Abomhara 2014


Security and Privacy in the Internet of Things:

Current Status and Open Issues


Mohamed Abomhara
Department of Information and Communication Technology
University of Agder, Grimstad, Norway
Email: [email protected]

Geir M. Køien
Department of Information and Communication Technology
University of Agder, Grimstad, Norway
Email: [email protected]

Abstract—The Internet of Things at large will foster billions of devices, people and services to interconnect and exchange information and useful data. As IoT systems will be ubiquitous and pervasive, a number of security and privacy issues will arise. Credible, economical, efficient and effective security and privacy for IoT are required to ensure exact and accurate confidentiality, integrity, authentication, and access control, among others. In this paper, the IoT vision, existing security threats, and open challenges in the domain of IoT are discussed. The current state of research on IoT security requirements is discussed and future research directions with respect to IoT security and privacy are presented.

I. INTRODUCTION

The overall IoT context will consist of billions of individuals, individual devices, and services that can interconnect to exchange data and useful information [1]. Due to swift advancements in mobile communication, Wireless Sensor Networks (WSNs) and Radio Frequency Identification (RFID) innovation, things and mechanisms in IoT can potentially collaborate with one another anytime, anywhere and in any form [2, 3]. There are many possible application areas thanks to these smart things or objects. The major IoT target is the formation of smart environments and self-conscious/autonomous devices: smart transport, smart items, smart cities, smart health, smart living, and so on [4, 5].

In terms of business, IoT represents a tremendous prospect for different types of organizations, including IoT applications and service providers, IoT platform providers and integrators, telecom operators and software vendors [6]. According to some estimates, over 30 billion connected things with more than 200 billion intermittent connections [7] will generate approximately EUR714 billion in revenue by 2020 [8]. Many vertical segments are expected to experience a double-digit growth in upcoming years. Among the most prospective vertical application domains are consumer electronics, automotive industries, and healthcare, as well as intelligent buildings and utilities.

With the rapid increase in IoT application use, several security and privacy issues are observed. When nearly everything will be connected to each other, this issue will only become more pronounced, and constant exposure will literally reveal additional security flaws and weaknesses. Such limitations may subsequently be exploited by hackers, and in a statistical sense all exposed flaws and weaknesses may be abused in an environment with billions of devices [9].

However, in the absence of solid security in place, attacks and malfunctions in the IoT may outweigh any of its benefits [10]. Scalability factors and various restrictions on device capabilities also mean that traditional cryptography mechanisms, security protocols, and protection mechanisms are unavailable or insufficient [11].

The baseline security must be robust and the security architecture must be designed for long system life cycles (>20 years), something indeed challenging. Dealing with large device populations further makes it understandable that some devices will be compromised. Therefore, new methodologies and technologies ought to be developed to meet IoT requirements in terms of security, privacy and reliability [12].

The rest of the paper is organized as follows. In section II an overview of the IoT vision, architecture, application and supporting technologies is provided. Section III identifies some of the attacker models and threats, provides an outline of existing IoT security challenges and describes the security requirements in the IoT. Section IV presents a summary of the research state of current technologies. Finally, in section V future research directions are discussed and the paper is concluded.

II. THE IOT VISION

The IoT vision is to revolutionize the Internet, to create networks of billions of wireless identifiable objects and devices, communicating with each other anytime, anyplace, with anything and anyone using any service. The increasing enhanced processing capabilities of RFID technologies, wireless sensor networks (WSNs) and storage capacity at lower cost may create a highly decentralized common pool of resources interconnected by a dynamic system of networks.

Through IoT architecture, intelligent middleware will be capable of creating dynamic maps of the physical world within the digital/virtual sphere by applying high temporal and spatial resolution and combining the characteristics of ubiquitous sensor networks and other identifiable things. Figure 1 shows the symbiotic interaction among the real/physical, digital, and virtual worlds with society [13].

Fig. 1. Internet of Things - a symbiotic interaction among the real/physical, the digital, virtual worlds and society (Source [13])

In fact, communications in the IoT will take place not only between devices but also between people and their environment as presented in Figure 2. All individual objects of our everyday life such as people, vehicles, computers, books, TVs, mobile phones, clothes, food, medicine, passports, luggage, etc., will have at least one unique identification allowing them to correspond with one another. Furthermore, since these objects can sense the environment, they will have the capability to verify identities and communicate with each other, such that they will be able to exchange information and become means for understanding complexity, and may often enable autonomic responses to difficult scenarios without human involvement.

Fig. 2. Internet of Everything (Source [7])

The IoT systems will yield tangible business benefits. Once many of these advantages are achieved, such as decentralizing business processes, each thing will have the capacity to interact individually and build up a distinctive life history of its activities and interactions over time. Also possible will be high-resolution management of assets and products, improved life-cycle management and better collaboration between enterprises.

A. IoT Architectures

Implementing IoT necessitates an open architecture based on several layers to maximize interoperability among heterogeneous systems and distributed resources. There are various research articles on studies of different IoT architecture instances. For example, Debasis and Jaydip [3] showed that IoT is founded on architecture consisting of several layers, from the field data acquisition layer at the bottom to an application layer at the top. Such layered architecture is to be designed in such a way that the requirements of various industries, enterprises, societies, institutes, and governments can be met. Internet layers serve the purpose of common media for communication, the access gateway layer and edge layer contribute to data capturing, while the application layer is responsible for data utilization in applications. In another example, in [14] Chen and others indicated that IoT architecture can be primarily divided into three layers: the perception layer, which assumes information collection, the network layer, for information transmission, and the application layer to realize recognition and perception between objects and objects, and people and objects, and to perform an intelligence function.

Moreover, there are numerous other projects funded by universities and various government bodies for studying the requirements of IoT architecture with the aim to provide an architectural reference [15, 16].

Architecture standards should comprise well-defined abstract data models, interfaces and protocols, together with concrete bindings to neutral technologies in order to support the widest possible range of humans, software, smart objects or devices, operating systems and programming languages [17].

B. IoT Application Domains

Enabling objects to interrelate in our everyday living and working environments makes many applications possible through the elaboration of information gathered from surroundings. The IoT facilitates the development of numerous applications, either closely or directly applicable to our present existence, of which only few are currently deployed. Some of the more significant examples of IoT applications are categorized into the following domains: personal and social, enterprises and industries, service and utility monitoring, and mobility and transportation [5].

1) Personal and social domain: The applications falling in this category permit users to interact with their surroundings (home and work) or with other people to maintain and build social relationships [2].

2) Mobility and transportation domain: Vehicles and even roads, with power processors, actuators and sensors, are becoming instrumental to providing suitable transportation information by collecting important data about traffic control and guidance [3, 18]. Traffic Information Grid (TIG) [19] and Intelligent Traffic Information Service (ITIS) [20] are some of the more successful transportation applications in the IoT.

3) Enterprises and industries domain: Activities involve financial or commercial transactions between companies, industries, organizations and other entities including manufacturing, logistics, service sectors, banking, financial governmental authorities, intermediaries, etc. [13].

4) Service and utility monitoring: This domain usually deals with the protection, monitoring and development of all natural resources, from agriculture and breeding, to recycling, environmental management services, energy management, and so on.

C. Supporting Technologies

The advanced development of technologies like communication capabilities, sensors, smart phones, cloud computing, network virtualization and software will enable items to connect with each other all the time, everywhere [7]. The basic concept behind IoT is to interconnect any product in the physical world with the digital world. Several technologies support the concept of IoT, as follows:

1) Identification technologies: Wireless Sensor Networks (WSN) and Radio-Frequency Identification (RFID) are expected to play a key role as enablers of identification technology in IoT [2, 6, 13, 21].

2) Networks and communication technologies: Wire and Wireless technologies (e.g., GSM and UMTS, Wi-Fi, Bluetooth, ZigBee) will allow billions of devices and services to be connected [22–24]. Scalable and secured architectures designed for IoT network communication are required for secure and reliable wireless communication networks based on wireless identifiable devices and services [3].

3) Software and hardware technologies: Research on nanoelectronics devices focuses on miniaturization, low cost and increased functionality in the design of wireless identifiable systems [13]. Smart devices with enhanced inter-device communication will lead to smart systems with high degrees of intelligence and autonomy, facilitating the rapid IoT application deployment and creating new services [17].

III. SECURITY THREATS AND CHALLENGES IN IOT

The three core issues with the IoT are privacy for humans, confidentiality of business processes and third-party dependability. It is acknowledged that in the IoT setting, there are four interconnected, interacting components (people, objects, software and hardware) that communicate over public, untrusted networks. These are bound to be confronted with security, privacy and open trust problems. Therefore, questions regarding users, servers and trusted third parties, as discussed in [25], must be addressed. In such a situation, security can be defined as an organized framework consisting of concepts, beliefs, principles, policies, procedures, techniques, and measures required to protect individual system assets as well as the system as a whole against any deliberate or unintentional threat. All these interactions must also be secured by one means or another, to ensure data and service provisioning of all significant parties and restrict the number of incidents that will influence the entire IoT.

The remainder of this section identifies some of the attacker models related to IoT, an overview of existing IoT security challenges and IoT security requirements.

A. Intruder models and threats

Owing to previous vulnerabilities in conventional internet networks, IoT now faces various passive and active attacks that may easily hinder its functionality and nullify the benefits of using its services. Passive attacks are able to recover information from the network yet do not impact its behavior. However, active attacks directly hinder service provisioning [26]. Threats can be classified into external threats that originate from outside the network and internal threats that originate from within the network [27, 28]. Internal attacks tend to be more serious compared with external attacks since the insider knows valuable and secret information, and possesses privileged access rights. According to the Computer Security Institute (CSI) and the FBI, approximately 60 percent to 80 percent of network misuse originates from inside the network [29, 30].

The different types of threats that target IoT are detailed in the following subsections.

1) Intruder Model: A Dolev-Yao (DY) type of intruder shall generally be assumed [31, 32]. That is, an intruder which is in effect the network (Section 3.4 in [33]) and which may intercept all or any message ever transmitted between IoT devices and hubs. The DY intruder is extremely capable and can even surpass the NSA. But while its capabilities are slightly unrealistic, “attacks only get better, they never get worse” remains to be considered (a quote attributed to Bruce Schneier). Thus, safety will be much stronger if our IoT infrastructure is designed to be DY intruder resilient.

However, the DY intruder lacks one capability that ordinary intruders may have, namely, physical compromise. Thus, tamper-proof devices are also greatly desirable. This goal is of course unattainable, but physical tamper resistance is nevertheless a very important goal, which, together with tamper detection capabilities (“tamper evident”), may be a sufficient first-line defense.

Generally, it will be assumed that our “IoT intruder” has full DY intruder capabilities in addition to some limited physical compromise power. We will presume that the physical compromise attacks do not scale, and that they will therefore at worst affect only a limited population of the total number of IoT devices. The IoT architecture must consequently be designed to cope with compromised devices and be competent in detecting such incidents.

2) Denial-of-service attacks (DoS): This kind of attack is an attempt to make a machine or network resource unavailable to its intended users. Due to low memory capabilities and limited computation resources, the majority of devices in IoT are vulnerable to resource enervation attacks. Moreover, the vast majority of defense mechanisms require high computational overhead, and are subsequently not suitable for resource-constrained IoT. Since DoS attacks in IoT can sometimes prove very costly, researchers have made an extraordinary effort to distinguish different types of such attacks, and to devise strategies to defend against them. There is a great number of DoS attacks that can be launched against the IoT, such as jamming channels, consumption of computational resources like bandwidth, memory, disk space, or processor time, and disruption of configuration information (such as node information) [24, 34, 35].
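
The intruder model of subsection 1) above, as an added example that is not part of the original paper: a hub that assumes the network may alter, replay or inject any frame and that one device's key may leak, and therefore checks a per-device HMAC-SHA256 tag and a message counter before using any data. The frame layout, the names `seal`, `Hub` and `demo`, and the keys are assumptions made for illustration; the payload is authenticated but not encrypted.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HQ")   # device id (16 bit) + message counter (64 bit)
TAG_LEN = hashlib.sha256().digest_size


def seal(device_id, counter, key, payload):
    """Device side: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HEADER.pack(device_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Hub:
    """Receiver that treats the network itself as the intruder."""

    def __init__(self, device_keys):
        self.keys = dict(device_keys)             # one secret per device, never shared
        self.last_counter = dict.fromkeys(device_keys, 0)
        self.revoked = set()

    def revoke(self, device_id):
        """Stop trusting a device found to be physically compromised."""
        self.revoked.add(device_id)

    def accept(self, frame):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None or device_id in self.revoked:
            return "untrusted-device", None
        # Authenticate first, so unauthenticated input can never move the counter.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-tag", None
        # A valid tag on an old counter means a recorded frame was delivered again.
        if counter <= self.last_counter[device_id]:
            return "replay", None
        self.last_counter[device_id] = counter
        return "ok", body[HEADER.size:]


def demo():
    # Constructed demo keys; real devices would be provisioned with random secrets.
    k1 = hashlib.sha256(b"constructed key for device 1").digest()
    k2 = hashlib.sha256(b"constructed key for device 2").digest()
    hub = Hub({1: k1, 2: k2})
    verdicts = []

    genuine = seal(1, 1, k1, b"temp=21.5")
    verdicts.append(hub.accept(genuine)[0])           # delivered unchanged
    verdicts.append(hub.accept(genuine)[0])           # same frame delivered again

    altered = bytearray(seal(1, 2, k1, b"temp=21.5"))
    altered[HEADER.size] ^= 0x01                       # one bit changed in transit
    verdicts.append(hub.accept(bytes(altered))[0])

    # Device 1's key has leaked; it still cannot speak for device 2.
    verdicts.append(hub.accept(seal(2, 1, k1, b"temp=99.9"))[0])

    hub.revoke(1)                                      # compromise detected
    verdicts.append(hub.accept(seal(1, 3, k1, b"temp=21.5"))[0])
    verdicts.append(hub.accept(seal(2, 1, k2, b"temp=19.0"))[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Per-device keys are what keep a single physical compromise from scaling: revoking device 1 leaves device 2's traffic verifiable.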

3) Physical attacks: This sort of attack tampers with hardware components. Due to the unattended and distributed nature of IoT, most devices typically operate in outdoor environments, which are highly susceptible to physical attacks [35–37].

4) Attacks on privacy: Since the IoT makes large volumes of information easily available through remote access mechanisms, privacy protection in IoT is becoming increasingly challenging. The adversary need not be physically present to carry out surveillance, but information gathering can be done anonymously with very low risk. The most common attacks on user privacy are as follows [38]:

• Eavesdropping and passive monitoring: This is the most common and easiest form of attack on data privacy. If messages are not protected by cryptographic mechanisms, an adversary could easily understand the content.
• Traffic analysis: In order to effectively attack privacy, eavesdropping should be combined with traffic analysis. Through effective traffic analysis, an adversary can identify certain information with special roles and activities in IoT devices and data.
• Data mining: This enables attackers to discover information that is not anticipated in certain databases. This could be a security and privacy issue in IoT, and if information is made available, we are perhaps giving out more than we bargained for? [39, 40].

B. Security and Privacy Challenges in the IoTs

The Internet of Things is a multi-domain environment with a large number of devices and services connected together to exchange information. Each domain can apply its own security, privacy, and trust requirements. In order to establish more secure and readily available IoT devices and services at low cost, there are many security and privacy challenges to overcome. Among those challenges are:

1) User privacy and data protection: Privacy is an important issue in IoT security on account of the ubiquitous character of the IoT environment. Things are connected, and data is communicated and exchanged over the internet, rendering user privacy a sensitive subject in many research works [10, 41]. Although an abundance of research has already been proposed with respect to privacy, many topics still need further investigation. Privacy in data collection, as well as data sharing and management, and data security matters remain open research issues to be fulfilled [42].

2) Authentication and identity management: Authentication and IdM are a combination of processes and technologies aimed at managing and securing access to information and resources while also protecting things' profiles. IdM uniquely identifies objects, and authentication entails validating the identity establishment between two communicating parties [43]. It is essential to consider how to manage identity authentication in the IoT, as multiple users and devices need to authenticate each other through trustable services. Many such open research issues have been presented, for instance in [17]. In order to identify all things uniquely, an efficient identity management approach should be defined. Mobility, privacy, pseudonymity, and anonymity aspects require deeper analysis and research [42].

3) Trust management and policy integration: When a number of things communicate in an uncertain IoT environment, trust plays an important role in establishing secure communication between things. Two dimensions of trust should be considered in IoT: trust in the interactions between entities, and trust in the system from the user's perspective [34]. In order to gain user trust, there should be an effective mechanism of defining trust in a dynamic and collaborative IoT environment. The main objectives of trust research in the IoT framework are the following: first, the conception of new models for decentralized trust; second, the implementation of trust mechanisms for cloud computing; third, the development of applications based on node trust (e.g., routing, data aggregation, etc.) [42].

Trust evaluation must be automated and preferably autonomous. There are many proposals for automated trust evaluation, and one of the more interesting is the reputation-based Subjective Logic (SL) approach [44]. The SL approach even permits negative trust (distrust), which is a useful abstraction when communicating trust with human users. Within managed IoT systems it is anticipated for the IoT management entity to be a trust hub for all managed devices. Trust may be transitive between systems but needs to be subject to agreements. One model that potentially works out is the roaming agreement model found in cellular systems, whereby a subscriber can use services in other networks provided that the operators have a roaming agreement in place. Trust will ultimately necessitate a foundation, one element of which is trustworthiness. In our context, a trusted device must be able to avoid subversion. The paper “Reflections on Trust in Devices” [45] further investigates trust in devices from a human perspective and provides critical analysis on the limits of trust in software and hardware. In a post-Snowden context, this provides food for thought. A good policy framework is desired to incorporate the evaluated trust level and current threat level prior to decision making.

4) Authorization and access control: Authorization enables determining if the person or object, once identified, is permitted to have the resource. Access control means controlling access to resources by granting or denying according to a wide range of criteria. Authorization is typically implemented through the use of access controls. Authorization and access control are important in establishing a secure connection between a number of devices and services. The main issue to be addressed in this scenario is making access control rules easier to create, understand and manipulate. Additional information on access control is provided next (Sec. IV).

5) End-to-End security: Security at the endpoints between IoT devices and Internet hosts is likewise important. Applying cryptographic schemes for encryption and authentication codes to packets is not sufficient for resource-constrained IoT. For complete end-to-end security, the verification of individual identity on both ends, protocols for dynamically negotiating session keys (such as TLS and IPsec), and algorithms (for example AES and Hash algorithms) must be securely implemented. In IoT with end-to-end security, both ends can typically rely on the fact that their communication is not visible to anyone else, and no one else can modify data in transit. Correct and complete end-to-end security is required, without which many applications would not be possible.

6) Attack resistant security solution: There are diverse types of devices with different amounts of memory and limited computation resources that are connected to the internet of things. Since these devices are susceptible to attacks, there should be attack-resistant and lightweight security solutions available. Mitigation planes should be provided on devices to tackle external attacks, such as denial-of-service, flood attacks, etc.

C. Security requirement for IoTs

IoT has become one of the most significant elements of the future Internet with a huge impact on social life and business environments. As discussed in section III-A, a larger number of IoT applications and services are increasingly vulnerable to attacks or information theft. To secure IoT against such attacks, advanced technology is required in several areas. More specifically, authentication, confidentiality, and data integrity are the key problems related to IoT security [2, 46]. Authentication is necessary for making a connection between two devices and the exchange of some public and private keys through the node to prevent data theft. Confidentiality ensures that the data inside an IoT device is hidden from unauthorized entities. Data integrity prevents any man-in-the-middle modification to data by ensuring that the data arriving at the receiver node is in unaltered form and remains as transmitted by the sender. Table 1 shows a number of security components influencing IoT security functionality.

TABLE I
SECURITY COMPONENTS INFLUENCING IOT SECURITY FUNCTIONALITY

Component Name | Component Functionality | Security Goals
Authorization | Access control on devices and services | Data confidentiality; Data integrity
Authentication | Authentication of service users and devices users | Authentication; Accountability
Identity Management (IdM) | Management of identities, pseudonyms and related access policies | User privacy; Service privacy
Key exchange and Management (KEM) | Exchange of cryptographic keys | Communication confidentiality; Communication integrity
Trust management and reputation | Service trust level and collecting user reputation scores | Service trust; Service reputation

Vermesan and Friess [7] discussed security and privacy framework requirements in dealing with IoT security challenges, as follows:

• Lightweight and symmetric solutions to support resource-constrained devices.
• Lightweight key management systems to enable the establishment of trust relationships and distribution of encryption materials using minimum communication and processing resources, consistent with the resource-constrained nature of many IoT devices.
• Cryptographic techniques that enable protected data to be stored, processed and shared, without the information content being accessible to other parties.
• Techniques to support “Privacy by Design” concepts, including data identification, authentication and anonymity.
• Keeping information as local as possible using decentralized computing and key management.
• Prevention of location privacy and personal information inference that individuals may wish to keep private by observing IoT-related exchanges.

IV. THE RESEARCH STATE OF CURRENT TECHNOLOGIES

In this section, we explore the condition of research on IoT security requirements.

An overview, categorization, and analysis of security and privacy challenges in the IoT are given in [34, 47, 48]. It has been identified that the protection of user data and privacy is one of the key challenges in the Internet of Things. It is stated that lack of confidence regarding privacy results in decreased adoption among users and is therefore one of the driving factors in the success of IoT.

Roman et al. [10] contend that for IoT to fully bloom into a paradigm that will improve many aspects of daily life, open problems remain to be addressed in several areas, such as cryptographic mechanisms, network protocols, data and identity management, user privacy, self-management, and trusted architectures.

Suo et al. [11] presented a brief review of security in the IoT and discussed the research status of key technologies including encryption mechanisms, communication security, protecting sensor data and cryptographic algorithms, and concisely outlined the challenges.

A. Access Control

In literature, two main access control models have been developed: Role-based access control (RBAC) and Attribute-based access control (ABAC). Beyond classical access control, new models, so-called usage control (UCON) [49] and UCON_ABC [50], were introduced to encompass traditional access control, trust management and digital rights management. UCON enables finer-grained control over usage of digital objects than that of traditional access control policies and models. Unlike traditional access control or trust management, it covers both a centrally controllable environment and an environment where a central control authority is not available. UCON also deals with privacy issues in both commercial and non-commercial environments. The UCON_ABC model extended traditional access controls by including three decision factors of Authorizations, oBligations, and Conditions, hence called ABC [51].

Recently, a new model has been proposed by Parikshit et al. [24]. It presents a novel, integrated approach of authentication and access control in IoT devices and aims to replace existing approaches. Another RBAC model worth considering is the so-called Spatial-RBAC (SRBAC) [52, 53], which has several advantages in a highly distributed IoT system. It neatly captures the fact that threats and exposure are likely to be geographically mapped.

V. SUMMARY AND CONCLUSION

A. Summary

The Internet of Things is a dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols. Physical and virtual things have identities, physical attributes, and virtual personalities, employ intelligent interfaces and are seamlessly integrated into the information network. The vision of IoT is to allow people and things to be connected anytime, anyplace, with anything and anyone, ideally via any path/network and service. Identification technologies such as RFID and related tools will be the cornerstone of the upcoming Internet of Things. Smart components are projected to be capable of executing different sets of actions, according to the surroundings and tasks they are designed for. There will be no limit to the actions and operations these smart things can perform; for instance, devices will be able to direct their transfer, adapt to their respective environments, self-configure, self-maintain, self-repair, and eventually even play an active role in their own disposal. The IoT makes it possible to develop numerous applications either closely or directly applicable to our present living, such as personal and social domains, mobility and transportation domains, enterprise and industry domains as well as service and utility monitoring domains. In order to make IoT services available with a large number of devices communicating with each other, there are many challenges to overcome. In this paper, the security confrontations related to security services have been discussed, such as authentication, privacy, trustworthiness, and end-to-end security.

In summary, it is concluded that to realize the IoT, stronger security models are required that employ context-related security, which in return will help citizens build trust and confidence in these novel technologies rather than increase fears toward complete surveillance scenarios.

B. Future directions

According to our survey on IoT security and privacy, a great deal of research is needed in order to make the IoT paradigm become reality. In this section, future research directions are suggested:

• Security and privacy issues should be considered very seriously since IoT deals not only with huge amounts of sensitive data (personal data, business data, etc.), but also has the power to influence the physical environment with its control abilities. Cyber-physical environments must accordingly be protected from any kind of malicious attacks.
• Identifying, classifying and categorizing IoT technologies, devices and services that will drive the IoT development and support the IoT vision.
• Design of architecture standards ought to have well-defined abstract data models, interfaces and protocols, together with concrete bindings to neutral technologies in order to support the widest possible range of human beings, software, smart objects or devices.
• Development of new frameworks that address global ID schemes, identity management, identity encoding/encryption, authentication as well as the creation of global directory lookup and discovery services for IoT applications with various identifier schemes.

C. Conclusion

The main goal of this paper was to provide an explicit survey of the most important aspects of IoT with particular focus on the vision and security challenges involved in the Internet of Things. The vision of IoT will allow people and things to be connected anytime, anywhere, with anything and anyone, ideally using any path/network and any services. While Radio Frequency Identification techniques (RFID) and related technologies make the concept of IoT feasible, there are several possible application areas for smart objects. The major IoT targets include creating smart environments and self-conscious/autonomous devices, e.g., smart transport, smart items, smart cities, smart health, smart living, and so on. Numerous difficulties and challenges related to IoT are still being faced. Challenges like assuring interoperability, attaining a business model in which hundreds of millions of objects can be connected to a network, and security and privacy challenges, such as authentication and authorization of entities, are introduced. In the next few years, addressing these challenges will constantly be the focus and primary task of networking and communication research in both industrial and academic laboratories.

REFERENCES

[1] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of things (iot): A vision, architectural elements, and future directions,” Future Generation Computer Systems, 2013.
[2] L. Atzori, A. Iera, and G. Morabito, “The internet of things: A survey,” Comput. Netw., vol. 54, no. 15, pp. 2787–2805, Oct. 2010. [Online]. Available: http://dx.doi.org/10.1016/j.comnet.2010.05.010
[3] D. Bandyopadhyay and J. Sen, “Internet of things: Applications and challenges in technology and standardization,” Wireless Personal Communications, vol. 58, no. 1, pp. 49–69, 2011.
[4] D. Miorandi, S. Sicari, F. De Pellegrini, and I. Chlamtac, “Internet of things: Vision, applications and research challenges,” Ad Hoc Networks, vol. 10, no. 7, pp. 1497–1516, 2012.
[5] D. Yang, F. Liu, and Y. Liang, “A survey of the internet of things,” ICEBI-10, Advances in Intelligent Systems Research, ISBN, vol. 978, pp. 90–78 677, 2010.
[6] H. Sundmaeker, P. Guillemin, P. Friess, and S. Woelfflé, “Vision and challenges for realising the internet of things,” Cluster of European Research Projects on the Internet of Things, European Commission, 2010.
[7] O. Vermesan and P. Friess, Internet of Things: Converging Technologies for Smart Environments and Integrated Ecosystems. River Publishers, 2013.
[8] O. Mazhelis, H. Warma, S. Leminen, P. Ahokangas, P. Pussinen, M. Rajahonka, R. Siuruainen, H. Okkonen, A. Shveykovskiy, and J. Myllykoski, “Internet-of-things market, value networks, and business models: State of the art report,” 2013.
[9] M. Covington and R. Carskadden, “Threat implications of the internet of things,” in Cyber Conflict (CyCon), 2013 5th International Conference on, 2013, pp. 1–12.
[10] R. Roman, P. Najera, and J. Lopez, “Securing the internet of things,” Computer, vol. 44, no. 9, pp. 51–58, 2011.
[11] H. Suo, J. Wan, C. Zou, and J. Liu, “Security in the internet of things: A review,” in Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on, vol. 3. IEEE, 2012, pp. 648–651.
[12] G. Yang, J. Xu, W. Chen, Z.-H. Qi, and H.-Y. Wang, “Security characteristic and technology in the internet of things,” Nanjing Youdian Daxue Xuebao(Ziran Kexue Ban)/ Journal of Nanjing University of Posts and Telecommunications(Natural, vol. 30, no. 4, 2010.
[13] A. de Saint-Exupery, “Internet of things, strategic research roadmap,” 2009.
[14] C. Yuqiang, G. Jianlan, and H. Xuanzi, “The research of internet of things’ supporting technologies which face the logistics industry,” in Computational Intelligence and Security (CIS), 2010 International Conference on, 2010, pp. 659–663.
[15] J. Pan, S. Paul, and R. Jain, “A survey of the research on future internet architectures,” Communications Magazine, IEEE, vol. 49, no. 7, pp. 26–36, 2011.
[16] A. P. Castellani, N. Bui, P. Casari, M. Rossi, Z. Shelby, and M. Zorzi, “Architecture and protocols for the internet of things: A case study,” in Pervasive Computing and Communications Workshops (PERCOM Workshops), 2010 8th IEEE International Conference on. IEEE, 2010, pp. 678–683.
[17] O. Vermesan, P. Friess, P. Guillemin, S. Gusmeroli, H. Sundmaeker, A. Bassi, I. S. Jubert, M. Mazura, M. Harrison, M. Eisenhauer et al., “Internet of things strategic research roadmap,” O. Vermesan, P. Friess, P. Guillemin, S. Gusmeroli, H. Sundmaeker, A. Bassi, et al., Internet of Things: Global Technological and Societal Trends, pp. 9–52, 2011.
[18] E. Commission et al., “Internet of things in 2020. a roadmap for the future,” Working Group RFID of the ETP EPOSS, Tech. Rep, 2008.
[19] M. Li, M.-Y. Wu, Y. Li, J. Cao, L. Huang, Q. Deng, X. Lin, C. Jiang, W. Tong, Y. Gui et al., “Shanghaigrid as an information service grid: An overview,” in Services Computing, 2005 IEEE International Conference on, vol. 1. IEEE, 2005, pp. 351–354.
[20] X. Li, J. Wu, X. Lin, Y. Li, and M. Li, “Itis: Intelligent traffic information service in shanghaigrid,” in ChinaGrid Annual Conference, 2008. ChinaGrid’08. The Third. IEEE, 2008, pp. 10–14.
[21] A. M. Riad, “A survey of internet of things,” 2013. [Online]. Available: http://www.researchgate.net/publication/257957332_A_Survey_of_Internet_of_Things
[22] L. Tan and N. Wang, “Future internet: The internet of things,” in Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on, vol. 5. IEEE, 2010, pp. V5–376.
[23] F. Mattern and C. Floerkemeier, “From the internet of computers to the internet of things,” in From active data management to event-based systems and more. Springer, 2010, pp. 242–259.
[24] P. N. Mahalle, B. Anggorojati, N. R. Prasad, and R. Prasad, “Identity authentication and capability based access control (iacac) for the internet of things,” Journal of Cyber Security and Mobility, vol. 1, no. 4, pp. 309–348, 2013.
[25] J.-L. Ab Manan, M. F. Mubarak, M. A. M. Isa, and Z. A. Khattak, “Security, trust and privacy–a new direction for pervasive computing,” Information Security, pp. 56–60, 2011.
[26] A. K. Rai, R. R. Tewari, and S. K. Upadhyay, “Different types of attacks on integrated manet-internet communication,” International Journal of Computer Science and Security, vol. 4, no. 3, pp. 265–274, 2010.
[27] T.-G. Lupu, I. Rudas, and N. Mastorakis, “Main types of attacks in wireless sensor networks,” in WSEAS International Conference. Proceedings. Recent Advances in Computer Engineering, no. 9. WSEAS, 2009.
[28] P. A. Diaz-Gomez, G. ValleCarcamo, and D. Jones, “Internal vs. external penetrations: A computer security dilemma,” in Proceedings of the 2010 International Conference on Security & Management, 2010.
[29] S. William and W. Stallings, Cryptography and Network Security, 4/E. Pearson Education India, 2006.
[30] M. Watkins and K. Wallace, “Ccna security official exam certification guide (exam 640-553),” 2008.
[31] D. Dolev and A. C. Yao, “On the security of public key protocols,” Information Theory, IEEE Transactions on, vol. 29, no. 2, pp. 198–208, 1983.
[32] I. Cervesato, “The dolev-yao intruder is the most powerful attacker,” in 16th Annual Symposium on Logic in Computer Science - LICS, vol. 1. Citeseer, 2001.
[33] A. Armando, “Deliverable d2.1: The high level protocol specification language,” Technical Report IST-2001-39252, Tech. Rep., 2003. [Online]. Available: http://www.avispa-project.org/delivs/2.1/d2-1.pdf
[34] R. Romana, J. Zhoua, and J. Lopezb, “On the features and challenges of security & privacy in distributed internet of things,” Computer Networks (DOI: 10.1016/j.comnet.2012.12.018), 2013.
[35] S. Babar, P. Mahalle, A. Stango, N. Prasad, and R. Prasad, Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT), ser. Communications in Computer and Information Science. Springer Berlin Heidelberg, 2010, vol. 89, book section 42, pp. 420–429. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-14478-3_42
[36] J. Sen, “A survey on wireless sensor network security,” arXiv preprint arXiv:1011.1529, 2010.
[37] S. Babar, A. Stango, N. Prasad, J. Sen, and R. Prasad, “Proposed embedded security framework for internet of things (iot),” in Wireless Communication, Vehicular Technology, Information Theory and Aerospace & Electronic Systems Technology (Wireless VITAE), 2011 2nd International Conference on. IEEE, 2011, pp. 1–5.
[38] H. Ning, H. Liu, and L. Yang, “Cyber-entity security in the internet of things,” vol. 46, no. 4, pp. 46–53, 2013.
[39] C. Clifton and D. Marks, “Security and privacy implications of data mining,” in ACM SIGMOD Workshop on Research Issues on Data Mining and Knowledge Discovery. Citeseer, 1996, pp. 15–19.
[40] V. S. Verykios, E. Bertino, I. N. Fovino, L. P. Provenza, Y. Saygin, and Y. Theodoridis, “State-of-the-art in privacy preserving data mining,” ACM Sigmod Record, vol. 33, no. 1, pp. 50–57, 2004.
[41] M. Langheinrich, “Privacy by design - principles of privacy-aware ubiquitous systems,” in Ubicomp 2001: Ubiquitous Computing. Springer, 2001, pp. 273–291.
[42] A. Riahi, Y. Challal, E. Natalizio, Z. Chtourou, and A. Bouabdallah, “A systemic approach for iot security,” in Distributed Computing in Sensor Systems (DCOSS), 2013 IEEE International Conference on. IEEE, 2013, pp. 351–355.
[43] P. Mahalle, S. Babar, N. R. Prasad, and R. Prasad, “Identity management framework towards internet of things (iot): Roadmap and key challenges,” in Recent Trends in Network Security and Applications. Springer, 2010, pp. 430–439.
[44] A. Josang, “Conditional reasoning with subjective logic,” Journal of Multiple-Valued Logic and Soft Computing, vol. 15, no. 1, pp. 5–38, 2008.
[45] G. M. Køien, “Reflections on trust in devices: An informal survey of human trust in an internet-of-things context,” Wireless Personal Communications, vol. 61, no. 3, pp. 495–510, 2011.
[46] J. Lopez, R. Roman, and C. Alcaraz, “Analysis of security threats, requirements, technologies and standards in wireless sensor networks,” in Foundations of Security Analysis and Design V. Springer, 2009, pp. 289–338.
[47] R. H. Weber, “Internet of things - new security and privacy challenges,” Computer Law and Security Review, vol. 26, no. 1, pp. 23–30, 2010.
[48] C. M. Medaglia and A. Serbanati, “An overview of privacy and security issues in the internet of things,” in The Internet of Things. Springer, 2010, pp. 389–395.
[49] J. Park and R. Sandhu, “Towards usage control models: beyond traditional access control,” in Proceedings of the seventh ACM symposium on Access control models and technologies. ACM, 2002, pp. 57–64.
[50] J. Park and R. Sandhu, “The uconabc usage control model,” ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 128–174, 2004.
[51] R. Sandhu and J. Park, “Usage control: A vision for next generation access control,” in Computer Network Security. Springer, 2003, pp. 17–31.
[52] F. Hansen and V. Oleshchuk, “Spatial role-based access control model for wireless networks,” in Vehicular Technology Conference, 2003. VTC 2003-Fall. 2003 IEEE 58th, vol. 3, 2003, pp. 2093–2097 Vol.3.
[53] E. Bertino, B. Catania, M. L. Damiani, and P. Perlasca, “Geo-rbac: a spatially aware rbac,” in Proceedings of the tenth ACM symposium on Access control models and technologies. ACM, 2005, pp. 29–37.
