
Internet-of-Things Security and Vulnerabilities: Taxonomy, Challenges, and Practice

Journal of Hardware and Systems Security

Abstract

Recent years have seen rapid development and deployment of Internet-of-Things (IoT) applications across a diversity of application domains. This has resulted in the creation of new applications (e.g., vehicle networking, smart grid, and wearables) as well as the advancement, consolidation, and transformation of various traditional domains (e.g., medical and automotive). One upshot of this scale and diversity of applications is the emergence of new and critical threats to security and privacy: it is becoming increasingly easy for an adversary to break into an application, render it unusable, or steal sensitive information and data. This paper provides a summary of IoT security attacks and develops a taxonomy and classification based on the application domain and the underlying system architecture. We also discuss some key characteristics of IoT that make it difficult to develop robust security architectures for IoT applications.



Acknowledgements

This paper is partially supported by the National Key Research and Development Program of China under grant no. 2016YFC0801607, the National Natural Science Foundation of China (NSFC) under grant no. 61602104, the National Science Foundation (DGE-1802701, CNS-1739736), and Cisco.

Author information


Correspondence to Yier Jin.


About this article


Cite this article

Chen, K., Zhang, S., Li, Z. et al. Internet-of-Things Security and Vulnerabilities: Taxonomy, Challenges, and Practice. J Hardw Syst Secur 2, 97–110 (2018). https://doi.org/10.1007/s41635-017-0029-7
