
Internet of Things: Systematic literature review of security and future research


Academic year: 2021


Internet of Things

Systematic literature review of security and future research

Muhammad Aqeel

Subject: Information Systems Corresponds to: 30 hp

Presented: VT 2020 Supervisor: Franck Tetard

Examiner: Mudassir Imran Mustafa


Abstract

The Internet of Things (IoT) is a network of billions of devices, people and services that interconnect and exchange information and useful data. IoT applications are highly promising for increasing the level of comfort, efficiency and automation for the user. A high level of security and privacy, authentication and recovery from attacks is required to implement an automated IoT world. In this thesis I present an overview of the IoT layer architecture and of security attacks from the perspective of each layer. In addition, this thesis provides an overview of solutions to the security and privacy threats. Furthermore, it discusses the current state of research on IoT security requirements and future research directions with respect to IoT security and privacy, and presents a detailed review of the security challenges and sources of threat in IoT applications. Finally, this thesis presents the security issues and the various emerging and existing technologies focused on achieving a high degree of trust in IoT applications.

Keywords: Internet of Things, characteristics of IoT, IoT security, IoT future development.


ACKNOWLEDGEMENT

I would like to acknowledge everyone who played a role in my academic accomplishment. First of all, my family, who supported me with love and understanding. Without you, I could never have reached my current level of success. Secondly, my teachers and particularly my thesis supervisor Franck Tetard, who guided me throughout the research process. Thank you all for your support.

Table of Contents

1. Internet of Things (IoT) background
1.1 Introduction
1.1.1. IoT devices
1.1.2. IoT technologies
1.2. Information Security
1.2.1. Security threats of IoT
1.2.2. IoT security implementation
1.3. Problem definition
1.4. Research questions
1.5. Research methodology
1.6. Delimitation
1.7. Thesis structure
2. Background of IoT
2.1 IoT definition
2.1.1. Characteristics of IoT
2.2. IoT Architecture
2.2.1. Three layers architecture
2.2.2. Five layers architecture
3. Methodology
3.1. Research methodology
3.2. Systematic literature review using qualitative approach
3.2.1. Systematic Literature review
3.3. Research process
3.3.1. Purpose of the literature review
3.3.2. Searching the literature
3.3.3. Data extraction strategy
3.3.4. Quality appraisal
3.3.5. Synthesis of the literature
3.3.6. Conducting the review
4. Results
4.1. IoT security
4.1.1. IoT security vs traditional IT security
4.1.2. IoT vulnerabilities
4.2.1. Perception layer/sensing layer threats
4.2.2. Network layer/transportation layer
4.2.3. Middleware layer
4.2.4. Application layer
4.3. Solution of IoT layers threats
4.3.1. Perception layer
4.3.2. Network layer
4.3.3. Middleware layer
4.3.4. Application layer
4.4. IoT future
4.4.1. IoT future research
4.4.2. Hardware devices
4.4.3. Sensor
4.4.4. Communication technology
4.4.5. Network technology
4.4.6. Software and algorithms
4.4.7. Data and signal processing technology
4.4.8. Discovery and search engine technology
4.4.9. Security & Privacy technology
5. Conclusion
5.1. Limitations
5.2. IoT future work
References


List of Figures

Figure 1-1 Internet of Things

Figure 1-2 Number of connected devices from 2012 to 2020

Figure 1-3 IoT communication components

Figure 1-4 Internet of everything

Figure 1-5 The properties of IoT devices

Figure 2-1 Characteristics of IoT

Figure 2-2 Three layers architecture of IoT

Figure 2-3 Five layers architecture of IoT

Figure 3-1 Systematic literature review

Figure 3-2 Flowchart of inclusion and exclusion criteria

Figure 3-3 Data extraction strategy

Figure 3-4 Synthesize the literature

Figure 3-5 Systematic review flowchart


List of Tables

Table 1-1 IoT technologies

Table 1-2 Objectives of information security

Table 1-3 Objectives of information security

Table 3-1 Inclusion and exclusion criteria

Table 3-2 Number of selected papers

Table 3-3 Quality appraisal criteria

Table 4-1 IoT security vs Traditional IT security

Table 4-2 Common security vulnerabilities

Table 4-3 Perception layer threats

Table 4-4 Network layer threats

Table 4-5 Middleware layer threats

Table 4-6 Application layer threats

Table 4-7 IoT future development and research


List of acronyms and abbreviations

IoT Internet of Things

RFID Radio Frequency Identification

IP Internet Protocol

ITU-T International Telecommunication Union - Telecommunication Standardization Bureau

WSNs Wireless Sensor Networks

DoS Denial of service

GSM Global System of Mobile Communication

UMTS Universal Mobile Telecommunication

Wi-Fi Wireless Fidelity

ZB ZettaBytes

QoS Quality of service

ML Machine Learning

IDS Intrusion Detection Systems

IPS Intrusion Protection Systems

NFC Near Field Communication

LAN Local Area Network

IoE Internet of Everything

AI Artificial Intelligence


1. Internet of Things (IoT) background

This chapter gives a comprehensive introduction to the IoT, its layers and its architecture. The remaining chapters discuss the IoT architecture and security in detail.

1.1 Introduction

The concept of IoT was first introduced by a member of the Radio Frequency Identification (RFID) development community in 1999. IoT has become more relevant to the world because of the rapid growth of mobile devices, communication, cloud computing and data analytics (Patel and Patel, 2016). Nowadays, more than seven billion users use the Internet to perform different types of tasks such as sending and receiving emails, sharing information on social media, reading books, playing games, browsing and online shopping. This wide-scale usage of the Internet makes it possible to introduce new trends: this global communication infrastructure enables machines to communicate with each other and take decisions (Cerullo et al., 2018). The IoT is a world where billions of objects can communicate and share information, and all of these objects are connected over the Internet Protocol (IP). These connected objects regularly generate huge amounts of data, which is collected, analysed and used to perform actions and to provide intelligence for decision making (Patel and Patel, 2016).

Figure 1-1 shows the implementation of IoT in almost all domains of the world, such as transportation, agriculture, healthcare, and energy production and distribution. IoT is transforming the way we live today by making the intelligent devices around us perform daily tasks; smart homes, smart cities and smart transportation are a few examples linked with IoT (Yousuf, Mahmoud, Aloul and Zualkernan, 2015).

The number of devices connected to the IoT environment is increasing every day. Burhan, Rehman, Khan and Kim (2018) explain that the reason for this rapid increase is that connected devices provide comfort and produce good results compared to humans. Figure 1-2 shows the number of connected IoT devices from 2012 to 2020; the number of connected devices is increasing at enormous speed.

Figure 1-2: Number of connected devices from 2012 to 2020 (Burhan, Rehman, Khan and Kim, 2018)

IoT applications reduce human effort because they perform tasks automatically. Alongside the benefits of these devices, they also face challenges, and one of the biggest is security and privacy. Communication is the most important part of the IoT because all the connected devices must be able to communicate with each other.

Figure 1-3: IoT communication components (figure labels: Device, Mobile, Middleware/Cloud)

The main components of IoT for communication are shown in figure 1-3: (a) Hardware: consists of physical components such as sensors and actuators; (b) Middleware: used for data storage and contains computation tools used for data analysis; and (c) Presentation: visualization and interpretation tools which can be widely accessed on different platforms (Gubbi, Buyya, Marusic and Palaniswami, 2013).

Alaba, Othman, Hashem and Alotaibi (2017) explain that the IoT has established a universal connection of people, objects, sensors, and services. The main objective of the IoT is to provide a network infrastructure that allows communication protocols, software and physical/virtual sensors, personal computers, smart devices, automobiles, and different real-life objects to connect with each other at any time on any network.

The increasing capabilities of technologies like RFID and wireless sensor networks (WSNs), and their increased storage capacity, will increase the number of interconnected devices. The different objects of our daily life such as people, vehicles, computers, books, TVs, mobile phones, clothes, food, medicine, passports, luggage, etc. will have at least one unique identification allowing them to communicate with one another (Abomhara and Koien, 2014).

Figure 1-4: Internet of Everything (adapted from Cisco, 2012) (figure labels: People, Process, Data, Things, Home, Business, Mobile, People to People, Machine to Machine, People to Machine)

Internet of Everything (IoE) is the combination of people, process, data and things to make network connections more valuable than ever before. It helps to turn information into actions that create new capabilities and increase economic opportunity for businesses, individuals and countries (Cisco, 2012). Figure 1-4 shows the main components of IoE: i) people will be connected in more relevant and valuable ways, ii) data will be more intelligent to make better decisions, iii) process delivers the right information to the right person at the right time and iv) things are physical devices and objects connected to the Internet. IoE helps to improve industry outcomes by increasing the power of the Internet, and it also helps to increase IoT progress (Evans, 2012).

1.1.1. IoT devices

The IoT, as discussed by Radoglou Grammatikis, Sarigiannidis and Moscholios (2019), consists of many networks in which the devices can interact with each other via the Internet. These devices are usually called “things” and are described in figure 1-5; each of these “things” has its own properties.

Figure 1-5: The properties of IoT devices (Radoglou Grammatikis, Sarigiannidis and Moscholios, 2019)

Identification: This is the first property of connected devices. Each IoT device must be uniquely identified within the network. Two methods, IPv4 and IPv6, are used to assign unique addresses to the objects in the network. Initially IPv4 was used for addressing, but due to the increase in the number of objects IPv6 is now being used because it is a 128-bit addressing scheme (Burhan, Rehman, Khan and Kim, 2018).

Sensing: This method is used to obtain information from the physical environment (Radoglou Grammatikis, Sarigiannidis and Moscholios, 2019). Different sensing devices, such as smart sensors, actuators and RFID tags, are used to collect the data (Burhan, Rehman, Khan and Kim, 2018).

Communication: In this process connected devices send and receive data, messages, files etc. Different technologies are used to perform communication among objects, such as Bluetooth, wireless networks and RFID.

Computation: This method is used to process the information which is obtained from the devices (Radoglou Grammatikis, Sarigiannidis and Moscholios, 2019). It is used to remove unnecessary information. Different hardware and software platforms are available to perform computing (Burhan, Rehman, Khan and Kim, 2018).

Services: This refers to the functions provided by the devices to the users according to the information which they receive (Radoglou Grammatikis, Sarigiannidis and Moscholios, 2019).

Semantics: This is the last property of the connected devices. It refers to the ability of IoT devices to obtain correct information from the physical environment and provide information as services at the right time (Radoglou Grammatikis, Sarigiannidis and Moscholios, 2019).

1.1.2. IoT technologies

IoT is used to connect different products with the digital world. This interconnection among devices is growing with the advancement of technologies like sensors, smart phones, cloud computing and communication capabilities (Abomhara and Koien, 2014). The IoT is a network of different physical objects like vehicles, machines, home appliances, and more that use different technologies to exchange data over the Internet. Table 1-1 lists the technologies which support the concept of IoT.

Table 1-1: IoT technologies

IoT technologies | Supporting technologies
Identification technologies | RFID, WSN
Networks and communication technologies | GSM, UMTS, Wi-Fi, Bluetooth, ZigBee
Software and hardware technologies | Smart devices with enhanced inter-device communication

Identification technologies: The connected devices in an IoT environment need to be defined uniquely. Identification technologies such as RFID and WSN are used for unique identification of connected devices.

Network and communication technologies: Technologies like Global system of mobile communication (GSM), Universal mobile telecommunication (UMTS), Wireless Fidelity (Wi-Fi), Bluetooth and ZigBee allow the devices to connect with each other. The communication among the connected devices needs to be secure so that the user can use the network with full confidence and security assurance.

Software and hardware technologies: Smart devices with high communication among devices will lead to smart systems providing high degrees of intelligence and autonomy, facilitating rapid IoT application deployment (Abomhara and Koien, 2014).

1.2. Information Security

Information security is an important aspect of life for organizations and individuals using information systems. These systems store and share important information which requires protection against a range of threats, which in turn requires a variety of security controls. These systems and information need to be protected from unauthorized access, disclosure, disruption and modification. Vashi et al. (2017) discuss that the use of IoT is increasing rapidly, which brings more vulnerabilities and security problems. Burg, Chattopadhyay and Lam (2018) explain that the communication and security of IoT are provided by a huge wireless and wired infrastructure that provides the connectivity among the devices.

The Internet is the underlying foundation of IoT, and both technologies face the same types of security issues. IoT comprises three main layers: the perception layer, the transportation layer and the application layer. Each of these layers has its own security problems.

Information security comprises three objectives: confidentiality, integrity and availability (Awad et al., 2018). These objectives are explained in table 1-2.

Table 1-2 Objectives of information security

Objectives | Description
Confidentiality | Confidentiality means that information should not be available or disclosed to unauthorized persons.
Integrity | Integrity means assurance of accuracy and reliability, and that no one can make changes without authorization.
Availability | Availability means that data or information should be available when needed.

The main objectives of information security are described in table 1-2. According to Awad et al. (2018), the objectives explained in the above table are the ones most commonly found in the information security literature, but there are a few more properties which are equally important for information security. Those properties are explained in table 1-3.

Table 1-3 Objectives of information security

Objectives/properties | Description
Authenticity | Authenticity means that data/information is genuine and can be verified and trusted (Awad et al., 2018).
Accountability | Accountability means non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and legal action (Awad et al., 2018).
Non-repudiation | Both the sender and the receiver provide proof of sending and receiving the data (Awad et al., 2018).
Reliability | Reliability means, the results are consistent

1.2.1. Security threats of IoT

IoT has a layered architecture consisting of three layers or five layers. The three layers are the perception layer, network layer and application layer; the five layers are the perception layer, network layer, application layer, middleware layer and business layer. Each layer is susceptible to security threats and attacks. These can be active or passive, and they can originate from external sources or from the internal network (Yousuf, Mahmoud, Aloul and Zualkernan, 2015). Firstly, attacks on the perception layer could be leakage of confidential information, Denial of service (DoS) attack etc. Secondly, attacks on the network layer could be sybil attack, sinkhole attack, man-in-the-middle attack etc. Finally, attacks on the application layer could be malicious code injection, sniffing attack etc.

1.2.2. IoT security implementation

As discussed in the previous section, each layer faces different types of security attacks. Different security measures are implemented to protect the data, e.g. encryption, authentication, confidentiality and access control.

1.3. Problem definition

The IoT is not a single technology; rather, it is a combination of different hardware and software technologies. The solutions provided by the IoT are based on information technology, which refers to the hardware and software used to store, retrieve and process data (Patel and Patel, 2016). Furthermore, communication technologies are also an important part of IoT. The IoT uses all the available technologies for communication, such as Bluetooth, RFID, NFC and Wi-Fi. These communication technologies need to be efficient, reliable and secure to fulfil the requirements of the IoT.

Companies and employees in the industry are still unaware of this concept. Because of this lack of knowledge and awareness, most companies are hesitant to deploy IoT. They are unaware of the potential security and privacy issues connected to their deployment of IoT. Because of the above-mentioned problems, companies need to know more about this concept. They want to know more about the potential threats and solutions regarding the security of IoT. Furthermore, they want to know more about the competency required for information security and how cost effective it is to deal with these security issues in conjunction with their deployment of IoT. This knowledge and competence should help them to move from a non-IoT-business to an IoT-business.

1.4. Research questions

As discussed in the previous sections, the IoT is a relatively new technology and most companies are hesitant to deploy it. Hopefully, this thesis provides the information companies require to deploy IoT technology. With this in view, this thesis work will focus on the following questions.

Q 1. What are IoT security issues in the layered architecture?

Q 2. How is IoT security being implemented in the layered architecture?

Q 3. How can the technology be improved for the IoT future growth?

1.5. Research methodology

The research methodology of this thesis project is a literature review using a qualitative approach. Webster & Watson (2002) explain that a literature review creates a firm foundation for advancing knowledge; a successful literature review facilitates theory development, closes areas where a plethora of research exists, and uncovers areas where research is needed. The purpose of a literature review is to build a knowledge base of research. A systematic literature review is used to find relevant research to answer the research questions.

1.6. Delimitation

IoT is a mixture of different hardware and software technologies. IoT solutions are based on information technology (IT), which refers to hardware and software used to store, retrieve and process data, and on communications technology, which includes electronic systems used for communication between individuals or groups (Patel and Patel, 2016). IoT has a layered architecture, as discussed before, and each layer has its own security risks while performing its actions. This thesis work will focus on the privacy and security threats of IoT and the countermeasures used to overcome those threats. Different protocols are used for communication among the connected devices. Unfortunately, these protocols are not part of this study because of time limitations.

1.7. Thesis structure

Chapter 1 presents a brief introduction to IoT and information security in conjunction with IoT. Chapter 2 presents the background of the IoT and its layered architecture. Chapter 3 presents the methodology used for the systematic literature review. Chapter 4 presents the IoT security issues and answers the research questions. At the end, the conclusion based on this research is discussed.

2. Background of IoT

This chapter contains a comprehensive discussion of IoT, its characteristics and the IoT layered architecture.

2.1 IoT definition

IoT has many definitions, and different authors define the term differently. This variation depends on the context in which the term is used and the aim of using the things. Patel and Patel (2016) define IoT as not only a network of computers; rather, it has developed into a network of all types of devices such as digital cameras, vehicles, smart phones, home appliances, medical instruments and industrial systems, people and buildings, all of which can communicate and share information in order to achieve smart reorganizations, positioning, online upgrade, process control and administration. Dorsemaine et al. (2015) define IoT as “an infrastructure of connected objects which allows their management, data mining and the access to the data they generate.”

A more comprehensive and recommended definition of IoT is proposed by the International Telecommunication Union - Telecommunication Standardization Bureau (ITU-T). ITU-T (2012) defines IoT as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies”. The interconnection of the physical world with the virtual world opens up new possibilities, making it possible to access anything from any place. This interconnection can also increase the possibility of new threats, security risks and vulnerabilities.

The IoT can be defined in different ways, as shown by the above definitions, which are all related to each other. Based on them, the IoT can be defined as follows: “IoT is an infrastructure of geographically connected devices like smartphones, industrial systems, vehicles etc. which connect using communication technologies to generate and access data to provide accurate positioning, safety and administration.”


2.1.1. Characteristics of IoT

The Internet of Things is a mixture of different hardware and software technologies. IoT solutions are based on the integration of information technology, i.e. hardware and software used to store, retrieve and process data (Patel and Patel, 2016). The Internet is the main communication source for connectivity among different devices using wireless technologies such as RFID and WSNs. These technologies use sensors to sense and monitor the environment; these devices have low resources in terms of computation, memory, storage and energy capacity (Viriyasitavat, Anuphaptrirong and Hoonsopon, 2019).

Figure 2-1: Characteristics of IoT

The fundamental characteristics of the IoT are shown in figure 2-1. The characteristics of IoT are Interconnectivity, things-related services, heterogeneity, dynamic changes, enormous scale, safety and connectivity (Patel and Patel, 2016).

Interconnectivity: The IoT is the connection of different devices, which can be interlinked with each other using any network. The connected devices can be located at geographically distributed locations. They can produce and share huge amounts of data that is stored and processed at a centralized location such as the cloud.

Things-related services: These services are provided within the boundaries of things such as privacy and consistency between physical things and their associated virtual things (Patel and Patel, 2016).

Heterogeneity: An IoT system consists of different types of connected devices, each of which has its own hardware and software and follows a different protocol. These devices can interact with each other through different networks (Viriyasitavat, Anuphaptrirong and Hoonsopon, 2019).

Dynamic changes: The IoT environment is very dynamic and continuously adapts to changes. The devices connected through an IoT system can be distributed across geographical locations. The state of devices changes dynamically, e.g. connecting to and disconnecting from the network. Moreover, the number of connected and disconnected devices can change dynamically (Patel and Patel, 2016).

Enormous scale: A huge amount of data is produced by the interconnected devices. The data produced by these devices needs to be managed in a systematic way.

Safety: This is an important aspect of IoT. Personal data and our physical well-being need to be protected. Similarly, the networks and the data moving across them need to be secured by all means.

Connectivity: It enables network accessibility and compatibility. Accessibility is getting on a network, while compatibility provides the ability to consume and produce data (Patel and Patel, 2016).

2.2. IoT Architecture

IoT consists of multiple devices such as sensors, actuators, processors, and transceivers, and of multiple technologies that work together. Sensors and actuators are devices which are used to interact with the physical environment. The data collected by the sensors has to be stored and processed intelligently in order to derive useful inferences from it (Sethi and Sarangi, 2017). The communication between IoT devices is wireless because these devices are located at geographically distributed locations. Communication through a wireless connection always carries a high risk of unreliability and distortion.

2.2.1. Three layers architecture

The IoT architecture consists of three or five layers (Sethi and Sarangi, 2017). Three-layer architecture is considered the most basic architecture.

Figure 2-2: Three layers architecture of IoT (figure labels: Application layer, Network layer, Perception layer/sensing layer)

Figure 2-2 shows the three-layer architecture of IoT. The layers are described as follows:

(i) The perception layer: this is the physical layer, which has sensors for sensing and gathering information about the environment. This layer identifies all the devices which are connected in the physical environment.

(ii) The network layer: this layer is responsible for connecting to other smart things, network devices, and servers. It is also used for transmitting and processing data among connected devices.

(iii) The application layer: this layer is responsible for delivering application-specific services to the user. It defines various applications in which the IoT can be deployed, e.g. smart homes, smart cities, and smart health.

2.2.2. Five layers architecture

The five-layer architecture is the most detailed description of the IoT architecture. Figure 6 shows the five layers of IoT.

Figure 2-3: Five layers architecture of IoT (figure labels: Business layer, Application layer, Middleware layer, Network layer)

The five-layer architecture provides a detailed description of the IoT layers, whereas the three-layer architecture defines the main idea. Figure 2-3 shows the five-layer architecture, in which the business layer, processing layer and transport layer are added for a detailed description of the IoT architecture. These layers are explained below:

(i) The transport layer: this layer is used to transport data from the perception layer to the processing layer and vice versa through networks such as wireless, 3G, Local area network (LAN), Bluetooth, RFID, and Near field communication (NFC).

(ii) The processing layer: this layer is also considered the middleware layer. It stores, analyses, and processes data that comes from the transport layer. This layer is also responsible for providing different services to the lower layers. Different technologies such as databases, cloud computing, and big data processing modules are also deployed in this layer.

(iii) The business layer: this layer manages the entire IoT system, including all the applications, business and profit models, and user’s privacy.

3. Methodology

This chapter contains a comprehensive discussion of the methodology used for this thesis. This thesis follows the process of systematic literature review explained by Okoli and Schabram (2010) in their paper titled “A Guide to Conducting a Systematic Literature Review of Information Systems Research”.

3.1. Research methodology

Knowledge of the topic under discussion is essential to answer the research questions (as proposed in chapter 1). This means that prior knowledge of the project is important, because it helps to supplement the understanding of the topic. In order to answer the research questions about IoT and its security, I would review the research which has already been done to get detailed knowledge of the topic and to avoid performing similar research again. This is a good approach, as it will help to understand the different studies and gain knowledge. This knowledge will help me to review the literature systematically. It will also help me to answer all the research questions.

3.2. Systematic literature review using qualitative approach

A systematic literature review is used to find and review relevant literature in field of study through a highly rigorous and systematic process. The process of systematic literature review covers the content found in the literature alongside the methods used to find the literature, what search strategies used and how and from where the literature searched. A systematic literature review also focuses on the criteria used to evaluate the literature found for the review. Like any literature review, a systematic literature review gives a broad understanding of topic area, to show what work has already been done in the chosen area and what research methods are being used. The literature review also helps to find research gap and direct your research. There are three reasons of systematic literature review: clarity, validity and auditability. Clarity focused on research questions and explicit search strategies which help to clarify considerations of scope and terminology, validity focused on a valid research output, there should be a clear reasoning behind the inclusion of particular papers and theories and auditability is used keep the accurate results of systematic strategies. Accurate record keeping of search strategies will allow others to verify results.

3.2.1. Systematic Literature review

A systematic literature review provides the theoretical background for the research, teaches the basics of research on a topic of interest, or answers practical questions by establishing what existing research has to say on the matter. A systematic literature review must be systematic in following a methodological approach, explicit in explaining the procedures by which it was conducted, comprehensive in including all the relevant material, and reproducible by others who would follow the same approach in reviewing the topic (Okoli and Schabram, 2010). A systematic literature review is a method to identify, evaluate and synthesize the existing literature and recorded work produced by researchers, scholars and practitioners (Fink, 2005).

3.3. Research process

A literature review is a discussion of the information relevant to the specified field of research. A good-quality systematic literature review consists of several steps. All the steps are important for any kind of literature review; however, for a review to be scientifically rigorous, all of the steps are essential (Okoli and Schabram, 2010). Figure 3-1 describes the steps involved in the systematic literature review.

The literature review, according to Rowley and Slack (2004), is a process of i) evaluating information sources, ii) searching and locating information resources, iii) developing conceptual frameworks and mind mapping, and iv) writing the literature review. A literature review is the study of the existing literature in a subject field; the objective of the literature review is to summarize the state of the art in that subject field. The literature review makes it possible to identify areas in which further research would be beneficial.

Figure 3-1 Systematic literature review

This research follows the systematic literature review process described by Okoli and Schabram (2010). Figure 3-1 presents all the stages and activities involved in this systematic literature review research.

3.3.1. Purpose of the literature review

This is the first step of the review: the researcher should clearly define the purpose and intended goal of the review (Okoli and Schabram, 2010). Based on the guidelines provided by Okoli and Schabram (2010), this systematic literature review is divided into three phases: planning, conducting, and reporting the review. Based on the guidelines, this section details the research questions, the performed research steps, and the protocol of the literature review. This systematic literature review is based on the research questions i) What are the IoT security issues in the layered architecture? ii) How is IoT security being implemented in the layered architecture? and iii) How can the technology be improved for future IoT growth? This thesis is organized systematically on the basis of the guidelines provided by Okoli and Schabram (2010) to answer the research questions.

[Figure 3-1 (diagram) labels: phases Planning, Selection, Extraction and Execution; steps Purpose of the literature review, Searching the literature, Data extraction (qualitative), Quality appraisal (qualitative), Conducting review.]

Literature review guides always begin with an explanation and justification for conducting literature reviews; most importantly, the researcher must be sure and clear about conducting the systematic literature review. The first step of conducting a literature review is to clearly define the purpose of the review (Okoli and Schabram, 2010). This is not a part of the active procedure; rather, it is a consideration of the technique to be embarked upon.

3.3.2. Searching the literature

The next phase of the systematic literature review is planning. This phase starts once the purpose of the literature review and the research questions have been formulated. It defines a protocol for the inclusion and exclusion of studies within the scope of this thesis to answer the questions (Okoli and Schabram, 2010). Currently, open access databases such as Google Scholar and the Directory of Open Access Journals, and specific subject databases such as Scopus, IEEE Xplore and the Uppsala University library, offer electronic access to most published literature.

A lot of articles were reviewed and selected on the basis of the defined keywords, i.e. IoT, IoT security, IoT future aspects etc. These articles were searched from online databases such as Google Scholar, IEEE and the Uppsala University online database. Firstly, an initial screening was performed on the set of articles selected for the literature review. The initial screening was conducted based on the abstract. Finally, those articles were selected which provide relevant information to answer the research questions.

For example, "Internet of Things-IOT: Definition, Characteristics, Architecture, Enabling Technologies, Application & Future Challenges", written by Patel and Patel (2016) and available on ResearchGate, was selected for the research review because it provides the required information for my thesis work. The keywords of this article are IoT definition, characteristics of IoT, future challenges, architecture and IoT functional view.

Another example is "IoT Elements, Layered Architectures and Security Issues: A Comprehensive Survey", Sensors, 18(9), p. 2796, written by Burhan, Rehman, Khan and Kim (2018) and available on ResearchGate. This paper was selected on the basis of its keywords (Internet of Things (IoT); layered architectures; security; privacy; security attacks; protection methods; secure architecture).

Firstly, all the articles used for this literature review were selected on the basis of their keywords (IoT, IoT layer architecture, IoT security, IoT future aspects, years of selections). Secondly, articles were selected according to the information required to answer the research questions. Finally, selected articles were downloaded if the full version of the article was available; otherwise they were excluded. Furthermore, I defined inclusion and exclusion criteria for the articles to be used in this literature review. The criteria are defined in the table below.

Table 3-1 Inclusion and exclusion criteria

| Type | Inclusion criteria |
|---|---|
| Topic | Selected literature must be relevant to the topic and abstract to answer the research questions. |
| Publication time | Selected articles for the review must be published between 2010 and 2020. |
| Reliability | The selected articles must be from reliable sources (conferences, workshops etc.). |
| Language | Language of the selected articles must be English. |
| Journals/Articles | The articles used in the literature review were searched from different online sources, i.e. Google Scholar, IEEE, Uppsala University library online database. |
| Books | Books were used for reference to understand the topic in detail. |

Table 3-1 explains the inclusion criteria for the research articles in the literature review. All the steps were considered equally important when selecting an article for the literature review. Any article that did not meet the criteria defined in the table 3-2 was excluded from the review. i) Topic: literature was searched from online sources (articles/journals) that is relevant to the topic and can also answer the research questions. ii) Publication time: the searched articles were published between 2010 and 2020; this was required to find enough data and to select the latest literature available. iii) Reliability: the searched literature was selected from reliable sources like Google Scholar, IEEE and www.ub.uu.se etc. iv) Language: only literature in English was selected; it was impossible for me to understand literature available in any other language. v) Journals/Articles: only articles and journals were searched because they provide the most recent information. vi) Books: were used to understand the topic in detail.

Figure 3-2 Flow chart of inclusion and exclusion criteria

[Figure 3-2 (flow chart) labels: Search on the basis of keywords; Identify relevant sources; Search the article; decision boxes Relevant to abstract?, Publication time, Reliable source, Language is English and Full article, each with a Yes branch (Select the article) and a No branch (Excluded); Download the article.]

Figure 3-2 explains the inclusion criteria in the form of a flow chart. Any downloaded article that did not meet the inclusion criteria explained in table 3-1 was excluded from the review.

3.3.3. Data extraction strategy

The next step after defining the inclusion and exclusion criteria for the articles is to define the data extraction strategy for the included articles. Most of the available guides for literature reviews do not discuss data extraction at all but take it for granted that, after a certain screening process, extraction will happen before synthesis can be completed (Okoli and Schabram, 2010). This strategy was defined carefully because the final results of this literature review are based on the extracted data. The data was systematically taken from each article to answer the research questions.

Finally, having gone through all the previous stages and read the articles in detail several times, I was able to extract the data required for the review. The extraction process consists of i) aims and findings, ii) methods, iii) outcome, iv) results and v) publication year; each step focuses on a particular kind of data, to provide effective answers to the review of the literature (Nazrul Islam, 2013).

Figure 3-3 Data extraction strategy

[Figure 3-3 (diagram) labels: Data extraction; Aims and finding; Methods; Outcome; Results; Publication year; Relevant to topic; Type of finding; Type of the paper; Quality appraisal.]

The data extraction strategy is based on the steps shown in figure 3-3. Each of these steps is focused on a specific type of data. The literature for this thesis work was selected by following different stages and keywords (IoT, IoT layer architecture, IoT security, IoT future aspects, years of selections).

Table 3-2 Number of selected papers

| Source | Papers searched | Papers after stage 1 | Papers after stage 2 | Papers after stage 3 |
|---|---|---|---|---|
| Google Scholar | 17100 | 630 | 60 | 45 |
| IEEExplore.ieee.org | 35 | 25 | 20 | 13 |
| https://www.ub.uu.se/ | 954 | 45 | 25 | 12 |
| Sum | 18089 | 690 | 105 | 70 |

Table 3-2 shows the number of papers downloaded for this research work. The total number of selected papers for this research is also given in the table. The final selection of the papers was based on the inclusion and exclusion criteria and on the quality appraisal of the selected papers, discussed in the next section.

(i) Aims and findings: retrieved data related to the abstract of the research topic, stating the research aims and its findings, i.e. the outcome of the research. (ii) Method: retrieved data related to the research methods employed in the research. The initial focus of this step is to find the type of the article. The article should be research based, so that this review can investigate the methods that were employed to make the research claim. (iii) Outcome validation: retrieved data related to the validation of the research outcome. This step focuses on whether the paper validated its research outcome or not. If the paper's outcome is validated, then the methods used to reach this outcome need to be validated as well. (iv) Results obtained: investigated whether the results obtained in the reviewed papers are in line with the research topic and the goals specified in the abstract. (v) Publication year: extracted the data related to the year of publication of the selected papers. The publication year is important because IoT is a relatively new field and updates about it appear overnight. That is why the most recent papers were selected for this review.

3.3.4. Quality appraisal

The quality of the selected articles is important to consider. The selected articles are not all of the same quality, so the quality of each article must be measured against some standard. The standard of quality is measured based on the assessments defined in table 3-3.

Table 3-3 Quality appraisal criteria

| Level | Methodology quality | Methodology relevance | Topic relevance |
|---|---|---|---|
| Excellent | Excellent research | Research questions clearly stated | Study is close to the review questions |
| Good | Research design clearly stated with evidence of sensible decisions taken to provide valid and reliable | Research questions are explicit or can be deduced from text. | Study is broadly in line with one of the key review questions and provides useful evidence |
| Satisfactory | It is implicit and used to collect useful data | RQs implicit but appear to be broadly matched by research design and finding | At least some part of the literature is relevant to one of the review questions. |
| Inadequate | Research design not stated and contains flaws | RQs not stated or not matched by design | Study does not address key questions |

3.3.5. Synthesis of the literature

Once all the articles have been selected according to the criteria specified in the previous sections, the next step is to combine them in order to make comprehensive sense out of a large number of studies. Synthesis is the process of aggregating, discussing, organizing and comparing. After the completion of this stage, a polished synthesis of information should be available, and writing the literature review should be a straightforward process (Okoli and Schabram, 2010).

Figure 3-4 Synthesis of literature

Figure 3-4 explains the process of synthesizing the selected literature: i) Gather literature that addresses your research questions. ii) Review literature and take notes: describe, summarize, analyze, and identify key concepts. iii) Synthesize literature: compare and contrast, critically evaluate and interpret, so that you can draw conclusions (Research Guides: The Literature Review: A Research Journey: Synthesize, 2020).

3.3.6. Conducting the review

The final step of the literature review is reporting the findings and writing the review. This is the most complicated step of writing the literature review (Okoli and Schabram, 2010). If all the previous steps are followed, then the whole process of the literature review will proceed systematically (Kitchenham, 2004). The most important point in conducting the review is that all the steps must be documented in sufficient detail that the results are reproducible by future researchers.

[Figure 3-4 (diagram) labels: Gather literature; Review literature and take notes; Synthesize literature: critical evaluation.]

Figure 3-5: Systematic review flowchart

After completion of all the previous steps, the final step is to conduct the review. Figure 3-5 describes the process of selecting articles/journals for conducting the review. Multiple articles/journals were selected from different sources such as the Uppsala University library online database, IEEE and Google Scholar. All the relevant documents were selected based on the inclusion criteria as described in the table 3-2. Firstly, all the selected literature was mapped to the research questions, as the final outcome of the literature review is to answer these questions. Secondly, the selected literature passed the quality appraisal as discussed in the section 3.2.4. Finally, the review was conducted to answer the research questions.

[Figure 3-5 (flow chart) labels: Scoping the review; Inclusion criteria; Searching the literature; Article meets the inclusion criteria? (Yes / Excluded); Relevant to research questions; Mapping to research questions; Quality appraisal; Conducting review.]

4. Results

This chapter explains the results according to the research questions defined in section 1.5.

4.1. IoT security

The IoT environment is growing rapidly, and it has a huge impact on social life and the business environment. The devices connected through this environment generate a huge amount of data. According to Sahinaslan (2019), the data exchanged over the network will be greater than 44 zettabytes (ZB) by 2020. Similarly, by 2025 every connected person in the world (about 75% of the total population at that time) will have a digital data engagement over 4,900 times per day, about once every 18 seconds. IoT devices will generate over 90 ZB of data in 2025. This rapid growth brings a lot of risks and threats.

Application domains such as smart homes, smart industries and smart cars are examples of IoT. If a user wants to receive any kind of service from IoT, he needs to connect to various kinds of networks, which can be a serious security and privacy risk. The main causes of these attacks are hardware and software vulnerabilities. Security is mandatory to overcome these hardware and software vulnerabilities. Some existing solutions to these vulnerabilities are very expensive. Hence, lightweight, well-scaling and low-cost protocols are needed.

4.1.1. IoT security vs traditional IT security

Alaba, Othman, Hashem and Alotaibi (2017) explain that there are several differences between IoT and conventional wireless networks in terms of dealing with security and privacy. Frustaci, Pace, Aloi and Fortino (2018) explain that the devices in an IoT system (e.g. sensors or RFID) have limited hardware and software resources, whereas traditional IT is mostly based on resource-rich devices. So, IoT devices only use lightweight algorithms, to find the right balance between higher security and lower capabilities. Hassija et al. (2019) explain that without a trusted IoT ecosystem, IoT applications may lose all their potential. Along with the security issues faced generally by the Internet, cellular networks and WSNs, IoT has its own security challenges such as privacy issues, authentication issues, management issues, information storage and so on.

Table 4.1 IoT security vs Traditional IT security

| Traditional IT security | IoT security |
|---|---|
| Add-on security | Built-in security |
| Complex algorithms | Lightweight algorithms |
| User control | Privacy issues because IoT collects information automatically |
| Small technological heterogeneity | Large technological heterogeneity |
| Many security guards | Few security guards |
| IT devices are located in closed environments | IoT devices are located in open environments |

The differences between IoT security and traditional IT security are listed in table 4.1. The traditional security architecture is designed from the user perspective, which is not applicable to communication among devices. The security issues in both networks could be the same, but different techniques and approaches are used to handle them (Alaba, Othman, Hashem and Alotaibi, 2017).

4.1.2. IoT vulnerabilities

IoT is a network of a large number of devices, which are also at high security risk. Bertino and Islam (2017) explain that IoT systems are at higher security risk for several reasons: i) these systems do not have well-defined perimeters; ii) these systems are highly heterogeneous with respect to communication media and protocols; iii) smartphone applications require permissions for installation and other user interactions, but in IoT devices these permissions might not be possible due to the large number of devices, etc. Li, Tryfonas and Li (2016) explain that data security and privacy issues are very important, but that the risks associated with the IoT will reach new levels as communication and autonomous decision making begin to embed complexity, security loopholes and potential vulnerability. Similarly, Radoglou Grammatikis, Sarigiannidis and Moscholios (2019) explain that the interconnections and the similarity of devices and technologies in the IoT generate possible cyber-physical security vulnerabilities that can be exploited by various cyber attackers. Table 4.2 lists the common vulnerabilities of IoT.

Table 4.2: Common Vulnerabilities of IoT

| Security concerns | Example |
|---|---|
| Insecure web interface | Inability to change default password and username, exposed credentials, weak passwords, lack of robust password recovery etc. |
| Insufficient authentication/authorization | Privilege escalation (design flaw or configuration error in an application or operating system) |
| Insecure network services | DoS, buffer overflow, fuzzing attacks etc. |
| Lack of data encryption and verification | Transmission of unencrypted data and credentials |
| Privacy concerns | Collection of unnecessary user data; exposed personal data and insufficient controls on who has access to user data |
| Insecure cloud interface | Account enumeration, no account lockout, credentials exposed in network traffic |
| Insecure mobile interface | Insufficient authentication, lack of transport encryption and account enumeration |
| Insecure security configuration | Weak password policies, no security logging and lack of data encryption option |
| Insecure software/firmware | Lack of secure update mechanism, update files not verified before upload |
| Poor physical security | Device easy to disassemble, access to software via USB ports, removable storage media |

In order to achieve trust among the systems, an important part is to secure them. The approach to securing these systems relies on threat and risk analyses. The solutions to these risks consist of many different kinds of security architectures. Securing IoT environments is a difficult task, since there will be many different scenarios and each scenario consists of different kinds of devices. Each security solution looks different from the others, since these systems may contain entities which are constrained in different ways.

Similarly, one of the characteristics of IoT is its expected "enormous scale", as there will be many interconnected devices. The security analysis or threat and risk analysis will not only cover software security, because if a system is de-perimeterised and devices are outside the perimeter of a secure environment, then physical threats become more relevant. A standardised level of security has to be found which provides the required safety without affecting the functionality too much.

4.2. IoT Security Issues

The IoT has a layered architecture; each of its layers has its own functionalities and uses different technologies to perform its actions. The rapid increase in IoT devices is also increasing the security risks. This section discusses possible security threats in the IoT layers. Confidentiality, Integrity, Availability, Authentication, Data Freshness and Self-Organization are the key features for securing IoT technologies (Cerullo et al., 2018).

The IoT is a layered architecture and each layer has its own security attacks. There are a lot of security challenges and requirements which need to be addressed. Recent research in IoT is mainly on authentication and access control protocols, but with the rapid advancement of technology it is important to incorporate new networking protocols like IPv6 and 5G to achieve the future IoT security requirements.

4.2.1. Perception layer/sensing layer threats

Information gathering is the main operation of the perception layer. This layer uses sensors, RFIDs, barcodes etc. to gather information. An attacker can attack its sensor nodes due to their wireless nature (Vashi et al., 2017). All types of sensors, such as RFID, NFC and sensor nodes, are the main technologies of the perception layer. This layer is classified into two sections, namely the perception node (sensors, controllers etc.) and the perception network that interconnects with the network layer (Alaba, Othman, Hashem and Alotaibi, 2017).

Table 4.3 Perception layer types of attacks

| Attack | Countermeasure |
|---|---|
| Node capture attacks | Authentication, encryption |
| Malicious code injection attack | Continuously observe the behavior of running system. |
| False data injection attack | Authentication |
| Tampering | Prevent sensor physical damage |
| Eavesdropping and interface attacks | Encryption techniques, access controls, access restriction etc. |
| Jamming | Use of low transmission power, channel surfing etc. |

Node capture attacks: IoT applications are a combination of several low-power nodes. These nodes are vulnerable to a variety of attacks. The attacker can capture a node and get all its information and data (Hassija et al., 2019), (Yousuf, Mahmoud, Aloul and Zualkernan, 2015).

Malicious code injection attack: In this type of attack, the attacker injects malicious code into the memory of the node. By injecting this type of code, the attacker may force the node to perform some unintended functions (Vashi et al., 2017), (Li, S et al., 2016), (Hassija et al., 2019).

False data injection attack: Once the attacker captures the node, he can inject erroneous data into the IoT system. This leads to false results, and the method can also be used to cause a DoS attack (Hassija et al., 2019).

Tampering: The attacker can get physical access to the sensors. By using this method, the attacker can obtain sensitive information like encryption/decryption keys (Cerullo et al., 2018).

Eavesdropping and interference: IoT applications consist of various nodes deployed in an open environment, which exposes them to eavesdroppers. The attacker may capture the data during different phases (Vashi et al., 2017) (Cerullo et al., 2018).

Jamming: This attack disturbs the radio channel: the attacker sends useless information to corrupt the message or cause it to be lost (Cerullo et al., 2018). This kind of attack can be divided into four categories: constant jamming, deceptive jamming, random jamming and reactive jamming (Radoglou et al., 2019).

4.2.2. Network layer/transportation layer

It is also called the transportation layer. This layer relies on the information collected by the perception layer (Vashi et al., 2017). It provides network transmission and information security and spreads information in the perception layer, that is, data transmission and storage awareness. The network layer includes mobile devices, cloud computing and the Internet (Alaba, Othman, Hashem and Alotaibi, 2017). This layer provides an interaction between application and service. It is important to design an effective security strategy to protect against attacks (Li, S et al., 2016).

Table 4.4 Network layer attacks

| Attack | Countermeasure |
|---|---|
| Phishing site attack | Do not open unknown emails |
| Access attack/Man-in-the-Middle attack | Encryption method between client and server, identification and authentication techniques. |
| DoS attack | Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) |
| Sybil attack | Unique shared key between the node and the base station |
| Routing attacks/sinkhole attack | Continuous monitoring of the nodes. |
| Hello flood attack | Authentication of neighbor nodes through an identity verification protocol. |

Phishing site attack: In this type of attack, the attacker tries to capture several IoT devices with minimal effort. The attacker tries to capture the username and password of one person, which makes the whole IoT system vulnerable to cyberattack (Hassija et al., 2019).

Access attack: In this attack, an unauthorized person gets access to the IoT network. The purpose of this type of attack is to collect valuable information rather than to damage the network (Hassija et al., 2019).

DoS attack: In this attack, the network is flooded with useless traffic by an attacker, resulting in resource exhaustion of the targeted system and making the network unavailable to the user (Vashi et al., 2017) (Li, S et al., 2016). Many IoT devices are not strongly configured and thus become an easy target of this attack (Hassija et al., 2019).

Sybil attack: In the Sybil attack, malicious nodes create multiple identities in order to mislead other nodes. The purpose of the attacker, in this case, is to take control of different areas of the network without using any physical node (Radoglou et al., 2019) (Cerullo et al., 2018).

Routing attacks/sinkhole attack: In this kind of attack, a malicious node tries to redirect the routing path and attract other nodes to route traffic through it (Radoglou et al., 2019) (Cerullo et al., 2018) (Hassija et al., 2019).

Hello flood attacks: A node uses a HELLO message to join a network. A Hello flood attack consists in forwarding a large number of these messages in order to flood the network and thus prevent the exchange of other types of message (Cerullo et al., 2018) (Radoglou et al., 2019).

4.2.3. Middleware layer

The role of the middleware layer in IoT is to create an interface between the network layer and the application layer. This layer also provides powerful computing and storage capabilities. The middleware layer includes device discovery and management, big data analytics, security etc. The middleware layer provides a reliable and robust IoT interface, but it is also open to various attacks (Hassija et al., 2019). Moreover, this layer has the capability to retrieve, process and compute information, and then to decide automatically based on the computational results. The middleware layer has two essential functions, i.e. service management and storing the lower-layer information into the database (Vashi et al., 2017).

Table 4.5 Middleware layer attacks

| Attack | Countermeasure |
|---|---|
| Flooding attack in cloud | User authentication |
| De-synchronization | Authenticate each forward packet |
| SQL injection attack | Validate user input, encryption, limited rights |
| Man-in-the-Middle attack | Encryption method between client and server, identification and authentication techniques. |

Flooding attack in cloud: This attack has a big impact on cloud systems by increasing the load on the cloud services. It works the same way as DoS in the cloud and affects the quality of service (QoS). The attacker continuously sends multiple requests to a service (Hassija et al., 2019) (Cerullo et al., 2018).

SQL injection attack: In such attacks, the attacker can embed malicious SQL statements in a program. The attacker can obtain the private data of any user and can even alter records in the database (Hassija et al., 2019).

De-synchronization: An attacker forwards fake sequence numbers to de-synchronize the endpoints and cause data retransmission (Cerullo et al., 2018).

Man-in-the-Middle attack: This is a form of eavesdropping attack in which the target of the attack is the communication channel. The unauthorized party can monitor the communication between two parties without being identified (Vashi et al., 2017).
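The SQL injection entry and its countermeasures in Table 4.5 (validate user input, limited rights) can be seen in a middleware component that stores lower-layer readings in a database. The following is an added example, not code from the thesis or the cited papers; the table layout, device-id format, function names and sample rows are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data: readings the middleware stored for two users' devices.
SAMPLE_ROWS = [
    ("thermo-01", "alice", 21.5),
    ("thermo-02", "alice", 22.1),
    ("lock-07", "bob", 1.0),
]

DEVICE_ID_RE = re.compile(r"[a-z0-9-]{1,32}")  # assumed device-id format


def make_store():
    """Create an in-memory readings table and fill it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (device_id TEXT, owner TEXT, value REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def readings_vulnerable(conn, owner, device_id):
    """Weak form: request text is pasted into the SQL statement."""
    sql = ("SELECT device_id, value FROM readings "
           f"WHERE owner = '{owner}' AND device_id = '{device_id}'")
    return conn.execute(sql).fetchall()


def readings_hardened(conn, owner, device_id):
    """Hardened form: validate the input, then bind it as a parameter."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise ValueError("device_id has an unexpected format")
    sql = ("SELECT device_id, value FROM readings "
           "WHERE owner = ? AND device_id = ?")
    return conn.execute(sql, (owner, device_id)).fetchall()


def restrict_to_reads(conn):
    """Limited rights: this connection may no longer modify the database."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def write_is_blocked(conn):
    """Return True if an UPDATE on this connection is refused."""
    try:
        conn.execute("UPDATE readings SET value = 0")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both forms on a constructed malformed device_id; return the row counts."""
    conn = make_store()
    crafted = "x' OR '1'='1"  # constructed input that changes the WHERE clause
    leaked = readings_vulnerable(conn, "alice", crafted)
    try:
        safe = readings_hardened(conn, "alice", crafted)
    except ValueError:
        safe = []
    return len(leaked), len(safe)
```

The weak form returns every user's rows for the crafted input, while the hardened form rejects it; the read-only connection additionally limits what a missed injection could alter.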

4.2.4. Application layer

The application layer is the uppermost layer and is visible to the end user. Applications such as smart grid, smart city, healthcare systems and intelligent transportation protocols constitute this layer (Alaba, Othman, Hashem and Alotaibi, 2017). This layer has specific security issues which are not present in other layers, such as data theft and privacy issues. Most IoT applications also consist of sub-layers in between the network and application layers, usually termed an application support layer or middleware layer (Hassija et al., 2019).

Table 4.6 Application layer attacks

| Attack | Countermeasure |
|---|---|
| Data theft attacks | Data encryption, user and network authentications etc. |
| Data corruption | Anti-virus, firewalls, spy-ware etc. |
| Sniffing attacks | Security protocols |
| DoS attacks | Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) |
| Malicious code injection attacks | Continuously observe the behavior of running system. |
| Reprogram attacks | Protect programming process |

Data thefts: IoT applications deals with lot of data which is critical and private. The data in

transit is more vulnerable than the data at rest. The users always reluctant to transmit their private data on the IoT system (Hassija et al., 2019).

Data corruption: Malicious codes such as viruses, spy-ware, worms etc. are the possible

attacks in this layer. The malicious codes can alter the data collected by the sensors, the receiver will receive the wrong data and perform wrong actions (Cerullo et al., 2018).

Sniffing attacks: Attackers may use a sniffer application to monitor the network traffic in an IoT application. This may allow the attackers to gain access to confidential user data.

Denial-of-Service attack: This type of attack stops authenticated users from using the IoT application by artificially making the servers or networks too busy to respond.

Malicious code injection attacks: Attackers can inject malicious code into a script because this is the simplest way to break the security. Through these attacks the attackers can hijack an IoT account and paralyze the IoT system.

Reprogram Attacks: If the programming process is not protected, attackers can try to reprogram the IoT object remotely. This could lead to hijacking of the IoT network.

4.3. Solution of IoT layers threats

The previous section discussed security vulnerabilities in all the layers of IoT. This section discusses the countermeasures against those threats.

4.3.1. Perception layer

The threats at the perception layer, such as node capture, malicious code attacks, tampering and jamming, were discussed in the previous section. The threats addressed at the perception layer are natural disasters, environmental threats, human-caused physical threats and jamming attacks (Radoglou et al., 2019). Gou, Yan, Liu and Li (2013) explain that sensor nodes in the perception layer of IoT are usually deployed unattended, are vulnerable, and some of the equipment may even be stolen; sensor nodes can be supplied continuously and damaged nodes in key positions replaced, so that the network can self-heal and protect the physical security of the IoT.

On the other hand, if physical threats are caused by human beings, only authenticated users and devices should be able to access the system. Therefore, user authentication systems, physical access control mechanisms and a trust framework are required for data security. Encryption is used to protect data from tampering and to maintain confidentiality and data integrity. Encryption can be achieved in two ways: i) node-to-node and ii) end-to-end encryption (Vashi et al., 2017).
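The following is an added example, not taken from the thesis or the cited papers, contrasting the two placements named above: node-to-node and end-to-end. It uses HMAC-SHA256 tags as a stand-in for the integrity protection the paragraph attributes to encryption; the keys, the device name and all function names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumptions for this example only).
K_SENSOR_GW = b"hop-key-sensor-gateway"   # shared by sensor and gateway
K_GW_SERVER = b"hop-key-gateway-server"   # shared by gateway and server
K_END_TO_END = b"e2e-key-sensor-server"   # shared only by sensor and server

def tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(key: bytes, payload: bytes, received: str) -> bool:
    # Constant-time comparison of the expected and received tags.
    return hmac.compare_digest(tag(key, payload), received)

def sensor_send(reading: dict) -> dict:
    payload = json.dumps(reading, sort_keys=True).encode()
    return {"payload": payload,
            "hop_tag": tag(K_SENSOR_GW, payload),    # node-to-node, hop 1
            "e2e_tag": tag(K_END_TO_END, payload)}   # end-to-end

def gateway_forward(msg: dict, rewritten: dict = None) -> dict:
    """Verify hop 1, then re-tag for hop 2 (node-to-node protection).
    `rewritten` models a compromised gateway that alters the reading."""
    if not verify(K_SENSOR_GW, msg["payload"], msg["hop_tag"]):
        raise ValueError("hop 1 integrity check failed")
    payload = msg["payload"]
    if rewritten is not None:
        payload = json.dumps(rewritten, sort_keys=True).encode()
    # The gateway holds K_GW_SERVER, so it can always produce a valid hop tag,
    # but it cannot recompute the end-to-end tag.
    return {"payload": payload,
            "hop_tag": tag(K_GW_SERVER, payload),
            "e2e_tag": msg["e2e_tag"]}

def server_receive(msg: dict, require_e2e: bool):
    """Return the reading, or None if an integrity check fails."""
    if not verify(K_GW_SERVER, msg["payload"], msg["hop_tag"]):
        return None
    if require_e2e and not verify(K_END_TO_END, msg["payload"], msg["e2e_tag"]):
        return None
    return json.loads(msg["payload"])

if __name__ == "__main__":
    reading = {"device": "temp-01", "seq": 7, "celsius": 21.5}  # constructed
    altered = gateway_forward(sensor_send(reading), dict(reading, celsius=95.0))
    print("node-to-node only:", server_receive(altered, require_e2e=False))
    print("with end-to-end  :", server_receive(altered, require_e2e=True))
```

With node-to-node protection alone, every intermediate node is inside the trust boundary, so an altered reading arrives with a valid tag; the end-to-end check is what lets the receiver reject it.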

4.3.2. Network layer

The threats at the network layer, such as phishing site attacks, DoS attacks and sinkhole attacks, discussed in the previous section need to be addressed to achieve security at this layer. To protect against unauthorized access in the network layer, authentication mechanisms can be used. When a large amount of sensory data or unsafe intrusion data comes from the perception layer, filtering and detection mechanisms can be used to ensure data security (Gou, Yan, Liu and Li, 2013). To protect confidentiality, integrity and availability in the network layer, node-to-node encryption can be used at this layer (Vashi et al., 2017). Different
