, which could compromise its security, been proposed and their supporting IoT layers have been
the provided security processing cannot be considered useful. indicated by emphasizing vertical trust management is crucial
To determine the level of attack resistance in embedded for achieving trustworthy IoT. Then these objectives were
systems, risk and cost analyses become essential. applied as criteria to survey the literature advances towards
Development of security measures has become much more trust management by reviewing the existing work which is
challenging and an ongoing exercise as attacks are becoming based on eight taxonomies. Then to find out open issues and
more and more sophisticated. Moreover, countermeasures suggest future research trends, versatility of eight taxonomies
should be system specific. Because it is quite possible that was compared for trust management. Unsolved issues have
countermeasures designed for one embedded system may not been discussed and finally a research model for holistic trust
work for another system (e.g., countermeasures designed for management is proposed to indicate research trends of future
smart cards may not work for PDA’s) [24][25]. [29][30].
There is problem of processing power in these devices to
satisfy the security requirements of these systems. Correlation III. METHODOLOGY
between data values and side channels must be reduced In order to ensure the implementation of IoT application,
susceptibility to side channel attacks [19]. security must be defined and tested. Because security is the
The provision of services of IoT (Internet of Things) is most important key factor in the Internet of Things paradigm.
possible in various approaches. We can use a centralized In last few years, IoT have been a major focus for research and
architecture for said purpose. In this approach application a lot of work have been done on the IoT security related
platform is located on internet. This central platform acquire challenges and risks. Many solutions have been proposed
data from different entities via network and provide services focusing on different areas of IoT security challenges and
and raw data to other entities. Alternative of centralized risks. But most of the works are focused on some specific
architecture is the distributed architecture. In distributed areas of security. Still there is a plenty of room to research in
architecture, provision of the service is located at the edge of this field. As the IoT applications have lot of variation in their
network. Entities dynamically collaborate with each other and scope, so a generic model for IoT security is very important,
exchange information at the edge of the network. It is which can tackle number of security challenges and risks in
necessary to assess the features and challenges of security and different types of IoT applications. In this work I will propose
privacy to the advantages and disadvantages of distributed an IoT Security Framework to tackle the challenges and risks
architecture to determine its applicability and viability. of security in IoT. This framework will cover the different
It has been observed that as distributed architecture is aspects and areas of IoT security. This framework will be able
decentralized and heterogeneous in nature so the complexity to ensure the IoT security in means of Authentication,
of many security mechanisms (access control, trust Confidentiality and Access control. It will also address the
management, identity and authentication, protocol and issues of Privacy, Trust, policies, secure middleware and
network security and fault tolerance) is increased. But at the mobile security. This framework could be implemented by
same time distributed architecture approach provides using the combination of different security protocols, best
interesting features and both approaches compliment to each practices and solutions as per demands of specific IoT
other in some security mechanisms like privacy, trust application.
management and governance, fault tolerance[27][28].
Security in IoT: Authentication, Confidentiality and
Trust Management in IoT Access Control
In future IoT (Internet of Things) is going to provide In this section we have analyze security requirements of IoT,
intelligent and most advanced services to mankind by which are authentication, continuously generate and share
integrating physical objects (sensors, devices etc.) into data. Authorization, authentication, non-repudiation and
information networks. These interconnected objects of IoT or access control are very much important considerations in order
things will collect, senses and monitor all the data of a man’s to ensure the security of communication in said type of data
social life. This information is further used to provide sharing atmosphere. In this situation, ad-hoc nature of
ubiquitous services to human. For security of information, networks and lack of computing resources requires major
privacy of user, reliable fusion and mining of data and changes in existing techniques.
qualified services with context awareness, trust management
plays a major role in IoT (Internet of Things). People have Authentication and confidentiality
perceptions of uncertainty and risks to their privacy and DTLS (datagram transport layer security) protocol was the
security of personal information in adoption and consumption first fully implemented two way authentication security
of services of IoT. Trust management in IoT can help people scheme which is placed between transport layer and
to overcome these uncertainties and doubts. Currently the application layer. This scheme is based on RSA encryption
study on trust management in IoT is not adequate. and authentication technique. This scheme is designed for
In this study properties of trust have been investigated and 6LoWPANs (for IPv6 over Low power wireless Personal Area
classified in five categories. Based on general IoT system Networks). Based on real Internet of Things system, a broad
model, ten objectives for holistic trust management in IoThave assessment, shows that this scheme is capable to provide

673 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

integrity of message, authenticity and confidentiality with Two identified subjects are the data holders and data
affordable energy. collectors. Objects and users must transmit data to data
Focusing on the integrity and confidentiality, how can we collectors only data which is relevant to target and data
apply the existing KMS to the Internet of Things context?Most collectors must authenticate objects and users as authentic data
of the key management systems are not suitable for Internet of holders.
Things. Let’s discuss frameworks one by one. Not only discrete data but processing of streaming data is also
Key pool: insufficient connectivity. deal in Internet of Things. Performance and progressive
Mathematical: make use of the deployment knowledge to constraints are the main critical issues in this perspective.
optimize the construction of their data structures. But such Therefore Access Control is more computational rigorous in
approach cannot be used in Internet of Things because client streaming data in comparison to traditional DBMS. Incoming
and server nodes are usually located in different locations. data streams can be made of large data and their arrival rate
Negotiation: make use of the wireless channel and its inherent can be unpredictable. Queries have to be directly executed on
features to negotiate a common key. But they are not suitable these incoming data streams.
for Internet of Things because client and server nodes usually Let’s focus on the layer which is responsible for acquirement
belong to different networks. In order to be able to talk with of data. In accordance with security and privacy, a large
each other, they should route the information through the number of sensing nodes are required to acquire data of
Internet. different types for authentic users. A hierarchical Access
It seems that still there is no well-defined solution which can Control method for this layer was introduced. Computational
assure the confidentiality in Internet of Things. A lot of work and storage capacity constraints of sensing nodes have been
have been done in the field of WSN but still there are many considered in this scheme. A single key is passed to each node
questions as following: and user. A key derivation algorithm is used to drive the other
• As the devices of Internet of things are heterogeneous necessary keys. As the key exchange is limited, this enhances
and applications are different in context, still the the security and reduce the cost.
application of WSN is adaptable? Location of user must be confidential in normal situation but
• It is still not clear that which layer of network will in an emergency situation his location can be made available.
handle the authentication and how will it handle? For example is an accident occurs, and a doctor must reach
• Which is the most appropriate security mechanism, there. An identity based system for personal location was
traditional or new solution? established for an emergency situation. Registration,
• How the different encryption keys will be handled? authentication, client sub-system and polices are the parts of
• Suitable key distribution mechanism? this system. In this system, user is identified by his subsystem
• How the system can be made more resilient? How to of authentication. Policy subsystem provide the level of the
ensure end-to-end integrity verification. emergency. Now it can be assured that the information of
location of the user can be acquired only by an authorized user
Recently there is some working to address these questions. An and only in emergency situation.
authentication protocol for Internet of Things is an example. A “Continuous Authentication on Data Streams” (CADS) was
light weight encryption method have been used in this presented to address the issues of authentication in outsourced
protocol. Encryption is based on XOR manipulation for data streams. Presence of a service provider is assumed. This
privacy protection in constrained IoT devices. service provider collects data from different owners. Also
In authentication and key agreement scheme for acquire authentication information. At the same time process
heterogeneous WSN, a lean key agreement protocol is used. the queries of many clients. Not only the query results, are
This allows a remote user to securely negotiate a session key returned by the service provider to clients but verification
with sensor node. That is how it ensure authentication between information also. Provided authentication information is a base
users, sensor nodes and GWN (Gateway Nodes). In a resource to make the clients able to verify the completeness and
constrained environment, this scheme can be implemented by authenticity of received data.
only using the simple hash and XOR. A Capability Based Access (Cap-BAC) is capable to manage
In another lightweight encryption scheme session key is the access control process to services and information with
established based on the ECC (elliptic Curve Cryptography). least privilege operations. User has to present his authorization
Access control policies are defined in this scheme. These capability in CapBAC. In Access Control Lists (ACL) services
policies are based on attributes which are managed by an provider had to check his authority. In CapBAC the owner
attribute authority. This enhances authentication between users give the certain resources to desired users, who can prove their
and sensor nodes. It also solve the issue of constrained capability to access the resources. There should be more stress
resources at application in Internet of Things. These on relevance of security mechanisms usability and access
preliminary answers are focused on problem of lightweight rights delegation. It also has to be taken into account that they
encryption in IoT. should be useable by those users, who do not have ICT skills.
Following are the major access control challenges emerged
Access ControlIt refers to rights to use the resources of an from the discussion about above stated works:
Internet of Things network assigned to actors of this network.

674 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

• How the access control can be guaranteed in IoT A data tagging to ensure privacy in Internet of Things has
environment, where not only users but objects will been taken from Information Flow Control. Data representing
also be interacting. network events can tagged with some properties of privacy.
• To manage a scalable IoT architecture, which These tags enables the system to reason about the flow of
approach is more suitable? Centralized, distributes or information and manage the privacy of users. As the tags may
a semi-distributed approach? be too large because of large data size so they may generate an
• How to manage the identification of entities? excessive overhead, so it may not be a viable solution. So it is
• In a common recognized representation, how to not suitable for Internet of Things.
handle big transmitted data like stream data? A user-controlled privacy-preserved access control protocol is
based on the context-aware anonymity privacy policy. In this
To deal with access control of heterogeneous devices, a few approach, user have control on that which of his data can be
new solutions have been proposed. A subscriber method and accessed, who can access his data and when his data can be
group membership scheme have been suggested for the accessed.
purpose. This authorization scheme of constrained devices CASTLE (Continuously Anonymizing Streaming data via
comprises of PUF (Physical Uncloneable Functions) with Adaptive Clustering) is a cluster based scheme. Anonymity,
eSIM. Physical Uncloneable Functions provides cheaper in freshness and delay constraints are ensured in this scheme. In
price, secure and tamper-proof secret keys. These keys can be this way it improves those privacy management techniques
used to authentify constrained IoT devices. Embedded which are established for static data sets. This scheme is not
Subscriber Identity Module (eSIM) provide mobile suitable for continuous, transient and unbounded streams.
connectivity. It also guarantee scalability, interoperability and Traditional privacy mechanisms are divided into Discretionary
amenability with security protocols. Access and Limited Access. To prevent the leak of sensitive
A common secret key can be adopted, donated as group key data, Discretionary Access addresses the minimum privacy
and shared by multiple communication end points, in order to risks. In Limited Access, security access is limited to prevent
secure multicast communication. Batch-based centralized malicious attacks.
approach provide basis for management and distribution of A fully decentralized anonymous authentication protocol for
such keys. This mechanism reduce the computational privacy protection is based on a multi-show credential system.
overhead and network traffic. Because just like a typical IoT In this system different showings of same credential cannot be
context, users joins and leaves. linked together. As a result generated keys are secure and their
This protocol can be applied in: disclosure is avoided. It’s the system who defines the possible
1. Secure data aggregation in IoT roles of participant nodes. These two roles are: users and data
2. V2V communications in VANETs (Vehicular Ad-hoc collectors. With owning of AAC (Anonymous Access
Networks) Credential) user can authenticate himself anonymously. A
valid AAC is encoded with a particular set of attributes. These
attributes are developed by the system itself. There are three
phases of this mechanism.
1. Set-up
2. User registration (user obtain AAC)
3. Credential proving (user prove owning of valid AAC)
In this approach problem of SPOF (single point of failure) do
not exist, as it relies on fully distributed approach.
KP-ABE (Key-Policy Attribute-Base Encryption and) and CP-
ABE (Policy Attribute-Based Encryption) are two major types
of Attribute-Based Encryption (ABE). Researchers carried out
simulation on mobile devices to reveal that in what conditions
Figure 1. Security Related Solutions Attribute-Based Encryption is best suitable for Internet of
Things. Results showed that ABE can provide viable key
Privacy in Internet of Things (IoT) management, fine grained access control and flexible data
Application of Internet of things is in different fields. Few distribution. Because ABE provides a Public Key Encryption
examples of IoT applications are patient monitoring, energy Scheme.
consumption control, smart vehicle parking, traffic control, ePASS is an Attribute-Based signature (ABS) Scheme. It is
inventory control, production line management and civil capable to guarantee privacy in Internet of Things. An
protection system. Personal information of users is involved in attribute tree is used in it. ePASS expresses any policy
all of above said applications. This personal information of consisting of AND/OR which cannot be exploited by
users must be protected and privacy should be guaranteed. computational Diffie-Hellman assumptions.
Some work has already been done to address this issue of Key changed mutual authentication is a protocol for Radio
privacy in IoT. Frequency Identification (RFID) and Wireless Sensor Network
(WSN), which integrates a random number generator in tag

675 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

and reader. It adopts a one way hash function. The refresh in A hierarchical trust mode is capable to effectively detect
real time. This protocol is capable to prevent the system from malicious communities by the observation of their neighboring
risks like DOS (Denial of Service), replay, replication, nodes. A VCID (verifiable caching interaction digest) was
spoofing and tracking of tag. introduced. Purpose of VCID was to monitor object reader
PPDM (Privacy Preserving Data Mining) are the techniques interaction.
which can reduce the risks like disclosure of sensitive data and An attack resistant trust management model for distributed
sensitive content analysis. A privacy management scheme is routing in Internet of Things, is capable to evaluate publicize
proposed in this technique. This scheme makes a user able to repute in distributed routing. Then it proposes establishment of
understand the risks in sharing sensitive information. trusted relations between self-organized nodes. So it it prevent
Moreover, it also develops a robust sensitivity detection disturbed routing systems from probable attacks.
system. To tackle the trust issues in Internet of Things, above stated
models use different techniques including include hierarchical
model, reputation mechanisms, fuzzy techniques, routing
strategies mechanisms and based on nodes past behavior
mechanisms. It seems that there is enough work regarding
trust in Internet of things but for scalable Internet of Things
paradigm, a fully distributed and dynamic approach has not be
defined yet.

Figure 2. Privacy Related Solutions

Trust in Internet of Things (IoT)

IoT devise or smart objects are vulnerable to malicious attacks
because most of these devices are human-carried or related to
humans and they are exposed to public networks. In these
malicious attacks, malicious nodes try to break the basic
functionality of IoT devices by means of trust related attacks.
A distributed, encounter based and activity based trust Figure 3. Trust Related Solutions
management protocol has been proposed to develop trust in
Internet of Things. In this scheme two nodes which are in Policy Enforcement in Internet of Things
mutual interaction can share evaluation of trust about other Policy languages are classified in two categories.
nodes. This sharing is like a recommendation. Honesty, 1. Policy Enforcement Languages
interest of community and cooperation are the parameters for 2. Policy Analysis Languages
this sharing of information regarding trust of other nodes. Former simplify the interpretation of polices. But they lack
A similar technique has been introduced for trust in SIoT formal semantics. Which allow the verification of polices
(social internet of things). The integration of social networks themselves. Second category allow the formal policy analysis
in Internet of Things have derived SIoT. A reputation based and the expression of a large variety of compulsions.
trust mechanism for Social Internet of Things was the aim of Aiming on the combining the benefits of both policy
the work. This mechanism is capable to tackle malicious languages, a policy language was introduced. There are many
behaviors aimed to misleading other nodes. advantages of formalizing policy enforcement. It reduce the
As identities are not known in advance in Internet Of things so gap between specified polices and deployment of those
the traditional access control models are not useful. FTBAC specified polices. In this way it ensures that polices are
(fuzzy approach to the trust based access control) is properly applied in the system. A model of target system must
framework which calculate the trust scores. Experience, be prepared and then possible effects of application of polices
knowledge and recommendations are the factors for this must be designated in order validate policy enforcement.
calculation. After calculation these scores are mapped to Reference monitors are used to enforce polices. In some
permissions. Access requests are accompanied by a set of conditions, a set of actions must be executed if some events
credentials. These together establish a proof for decision of are detected. This policy language is not capable to provide
access. The fuzzy approach to the trust based access control operational semantics, which are required to enforce and
framework comprises of three layers as following: manage obligations in a policy managed system, dynamically.
• Device layer OWL (Web Ontology Language) is capable of modeling both
• Request layer the policy languages and enforcement mechanisms. Let’s
• Access Control layer discuss an example of health care environment. In such
environment communication and corporation between

676 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

hospital, pharmacy, lab and Medical College is essentially

required. To secure their patients record and their secret Secure Middleware in Internet of Things
information, they use their own policy enforcement Otsopack is a proposed Aml framework. There are two core
mechanisms. Problem in this scenario is that these are features of this framework: (i) simple, extensible and modular
different domains and there is always communication in these in design. (ii) it is compatible with several computational
all domains. So in this scenario a cross domain policy platforms including Android and Java. HTTP provides basis to
enforcement is essentially needed. But it has been observed the underlying interface. A Representational State Transfer
that in mostly these domains have different policy languages (REST) interface is used. Only a few features are provided by
to define their policies. When there is a new communication different applications. So there is a possibility to embed it in
between two domains who are stranger to each other. It is not other devices. It needs a partial ad-hoc implementation and
clear that how many policy rules from stranger domain will be only supports Python. Triple space Computing (TSC) is used
enforced by current enforcement mechanism. Therefore the in it.
ICT departments of both domains must work together to figure As a middleware, capable to bridge different platforms of
out if there is any possibility to make their system Internet of Things, NAPS (Naming, Addressing and Profile
interoperable. Social networks are facing the same problem. Server) was introduced. As there are many heterotopous
Almost every social networking site have his own enforcement devices deployed across different platforms, the service of
mechanisms which provide basis for their privacy Naming, Addressing and Profile Server is as key module at the
configurations. If two different social networking sites needs back end data center. This data center aid the upstream,
to communicate to each other, they must reconfigure their content based data filtering and matching and also the
systems to ensure that these activities are compatible with downstream applications. A naming conversion for devices
polices of other social networking site. and their groups across different platforms was also proposed.
HiPoLDS (Hierarchical Policy Language for Distributed Its design was focused on a middleware component, which can
Systems) was introduced for distributed systems. It is capable serve dynamic applications requirements. This resulted in
to enable the specifications of security polices in a concise designing of IoT-AI (Internet of things Application
way. Its aim was to decentralized execution atmosphere under Infrastructure). Application gateway, service registration
the control of many stakeholders. It uses the distributed portal and RODB are its components. It relies on protocols
reference monitors for policy enforcement. These control the like UPnP (Universal Plug and Play). Data is transmitted with
flow of information between services. It is also responsible to the use of standard HTTP requests and response. Interfaces are
activate the directives output by the decision engines. based on RESTful design. On the recording of a device profile
In e-commerce applications like eBay, there are two paradigm information, an identifier is automatically generated.
to prevent the privacy of the user, user trustworthiness and Aimed at unifying the global machine to machine communal,
user anonymity. In this paradigm the actual identity of user is a global service layer platform was introduced. It enabled the
open. Only his actual resources of areas of interest are interoperability of different machine to machine systems
circulated. This data will be dispersed so that potential across multiple networks. This platform is capable to support
matches can found. Then certified e-mail is used by the each secure end to end information transfer between the M2M
to send him matching offers. devices. While performing this function, authentication,
A semantic web framework and meta-control model can encryption, buffering, aggregation and device management are
compose policy reasoning with identification. It can also the aspects which are considered.
access of the source of information. It should be considered For Internet of Things transparent middleware a security
that application logic should separated from related polices. architecture was introduced with protection measures based on
Although there is considerable work in policy enforcement in latest security technologies. AES, TLS and oAuth are some of
Internet of Things but still a suitable policy enforcement such technologies. This architecture integrated the data
mechanisms is missing, which can perfectly fit in the privacy, authenticity, integrity and confidentiality for Internet
paradigm of Internet of Things. For IoT paradigm, a proper of Things environment.
language for specification of privacy policies must be defined.

Figure 4. Solutions for Policy Enforcement in IoT

Figure 5. Middleware Security Related Solution

677 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

IoT Middleware Security Solutions MOSDEN (Mobile Sensor Data Processing Engine) is a plug
in based Internet of Things middleware. This system is for
Mobile Security in Internet of Things resource constrained mobile devices. These device do not
In making efforts towards a Secure IoT environment, a model require any programming to collect and process data. Both
was introduced for the privacy and the security of “Radio type of streaming mechanisms (push & Pull) are supported by
Frequency Identification” (RFID). This model is not only it.
capable to ensure the privacy and security of tags and readers. Identification and authentication of device and key and
It is also capable to tackle the tags corruption, reader credential storage and their exchange are some of the security
corruption, multiple readers and mutual authentication key issues of mobile devices. These issues are already under
exchange protocols. consideration by many researchers. But known solutions are
As it has been already discussed that IoT systems can violate not capable enough to meet these needs. Therefore further
the privacy of users, especially their privacy of information of efforts are required for suitable solution.
location in order to enable a systematic surveillance. Some of
the currently faced location privacy issues have been reviewed
which are faced in smart mobile devices like Android and
IPhone. For mobile security a secure handshake approach was
introduced. In this scheme a mobile device verifies over an
unsecure channel, validity of an ordinary sensor node. This
verification is performed by a private negotiation of handshake
attributes. For the purpose, a mobile hierarchy is established to
contact a deployed Wireless Sensor Network in a secure way.
Healthcare services is a very much important application of
IoT. Security in such service is one of the emerging demand
for mobile solutions. A security and privacy approach was
introduced to ensure the privacy and security of the Figure 6. Mobile Security Related Solutions
information of the patient, as such information is very much
sensitive and personal. In this mechanism, service provider Proposed Security Framework Diagram
have to obtain authentication from a public authority. To In order to propose an IoT security framework, possible IoT
ensure the security of the communication between end devices security challenges and risks and their solutions have been
and applications, they must handover cryptography. Aim of discussed in study. As there is a lot of variation in IoT
this approach is to create a trusted IoT application market. applications and their scope, I have proposed a generic
There is an exploitation of Radio Frequency Identification to security framework for Internet of Things paradigm.
get the solutions of some security and privacy issues. Hash
function is not supported by all existing tags, only some of the
tags support them in designing RFID protocols. In mobile
perspective, channels among readers and servers are always
secure. To tackle this issue an ultra-light weight and privacy
securing authentication protocol was introduced for mobile
RFID. Only bitwise XOR and some pseudo-random number
generators are used in this system. Tag anonymity, privacy of
tag location and privacy of reader are some of the privacy
features of this system. Moreover, this system is also resilient
to different type of attacks like replay attacks and
desynchronization attacks.
In human centric computing, m-IPS (mobile-intrusion
prevention system) was introduced. This system is considered
as an efficient and secure system, which was aimed for using a
mobile for business activities. Spatial information, time-based
information, profiles and role information of the user is
verified to grant access control.
Use of firewalls to secure the data can lead to a challenging
encounter among data security and usability. Today it can be
seen that a massive number of products are becoming mobile.
To provide generic and standard interface, a messaging
standard was introduced namely QLM (Quantum Lifecycle Figure 7. Proposed IoT Security Framework
Management). Aim of this standard was to ensure a two way
communication through every type of firewall.

678 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Attention is focused on establishment of a generic framework, At first we there must be some authentication protocol that will
with capability to address maximum types of IoT applications. authenticate all the authorized devices. In this model the
I have already discussed the solutions for different areas of authorized devices are the deployed sensor nodes. These
IoT security. These areas include IoT Security (authentication devices must have controlled access to each other and towards
and confidentiality and access control), Privacy in IoT, Trust the communication end. As in sensor deployment there must be
in IoT, Policy Enforcement in IoT, security of Middleware in need of some access control protocol. All these security
IoT and Mobile Security in IoT. Proposed framework is an features proposed in our framework will definitely made this
integration of all these security challenges and risks and their application worthy.
possible solutions. There is a lot of variation in the different
Communication
IoT applications and their scope. So, their security related
requirements cannot be the same. Depending on the Here the next model is the communication model,
functionality of the IoT application, they require different type communication model have the most importance in an IoT
of security solutions, which can address their specific security based applications. As all the transmission must take place via
issues. For example security requirements of an “IoT based some communication medium. So for the effective
Healthcare system” cannot be same as the security implementation of IoT application, there must be need of
requirements of a “Smart Home”. So a combination of proper communication protocol and other relevant protocol that
possible security solutions can be implemented in order to can provide best service in the application. Here the
address the specific security needs of an IoT application. implementation of our proposed model seems to be worthy
task. The proposed framework for security will be a best fit
Lab Environment Monitoring a Testbed for Security here.
Framework
The proposed security framework in the previous has been well In every communication task there must be need of certain
explained and moreover it can be assumed that the successful parameters, i.e. Data Integrity, Data Confidentiality, DoS
implementation of this security framework will definitely Attacks and Privacy.
improve the overall security in the targeted applications. All these above stated parameters are very essential in
As IoT have various applications in numerous domains, providing a state of the art model for communication. At first
ranging from Smart Cities to automation of industrial issue. In the sensed data must be transmitted to the receiver in an
every IoT application the most common and sensitive part is efficient and secure way. This activity will enable us to validate
the sensing unit. All the module and decision will be based on two or three main properties in this regard.
the sensing of the required parameters. As IoT comprise of These factors are data integrity and confidentiality. This will
three basics parts, sensing, communication and actuation. In all enable us to have the data at the receiving end without any
three parts are the essential and work in coordination with each interruption. Moreover it will also help us to prevent the system
other. In all these portions there has been involvement of IoT from any external attacks, i.e. DoS attacks. In addition to all
Security Framework. these factor successful implementation of all these factor will
The proposed security framework for IoT can be applied in this help in maintaining the over privacy communication approach.
application so that it application can be presented as testbed for Moreover the data will be transmitted to the targeted location
IoT security framework. via using security framework.
In IoT application the implementation of security framework is Actuation
very important, our framework consist of six state of the art
approaches that could lead towards providing the secure mode The final part in this application is the actuation part, this
in the execution of any application based on IoT. portion is responsible to the actuation process as indicated by
the system by seeing the gathered information from the sensors.
Sensing This is very integral part of this application. All the actuation
will result in providing a suitable environmental condition
The sensing is the most important part in any application of
around to the employees.
wireless sensor network and IoT. As all the future decision and
direction will be depended on the information gathered from This actuation model also need some the proposed approaches
the sensor deployed for any application. in the security framework. These factors are policy
enforcement and SecKit approach. Moreover before going into
In this application the sensors were deployed at the targeted
the details of these approaches, there might be inclusion of
areas just to have the idea about the environment. This
Smart Phones and Secure middleware in this domain.
deployment of sensors will certainly help us in providing the
suitable environment to the employee in order to have Policy enforcement is the approach that will enable all the
maximum productivity. For that application based on IoT devices to work under the strict rules so that the complete
environment, there need to address certain parameters mechanism works in efficient way. Moreover SecKit is the
regarding our proposed framework. approach that will also help in regulating the things at that end.

679 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Hence this will help us to control all the unit of this portion 1st Berlin Symposium on Internet and Society,
efficiently.
Berlin, 2011.
Additionally in this domain there have been involvements of
two other factors. These factors are as there must be [4] Y. Wu, Q. Z. Sheng and S. Zeadally, Next-
involvement of smart phones and middleware. So these two
things must be well secure so to have a model that can provide Generation Wireless Technologies, Springer-Verlag
best effort services in this regard. London: London, 2013, pp. 105-129.
The actuation processes mainly depend on the sensor and
communication parts, if both these two parts will provide the [5] E. Ilie-Zudor, Z. Kemeny, F. v. Blommestein, L.
services according to proposed security model. This will ensure Monostori and A. v. d. Meulen, "A survey of
the effectiveness of this proposed model. applications and requirements of unique
In conclusion it should be assumed that in an effective identification systems and RFID techniques,"
application of IoT, there must be need of some security Computers in Industry, vol.62, no.3, pp. 227-252,
framework that can kept all the aspect in the mind and provide
a state of the art approach that can deal with the current issue in
2011.
the IoT paradigm. Our proposed security model is the state of
the art model that will provide all the security need in all these [6] L. Atzori, A. Iera and G. Morabito, "The Internet of
portions of IoT applications. Things: A survey," Computer Networks, p. 2787–
2805, 2010.
IV. CONCLUSION
[7] A. Dohr, R. Modre-Opsrian, M. Drobics, D. Hayn
Internet of Things is the vast field and it has emerged and
attract the researcher. The study done in this work is about the and G. Schreier, "The internet of things for ambient
security concerns and risks in IoT infrastructure. As IoT is the assisted living," in Information Technology: New
combination of various networks and all devices are sink to Generations (ITNG), 2010 Seventh International
each other in order to provide a model that can provide users a Conference, Graz, 2010.
state of the art IoT service. But Security concerns are the most
important factor here.
In this study it has been found that there have been various [8] D. Le-Phuoc, A. Polleres, M. Hauswirth, G.
models for security enhancements but due to sensitivity of the Tummarello and C. Morbidoni, "Rapid prototyping
applications in IoT, security cannot be compromised. There of semantic mash-ups through semantic web pipes,"
should be evolution in this domain with the passage of time
which will enhance the security modules. So security issues in in 18th international conference on World wide
IoT is quite addressable but not controllable due to expanding web, ser. WWW 2009, Madrid, 2009.
nature of IoT. One model proposed for certain application
cannot perform better on other applications. J. Chase, "The Evolution of the Internet of Things,"
Texas Instruments, Dallas, 2013.
REFERENCES [9]

[1] M. Zorzi, A. Gluhak, S. Lange and A. Bassi, "From [10] H. Ning and Z. Wang, "Future Internet of Things
Today‘s Intranet of Things to a Future Internet of Architecture: Like Mankind Neural System or
Things: A Wireless- and Mobility-Related View," Social Organization Framework?," IEEE
IEEE Wireless Communications, p. 43–51, 2010. Communications Letters (Volume:15 , Issue: 4 ), pp.
461 - 463, 2011.
[2] L. Tan and N. Wang, "Future Internet: The Internet
of Things," in international Conference on [11] G. Yang, J. Xu, W. Chen, Z. H. Qi and H. Y. Wang,
Advanced Computer Computer Theory and "Security characteristic and technology in the
Engineering, Shanghai, 2010. internet of things," Journal of Nanjing University of
Posts and Telecommunications, vol. 30, no. 4, 2010.
[3] R. v. Kranenburg, E. Anzelmo, A. Bassi, D. Caprio,
S. Dodson and M. Ratto, "The Internet of things," in

680 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

[12] S. B. and H. J., "Developing network software and Engineering, Hangzhou, 2012.
communications protocols towards the internet of
things," in Fourth International ICST Conference [22] Y.-J. Joung, "RFID and the Internet of Things,"
on Communication System Software and National Taiwan University, Taipei, 2009.
MiddlewaRE, COMSWARE 2009, Dublin, 2009.
[23] J. Gubbi, a. R. Buyya, b. S. Marusic and a.
[13] S. Babar, P. Mahalle, A. Stango, N. Prasad and R. Palaniswami, "Internet of Things (IoT): A Vision,
Prasad, "Proposed Security Model and Threat Architectural Elements, and Future Directions,"
Taxonomy for the Internet of Things (IoT)," in Future Generation Computer Systems, p. 1645–
Recent Trends in Network Security and 1660, 2013.
Applications, Heidelberg, Springer Berlin
Heidelberg, 2010, pp. 420-429. [24] K. Ashton, "Internet of Things," RFID Journal,
2009.
[14] L. Li, "Technology designed to combat fakes in the
global supply chain," Business Horizons, vol.56, [25] A. Balte, A. Kashid and B. Patil, "Security Issues in
no.2, pp. 167-177, 2013. Internet of Things (IoT): A Survey," International
Journal of Advanced Research in Computer Science
[15] S. Ting and W. Ip, "Combating the counterfeits with and Software Engineering, pp. 450-455, 2015.
web portal technology," Enterprise Information
Systems, pp. 661-680 , 2013. [26] G. Broll, E. Rukzio, M. Paolucci, M. Wagner, A.
Schmidt and H. Hussmann, "Perci: Pervasive
[16] R. Roman, P. Najera and J. Lopez, "Securing the Service Interaction with the Internet of Things,"
Internet of Things," Computer, vol.44, no.9, pp. 51- IEEE Internet Computing , pp. 74-81, 2009.
58, 2011.
[27] M. Turkanovic, B. Brumen and M. Holbl, "A novel
[17] D. Miorandi, S. Sicari, F. D. Pellegrini and I. user authentication and key agreement scheme for
Chlamtac, "Internet of things: vision, applications heterogeneous ad hoc wireless sensor networks,
and research challenges," Ad Hoc Networks, vol.10, based on the Internet of Things notion," Ad Hoc
no.7, pp. 1497-1516, 2012. Networks, pp. 96-112, 2014.

[18] L. D. Xu, W. He and S. Li, "Internet of Things in [28] I. Pranata, R. I. Athauda and G. Skinner, "Securing
Industries: A Survey," IEEE Transactions on and Governing Access in Ad-Hoc Networks of
Industrial Informatics, pp. 2233 - 2243, 2014. Internet of Things," in In Proceedings of the
IASTED International Conference on Engineering
[19] A. Ukil, J. Sen and S. Koilakonda, "Embedded and Applied Science, Colombo, 2012.
Security for Internet of Things," in Emerging
Trends and Applications in Computer Science [29] M. Nitti, R. Girau, L. Atzori, A. Iera and G.
(NCETACS), Shillong, 2011. Morabito, "A subjective model for trustworthiness
evaluation in the social internet of things," in IEEE
[20] C. Sun, "Application of RFID technology for 23rd International Symposium on Personal, Indoor
logistics on Internet of Things," AASRI Procedia, and Mobile Radio Communications-(PIMRC),
vol.1, pp. 106-111, 2012. Sydney, 2012.

[21] H. Suoa, J. Wan, C. Zoua and J. Liu, "Security in [30] P. N. Mahalle, P. A. Thakre, N. R. Prasad and R.
the Internet of Things: A Review," in International Prasad, "A fuzzy approach to trust based access
Conference on Computer Science and Electronics control in internet of things," in Wireless

681 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 11, November 2016

Communications, Vehicular Technology, Systems (VITAE), Atlantic City, 2013.

Information Theory and Aerospace & Electronic

682 https://sites.google.com/site/ijcsis/
ISSN 1947-5500