IoT: Internet of Threats?
A Survey of Practical Security Vulnerabilities in Real IoT Devices

By

Aman Kumar Roy
2020UEC1629

Under the supervision of Dr. Rajesh Saha

DEPARTMENT OF ELECTRONICS AND COMMUNICATION
MALAVIYA NATIONAL INSTITUTE OF TECHNOLOGY JAIPUR
March, 2023

Certificate by the Supervisor:

Certificate of Approval

I hereby certify that I have reviewed and approved the report and PowerPoint
presentation submitted by Aman Kumar Roy on 24/02/2023 as part of
Technical seminar (ECS318).

Throughout the project, Aman Kumar Roy demonstrated a strong work ethic
and attention to detail. They incorporated feedback effectively and showed a
high level of commitment to producing a quality final product.

I am confident that the insights and findings presented in the report and
presentation will be beneficial to our organization. I would like to express my
appreciation for the opportunity to mentor Aman Kumar Roy during this
project and to contribute to their professional development.

Signed,

Dr. Rajesh Saha

Table of Contents:

1. Abstract
2. Index Terms
3. Introduction
4. Security Challenges in the IoT Domain
5. Main Security Mechanisms for IoT Services
6. Security of Popular IoT Communication Technology
7. Examples of Implementation in Commercial Devices
8. Conclusion
9. References

Abstract:-

The Internet of Things (IoT) is rapidly spreading, reaching a multitude of
different domains, including personal health care, environmental
monitoring, home automation, smart mobility, and Industry 4.0. As a
consequence, more and more IoT devices are being deployed in a variety of
public and private environments, progressively becoming common objects
of everyday life. It is hence apparent that, in such a scenario, cybersecurity
becomes critical to avoid threats like leakage of sensitive information, denial
of service (DoS) attacks, unauthorized network access, and so on.
Unfortunately, many low-end IoT commercial products do not usually
support strong security mechanisms, and can hence be the target of, or even
the means for, a number of security attacks. The aim of this article is to provide
a broad overview of the security risks in the IoT sector and to discuss some
possible counteractions. To this end, after a general introduction to security
in the IoT domain, we discuss the specific security mechanisms adopted by
the most popular IoT communication protocols. Then, we report and analyze
some of the attacks against real IoT devices reported in the literature, in
order to point out the current security weaknesses of commercial IoT
solutions and remark the importance of considering security as an integral
part in the design of IoT systems. We conclude this article with a reasoned
comparison of the considered IoT technologies with respect to a set of
qualifying security attributes, namely integrity, anonymity, confidentiality,
privacy, access control, authentication, authorization, resilience, and
self-organization.

Index Terms — Internet of Things (IoT), Security Levels, Encryption,
Cryptography, Random Number Generator, ZigBee, Bluetooth Low Energy (BLE).

INTRODUCTION:-

The Internet of Things (IoT) is a growing communication paradigm
that aims to connect various objects to the internet to gather
data generated by sensors, control appliances and machines
remotely, monitor environments, vehicles, buildings, and more.
The number and variety of IoT devices have rapidly grown in recent
years, with a prediction of over 50 billion devices connected to
the internet by 2020. However, security and privacy should be
of primary importance in the design of IoT technologies and
services, which unfortunately is not the case for many
commercial IoT products that are provided with inadequate or
ill-designed security mechanisms.

Attention has been drawn to the risks related to the use of simple
IoT devices in services that have access to sensitive information or
critical controls such as private video recording, real-time personal
localization, health monitoring, building access control, industrial
processes, and traffic lights. In order to make commercial IoT
devices more resilient to cyber attacks, security should be
considered from the design stage of new products. However, the
wide heterogeneity of IoT devices hinders the development of well-
established security-by-design methods for the IoT.

The world is experiencing a profound shift towards sustainability. In
recent years, more and more people have begun to recognize the
importance of reducing our impact on the environment and
preserving natural resources for future generations. This shift
towards sustainability is being driven by a number of factors,
including technological advancements, changing consumer
preferences, and government policies.

One of the most important drivers of sustainability is technology.
Advances in renewable energy, electric vehicles, and smart home
technology have made it easier and more affordable than ever before to
live sustainably. Solar panels and wind turbines have become
increasingly efficient and cost-effective, allowing more people to
generate their own clean energy. Electric cars are becoming more
popular, and the cost of batteries is decreasing, making them more
accessible to a wider range of consumers. Smart home technology, such
as thermostats and lighting systems that can be controlled remotely,
helps people reduce energy consumption and save money on their bills.

Another key factor driving the shift towards sustainability is changing
consumer preferences. As people become more aware of the
environmental impact of their choices, they are choosing to support
companies that prioritize sustainability. This has led many businesses to
adopt sustainable practices, such as using renewable energy, reducing
waste, and sourcing materials responsibly. Consumers are also
increasingly interested in buying products that are made from
sustainable materials, such as bamboo, recycled plastic, and organic
cotton.

Government policies have also played a role in driving the shift towards
sustainability. Many countries have introduced regulations and
incentives to encourage businesses and individuals to reduce their
environmental impact. For example, some governments offer tax
incentives for companies that use renewable energy or reduce their
carbon emissions. Others have introduced regulations that require
companies to report on their environmental impact or to take steps
to reduce their carbon footprint. These policies have helped to create
a more sustainable business environment and have encouraged
individuals to make more sustainable choices.

Overall, the shift towards sustainability is a positive development
for the world. By reducing our impact on the environment and
preserving natural resources, we can ensure that future generations will
be able to enjoy a healthy and prosperous planet. This shift is being
driven by a combination of technological advancements, changing
consumer preferences, and government policies, and is likely to continue
in the years to come. As more people recognize the importance of
sustainability, we can expect to see even more innovation and progress
towards a greener future.

Security Challenges in the IoT Domain :-

As discussed in the remainder of this article, the attacks against IoT
devices are often simple and easy to conduct. They could be performed
in order to break user privacy and leak sensitive personal information.
The collected data can indeed range from simple room temperature and
humidity measurements, to more sensitive information such as the
heart-rate signal, or the user’s location and living habits. Another common
attack strategy consists in compromising one device in the IoT network
and using it as a beachhead to perform fraudulent acts toward another
network node [16].

In order to set a common ground for the discussion that will follow in the
next sections, here we provide a broad overview of the IoT security
requirements and of the related challenges.

A. Security Requirements
To begin with, we present a taxonomy of the security requirements for
an IoT system with respect to the different operational levels, that is to
say, at the Information, Access, and Functional level [17], [18].

Information Level: At this level, security should guarantee the following
requirements.

1. Integrity: The received data should not have been altered during
the transmission.
2. Anonymity: The identity of the data source should remain hidden
to third parties.
3. Confidentiality: Data cannot be read by third parties. A
trustworthy relationship should be established between IoT devices
in order to exchange protected information. Replicated messages
must also be recognizable.
4. Privacy: The client’s private information should not be disclosed
during the data exchange. It must be hard to infer identifiable
information by eavesdroppers.

Access Level: It specifies some security mechanisms to control the
access to the network. More specifically, it provides the following
functionalities.

1. Access Control: It guarantees that only legitimate users can
access the devices and the network for administrative tasks
(e.g., remote reprogramming or control of the IoT devices and
network).
2. Authentication: It checks whether a device has the right to
access a network and whether a network has the right to connect
the device. This is likely the first operation carried out by a node
when it joins a new network [19]. Note that devices have to
provide strong authentication procedures in order to avoid security
threats. For example, if all the IoT devices produced by the same
manufacturer are configured with the same authentication
credentials, then the hacking of one device may compromise all of
the security aspects at the information level.
3. Authorization: It ensures that only the authorized devices and the
users get access to the network services or resources.

Functional Level: This level defines the security requirements in terms of
the following criteria.

1. Resilience: It refers to the network's capacity to ensure security for its
devices, even in case of attacks and failures.
2. Self Organization: It denotes the capability of an IoT system
to adjust itself in order to remain operational even in case of
failure of some parts due to occasional malfunctioning or malicious
attacks.

B. Taxonomy of Security Attacks


Besides the requirements and mechanisms at the information, access,
and functional levels, it is important to understand which are the
vulnerabilities and the possible attacks at the different layers of the
communication stack. As explained in [20], the communication
architecture of an IoT system can be roughly divided into Edge, Access,
and Application layers. The edge layer provides PHY and MAC
functionalities for local communications. The access layer grants the
connection to the rest of the world, usually through a gateway device
and a Middleware Layer that acts as intermediary between the IoT world
and the standard Internet. Finally, the Application Layer takes care of
the service-level data communications. In the following we present a
possible taxonomy of the attacks that can target these communication
layers.

Edge Layer: One of the main threats at this level is represented by the
side channel attacks [21]. The goal of these attacks is to leak
information from the analysis of side signals, such as power
consumption, electromagnetic emissions, and communication timing,
while nodes are performing encryption procedures. Among them, the
power consumption of the devices is widely exploited to guess and
recover the encryption secret keys. For each encryption operation, a
power trace can be captured: the power data is generally computed
from the voltage difference across a resistor inserted in series with the
power supply. Simple power analysis attacks try to directly interpret the
power traces related to a small number of encryption rounds. Instead,
differential power analysis is a more effective and advanced
approach: a larger number of traces is statistically analyzed in order
to extract additional encryption information [22].

Access/Middleware Layer: At this level the main attacks are
eavesdropping (also called sniffing), injection of fraudulent packets and
unauthorized conversations. Even routing attacks have to be taken
into account: an attacker may use this kind of attack to spoof, redirect,
misdirect, or drop data packets.

Application Layer: Attacks at the Application Layer are quite different
from the previous ones, since they directly target the software running on the
devices rather than the communication technology. Such attacks may
address the integrity of, e.g., machine learning algorithms, where the
attacker manipulates the training process of the learning algorithm to
induce misbehaviors. There can also be attacks on the login and
authentication phases.

Ignoring the Functionality: This class includes all the attacks in which the
specific functionalities of the IoT device are ignored, and only its
capability to connect to the local area network (LAN) or to the Internet is
exploited. For example, IoT devices can be used to create a bot-net (a
network completely controlled by the attacker) or to penetrate the victim’s
home network and infect his/her computers.

Reducing the Functionality: In this case, the attacker tries to kill or limit
the functionalities of the device, in order to annoy the victim or
create malfunctions in a wider system. For example, this type of attack
may be directed to IoT devices like smart TVs or smart refrigerators,
with the aim of blocking or limiting their functioning in order to extort
money from the victim for restoring their normal behavior.

Misusing the Functionality: The normal functionalities of the IoT
devices are used to cause discomfort to their owner. For example, an
attacker may tamper with a heating, ventilation, and air-conditioning
(HVAC) control unit and make a certain environment uncomfortable
by excessively increasing or decreasing the temperature. Similarly,
the attack may target a smart light system, getting remote control
over the lights in a room or building, overwriting the victims’
commands.

Extending the Functionality: The IoT device is used to achieve
completely different functionalities. For example, a presence sensor of
an alarm system may be used to track the position of the victims in their
living environment, even when the alarm system is off.

Main Security Mechanisms for IoT Services:-
In this section, we present standard security mechanisms that have
been designed to satisfy the requirements described in the
previous section.

Encryption is a crucial step in maintaining confidentiality during
communication. It involves transforming the original message
(plaintext) into a different form (ciphertext) using a hash function
that can only be reversed with a secret key. This prevents eavesdroppers
from interpreting the message content, as they can only access the
ciphertext. Encryption can be either symmetric or asymmetric. In
symmetric encryption, the same secret key is used for both
encryption and decryption, requiring both sender and receiver to
know the key. Asymmetric encryption, on the other hand, requires each
endpoint to have their own unique pair of keys: a public key and a private
key. The public key can be shared freely, while the private key must be
kept secret. Messages are encrypted with the receiver's public key and can
only be decrypted by the receiver's private key, ensuring confidentiality.

Standard Encryption Mechanisms:

The article discusses standard encryption mechanisms used in IoT systems,
including symmetric and asymmetric encryption, message
authentication codes, digital signatures, and hash functions. Encryption can
be performed through stream or block cipher. Block ciphers are
commonly used in IoT systems and can be operated in different modes,
such as ECB, CBC, CFB, OFB, and counter. The AES block cipher is a
commonly used symmetric encryption mechanism that employs a
cascade of N successive series of three elementary block ciphers.
Depending on the key length, the algorithm is named AES-128, AES-192, or
AES-256.

Asymmetric encryption systems, such as RSA, McEliece, and Elgamal,
are also commonly used in IoT systems. Encryption can also provide
authentication and integrity protection, which require additional
mechanisms in most cases. These mechanisms include message
authentication codes, digital signatures, and hash functions. In message
authentication codes and digital signatures, a tag is computed from the
plaintext using a private key, and the transmitted message is the result of
concatenating the plaintext and the tag. At the receiver side, a tag is
computed using a public key (for asymmetric processes) or a private
key (for symmetric processes) and compared with the transmitted tag.
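
The symmetric case of the tag scheme described above, written out as an added example that is not part of the original report: the sender appends an HMAC-SHA256 tag to the plaintext, and the receiver recomputes the tag with the shared key and compares it with the transmitted one. The frame counter used to make replicated messages recognizable, the frame layout and all names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                    # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">I")    # 4-byte big-endian frame counter (assumed layout)


def protect(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Sender side: frame = counter || plaintext || tag."""
    body = HEADER.pack(counter) + plaintext
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Receiver side: recompute the tag, compare it, then check freshness."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1     # highest counter accepted so far

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # compare_digest runs in constant time, so the comparison does not
        # leak how many tag bytes matched (a timing side channel).
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: message altered or wrong key")
        (counter,) = HEADER.unpack(body[:HEADER.size])
        # The counter is covered by the tag, so it cannot be changed without
        # detection; a value already seen marks a replicated message.
        if counter <= self._last_counter:
            raise ValueError("replayed or out-of-order frame")
        self._last_counter = counter
        return body[HEADER.size:]


def demo() -> list:
    """Run constructed frames through the receiver and return the outcomes."""
    key = bytes(range(32))          # constructed demo key, not a real secret
    rx = Receiver(key)
    good = protect(key, 1, b"temp=21.5")
    tampered = bytearray(protect(key, 2, b"temp=21.5"))
    tampered[6] ^= 0x01             # flip one bit inside the plaintext
    outcomes = []
    for frame in (good, bytes(tampered), good, protect(key, 3, b"temp=21.7")):
        try:
            outcomes.append(rx.accept(frame).decode())
        except ValueError as err:
            outcomes.append(f"rejected: {err}")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The tag is checked before the counter is read, so an attacker cannot advance the receiver's counter with a forged frame.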

[Figure: AES block]

Light Weight Cryptography:-

With the proliferation of low-complexity IoT devices, there has been a
growing need to develop security algorithms for resource and
energy-constrained devices. Lightweight cryptography is a new area of
cryptography that addresses these requirements by designing encryption
block and stream ciphers, message authentication codes, and hash
functions that can be executed by devices with limited computation,
communication, and storage capabilities. In 2012, ISO and IEC introduced
the ISO/IEC 29192 standard that specified lightweight encryption
mechanisms, including the block ciphers PRESENT and CLEFIA. PRINCE is
another lightweight block cipher not included in the standard. Additionally,
the Simon and Speck families of lightweight block ciphers were introduced
by Beaulieu et al. In terms of lightweight hash functions, ISO/IEC 29192
standard proposed PHOTON and SPONGENT. In 2013, NIST launched a
lightweight cryptography project to explore and develop real-world
solutions. In early 2019, NIST called for algorithms for lightweight
cryptography, which will undergo a standardization process after discussion
and evaluation.

Random Number Generators :-

Generating random numbers is crucial for secure communication protocols
as they are used to create nonces, avoid replay attacks, and generate
asymmetric keys. Cryptographically secure random number generators
must produce sequences that cannot be predicted by an algorithm in
polynomial time with a probability greater than 1/2. The entropy of the
sequence must be as close as possible to the number of bits in the sequence.

Two types of random number generators are commonly used for
cryptographic applications: true random number generators (TRNG)
and pseudo-random number generators (PRNG). TRNGs use physical
noise sources to generate random numbers, while PRNGs expand a short
key into a long sequence of seemingly random bits using a deterministic
algorithm. PRNGs are typically used in real applications, but since the
algorithms are known, the seed must be properly selected to provide
randomness.
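
Why the seed matters, as an added example that is not part of the original report: a 128-bit key drawn from a known deterministic generator is only as unpredictable as its seed. The scenario (a device that seeds its generator with the number of seconds since boot), the one-hour window and all function names are assumptions made for this illustration; Python's Mersenne Twister stands in for any non-cryptographic PRNG.

```python
import random
import secrets


def weak_keygen(seed: int, nbytes: int = 16) -> bytes:
    """Key from a deterministic PRNG (Mersenne Twister) and a guessable seed.

    Stands in for firmware that seeds its generator with a small value such
    as seconds since boot. The algorithm is public, so the seed is the only
    secret.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_keygen(nbytes: int = 16) -> bytes:
    """Key from the operating system's cryptographically secure generator."""
    return secrets.token_bytes(nbytes)


def seeds_reproducing(key: bytes, seed_space: range) -> list:
    """Audit helper: which seeds in the plausible range regenerate `key`?

    A non-empty result means the key carries at most log2(len(seed_space))
    bits of entropy, whatever its length in bits.
    """
    return [s for s in seed_space if weak_keygen(s, len(key)) == key]


def audit() -> dict:
    """Compare a weakly seeded key with an OS-generated one."""
    boot_window = range(0, 3600)      # assumed: key made within 1 h of boot
    weak = weak_keygen(seed=1337)     # constructed sample "device key"
    strong = strong_keygen()
    return {
        "weak_key_bits": len(weak) * 8,
        "weak_key_seeds": seeds_reproducing(weak, boot_window),
        "strong_key_seeds": seeds_reproducing(strong, boot_window),
        # Bits needed to index every candidate seed in the window.
        "effective_bits": (len(boot_window) - 1).bit_length(),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The weak key is 128 bits long but is pinned down by 12 bits of seed, which is the gap between sequence length and entropy that the text warns about.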

Secure Hardware:-

The previous section highlighted that IoT devices are prone to edge
layer attacks due to their deployment in remote and low-security areas.
To mitigate such attacks, various encryption schemes have been
proposed, which can be implemented using both hardware and software
solutions. One promising approach is to use physically unclonable functions
(PUFs) to improve hardware security. PUFs exploit small differences in
the chip fabrication process to generate a unique signature for each
device. The responses generated by a PUF are chip-specific, making
them resistant to reverse engineering attacks. PUFs can be categorized
into strong and weak, with strong PUFs used for authentication protocols
and weak PUFs used for cryptographic key generation. Other hardware
solutions, such as randomizing instruction execution cycles and
implementing the SIMON
algorithm, have also been proposed to prevent side channel attacks.
However, these techniques can increase power consumption and chip area,
which may not be feasible for resource-constrained IoT devices.

Intrusion Detection System :-

As mentioned earlier, various security mechanisms have been proposed to
safeguard IoT devices against attacks at different levels. However,
detecting ongoing attacks is also crucial, in addition to preventing them.
Due to limitations in resources and energy, complex anti-virus software and
traffic analyzers cannot be employed in IoT devices. As a result, in recent
years, lightweight intrusion detection methods have been developed [54].
For instance, anomalies in system parameters such as CPU usage, memory
consumption, and network throughput can indicate an ongoing attack [55].
A similar approach is suggested in [56], where anomalies in power
consumption are analyzed to identify different types of attacks. In [57],
signatures of various attacks are created based on relevant features like
packet dropping/send rate and signal strength intensity, and comparing the
traffic pattern with these signatures helps detect attacks with a high
probability. Machine learning can also be used for intrusion detection
purposes. In [58], a random forest classification algorithm is used to group
traffic flows into different categories based on selected features. An attack
is identified when some flows exhibit nonstandard patterns and are
classified as anomalous.
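
A minimal form of the parameter-anomaly approach described above, as an added example that is not part of the original report and not the method of [55]: each metric keeps an exponentially weighted mean and variance (two numbers of state, which suits a constrained node), and a sample is flagged when it lies too many standard deviations from that baseline. The metric names, thresholds and telemetry values are constructed for this illustration.

```python
import math

# Constructed telemetry, one sample per second: CPU load (%), heap in use
# (KB) and transmitted packets per second. Samples 7 and 8 imitate a node
# that starts flooding the network; the rest is normal operation.
SAMPLES = [
    {"cpu_pct": 12, "mem_kb": 410, "tx_pps": 40},
    {"cpu_pct": 14, "mem_kb": 412, "tx_pps": 38},
    {"cpu_pct": 11, "mem_kb": 409, "tx_pps": 42},
    {"cpu_pct": 13, "mem_kb": 411, "tx_pps": 41},
    {"cpu_pct": 12, "mem_kb": 410, "tx_pps": 39},
    {"cpu_pct": 13, "mem_kb": 412, "tx_pps": 40},
    {"cpu_pct": 12, "mem_kb": 411, "tx_pps": 43},
    {"cpu_pct": 55, "mem_kb": 413, "tx_pps": 900},
    {"cpu_pct": 58, "mem_kb": 412, "tx_pps": 950},
    {"cpu_pct": 13, "mem_kb": 411, "tx_pps": 41},
]

# Smallest standard deviation assumed per metric, so that a very quiet
# baseline does not turn ordinary jitter into an alarm (assumed values).
MIN_STD = {"cpu_pct": 2.0, "mem_kb": 8.0, "tx_pps": 5.0}


class Baseline:
    """Exponentially weighted mean and variance of one metric."""

    def __init__(self, min_std, alpha=0.1):
        self.min_std = min_std
        self.alpha = alpha          # weight given to the newest sample
        self.mean = None
        self.var = 0.0

    def score(self, x):
        """Distance of x from the baseline, in standard deviations."""
        if self.mean is None:
            return 0.0
        return abs(x - self.mean) / max(math.sqrt(self.var), self.min_std)

    def learn(self, x):
        if self.mean is None:
            self.mean = float(x)
            return
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)


class Detector:
    def __init__(self, min_std=MIN_STD, threshold=4.0, warmup=5):
        self.baselines = {name: Baseline(s) for name, s in min_std.items()}
        self.threshold = threshold
        self.warmup = warmup        # samples used only to build the baseline
        self.seen = 0

    def observe(self, sample):
        """Return the names of the metrics that are anomalous in `sample`."""
        self.seen += 1
        flagged = []
        for name, base in self.baselines.items():
            value = sample[name]
            if self.seen > self.warmup and base.score(value) > self.threshold:
                # Flagged values are not learned, so an ongoing attack does
                # not become the new normal. The cost: a lasting legitimate
                # change needs a baseline reset.
                flagged.append(name)
            else:
                base.learn(value)
        return flagged


def run(samples):
    """Feed samples to a fresh detector; return (index, metrics) alerts."""
    detector = Detector()
    alerts = []
    for index, sample in enumerate(samples):
        flagged = detector.observe(sample)
        if flagged:
            alerts.append((index, flagged))
    return alerts


if __name__ == "__main__":
    for index, metrics in run(SAMPLES):
        print(f"sample {index}: anomalous {', '.join(metrics)}")
```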

Security of Popular IoT Communication Technology :-
As mentioned earlier, traditional security protocols used in the Internet are
not suitable for IoT due to the limitations of many devices in terms of
computation, power, and communication capabilities. Hence, specific
security mechanisms have been proposed and implemented in commercial
IoT systems. This section focuses on security mechanisms implemented by
popular transmission technologies used in IoT, including ZigBee, BLE,
6LoWPAN, and LoRaWAN. Additionally, this section reviews the security
vulnerabilities of these technologies, highlighting various attack vectors
found in the literature.

A. ZigBee
ZigBee is a wireless communication standard developed by the ZigBee
Alliance, which is widely used in IoT devices due to its low cost and
power consumption. The standard defines the application and network
layers, while the link and physical layers are taken from the IEEE 802.15.4
standard. ZigBee includes different application profiles that ensure vendor
interoperability. Preinstallation, key transport, and key establishment.
ZigBee is vulnerable to plaintext attacks, which can be prevented by
changing the network key periodically. ZigBee is also vulnerable to a
sinkhole attack, where a malicious entity joins the network and pretends to
be the best route for messages.

Fig. 3. ZigBee protocol stack. The technical specifications for ZigBee can
be found in [60].

Attack Surface: A possible attack vector in a ZigBee network
consists in discovering the keys used to secure the communications.
For example, the repeated encryption of known and fixed messages
(e.g., control messages defined in the standard) makes the system
vulnerable to plaintext attacks [62].
This technique enables the recovery of a cryptographic key by
having access to both the encrypted and decrypted messages.

B. Bluetooth Low Energy

Bluetooth is a widely used wireless communication protocol. Its low energy
and IoT-tailored version, called Bluetooth Low Energy (BLE), was introduced
in Bluetooth core specification version 4.0. BLE networks consist of two
types of devices: masters and slaves. Masters initiate communication
setup, and slaves associate with them. These entities are connected in a
star topology, where each slave is associated with a single master. BLE
operates in the unlicensed 2.4 GHz ISM band and uses 40 channels with
a 2 MHz spacing. The physical layer data rate is 1 Mb/s, and the
coverage range is typically over tens of meters. The BLE MAC layer is split
into advertising and data communication. During data transmission, 37 of
the available channels are used, and the remaining 3 are used by
unconnected entities to broadcast device information and establish
connections.

Besides physical and MAC layers, the stack entails other protocols such as
the logical link control and adaptation protocol (L2CAP) and the low energy
attribute protocol (ATT). BLE encryption and authentication processes
are based on AES-CCM with 128-bit keys, similar to ZigBee. The symmetric
key for a master-slave link is generated during the pairing procedure.
Starting from BLE version 4.2, a new pairing procedure has been put in
place, using elliptic curve cryptography. Each device generates an elliptic
curve Diffie-Hellman (ECDH) public-private key pair. Then, they exchange
the public key with each other and derive a key, called DHKey, from their
secret key and the public key of the other device, using elliptic curve
functions. The devices use one of the available pairing methods to confirm
that DHKey is the same for both of them and to generate a long-term key
(LTK) that will be used to symmetrically encrypt the data stream.

The available pairing methods are Just Works, Out of Band, and
Passkey. Just Works sets the TK to 0 and provides no security. Out of
Band exchanges the TK out-of-band, e.g., using near field
communication, but can be inconvenient for the user. Passkey uses a six-
digit number that the user passes between the devices. In this case, the
security level is high, but the devices need to be equipped with user
interfaces that make it possible to read and type-in the TK, which may
be impractical for miniaturized IoT devices. The pairing methods have
been updated with the introduction of a new option and the hardening of
the methods in the previous version.

C. 6LoWPAN and CoAP

6LoWPAN and CoAP are two protocols that facilitate interaction between
IoT devices and standard IP-based systems. 6LoWPAN is an IPv6 adaptation
protocol used by resource-constrained devices that communicate over low
power and lossy links. It uses compression and fragmentation mechanisms
to reduce the size of IP datagrams and remove redundant fields. On the
other hand, CoAP is a RESTful protocol at the Application Layer, built on top
of the UDP transport protocol. It supports retransmissions, sleepy devices,
and resource discovery. Networks employing 6LoWPAN and CoAP typically
rely on protocols from the IEEE 802.15.4 family at the PHY and MAC layers.
Routing within IoT networks is usually based on the IPv6 routing protocol
for low-power and lossy networks (RPL), which creates a destination-
oriented directed acyclic graph (DODAG) tree. A hypothetical attacker can
target RPL or operate at the adaptation layer, depending on the level of
control over the network they want to achieve.

Many attacks on 6LoWPAN focus on redirecting traffic and disrupting the
routing tree. For instance, attackers can clone the identity of another node
(clone ID attack) or use the identity of several entities at the same time
(Sybil attack). They can also declare efficient routing paths towards other
nodes, gaining control over a large part of the traffic flows (sinkhole attack)
or discard some or all of the traffic passing through a node (selective
forwarding and black hole attacks). Other attacks include broadcasting
Hello messages to be considered as a neighbor (hello flooding attack) or
forcing repeated updates of the network topology (local repair attack) by
maliciously sending local repair messages. Finally, attackers can increment
the version number of DODAG messages (version number attack), forcing
the whole DODAG to be unnecessarily rebuilt.

D. LoRaWAN

LoRaWAN, a link layer protocol introduced in 2015 by the LoRa Alliance, is
optimized for battery-powered end-devices and has a star-of-stars topology
that includes end-devices, gateways, and network servers. In LoRaWAN,
end-devices communicate via single-hop links to one or more gateways,
which are connected to a single network server via IP technologies. LoRa
communication uses channels in the 868/900 MHz ISM band, with a data
rate ranging from 0.3 Kb/s to 50 Kb/s and a communication range of many
kilometers. The communication is bidirectional and always initiated by the
end-device. LoRa end-devices can belong to three different classes: A, B,
and C, each associated with different operation modes.

The commissioning procedure for an end-device to join a LoRaWAN
network is named over the air activation (OTAA) and leverages information
stored on the device, such as the device identifier (DevEUI), application
identifier (AppEUI), and application key (AppKey). The uniqueness of the
key is needed to ensure security, as traffic eavesdropping becomes
possible if the key is shared between devices. Once the end-device has
joined the LoRaWAN network, all future messages are encrypted using a
combination of NwkSKey and AppSKey. However, the protocol has a
weakness related to key management as the keys are stored in end-
devices and the network server. Using a side-channel analysis attack, it
may be possible to recover
the keys by exploiting variations in power consumption or electromagnetic
emissions from the transceiver during the encryption. Also, the
protocol's design requires nodes to share the same NwkSKey and
AppSKey if they need to support multicast messages, so discovering the
keys from one node can give access to all the nodes in the network.

Examples of Implementation in Commercial Devices :-
This passage discusses the microcontrollers used in IoT devices, specifically
focusing on the microcontrollers responsible for connectivity and their
security features. The ARM Cortex-M series is the most commonly used
microcontroller series in IoT devices, with the M0, M0+, and M23
models designed for applications that require minimal cost, power, and
size. The M3 and M4 models offer a balance between performance and
energy efficiency, while the M7 model is designed for high-performance
embedded applications. Microcontrollers from the Cortex-M series only
provide memory protection, and do not integrate any hardware
pseudorandom number generator or cryptographic algorithm module.
Instead, cryptographic algorithm support is implemented via software or
dedicated co-processors. The performance of different cryptographic
algorithms implemented in software in the M0/M0+ and M3/M4
microprocessors can vary widely between different microcontrollers,
even within the same family. The optimal tradeoff between RAM usage and
performance must be reached, and increased performance is usually
worth the additional RAM usage.

Conclusion :-
The widespread adoption of IoT solutions for various applications has made
secure communications in IoT networks a critical issue. It is essential to
provide end-to-end security to protect sensitive personal information
and prevent malicious attacks that can disrupt IoT network operations.
The limited computational capabilities and the need for low energy
consumption also limit the cryptographic functionalities that can be
installed in IoT devices.

While ZigBee and BLE implementations prioritize ease-of-use over
strong security, LoRaWAN and 6LoWPAN adopt complementary security
strategies. LoRaWAN has been designed with strong security in mind,
with mandatory packet encryption and authentication, while 6LoWPAN
and CoAP delegate security aspects to other layers and only focus on
aspects strictly connected to the protocol operation.

Various security extensions have been proposed in the literature, such
as CryptoCoP and decentralizing computationally intensive tasks to a
trusted node of the network. Time-based secure key generation
approaches and the use of timestamps and nonces have also been
proposed to efficiently manage and renew keys while guaranteeing the
integrity of data transmitted over an insecure channel.

Despite the existence of proposed security extensions, they have not been
adopted by standardization entities and in commercial devices yet. It is
crucial to prioritize the security of IoT networks, and standardization
entities and manufacturers should consider implementing stronger
security measures in their devices and protocols. End-users should also
be made aware of the security issues related to IoT devices and take
necessary precautions to protect their personal information. Only
through collective efforts can we ensure a secure and safe IoT environment
for everyone.

Reference :-
[0] https://ieeexplore.ieee.org/document/8796409 - IoT: Internet of Threats? A
Survey of Practical Security Vulnerabilities in Real IoT Devices

Authors :-
Francesca Meneghello, Daniel Zucchetto, Michele Polese, Matteo Calore,
Andrea Zanella
