Bruce Schneier, a noted computer security and cryptography expert, recently noted that “Our cars are computers with an engine, our ATMs are computers with money inside, and our refrigerators are computers that keep things cold.” The proliferation of the Internet of Things (IoT) is augmenting everyday objects with computational and networking capabilities. The IoT brings many benefits ranging from safety and security to efficiency. However, it also brings many security and privacy threats. In classical computer security, the maximal damage an attacker could inflict was limited to data loss. With the IoT, attackers can have physical effects in the world, such as opening doors , causing fake fire alarms , and disrupting electricity supply . The computer security and privacy community has recognized this emerging problem, and has focused its efforts on understanding and fixing its issues.
An often-asked question is, are there any new intellectual challenges in securing these systems? This is a natural question to ask given that recent high-profile IoT security events like the Mirai attack  largely depended on known traditional security issues (e.g., default passwords, lack of network security). We believe that like any emerging area, there are new problems, old ones in new forms, and problems we know how to solve. In our previous article, “Internet of Things Security Research: A rehash of old ideas or new intellectual challenges?”, we made an early case for why there might exist intellectually novel and challenging problems in securing these systems. In this article, we revisit those observations, and discuss novel results that have arisen since then. As this is an active area, we take a broad view on IoT security and privacy, but we do not try to be complete in our treatment. Our goal is to provide a few pointers to recent work that brings new problems and solutions to light and, in doing so, identify a few general themes and future paths.
Ii A sampling of recent results in IoT security
In this article, we discuss a sampling of recent results that have appeared in academic security conferences, including work at conferences in related areas (Table I). We sampled papers to achieve broad coverage of novel themes—a comprehensive treatment of existing work is outside the scope of this article. We organize our discussion based on the IoT computing stack introduced in our earlier article :
Hardware layer: the embedded systems that make up IoT devices. These devices use sensors and actuators to sense and effect physical change in their environments.
Network layer: the set of network protocols and other communication infrastructure that enable devices to talk with each other, and with other pieces of software that form an IoT ecosystem.
Middleware layer: the software and services that understands heterogeneous IoT protocols, and enables higher-level functionality to execute. This can include cloud-hosted services.
Users and Applications layer: the topmost layer that users can see. This layer is often specific to a domain. For example, in the context of smart homes, this layer could be if-this-then-that style programs.
The results we discuss in this article address issues in all these layers. Within a specific layer, we organize our discussion around a set of themes. The themes broadly characterize why the problems and solutions considered in the corresponding papers are novel.
|Category||Paper||General Themes in IoT Security||Potential Future Challenges|
|Hardware, Physical Safety||Ding et al. ||Properties of deployment environments that affect security guarantees; Physical-world aware security||Interplay between intermittently-powered devices and security; Classic security mechanisms extended to be physically aware|
|Kiningham et al. |
|Rahmati et al. |
|Simpson et al. |
|Soltan et al. |
|Network||Formby et al. ||Behavior Predictability; Conflicting Security Properties; New Privacy Attacks and Defenses||
Comprehensive investigations of conflicting properties and behavior predictability; Energy-security tradeoff for padding-based privacy defenses
|Wilson et al. |
|Apthorpe et al. |
|Middleware, OS||Fernandes et al. ||Decentralization of trust; Designing access control systems around environmental context; Global Safety and Security Properties||Exploring integrity, confidentiality, and availability problems for decentralized middleware; Designing access control systems with sensing as a core component; Model physical interactions|
|Schuster et al. |
|Celik et al. |
|Users, Applications||He et al. ||Interplay of usability, security, and multi-user devices; Attacks that rely on a lack of usability and on new interaction modalities; Risk asymmetry||Understanding the efficacy and usability of sensing for access control and authentication purposes; Understanding and mitigating inter-personal issues in multi-user devices; Defending against voice-based confusion attacks|
|Kumar et al. |
|Rahmati et al. |
|Zhang et al. |
|Zeng et al. |
Ii-a Hardware Security and Physical Safety
Theme: Environmental Factors. Embedded systems deployed in homes, buildings, cities, and on our bodies cannot be replaced as frequently as we replace our laptops or phones. For example, it is uncommon to replace a refrigerator every year, nor is it common to replace a pacemaker frequently. Furthermore, IoT devices and sensors may be deployed inside concrete, under water, or in other harsh and/or hard to reach conditions. The deployment environments of IoT devices lead to new challenges. One such challenge is to ensure security properties like encryption remain secure for long periods of time. Several crypto-systems have gone from being recommended to being insecure in less than 10 years . Ensuring that a system remains secure for long periods of time is difficult because attackers adapt quickly. Kiningham et al. make this observation, and outline the CESEL architecture that can remain secure for 20 years , a reasonable period of time for IoT devices. CESEL consists of five primitives specifically chosen to be useful in that time frame. These properties are based on a few fundamental primitives that are currently common to cryptographic systems and protocols such as nonces, and modular arithmetic. Another issue is how to patch these devices against new security vulnerabilities. This is especially challenging given that the IoT space is dominated by startups, many of whom will either perish to the market forces, ending support for their devices, or do not have the resources or technical knowledge to maintain an update infrastructure. Simpson et al.  propose creation of a central security manager built on top of the smart home’s hub or gateway router to alleviate this problem in home IoT settings. However, this solution only targets home IoT hubs and will not be applicable in settings where such a hub does not exist. Harsh deployment conditions may also affect devices access to a constant source of energy and the IoT devices have to rely on energy harvesting from sources such as solar, vibration, or RF to satisfy their requirements. Having intermittent access to energy poses new security challenges. Rahmati et al.  for example, highlight the lack of trusted source of time in this context and propose coarse-grained time measurements using volatile memory decay.
Theme: Physical Attacks. A standard attacker technique in computer networks is to move laterally between nodes—an attacker might compromise a specific user’s computer, and then use that as a launch point to compromise other systems in the network. Ding et al. discussed how an attacker might use physical channels to achieve this lateral movement . For instance, assume a home has a temperature sensor, a thermostat, and a user-created rule that automatically opens the windows if the temperature goes above a certain value. An enterprising thief might compromise the thermostat, and then realize that they can turn it on to increase temperature in the room, triggering the user-created rule to open the windows. Ding et al. also proposed techniques to detect such interaction chains automatically by taking into account physical interactions in addition to digital interactions.
Similar to how botnets can disrupt network infrastructure and services, Attacks on the IoT can damage physical infrastructure. Stuxnet worm , for example, targeted Iran’s nuclear facilities and damaged its centrifuges. Similar attacks can potentially affect civilian infrastructure. Soltan et al.  discuss attacks on the power grid using a set of compromised high-wattage consumer appliances like ovens, and heaters. Previous attacks on the power grid often involved vulnerabilities in the management interfaces or the SCADA systems that comprise the grid. However, the introduction of Internet-connected appliances violates the fundamental assumption in power grid design that the consumer patterns are not adversarial.
Future Challenges. Stepping back, we remark on a few future challenges in hardware and physical layer security inspired by the papers discussed above. We expect that many IoT devices will be deployed in difficult-to-reach environments, such as sensors in concrete bridges that harvest power using vibrations, and sensors inside the human body. The properties of these environments introduce new challenges: (1) The interplay between security primitives and intermittently-powered or ultra-low powered devices requires further investigation. For example does a CESEL mote provide any properties that allow a sensor to pick up a security protocol from where it left off because it ran out of power? Developing cryptographic algorithms, secure hardware, or software targeting these applications is an open area of research. (2) How do we extend current security mechanisms such as information flow control and model checking to account for physical-world interactions? (3) How can embedded systems be patched and secured against future attacks if they are no longer supported by their manufacturer?
Theme: Behavior Predictability.
Most general-purpose computer systems support varied functionality. This translates to highly varying network signatures, making security mechanisms like anomaly detection difficult due to errors. By contrast, IoT devices have well-defined functions—a door lock opens and closes, an industrial relay is either on or off. Thus, we observe that IoT device network behavior can be relatively stable compared to other kinds of computer systems. Formbyet al. use this notion in their work on creating behavioral fingerprints for industrial control systems (ICS) . A key observation in their work is that ICS devices have simple and well-defined functions, leading to relatively stable network signatures. Stepping back, we see that a classic network security technique can leverage the unique aspects of IoT devices to reduce errors.
Theme: Conflicting Properties. The main job of the TLS protocol is to enable end-to-end encryption between two computer systems so that third parties cannot inspect communication. It is generally a good sign that IoT devices support TLS. However, many times users want to audit and inspect what these devices are saying about them and their activities. Unfortunately, the TLS protocol does not allow this kind of inspection, leading to a conflict between security and auditability. We do not run into this conflict in the traditional web setting because the user controls one end of the TLS connection. Wilson et al. made this observation and invented TLS-Rotate-and-Release (TLS-Rar). This protocol allows for trusted auditing devices to decrypt TLS streams without compromising future communication.
Theme: New Privacy Attacks and Defenses. Apthorpe et al. recently showed that network observers can infer IoT device activity even when the streams are encrypted . Such an inference in the general case is error-prone because computers are general purpose devices. However, the behavior predictability discussed above can enable high-fidelity reconstruction of device and user activity from encrypted streams. Investigating such attacks in the context of non-IP protocols is an interesting open area. Apthorpe et al. also present a set of defenses based on independent link padding showing, that it can be effective, and bandwidth-efficient.
Future Challenges. Stepping back, we remark on a few themes and open challenges in this space. Behavior predictability is a general emergent theme for IoT devices. This can enable new defenses, and new attacks as well. An open opportunity is to thoroughly investigate this issue along multiple dimensions such as non-IP protocols, and resource constraints. For example, Apthorpe et al. discussed a padding defense. An open question might be: What is the cost of such padding on energy-constrained devices that uses protocols like BLE? This introduces a new energy-security tradeoff into padding defenses. Another challenge concerns the theme of conflicting properties. Currently, it is unknown whether there are other security properties that we take for granted in the non-IoT world, but have undesirable properties in the IoT world. Investigating these conflicting properties in a more comprehensive manner is an open and novel research question.
Ii-C Middleware and OS
Theme: Decentralization of Trust. A primary function of the middleware layer is to enable interoperability between multiple IoT ecosystems. Current consumer-grade IoT devices, such as those found in homes, and offices exhibit heterogeneity in their communication protocols and in their APIs. This heterogeneity exists due to resource constraints (e.g., Bluetooth Low Energy used in battery-powered presence detectors), a lack of standardization, and market competition. Middleware, such as Samsung SmartThings, and If-This-Then-That (IFTTT) understands many protocols, and enables programmers and users to create automations that span diverse sets of devices. Fernandes et al. examined the security design issues in the IFTTT platform . The IFTTT platform uses OAuth tokens (a type of bearer credential) to gain access to a user’s resources. Using these tokens, IFTTT can execute rules of the form: if trigger then action. Fernandes et al. observed that middleware like IFTTT becomes a gold mine of tokens when we consider the scale at which these services operate. If such middleware is compromised, millions of security credentials will be leaked. Consequently, Fernandes et al. proposed Decentralized Action Integrity, a security principle that provides the guarantee that even if the tokens are stolen, the attacker cannot use them arbitrarily. Although the notion of an integrity guarantee is not new, the IoT setting opens up new research opportunities for formulating and enforcing decentralized security properties. The general takeaway is that IoT systems are fundamentally decentralized, and security mechanisms should consequently be decentralized as well. Another novelty is that decentralization can address the ‘end-of-life’ problem. Physical devices like door locks and refrigerators have long service lives, and can outlast the companies that make them. If an IoT device or middleware is dependent on infrastructure maintained by a company that could eventually stop a product line, will the automations continue to function? Worse yet, if a company goes out of business, who would maintain the infrastructure? Decentralization provides an answer by moving functionality closer to the end-nodes. DTAP exemplifies this idea by using the IFTTT-cloud only as compute infrastructure. Conceptually, any cloud service can replace the IFTTT-cloud component in DTAP architecture.
Theme: Contextual Access Control. Another function of middleware is to enforce proper access control and authorization. A defining characteristic of access control in the IoT setting is that many decisions are contextual. For example, access to a sprinkler might only be allowed when someone is at home. Schuster et al. explored the use of context in access control decisions, and observed that access control in the home is often decentralized in addition to being contextual, often occurring in multiple independent frameworks . For example, the Nest thermostat and the LG oven might each implement their own context detection and access control framework. Instead of duplicating functionality, Schuster et al. propose the Environmental Situation Oracle (ESO) that encapsulates the sensing of physical contexts. In contrast to existing notions of context (e.g., what IP address range did the login occur from?), the novel challenge in the IoT setting is to sense physical phenomena (e.g., someone is near the oven) in a usable, scalable, and secure way.
Theme: Global Interactions. The middleware enables many different kinds of automations to run concurrently. A set of programs interacts with many physical devices in a single deployment. Even if individual programs are safe, unsafe situations can arise when we consider the behavior of this collection of programs as a whole. This is a very complex problem in the general case, making reasoning about global safety properties difficult. However, in the smart home setting, the individual programs are generally simple. Thus, examining global safety and security properties in the context of home automation programs is a promising and novel area of investigation. Recently, Celik et al. built the Soteria system that uses model checking to jointly investigate the security of IoT environments—a collection of physical devices and multiple automation programs .
Future Challenges. Stepping back, we remark on a few open challenges in this space. Like many computing systems before, we see IoT middleware architecture placing undue trust in centralized untrustworthy components. As many IoT systems are fundamentally decentralized, it is sensible to express security guarantees in a decentralized way as well. Specifically, the challenge is to de-privilege centers of trust, such as monolithic web apps (e.g., IFTTT), into smaller units where each user only trusts a minimal amount of infrastructure. Additionally, IoT deployments consist of a set of automations, and analyzing the security and safety of the environment as a whole is an open problem when we consider physical interactions between entities. Finally, another challenge concerns that fact that access control for IoT is physically contextual. Designing systems to sense and enforce contextual-policies presents new opportunities. Sensing of context in particular has strong connections to usability, and we explore this in the next section.
Ii-D Users and Applications
Theme: Usability of Contextual Authentication and Access Control. Authentication in traditional computing systems generally involves mechanisms like user names and passwords. In a smart home setting, many devices do not have traditional input-output modalities such as a screen or keyboard. Thus, exploring new forms of establishing identity is an interesting new challenge. Biometrics is a popular alternative, but unlike passwords, it is inexact and can make errors. Understanding the impact of these errors, and corresponding user behavior is an open question. He et al. recently conducted a study to explore access control and authentication of users to devices, and concluded that contextual factors and interpersonal relationships should play a more significant role in access control policies than they currently do . Zeng et al. also report on a study investigating usability issues of current access control mechanisms in homes with multiple users, concluding that multi-user issues will be a new challenge .
Theme: Risk Asymmetry. Another aspect of usability concerns how to present app permission requests to users. Current designs group device operations into similar functional units. For example, oven.on and oven.off are in the same functional group. However, physical device operations have clear and intuitive notions of risk: oven.on is a potential fire hazard, oven.off is potentially uncooked food. Rahmati et al. observe this risk asymmetry and contributed a design process to leverage risk asymmetry as an alternative to functional groupings of permissions. The resulting system, Tyche, showed that apps can remain functional with 60% less access to high-risk operations.
Theme: Novel Attacks due to New Interaction Modalities. Usability issues also permit novel attacks. Kumar et al. and Zhang et al. recently discovered voice-based confusion attacks on smart speakers like Amazon Alexa and Google Home [12, 20]. An attack is a set of spoken words that sound similar, such as “Hey Alexa, ask Capital One to…” and “Hey Alexa, ask Capitol Won to…” These attacks leverage a combination of lack of user awareness about the specific application they are talking to, and the deficiencies in current speech processing technology. This is complicated by the fact that many voice assistant currently lack the general context humans have when conversing. Exploring methods to increase this context in the hope of disambiguating confusing situations is an open research area.
Future Challenges. Stepping back, we discuss a few open challenges in this layer: (1) we realize that access control and authentication in homes is contextual, and will occur through non-traditional interaction modalities. Characterizing this space and building usable
systems that enforce the breadth of access control and authentication policies will probably require leveraging results from the ubicomp community in sensing; (2) characterizing and navigating the interpersonal issues in multi-user device situations presents new opportunities in usability security; (3) understanding the effectiveness of voice-based confusion attacks, and exploring defenses using biometrics and user education presents opportunities in enhancing the design of voice assistants.
Iii Concluding Remarks
Using a sampling of recent results, we revisited our earlier S&P article, and discussed intellectually novel and challenging problems in IoT security and privacy. We also identified general themes that are inspired by these results, and discussed a few open areas for future work at all layers of the computing stack. Although our treatment of results is incomplete, it is broad in its coverage of novel themes. We hope that this article spurs on research in IoT security and privacy in these new and challenging areas, so that we may gain the benefits of a connected world without the risks.
-  “Krebs on Security – Mirai Botnet,” https://krebsonsecurity.com/tag/mirai-botnet/, 2017, Last accessed: Mar 2017.
-  “Symantec – W32.Stuxnet Dossier,” https://www.symantec.com/content/en/us/enterprise/media/security˙response/whitepapers/w32˙stuxnet˙dossier.pdf, 2017, Last accessed: Mar 2017.
-  N. Apthorpe, D. Reisman, S. Sundaresan, A. Narayanan, and N. Feamster, “Spying on the smart home: Privacy attacks and defenses on encrypted iot traffic,” CoRR, vol. abs/1708.05044, 2017.
-  Z. B. Celik, P. McDaniel, and G. Tan, “Soteria: Automated iot safety and security analysis,” in USENIX Annual Technical Conference (USENIX ATC), Boston, MA, July 2018. [Online]. Available: https://www.usenix.org/system/files/conference/atc18/atc18-celik.pdf
-  W. Ding and H. Hu, “On the safety of iot device physical interaction control,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’18. New York, NY, USA: ACM, 2018, pp. 832–846. [Online]. Available: http://doi.acm.org/10.1145/3243734.3243865
-  E. Fernandes, A. Rahmati, J. Jung, and A. Prakash, “Decentralized Action Integrity for Trigger-Action IoT Platforms,” in 22nd Network and Distributed Security Symposium (NDSS), 2018.
-  E. Fernandes, J. Jung, and A. Prakash, “Security Analysis of Emerging Smart Home Applications,” in Proceedings of the 37th IEEE Symposium on Security and Privacy, May 2016.
-  E. Fernandes, A. Rahmati, K. Eykholt, and A. Prakash, “Internet of things security research: A rehash of old ideas or new intellectual challenges?” IEEE Security & Privacy, vol. 15, no. 4, pp. 79–84, 2017.
-  D. Formby, P. Srinivasan, A. Leonard, J. Rogers, and R. Beyah, “Who’s in control of your control system? device fingerprinting for cyber-physical systems,” 2016.
-  W. He, M. Golla, R. Padhi, J. Ofek, M. Dürmuth, E. Fernandes, and B. Ur, “Rethinking access control and authentication for the home internet of things (iot),” in 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD: USENIX Association, 2018, pp. 255–272. [Online]. Available: https://www.usenix.org/conference/usenixsecurity18/presentation/he
-  K. Kiningham, M. Horowitz, P. Levis, and D. Boneh, “Cesel: Securing a mote for 20 years,” in Proceedings of the 2016 International Conference on Embedded Wireless Systems and Networks, ser. EWSN ’16. USA: Junction Publishing, 2016, pp. 307–312. [Online]. Available: http://dl.acm.org/citation.cfm?id=2893711.2893788
-  D. Kumar, R. Paccagnella, P. Murley, E. Hennenfent, J. Mason, A. Bates, and M. Bailey, “Skill squatting attacks on amazon alexa,” in 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD: USENIX Association, 2018, pp. 33–47. [Online]. Available: https://www.usenix.org/conference/usenixsecurity18/presentation/kumar
-  A. Rahmati, E. Fernandes, K. Eykholt, and A. Prakash, “Tyche: A risk-based permission model for smart homes,” in Proceedings of the 3rd IEEE CyberSecurity Development Conference (SecDev), 2018.
-  A. Rahmati, M. Salajegheh, D. Holcomb, J. Sorber, W. P. Burleson, and K. Fu, “Tardis: Time and remanence decay in sram to implement secure protocols on embedded devices without clocks,” in Presented as part of the 21st USENIX Security Symposium (USENIX Security 12). Bellevue, WA: USENIX, 2012, pp. 221–236. [Online]. Available: https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/rahmati
-  R. Schuster, V. Shmatikov, and E. Tromer, “Situational access control in the internet of things,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’18. New York, NY, USA: ACM, 2018, pp. 1056–1073. [Online]. Available: http://doi.acm.org/10.1145/3243734.3243817
-  A. K. Simpson, F. Roesner, and T. Kohno, “Securing vulnerable home iot devices with an in-hub security manager,” in Pervasive Computing and Communications Workshops (PerCom Workshops), 2017 IEEE International Conference on. IEEE, 2017, pp. 551–556.
-  S. Soltan, P. Mittal, and H. V. Poor, “Blackiot: Iot botnet of high wattage devices can disrupt the power grid,” in 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD: USENIX Association, 2018, pp. 15–32. [Online]. Available: https://www.usenix.org/conference/usenixsecurity18/presentation/soltan
-  J. Wilson, R. S. Wahby, H. Corrigan-Gibbs, D. Boneh, P. Levis, and K. Winstein, “Trust but Verify: Auditing Secure Internet of Things Devices,” in Proceedings of the The 15th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys 2017), June 2017.
-  E. Zeng, S. Mare, and F. Roesner, “End user security and privacy concerns with smart homes,” in Proceedings of the Thirteenth USENIX Conference on Usable Privacy and Security, ser. SOUPS’17. Berkeley, CA, USA: USENIX Association, 2017, pp. 65–80. [Online]. Available: http://dl.acm.org/citation.cfm?id=3235924.3235931
-  N. Zhang, X. Mi, X. Feng, X. Wang, Y. Tian, and F. Qian, “Understanding and mitigating the security risks of voice-controlled third-party skills on amazon alexa and google home,” in 40th IEEE Symposium on Security and Privacy (S&P 19), 2019.