See discussions, stats, and author profiles for this publication at: [Link]

net/publication/379278792

Security Challenges in IOT

Chapter · March 2024

DOI: 10.1007/978-981-97-0052-3_4

CITATIONS READS

0 828

4 authors, including:

Kingsley Theophilus Igulu

Kenule Beeson Saro-Wiwa Polytechnic Bori
27 PUBLICATIONS 18 CITATIONS

SEE PROFILE

All content following this page was uploaded by Kingsley Theophilus Igulu on 01 May 2024.

The user has requested enhancement of the downloaded file.

Security Challenges in IOT

Kingsley Igulu, Barilemena Johnson, Agbeb Nornu Stephen,

and Tarandeep Kaur Bhatia

Abstract The concept of the Internet of Things (IoT) revolves around the exchange
of information among low-power embedded devices, linked to the internet, in order
to enable seamless communication. The IoT has a profound impact on various
aspects of modern life, from mobile devices and sensors that keep track of the
surrounding environment to smart industrial gadgets. While the Internet of Things
offers numerous advantages, it also presents security and privacy concerns. The
information transmitted through the IoT includes sensitive data such as banking
information, geographic data, environmental data, medical information, and other
personal information. Hence, it is crucial to acknowledge the security challenges
posed by the IoT and address them appropriately. This chapter presents comprehen-
sive insights into the security challenges associated with the Internet of Things, while
considering the vast scope of the topic and existing literature. It discusses various IoT
security challenges, IoT security architectures, IoT security solution trust zones and
boundaries, potential risks of IoT devices, notable cases of IoT security breaches,
solutions to IoT security breaches, strategies for securing IoT data and best IoT
security practices.

Keywords Internet of Things (IoT) · Communication · Security · Embedded

devices · Security architectures

B. Johnson
Department of Computer Science, Ignatius Ajuru University of Education, Port Harcourt, Nigeria
K. Igulu (B) · A. N. Stephen
Department of Computer Science, Ken Saro-Wiwa Polytechnic, Rivers State, Bori, Nigeria
e-mail: igulukt@[Link]
T. K. Bhatia
School of Computer Science, UPES, Dehradun, India
e-mail: drtarandeepkaurbhatia@[Link]

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024 51
A. Prasad et al. (eds.), Communication Technologies and Security Challenges in IoT,
Internet of Things, [Link]
Security
52 Challenges in IOT K. Igulu et 52
al.

Introduction

The IoT has the potency to completely alter the way human engage with the physical
world from our homes and workplaces to our vehicles and cities. But with this
revolution comes a host of security challenges, from data privacy and hacking to
cyber-attacks and malware. As the IoT revolution progresses, it is essential that we
understand the risks and develop effective strategies to protect ourselves [13].
The IoT is a rapidly evolving field that is transforming industries such as agricul-
ture, healthcare transportation, and manufacturing. It is projected that by 2030, there
will be 50 billion IoT devices, with an associated economy worth of $11 trillion [53].
Nevertheless, the growth of IoT devices raises various security concerns that must
be addressed to guarantee that the benefits of IoT do not outweigh the hazards.
IoT devices are vulnerable to attacks from hackers who can exploit their weak-
nesses to gain unauthorized access to data, manipulate systems, and cause disrup-
tions. These security challenges are compounded by the fact that IoT devices are
often constructed with small memory, restricted processing power, and battery life,
which limits the implementation of robust security protocols. Furthermore, many
IoT devices are deployed in remote and harsh environments where maintenance and
security updates are challenging to implement [78].
In this chapter, we shall look at the security challenges facing the IoT revolution
and what can be done to address them. We shall explore the potential risks of IoT
technology, the need for robust security measures, and the steps that can be taken to
protect ourselves and our data. With the right approach, we can ensure that the IoT
revolution is a safe and secure one.

IOT Security Architecture

The term “IoT security architecture” refers to the planning and execution of protective
measures for the IoT devices, networks, and applications from cyber threats. An IoT
security architecture typically involves several layers of security controls to ensure
the confidentiality, availability, and integrity of transmitted data between IoT devices
and systems. Here are some key components of an IoT security architecture [13, 15,
57, 73]:
• Device security: This layer involves securing IoT devices at the hardware and
firmware levels, which includes secure boot, encryption, and device authentica-
tion. In addition to this, it involves making sure that the devices in question have
the most recent security patches and firmware updates installed.
• Network security: This layer involves securing communication between devices
in IoT and networks. This includes authorization and authentication, secure data
transmission, encryption, and intrusion detection.
Security
53 Challenges in IOT K. Igulu et 53
al.

• Cloud security: This layer involves securing the cloud infrastructure and services
that store and process IoT data. This includes data encryption, access control, and
backup and recovery mechanisms.
• Application security: This layer involves securing the IoT applications that run
on top of the infrastructure. This includes authentication, authorization, input
validation, and encryption of sensitive data.
• Data security: This layer involves securing the data transmitted and stored by
IoT devices and systems. This includes data encryption, access control, and data
loss prevention mechanisms.
• Physical security: This layer involves securing the physical environment where
IoT devices and systems are deployed. This includes access control, surveillance,
and monitoring mechanisms.
Overall, an effective IoT security architecture should be designed to cater for the
peculiar security challenges eventuated by IoT devices and networks, such as the
massive scale of devices, the variety of communication protocols, and the diversity
of application domains.

Components of IoT Security Architecture

The solution developed during the procedure of designing an architecture for the IoT
would have many different parts. Each of these parts serves a different purpose and
provides essential building blocks that may be put together in any way to create an
IoT solution. Any of these parts can be used in the design and construction of an IoT
system.
• Devices: The sensors and other parts of the Internet of Things are connected to
specific devices. Devices may also be linked to additional parts. The “things” in
“Internet of Things” come from the devices themselves.
• Field Gateway(s): This is a software or hardware component that acts as an
intermediary between the endpoint devices and the cloud. By acting as a hub for
both cloud-based and on-premises components, they can be leveraged to improve
security. Message or protocol translation, aggregation of events and messages in
communication, and other system-level services are only a few of the many uses
for field gateways.
• Edge Devices: One subset of Field Gateways are the Edge Gateways (also known
as edge devices). It’s superior because it allows Cloud functions to be executed
locally, in close proximity to other devices, hence minimizing delays in the feed-
back loop of real-time processing. Edge gateways can be outfitted to perform tasks
typically performed in the cloud, such as event stream processing and machine
learning.
Security
54 Challenges in IOT K. Igulu et 54
al.

• Cloud Gateway: These are equivalent to the popular Field Gateways; the main
difference is that they are hosted in the cloud rather than on a company’s own
servers. By being in the cloud rather than on a local device, Cloud Gateways can
perform the same duties as Field Gateways.
• Services: The Services section of an IoT system’s backend encompasses every-
thing else, such as REST APIs, databases, and so on. Depending on their role
in the overall IoT solution architecture, these services can be setup in the cloud,
on-premises, or hybridized.

Boundaries and Trust Zones for IoT Security Solutions

Every Internet of Things solution is assembled from a wide variety of individual

components. The many components of an Internet of Things solution will each be
compartmentalized into their own distinct Trust Zones and Boundaries as part of the
system’s overarching security architecture. These diverse zones and borders enable
both physical and software-based isolation layers to separate the various system
components in order to ensure their security [13].
As depicted in Fig. 1, security measures are utilized to partition the various compo-
nents of an Internet of Things (IoT) solution, isolating each component from the
others in a more secure manner. This is done to give Trust Zones and Boundaries
with segmented protection.
When developing any kind of Internet of Things Security Architecture, the
following trust zones are the most important ones to bear in mind:
i. Local Zone
ii. Device Zone
iii. Cloud Gateway Zone
iv. Remote User Zone
v. Field Gateway Zone
vi. Gateway and Services Zone.
Trust Zone boundaries should be separate. This isolates each zone, protecting
it. As you move closer to the cloud, adding security to each successively higher
zone verifies the communications between the zone below it and the local zone or
on-premises components.
Except for the Device Zone and the Field Gateway Zone, most zone boundaries
are depicted in Fig. 1. Field Gateway(s) will receive event data from the Device Zone
devices via direct communication. If your Internet of Things (IoT) solution calls for
or benefits from a higher level of security, you may want to consider extending this
paradigm with a Trust Boundary. The boundaries and trust zones of your Internet of
Things architecture are something you design.
Security
55 Challenges in IOT K. Igulu et 55
al.

Fig. 1 IoT trust zones and boundaries [13]

Security Challenges Facing the IoT Revolution- an Overview

The IoT has the potential to completely alter the way we engage with the physical
world, from our homes and workplaces to our vehicles and cities [20, 44, 56]. But with
this revolution comes a host of security challenges, from data privacy and hacking
to cyber-attacks and malware. As the IoT revolution progresses, it is essential that
we understand the risks and develop effective strategies to protect ourselves. In this
overview, we’ll look at the security challenges facing the IoT revolution and what
can be done to address them [78].
We shall explore the potential risks of IoT technology, the need for robust security
measures, and the steps that can be taken to protect ourselves and our data. With the
right approach, we can ensure that the IoT revolution is a safe and secure one.

Security Challenges of the IoT Revolution

The security challenges posed by the IoT revolution are numerous. Increases in the
number of Internet-connected devices have also increased the potential for malicious
actors to exploit weaknesses in these systems. IoT devices are often vulnerable to
a range of security challenges which are listed and discussed below according to
[60, 63].

Vulnerabilities in Devices

Typically, the processing power, memory, and battery life of IoT devices are all on
the low end. This often leads to vulnerabilities that can be exploited by attackers to
gain access to sensitive data or take control of the device. Manufacturers must ensure
that IoT devices are designed with security in mind, including secure communication
Security
56 Challenges in IOT K. Igulu et 56
al.

protocols, firmware updates, and secure data storage. In the context of IoT security,
device security is considered to be a crucial aspect according to the findings of
several researchers [83, 84, 87]. Yu et al. [84] have discussed the presence of known
vulnerable devices that can be exploited for DDoS attacks due to issues like hardcoded
administrative login credentials and open DNS resolvers. Airehrour et al. [3] have
reported a 2012 case where TRENDNET IP cameras streamed live footage without
the need for a password. Patton et al. [58] have conducted a thorough investigation of
35,737 different IoT devices, and the results show that the majority of devices were
openly accessible over the internet without any identification requirements.
IoT devices have various potential vulnerabilities that can be exploited by
attackers. These vulnerabilities can be classified into three categories: physical,
software, and network.

Physical Vulnerabilities

Physical vulnerabilities are related to physical access to IoT devices. IoT devices can
be physically accessed by attackers to manipulate the device, extract sensitive data
or install malware. For example, attackers can physically tamper with the device to
extract passwords or install malware.

Software Vulnerabilities

Software vulnerabilities are related to the software running on the IoT devices. IoT
devices are often designed with limited resources, which means the software may
not be fully secure. Additionally, IoT devices may be running outdated or unpatched
software, which can leave them vulnerable to attacks. For example, attackers can
exploit a software vulnerability to remotely control the device.

Network Vulnerabilities

The network connections of IoT devices present security risks. Since many IoT
devices are online, they are susceptible to cybercriminal activity. Additionally, IoT
devices are often connected to other devices, which can be exploited to gain access to
the IoT device. For example, attackers can exploit a network vulnerability to intercept
data transmitted between the device and the cloud server.
Security
57 Challenges in IOT K. Igulu et 57
al.

Inadequate Identification, Authentication and Authorization

Many As per industry experts, one of the major security challenges in the Internet of
Things (IoT) is the lack of authentication and authorization mechanisms in many IoT
devices. Attackers can easily exploit this vulnerability to gain unauthorized access
to the device and compromise its security. To combat this issue, manufacturers need
to implement robust authentication mechanisms such as multi-factor authentication
and role-based access control to restrict access to only authorized users.
The identification and authentication of devices are complex tasks in IoT due to the
vast number of devices connected. Authentication is crucial to ensure the integrity of
a device’s data stream. Additionally, authorization serves as a crucial access control
measure to prevent hacking attempts. A study by [56] indicates that current security
mechanisms lack access control and privacy protection. Therefore, it is imperative to
implement authorization servers in server-based protocols to ensure access control
in IoT.

Lack of Encryption

Encryption is critical to protect data transmitted between IoT devices and servers.
However, many IoT devices do not have built-in encryption capabilities or use weak
encryption algorithms. This leaves data vulnerable to interception and manipulation
by attackers. It is essential to implement strong encryption mechanisms to protect
data transmitted between devices and servers.

Environment Constraints

The environment presents a significant problem for loT security. Hossain et al. [35]
enumerate them. The computing power, memory, and battery life of devices are cited
as the first hardware restrictions. Therefore, operations that are computationally
complex and memory expensive are not a good fit for the IoT. Next, they focus on
software restrictions. Thin network stacks are a feature of loT devices’ operating
systems, which may prevent them from being remotely reprogrammed. This restricts
the development of security modules and the distribution of security updates for
certain platforms. Finally, they talk about the limits imposed by the network. The
security design is complicated by the networks’ mobility, scale, and heterogeneity.
The computational and network limits are agreed upon by [11, 19] as limitations to
loT security.
Security
58 Challenges in IOT K. Igulu et 58
al.

Legislative Issues

As Weber [78] pointed out, the loT business was mostly self-regulated at the time, but
new legal frameworks will be required to protect consumers’ privacy. Weber claimed
that such rules might not be sufficient to guarantee true anonymity or safety. Weber
argued that a global IoT necessitates a global regulatory framework. In the wake
of increasing global concerns over security, it is imperative that the IoT industry is
regulated by a comprehensive security framework. As emphasized by Weber [79,
71] the IoT poses significant challenges to national security, company secrets, and
personal privacy, and therefore, requires legal provisions to ensure its safe and secure
growth.

Enforcement Mechanisms

The enforcement mechanisms of the Internet of Things are either flawed or nonex-
istent, as stated in [83, 84]. Because IoT devices have limited resources and vary
widely in their characteristics, traditional security measures like antivirus software
are not available. Moreover, unlike regular networked devices, IoT devices do not
have automated software updates. Instead, they rely on firmware updates, which need
to be carried out separately by each manufacturer and for each device. Another issue
is that most network security approaches depend on strong static perimeter defenses,
such as firewalls, which become ineffective when insecure IoT devices are integrated
deeply within the network. Kumar et al. [44] also expressed concerns regarding the
absence of security updates for the Internet of Things.

Privacy Concerns

The privacy aspect of the IoT is a significant concern due to the increased risks
of security threats like eavesdropping, unauthorized access, data manipulation, data
forgery, and remote tampering with devices. Researchers such as Ram Mohan Rao
et al. (2018), [65] have highlighted this issue. Data forgery, which involves unautho-
rized modification of device data by external parties, is another potential security risk,
as pointed out by [49]. The data collected in IoT, such as personal information like
names, addresses, and insurance policy numbers, is often sensitive, as emphasized
by [3], and transmitting it to cloud environments introduces additional challenges.
“A vast number of the services and apps offered by the internet of things (IoT)
give sensitive and personal information that is accessible and can be exploited by
an adversary” [49]. Sensitive information that is not encrypted may be accessed by
unauthorized persons.
Security
59 Challenges in IOT K. Igulu et 59
al.

IoT devices often collect and transmit personal data, such as location, health, and
biometric information. This data must be protected from unauthorized access and
use. Manufacturers must implement appropriate data privacy policies and ensure that
personal data is collected and stored securely.
Data privacy is another significant concern in IoT. The vast volumes of data
produced by Internet of Things (IoT) devices can encompass confidential and private
information pertaining to individuals and organizations. This data can include loca-
tion data, personal health information, and financial data. The following are some
data privacy challenges in IoT:
• Collection and Storage of Data: IoT devices collect and store large amounts of
data. This data can be vulnerable to theft or misuse.
• Data Ownership: Who exactly owns the information collected by IoT gadgets is
often not made apparent. This can create challenges when it comes to data privacy
and security.
• Consent: It is often unclear whether individuals have given consent for their data
to be collected and used. This can create challenges for organizations when it
comes to compliance with data privacy regulations.
Overall, data privacy in IoT requires a combination of technical and organizational
measures to ensure that data is protected at every stage of the data lifecycle.

Distributed Denial-Of-Service (DDoS) Attacks

IoT devices are often connected to the internet through home networks, which
are typically not designed to handle large-scale DDoS attacks. Attackers can use
compromised IoT devices to launch DDoS attacks, which can cripple servers and
websites. Manufacturers must ensure that IoT devices are designed with built-in
security mechanisms that can detect and prevent DDoS attacks.
Overall, the security challenges in IoT are complex and require a holistic approach
that involves manufacturers, users, and regulators. Manufacturers must build security
into their devices from the ground up, while users must be educated on how to use IoT
devices safely and responsibly. Regulators must also develop policies and standards
to ensure that IoT devices meet minimum security requirements [17, 30, 85].

Cross-Device Dependencies

According to Yu et al. [84], the interconnectedness of the Internet of Things creates

extra opportunities for cyberattacks. They describe a scenario in which an attacker
disables an air conditioner, raising the room temperature, which in turn triggers
another system to open the windows, posing a threat to the physical security of the
facility. It is not unusual to see devices with many connections. Yu et al. [84], offers
Security
60 Challenges in IOT K. Igulu et 60
al.

a few examples: There are 188 cross-device policies available through the NEST
Protect home security system, 227 through the Wemo Plugin, and 63 through the
Scout Alarm.

Data Theft

Theft of data or information is the illegal acquisition or compromise of private or

sensitive data kept in computer systems, networks, or electronic media belonging
to a company. As the world becomes increasingly interconnected and reliant on
technology, data theft in IoT is of increasing concern. With the increasing use of
IoT devices, the risk of data theft is also increasing. Cybercriminals are constantly
finding new ways to exploit vulnerabilities in IoT devices, and organizations must
be vigilant in protecting their sensitive and valuable data.
One of the main reasons for data theft in IoT is the lack of security measures
in place. Many IoT devices do not have adequate security protocols, making them
an easy target for hackers. Assaults including man-in-the-middle attacks, denial-of-
service attacks, and ransomware can easily infiltrate these devices. In addition, IoT
devices are often connected to a network that is also vulnerable to attack. This means
that if one device is compromised, it can provide a gateway for hackers to access
other devices on the network.
The substantial quantity of data collected and transmitted by IoT devices
contributes to the risk of data theft. This data encompasses sensitive information,
including personal identification details, financial data, and health information. If
this data is accessed by unauthorized individuals, it can be exploited for identity
theft, financial fraud, or other nefarious intentions. In addition, the sheer volume of
data being collected can make it difficult for organizations to monitor and control
access to this data.
The majority of data breaches occur because hackers stole sensitive data for either
identity theft or sale on the dark web. If a hacker or threat actor manages to get unau-
thorized access to sensitive information, they may change, erase, or even completely
block the owners from viewing the data.
Keep in mind that when discussing data theft, the terms data leak and data breach
are typically used interchangeably. Data leaks and breaches are two different things.
Intentional cyber attacks are what we call a “data breach.” On the other side, a data
leak occurs when private information is inadvertently shared online or when hard
drives or other storage devices are lost or stolen, allowing threat actors to gain access
to the data without any additional effort on their part.
Security
61 Challenges in IOT K. Igulu et 61
al.

Data Tampering

Tampering refers to the act of making unauthorized changes to or deletions from a

resource. An application that can be accessed via the internet and a web browser
on a device is referred to as a web application. When discussing web applications,
“data tampering” refers to any incident in which an unauthorized user (such as a
hacker) gains access to a system and then tampers with the data stored inside. Indirect
tampering can also be accomplished by a hacker or other malicious user using a script
exploit. This means that the hacker would get the script to execute by disguising it
as a user input from a page or as a web link [40, 82].
Tampering presents a major threat to the security of the Internet of Things. Files
stored in cloud-based apps, which are used by millions of companies throughout the
world, can be edited and updated with this tool. In the late 1980s, tampering was first
used as a method to sabotage data or plant a harmful or destructive program with
the intention of deleting data. Since that time, it has developed further and improved
over the course of the years. In the year 2000, hackers were able to fabricate data
and falsify information in order to trick the consumers of a web application. Each
year brings new and better technology that makes it easier for bad actors to hack
web applications. This is due to the fact that these technologies provide simple tools
and application programs that make it easier to tamper with data or manipulate data
within computer systems [13, 28, 73, 87].
Utilizing a firewall and the security features offered by Windows to restrict access
to critical files, directories, and other resources is a first line of defense against the
alteration of data. Additionally, the web application ought to function with the least
amount of privileges possible. In order to prevent script vulnerabilities from being
exploited, it is important to never put any faith in the information that originates
from a user or even a database. When acquiring information from untrusted sources,
appropriate and safe precautions should be taken to ensure that the material does not
contain any executable code that may be used for malevolent purposes.
[76] provides a categorization of these security challenges or requirement as given
in Fig. 2.

Potential Risks of IoT Devices

IoT devices also pose various risks that can have serious consequences. These risks
can be classified into three categories: privacy, financial, and physical [53, 53].
Security
62 Challenges in IOT K. Igulu et 62
al.

Fig. 2 Security requirement classification according to [76]

Privacy Risks

Privacy risks are related to the protection of personal information of the user. IoT
devices collect and transmit sensitive personal data, such as health data or location
data. If this data is intercepted, it can be used for malicious purposes. For example,
attackers can steal personal data and use it for identity theft or blackmail.

Financial Risks

Financial risks are related to the financial loss of the user. IoT devices can be used for
financial transactions, such as online shopping or banking. If an IoT device is compro-
mised, attackers can steal financial information and use it to make unauthorized
purchases or transfers.

Notable Examples of IoT Security Breaches

Several high-profile IoT security breaches have occurred in recent years, highlighting
the need for better security measures. Some notable examples include:
• Mirai Botnet: In 2016, the Mirai botnet infected more than 600,000 IoT devices,
including cameras, routers, and digital video recorders. In order to disrupt DNS
services, the botnet was utilized to perform a massive, distributed denial of service
(DDoS) attack [5, 86].
Security
63 Challenges in IOT K. Igulu et 63
al.

• Jeep Hack: In 2015, a group of hackers demonstrated how they could take control
of a Jeep Cherokee remotely. The hackers were able to manipulate the car’s air
conditioning, radio, and even its brakes [6, 24, 54].
• St. Jude Medical Hack: In 2017, a security researcher discovered that it was
possible to hack into St. Jude Medical’s pacemakers and defibrillators. The vulner-
ability could have been exploited to remotely control the devices or to drain their
batteries [10, 26, 29].
• Smart Home Device Hacks: Many smart home gadgets, including smart locks
and security cameras, were discovered to be hackable in 2020. Because of this,
hackers may be able to enter people’s houses or spy on them [55, 57, 73] (Shilpa
Sharma 2021).
• Target breach: Using a flaw in a contracted HVAC (Heating, Ventilation, and
Air Conditioning) system, hackers were able to breach Target’s payment system
in [Link] hackers’ success in stealing credit card information for millions of
Target consumers highlights the dangers of interconnected Internet of Things
(IoT) devices and vital infrastructure [50, 59, 66].
• Baby monitor hack: In 2015, a family in Houston, Texas, discovered that their
baby monitor had been hacked when they heard a stranger’s voice coming from
the device. The baby monitor had been connected to the internet without proper
security measures, allowing the attacker to access the device and monitor the
family’s activities [23, 32, 33].
• Stuxnet worm: In 2010, Iran’s nuclear program was attacked using the Stuxnet
worm, which specifically targeted the country’s industrial control systems. The
centrifuges used in uranium enrichment were controlled by programmable logic
controllers (PLCs), which the worm exploited, causing them to malfunction and
destroying the program [38].
These examples demonstrate the importance of IoT security, and the potential risks
associated with insecure IoT devices and systems. It is essential to implement proper
security measures, including access control, network segmentation, and behavioral
analytics, to protect IoT devices and data from potential security breaches.

Physical Risks

Physical risks are related to the safety of the user. IoT devices can be used to control
physical systems, such as door locks or medical equipment. If an IoT device is
compromised, attackers can control the physical system and cause harm to the user.
For example, attackers can remotely unlock the door of a house and break into it.
Security
64 Challenges in IOT K. Igulu et 64
al.

Solutions to IoT Security Challenges

Even though Internet of Things comes with tremendous security issues when
compared to traditional systems, numerous researchers have also provided solutions
for the challenges that Internet of Things presents to security. In the parts that follow,
we’ll talk about some of the ways in which the problems with IoT security could be
fixed. Vasilomanolakis et al. [76] provide a taxonomy of such approaches.

Trust Management

According to both Yu et al. [84] and Hossain et al. [35], trust management is crucial
to the IoT. Having a system in place to manage trust can help individuals deal with
the risks and uncertainties of the Internet of Things. Trust involves guaranteeing
someone’s safety and keeping their business private. According to Bekkali et al.
[11], Ferraris et al. [20] and Tsunoda et al. [74], trust is a key component of the
IoT. They claim that consumers’ experiences with the Internet of Things’ various
features are crucial to their faith in the network as a whole. Users need agency over
their service experiences and transparency into their interactions with systems. They
also think that establishing a reliable governance system can boost people’s faith in
IoT.
Trust management in the IoT is multidimensional as explored in [42]. New decen-
tralized trust models, trust mechanisms for cloud computing, and the creation of
trust-based apps at the node level are the three focus areas for IoT trust research.
They argue that trust evaluations must be automated and unbiased.

Authentication

Zhang and Green [85] provide several different authentication models for use with the
internet of things. Some examples of these models are the gateway model, the trust
chain model, the security token model, and the global trust tree model of authentica-
tion. Every model comes with both positives and negatives specific to it. Mahmoud
et al. [47] discusses authentication mechanisms as well. They describe a method that
only requires one cipher and one time to use it, and utilizes a request-reply technique.
Though very trivial but strong passwords and multi-factor authentication should
be adopted.
Strong Passwords: Strong passwords are essential for IoT devices. Passwords
should be long and complex, and different for each device.
Multi-Factor Authentication (MFA): With MFA, users are required to submit
not one but two different types of authentication before getting access to an IoT
device.
Security
65 Challenges in IOT K. Igulu et 65
al.

In addition to authentication, the following are examples of various forms of

access control that should be implemented in in IoT deployments:
• Role-based access control: Access to IoT resources and data should be restricted
based on the user’s role or job function. This can help to limit access to sensitive
data or critical systems and reduce the risk of unauthorized access or data breaches.
• Device authentication: IoT devices should be authenticated before they are
allowed to connect to the network or access IoT resources. This can be
achieved through digital certificates, unique identifiers, or other forms of device
authentication.
• Network segmentation: IoT networks can be segmented to limit the scope of a
potential security breach and reduce the attack surface of IoT devices and systems.
Access to each network segment can be restricted based on the user’s role or job
function.
• Audit logging: All access to IoT devices, applications, and data should be logged
and monitored. This can help to detect and prevent unauthorized access or data
breaches and provide a record of all access activity.

Privacy Solutions

Data privacy is also an important consideration when implementing IoT security

measures. Companies need to take precautions to safeguard their data and the privacy
of their customers. Encryption, firewalls, and other forms of access control are all
part of this strategy. Companies must also keep their systems patched and updated
to fix any security holes that may have appeared.
Tsunoda et al. [74] present several potential answers to the problems with privacy.
One of these principles is called “privacy by design,” and it stipulates that users should
be provided with the opportunity to take control of their own data. Transparency is
yet another guiding principle. In the context of loT, transparency refers to the idea
that users should be aware of which entities are handling their data, as well as how
and when those companies are using the data. The management of data is the third
recommendation that they provide. Taking this step requires determining who over-
sees keeping the secrets. Data management policies and enforcement mechanisms
should address an extensive array of usage cases. To deal with the issue of managing
IoT data in cloud environments, [31] propose a method called User-driven Privacy
Enforcement for Cloud-based Services on the Internet of Things (UPECSI). With
UPECSI, users may manage their sensitive information before it is even sent to the
cloud.
Users also need to be educated on the security concerns associated with the
IoT revolution, and this is something that businesses should take care of. Giving
users access to the resources they need to keep their data safe and conducting routine
reviews of security policies and procedures are both essential. Additionally,
businesses should make testing and monitoring of their systems a regular practice.
Security
66 Challenges in IOT K. Igulu et 66
al.

Finally, businesses need to test and monitor their systems frequently for problems.
Automated tools for incident detection and response, as well as routine security
audits, fall under this category. To further guarantee the safety of their data in the
event of a security breach, businesses must also have a thorough backup and recovery
plan in place.
Encryption can help in privacy management by securing data that is transmitted
between IoT devices and servers, as well as data that is stored on the devices them-
selves. End-to-end encryption ensures that only the intended recipients can read the
data.
Manufacturers of IoT devices should develop privacy policies that are open, simple
to comprehend, and compliant with industry standards.

Policy Enforcement

An approach to the security of loT devices that is based on software is presented in

[84]. Their answer is a security architecture that is made up of miniature security
functions that are denoted with the symbol mboxes. A centralized loTSec controller
is included in the architecture. This controller keeps an eye on the surrounding
environment and generates a global picture to facilitate the enforcement of policies
across multiple devices. From this point of view, administrators have the ability to
configure and instantiate new mboxes, as well as their routing methods.

Fault Tolerance

In order for Internet of Things systems to be reliable, [74] list a number of require-
ments. There are three necessities for fault tolerance in the loT to be realized. First
and foremost, security needs to be turned on by default for all devices. The second
essential requirement is to provide all IoT devices with the capability to contin-
uously monitor the network and its services without restrictions. Moreover, it is
crucial for every device to possess self-defense mechanisms against potential threats
and network failures. These components should be capable of promptly responding
to service attacks and efficiently restoring them to their normal functioning state.

Secure Communication

According to [44], the protocol stack of IoT devices will seek to mimic that of conven-
tional Internet hosts in order to provide the groundwork for an enlarged internet. They
argue that this allows the Internet of Things to take advantage of many existing secu-
rity measures. In addition, secure communication protocols for the IoT are explored
Security
67 Challenges in IOT K. Igulu et 67
al.

in [56]. They look into both asymmetric key-based security solutions and symmetric
pre-distributed-key-based security solutions.
Secure communication protocols can reduce the network vulnerabilities of IoT
devices. In today’s digital era, security has become a top priority for almost every
business. With the expanding use of Internet of Things devices, guaranteeing the
security of transmitted data has become a major challenge. To limit the hazards
connected with IoT devices, it is vital to employ secure communication protocols
that encrypt the transferred data, such as TLS or SSL. In order to strengthen the
overall security of IoT devices, it is essential to prioritize the deployment of these
protocols.

Secure Routing

In the realm of IoT security, secure routing protocols play a crucial role. These
protocols ensure that sensitive data transmitted across networks remains secure
and protected from potential attacks. There are several examples of such proto- cols,
including the trust-aware secure routing framework (TSFR), the secure multi- hop
routing protocol (SMRP), the group-based trust management scheme (GTMS), the
two-way acknowledgment-based trust (2-ACKT) protocol, and the collaborative
lightweight trust-based routing protocol [3]. As IoT continues to evolve, the need for
robust security measures will only increase, making secure routing protocols a top
priority for organizations and businesses alike.

DDoS Protection

A Leaming Automata (LA) has been proposed as a countermeasure to Distributed

Denial of Service assaults in IoT networks [62, 85]. The LA would make an intelli-
gent determination based on the environment regarding the packet sampling rate. The
DDoS protection component works by constantly monitoring the requests received
by each device during the detection phase. If the device detects a pre-set maximum
capacity being surpassed, it immediately issues a DDoS warning to the neighboring
nodes. This warning notifies the neighboring nodes about the threat and allows them
to take necessary precautions to mitigate it. In essence, the DDoS protection compo-
nent is a crucial feature that ensures the security and safety of IoT devices. With its
robust monitoring capabilities and preemptive warning system, it plays a vital role
in safeguarding the Internet of Things from potential cyber threats. As the use of IoT
devices continues to expand, it is essential to prioritize their security to ensure their
safe and successful integration into our daily lives. As soon as the warning is sent, the
devices will begin to conduct an IP address scan in an effort to identify the attacker.
After the attacker has been located, the remaining nodes will be informed of this
Security
68 Challenges in IOT K. Igulu et 68
al.

threat and will immediately discard any packets that originate from the attacker’s IP
address [17, 22, 30, 69, 85].
[80] present a method based on this principle for detecting and averting DDoS
attacks in IoT networks. Taking a copy of the sink node’s configuration is another
option (a node that collects data from sensors). This new node would function as
a redundant channel, performing a portion of the sink node’s duties. It has been
calculated that this strategy is financially viable [62, 85].

Spam Prevention

It is imperative to have measures in place to prevent spam and unwarranted dissemi-

nation of material. Using digital signatures to verify data in 2D barcodes is a popular
approach described by [67]. This technique entails encoding the original content,
digitally signed content, and the public key of the individual who made the barcode
within the barcode itself. Once a user scans the barcode into their computer, they can
verify the author’s identity by visiting the URL generated by the code. Additionally,
an application could be used to verify the contents of the QR code and its position
in the certificate chain [67].
With the use of digital signatures, the security of IoT devices can be significantly
enhanced. It provides an effective way of ensuring that the content being accessed is
authentic and has not been tampered with. As such, this solution is gaining popularity
among businesses and organizations that rely on the security of IoT devices to conduct
their operations.

Secure Software Development

Secure software development can reduce the software vulnerabilities of IoT devices.
IoT devices must be designed with security in mind from the beginning. This includes
regular software updates and patches to fix vulnerabilities [22, 72].

LoT Architectures

Several other IoT architectures are presented in the literature [76]. The objective of
an IoT architecture is to link physical devices with their digital counterparts that
generate services and the like. IoT architectures include Open source cloud solutions
for the Internet of Things (OpenioT), the IoT at Work (IoT@Work), and the Internet
of Things architecture (IoT-A) [76].
Security
69 Challenges in IOT K. Igulu et 69
al.

Regulatory Solutions

The Internet of Things (IoT) is a rapidly evolving concept that has caught the attention
of governments around the world. As Weber [78] explains, the European government
has been proactive in its efforts to regulate the IoT. In 2007, the European Union
recognized the IoT as a legitimate concept and in 2009, a 14-point strategic action
plan was developed. However, as the technology continued to advance, concerns
about data protection and security emerged.
In 2012, it became evident that there were significant differences of opinion
between users and industry stakeholders regarding data protection in the context
of the IoT. The European Commission recognized the need for clear, comprehensive
rules governing the use of IoT devices, and in 2013, the task of developing such rules
was assigned to the European firm RAND [14, 48, 68].
Since then, the issue of IoT security has remained at the forefront of public debate,
with governments and industry leaders working together to find solutions that will
safeguard personal information and protect against cyber-attacks [16, 48, 70, 77, 83].
However, things are less cut and unambiguous in the United States. Most discus-
sions happen inside the many federal departments that focus on different aspects of
the Internet of Things. In 2013, the Federal Trade Commission (FTC) initially asked
for public feedback on the privacy and security of the Internet of Things. More than
60% of the 27 responses were negative to regulatory intervention. The FTC hosted
a session on the IoT later that year. The study’s authors concluded that regulation
should be based on whether or not businesses expect to make money solely from
selling IoT devices, or whether or not they expect to make money from selling user
data as well [48, 70].
IoT (Internet of Things) devices and the data they collect and transmit are only
as safe and private as the security standards and regulations that govern them. The
healthcare, transportation, and energy sectors all rely heavily on IoT devices, making
them prime targets for destructive cyberattacks [48].
Security standards and regulations set guidelines and requirements for manufac-
turers and service providers to follow when designing, developing, and deploying
IoT devices. They provide a framework for assessing and managing security risks,
implementing security controls, and ensuring that the devices comply with industry
best practices.
Some of the key security standards and regulations in IoT include:
ISO/IEC 27,001: Information security management systems should adhere to this
standard since it has international credibility. Protecting private information, such
as that gathered by Internet of Things gadgets, is made easier with this methodical
approach [14, 75].
NIST Cybersecurity Framework: The National Institute of Standards and Tech-
nology developed the NIST framework as a set of standards, recommendations, and
best practices to aid in the control of cyber risks. It helps organizations better prepare
for, respond to, and recover from cyberattacks [48, 77].
Security
70 Challenges in IOT K. Igulu et 70
al.

GDPR: The General Data Protection Regulation is a comprehensive privacy law

that must be followed by all European Union (EU) countries. It lays up strin-
gent guidelines for the collection, processing, and storage of sensitive personal
information. If an IoT device gathers or processes data about EU residents, it
must do so in accordance with the General Data Protection Regulation (GDPR)
[2, 8, 43, 52, 68, 70].
HIPAA: The federal government of the United States enacted the Health Insur-
ance Portability and Accountability Act to protect the privacy of medical records.
Medical IoT devices must be HIPAA-compliant so that sensitive patient information
is protected [2, 25].
IEEE 802.1X: This network access control standard provides a way of authen-
tication for IoT devices that connect to a network. It aids in preventing unwanted
access and guarantees that only authorized devices have network access [9, 41].
The basis for protecting the security and privacy of IoT devices and data is provided
by security standards and legislation. Compliance with these standards and regula-
tions is essential for protecting critical infrastructure and maintaining trust in the IoT
ecosystem.
Given the complex nature of the IoT, ensuring security and data protection will
require ongoing collaboration between stakeholders and a commitment to imple-
menting best practices and standards. It is only through such efforts that the vast
potential of the Internet of Things can be realized in a manner that is safe, secure,
and sustainable over the long term. It determined that “soft law,” which incorporates
rules, oversight, and ethical character while yet guaranteeing industry independence,
is the optimal regulatory approach for the Internet of Things.

Physical Security

Locking cabinets or rooms in which IoT devices are stored can help prevent illegal
physical access to these devices. Physical security on the IoT refers to the precautions
taken to prevent the loss, compromise, or tampering of IoT hardware and infrastruc-
ture. Protecting IoT devices and infrastructure against unauthorized physical access
and tampering is a crucial part of overall IoT security [7, 82].
Here are some ways physical security can be implemented in IoT [12, 81, 82]:
• Device placement: IoT devices should be placed in secure locations where they
are less likely to be accessed by unauthorized individuals. For example, devices
can be placed in locked rooms or cabinets, or secured to walls or floors.
• Access control: Access to Internet of Things devices must be controlled to only
authorized individuals. This is possible using physical keys, access cards, or
biometric authentication.
• Video surveillance: Video cameras can be used to monitor the physical environ-
ment where IoT devices are deployed. This can help to deter theft or vandalism
and provide evidence in case of a security incident.
Security
71 Challenges in IOT K. Igulu et 71
al.

• Tamper-evident seals: Tamper-evident seals can be used to indicate if a device

has been tampered with or opened without authorization. This can help to detect
and prevent physical attacks on IoT devices.
• Environmental monitoring: Environmental sensors can be used to monitor the
physical environment where IoT devices are deployed. This can help to detect
changes in temperature, humidity, or air quality that may indicate a security threat.
Physical security is an important aspect of IoT security that should not be
overlooked. By employing physical security measures, corporations may prevent
attackers from physically accessing or tampering with Internet of Things (IoT)
devices and systems, as well as secure the confidentiality, integrity, and availability
of IoT data.

Network Segmentation

Network segmentation can help prevent a compromised IoT device from spreading
malware or other threats to other devices on the same network. Network segmentation
in IoT involves dividing an IoT network into smaller, more secure subnetworks or
segments. This can help to improve security by limiting the scope or spread of a
potential security breach and reducing the attack surface of IoT devices and systems
[12, 36].
Here are some ways network segmentation can be used in IoT [16, 36, 37]:
• Device segmentation: IoT devices can be grouped into smaller subnetworks based
on device type, location, or function. This can assist in limiting the spread of
a potential security breach and lower the likelihood of unauthorized access to
sensitive data or essential systems.
• Application segmentation: IoT applications can be separated into smaller subnet-
works based on their function or sensitivity. This can help to protect critical
applications and data from unauthorized access or tampering.
• User segmentation: Users can be assigned to specific subnetworks based on their
role or access requirements. This can help to limit the exposure of sensitive data
or systems to unauthorized users.
• Data segmentation: IoT data can be separated into smaller subnetworks based
on its sensitivity or importance. This can help to protect critical data from
unauthorized access or tampering.
Overall, network segmentation in IoT can help to improve security by limiting
the scope of a potential security breach, reducing the attack surface of IoT devices
and systems, and providing more granular control over access to sensitive data or
critical systems. However, network segmentation can also increase complexity and
management overhead, so it should be implemented carefully and with consideration
of the overall security posture of the IoT network.
Security
72 Challenges in IOT K. Igulu et 72
al.

Data Anonymization

IoT devices can anonymize data by removing personally identifiable information

from it. This safeguards users’ privacy while granting businesses access to valuable
data for research and insight. Data privacy protection relies on the removal of PII,
or personally identifiable information. Data anonymization is a crucial method for
ensuring the privacy of consumers whose information is being gathered and processed
by Internet of Things (IoT) devices and systems [27, 45].
Here are some ways data anonymization can be implemented in IoT:
• Pseudonymization: Pseudonymization involves replacing identifiable data with
pseudonyms or unique identifiers to protect the identity of individuals. This can
be accomplished by substituting personal data such as addresses, names, and
mobile numbers with random or unique IDs.
• Data aggregation: Data aggregation involves combining data from multiple
sources to create a larger dataset while removing personally identifiable infor-
mation. As a result, it becomes more challenging to identify particular persons
from the data, which might aid in protecting individuals’ privacy.
• Data masking: Data masking entails changing or removing portions of data that
could be used to identify specific individuals. This can include masking or deleting
sensitive data such as credit card numbers, ssn, or medical information.
• Differential privacy: Using noise or randomization, differential privacy makes it
harder to determine the identities of specific people in a dataset. This method can
assist safeguard personal information while still facilitating research.
In general, data anonymization is a crucial method for shielding the privacy of
individuals whose information is being processed by Internet of Things (IoT) gadgets
and infrastructure. Organizations can adhere to data protection requirements such as
the General Data Protection Regulation and the California Consumer Privacy Act
as well as preserve the privacy of their customers and employees by using data
anonymization procedures.

Behavioral Analytics

Behavioral analytics can help identify unusual behavior on IoT devices that may
indicate a security threat. It involves using data analytics techniques to monitor
and analyze the behavior of IoT devices and users. It helps to identify patterns
and anomalies in device behavior, which can indicate potential security threats or
performance issues [18, 21].
Here are some ways behavioral analytics can be used in IoT [4, 34, 45]:
• Anomaly detection: Behavioral analytics can be used to detect anomalies in
device behavior that may indicate a security breach or malfunction. By analyzing
Security
73 Challenges in IOT K. Igulu et 73
al.

patterns of behavior, such as communication patterns or usage patterns, behavioral

analytics can identify deviations from normal behavior and trigger alerts.
• Predictive maintenance: Behavioral analytics can be used to identify patterns in
device behavior that may indicate potential maintenance issues. By analyzing
device performance data, such as sensor readings or error logs, behavioral
analytics can predict when a device may require maintenance or repair.
• User behavior analysis: User activity can be analyzed using behavioral analytics
to discover potential security threats. By analyzing user activity, such as logins or
data access patterns, behavioral analytics can detect anomalies in user behavior
that may indicate a security breach.
• Fraud detection: Behavioral analytics can be used to detect fraud in IoT systems.
By analyzing patterns in device behavior or user activity, behavioral analytics
can detect fraudulent activities, such as fake sensor readings or unauthorized data
access.
• Performance optimization: Behavioral analytics can be used to optimize device
performance. By analyzing usage patterns and device behavior, behavioral
analytics can identify areas where device performance can be improved and make
recommendations for optimization.
Overall, behavioral analytics in IoT can help to improve security, performance,
and reliability of IoT devices and systems by providing insights into device behavior
and identifying potential issues before they become major problems.

Preventing Hacking and Malware Attacks

In today’s digital age, it is of the utmost importance to ensure the security of orga-
nizational systems. With the proliferation of IoT devices, the threat of hacking and
malware assaults has grown. Organizations must take proactive steps to protect their
systems from such malicious activities. Strong security measures such as the use of
complex passwords, two-factor authentication, and access control measures must be
adopted [39, 46, 64].
Moreover, it is essential to regularly update and patch the systems to address any
new vulnerabilities that may arise. The consequences of a security breach can be
disastrous, leading to data loss, financial loss, and reputational damage. Therefore,
organizations must make security a top priority and invest in the necessary resources
and technologies to safeguard their systems [1, 55, 61].
Given the evolving nature of cyber threats, it is crucial to stay vigilant and keep up
with the latest security trends. Organizations must conduct regular security audits to
identify potential weaknesses and take corrective measures. By adopting a proactive
security strategy, firms may reduce the likelihood of hacking and malware assaults,
thereby protecting the safety and confidentiality of their data [53].
Firms also need to do their part to make sure their users understand the secu-
rity dangers associated with the IoTs. This involves assessing security policies and
 Security
74 Challenges in IOT K. Igulu et 74
al.

procedures on a regular basis and giving users the resources, they need to keep their
data safe. In addition, organizations should guarantee that their systems are routinely
tested and monitored for any problems [53].
Lastly, companies should ensure that their systems are routinely tested and moni-
tored for any problems. This includes the use of automated tools to detect and respond
to security incidents, as well as the implementation of regular security audits. Addi-
tionally, organizations should ensure that they have a comprehensive backup and
recovery plan in place to ensure that their data is safe in the event of a security breach
[53].

The Need for Robust IoT Security Measures

Given the potential security risks posed by the IoT revolution, it is essential that
organizations take steps to protect themselves. To protect data and ensure the secu-
rity of IoT devices, strict security measures must be implemented. Access control
techniques, encryption, and firewalls are all part of this effort to keep out intruders.
In addition, businesses must keep their systems patched and updated to close security
holes when they are discovered [51, 53].
Companies also need to do their part to make sure their customers understand
the security dangers associated with the Internet of Things. Giving users access to
security-related resources and conducting routine reviews of security policies and
procedures are both essential. Finally, businesses should make testing and monitoring
their systems a routine practice.

Conclusion

To provide a safe and secure environment, the IoT revolution brings numerous and
sophisticated security concerns that must be addressed. Organizations must take
proactive steps to protect their data and equipment. This involves implementing
robust security measures like strong passwords, two-factor authentication, and access
controls. Regularly updating and patching systems is also crucial to address emerging
vulnerabilities.
Furthermore, educating users about IoT security risks is essential. Providing users
with necessary tools and resources to protect their data and conducting regular
reviews of security policies and procedures are important steps. Continuous testing
and monitoring of systems are vital to identify and address potential issues. Auto-
mated tools can aid in detecting and responding to security incidents, while regular
security audits ensure ongoing evaluation.
Moreover, organizations should establish comprehensive backup and recovery
plans to ensure data safety in case of a security breach. By addressing these challenges

View publication stats