This article surveys the security vulnerabilities in Internet of Things (IoT) devices, highlighting the critical need for robust cybersecurity measures as IoT devices proliferate across various sectors. It discusses the inadequacies of existing security mechanisms in low-end commercial products and analyzes specific attacks against real IoT devices, emphasizing the importance of integrating security from the design stage. The article aims to raise awareness of the security risks associated with IoT and suggests that both manufacturers and users need to adopt better security practices to mitigate these threats.

8182 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019

IoT: Internet of Threats? A Survey of Practical Security Vulnerabilities in Real IoT Devices

Francesca Meneghello, Student Member, IEEE, Matteo Calore, Daniel Zucchetto, Member, IEEE, Michele Polese, Student Member, IEEE, and Andrea Zanella, Senior Member, IEEE

Abstract—The Internet of Things (IoT) is rapidly spreading, reaching a multitude of different domains, including personal health care, environmental monitoring, home automation, smart mobility, and Industry 4.0. As a consequence, more and more IoT devices are being deployed in a variety of public and private environments, progressively becoming common objects of everyday life. It is hence apparent that, in such a scenario, cybersecurity becomes critical to avoid threats like leakage of sensitive information, denial of service (DoS) attacks, unauthorized network access, and so on. Unfortunately, many low-end IoT commercial products do not usually support strong security mechanisms, and can hence be target of—or even means for—a number of security attacks. The aim of this article is to provide a broad overview of the security risks in the IoT sector and to discuss some possible counteractions. To this end, after a general introduction to security in the IoT domain, we discuss the specific security mechanisms adopted by the most popular IoT communication protocols. Then, we report and analyze some of the attacks against real IoT devices reported in the literature, in order to point out the current security weaknesses of commercial IoT solutions and remark the importance of considering security as an integral part in the design of IoT systems. We conclude this article with a reasoned comparison of the considered IoT technologies with respect to a set of qualifying security attributes, namely integrity, anonymity, confidentiality, privacy, access control, authentication, authorization, resilience, self organization.

Index Terms—Attacks, devices, Internet of Things (IoT), security.

Manuscript received January 24, 2019; revised April 21, 2019 and June 30, 2019; accepted July 31, 2019. Date of publication August 13, 2019; date of current version October 8, 2019. This work was supported by the POR FESR 2014-2020 Work Program of the Veneto Region (Action 1.1.4) through the project No.10066183 titled “Sistema domotico IoT integrato ad elevata sicurezza informatica per smart building.” (Corresponding author: Michele Polese.)
The authors are with the Department of Information Engineering, University of Padova, 35131 Padua, Italy (e-mail: [email protected]; [email protected]; [email protected]; michele.polese@dei.unipd.it; [email protected]).
Digital Object Identifier 10.1109/JIOT.2019.2935189
2327-4662 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

THE INTERNET of Things (IoT) is an emerging communication paradigm that aims at connecting different kinds of objects to the Internet, in order to harvest data generated by sensors, remotely control appliances and machines, monitor environments, vehicles, and buildings, and so on [1]. The number and variety of IoT devices have rapidly grown in the last years, with a prediction of over 50 billion devices connected to the Internet by 2020 [2]. Thanks to a plethora of new “smart” services and products, such as smart appliances, smart houses, smart watches, smart TVs, and so on, the IoT devices are quickly spreading in all environments, becoming everyday more pervasive. Moreover, many of such smart services require users to intentionally reveal some personal (and, sometimes, private) information in exchange for advanced and more personalized services. It is then clear that security and privacy should be of primary importance in the design of IoT technologies and services. Unfortunately, this is not the case for many IoT commercial products that are provided with inadequate, incomplete, or ill-designed security mechanisms.

In the last years, growing attention has been dedicated to the risks related to the use of simple IoT devices in services that have access to sensitive information or critical controls, such as video recording of private environments, real-time personal localization, health-monitoring, building accesses control, industrial processes, and traffic lights [3], [4]. Furthermore, some security attacks against commercial IoT devices have appeared in the mass media, contributing to raise public awareness of the security threats associated with the IoT world.

In order to make commercial IoT devices more resilient to cyber attacks, security should be taken into account right from the design stage of new products [5]. However, the wide heterogeneity of IoT devices hinders the development of well-established security-by-design methods for the IoT [6], [7]. The challenge is further complicated by the severe limits in terms of energy, communication, computation, and storage capabilities of many IoT devices. Such limits indeed prevent the possibility of adopting standard security mechanisms used in more traditional Internet-connected devices [8], and call for new solutions that, however, are not yet standardized.

Besides the technical aspects, it is also necessary to develop a cybersecurity culture among the IoT stakeholders, in particular manufacturers and final users. As a matter of fact, many IoT device manufacturers come from the market of low-cost sensors and actuators (e.g., home automation, lights control, video surveillance, and so on). Such devices were originally designed to work in isolated systems, for which the security threats are much more limited. As a consequence, many manufacturers do not possess a solid expertise in cybersecurity and may be unaware of the security risks associated with connecting their devices to a global network. Such a lack of know-how, together with the hectic approach to the design of new products and the need to compress costs and time-to-market have
led to the commercialization of IoT products where security is either neglected or treated as an afterthought [9]. In parallel, the final users are also not much educated in terms of security practices and often fail to implement even the most basic procedures to protect their devices as, e.g., changing the preinstalled password of the devices on first use. Such an underestimation of their role in protecting personal devices makes users themselves unaware and unintentional allies of possible attackers.

The aim of this article is hence to provide an up-to-date vision of the current IoT cybersecurity scenario, contributing to improve the awareness of the threats that IoT devices may represent. To this end, this article will discuss the origins of such threats and the possible counteractions. The problems related to cybersecurity in IoT systems have already been addressed by other works in the literature as, e.g., [6] and [10]–[15]. Unlike such papers, here we address the topic from a more practical perspective. After a quick introduction to the cybersecurity, we focus on the specific problems of the IoT domain, where devices may not even support basic features, such as random number generation or standard encryption routines. We hence consider the four communication protocols mostly used in commercial IoT devices, namely ZigBee, Bluetooth low energy (BLE), 6LoWPAN, and LoRaWAN. We briefly recall the security procedures supported by each protocol and, hence, analyze the attack surface, also reporting a series of real attacks against popular commercial IoT devices as examples of the risks associated with poorly designed security mechanisms. Furthermore, we describe the processing units, communication protocol, and cryptographic hardware and software used in some commercial IoT devices, to offer an idea of the solutions currently adopted in the market. This article can then be useful to readers and practitioners interested to grasp the more practical implications of IoT security. Furthermore, the comparative analysis presented at the end of this article reveals some gaps in the literature that call for further investigation and experimentation.

Fig. 1 provides a visual representation of this article's organization, which is as follows. Sections II and III are introductory to the following analysis. More specifically, Section II recalls the main functionalities of an IoT system and the related security challenges, while Section III describes the main security algorithms and protocols considered in this article. Moreover, we will provide some details related to the implementations of security protocols in the chipsets commonly used in commercial IoT devices. Section IV is dedicated to the communication protocols for the IoT. We briefly recall the main characteristics of each technology, focusing in particular on its native security mechanisms. Then, we provide a critical analysis of the attack surface, i.e., of the possible vulnerabilities related to that protocol. In Section V, we report practical implementation details of widespread IoT solutions, discussing in particular some hardware aspect as the microcontroller and the connectivity modules which have a role in determining the security level of such devices. Finally, in Section VI, we provide a qualitative comparison of the devices considered in this article, and we conclude this article with some open research directions in Section VII.

Fig. 1. Structure of this article and relations among the security aspects.

II. SECURITY CHALLENGES IN THE IOT DOMAIN

As discussed in the remainder of this article, the attacks against IoT devices are often simple and easy to conduct. They could be performed in order to break user privacy and leak personal sensitive information. The collected data can indeed range from simple room temperature and humidity measurements, to more sensitive information such as the heart-rate signal, or the user’s location and living habits. Another common attack strategy consists in compromising one device in the IoT network and using it as a beachhead to perform fraudulent acts toward another network node [16].

In order to set a common ground for the discussion that will follow in the next sections, here we provide a broad overview of the IoT security requirements and of the related challenges.

A. Security Requirements

To begin with, we present a taxonomy of the security requirements for an IoT system with respect to the different operational levels, that is to say, at the Information, Access, and Functional level [17], [18].

Information Level: At this level, security should guarantee the following requirements.
1) Integrity: The received data should not have been altered during the transmission.
2) Anonymity: The identity of the data source should remain hidden to third parties.
3) Confidentiality: Data cannot be read by third parties. A trustworthy relationship should be established between IoT devices in order to exchange protected information. Replicated messages must also be recognizable.
4) Privacy: The client’s private information should not be disclosed during the data exchange. It must be hard to infer identifiable information by eavesdroppers.

Access Level: It specifies some security mechanisms to control the access to the network. More specifically, it provides the following functionalities.
1) Access Control: It guarantees that only legitimate users can access the devices and the network for administrative tasks (e.g., remote reprogramming or control of the IoT devices and network).
2) Authentication: It checks whether a device has the right to access a network and whether a network has the right to connect the device. This is likely the first operation carried out by a node when it joins a new network [19]. Note that devices have to provide strong authentication procedures in order to avoid security threats. For example, if all the IoT devices produced by the same manufacturer are configured with the same authentication credentials, then the hacking of one device may compromise all of the security aspects at the information level.
3) Authorization: It ensures that only the authorized devices and the users get access to the network services or resources.

Functional Level: This level defines the security requirements in terms of the following criteria.
1) Resilience: It refers to network capacity to ensure security for its devices, even in case of attacks and failures.
2) Self Organization: It denotes the capability of an IoT system to adjust itself in order to remain operational even in case of failure of some parts due to occasional malfunctioning or malicious attacks.

B. Taxonomy of Security Attacks

Besides the requirements and mechanisms at the information, access, and functional levels, it is important to understand which are the vulnerabilities and the possible attacks at the different layers of the communication stack. As explained in [20], the communication architecture of an IoT system can be roughly divided in Edge, Access, and Application layers. The edge layer provides PHY and MAC functionalities for local communications. The access layer grants the connection to the rest of the world, usually through a gateway device and a Middleware Layer that acts as intermediary between the IoT world and the standard Internet. Finally, the Application Layer takes care of the service-level data communications. In the following we present a possible taxonomy of the attacks that can target these communication layers.

Edge Layer: One of the main threats at this level is represented by the side channel attacks [21]. The goal of these attacks is to leak information from the analysis of side signals, such as power consumption, electromagnetic emissions, and communication timing, while nodes are performing encryption procedures. Among them, the power consumption of the devices is widely exploited to guess and recover the encryption secret keys. For each encryption operation, a power trace can be captured: the power data is generally computed from the voltage difference across a resistor inserted in series with the power supply. Simple power analysis attacks try to directly interpret the power traces related to a small number of encryption rounds. Instead, the differential power analysis is a more effective and advanced approach: a bigger amount of traces are statistically analyzed in order to extract additional encryption information [22]. At the edge layer, IoT devices are also vulnerable to hardware trojan and DoS attacks that attempt to make resources unavailable to the legitimate users, e.g., by forcing the device to exit sleep (low-power consumption) mode in order to drain their batteries, or by jamming the radio communications. Also, the device package can be tampered with, e.g., to extract the cryptographic secrets of the device, modify its software to disguise a malicious node as a legacy one (camouflage), or attempt reverse engineering to figure out the details of proprietary communication protocols and possibly reserved information (as patent-covered algorithms).

Access/Middleware Layer: At this level the main attacks are eavesdropping (also called sniffing), injection of fraudulent packets and nonauthorized conversations. Even routing attacks have to be taken into account: an attacker may use this kind of attack to spoof, redirect, misdirect, or drop data packets.

Application Layer: Attacks at the Application Layer are quite different from the previous ones, since they directly target the software running on the devices rather than the communication technology. Such attacks may address the integrity of, e.g., machine learning algorithms, where the attacker manipulates the training process of the learning algorithm to induce misbehaviors. There can also be attacks on the login and authentication phases.

Fremantle and Scott [17] and Mosenia and Jha [23] presented an in-depth analysis of all these aspects, where they discuss some of the major vulnerabilities presented above, proposing solutions at different layers, from the device side to the cloud services.

In [24], the possible attacks against IoT devices are presented from a different standpoint, i.e., by considering how an attacker can exploit the IoT device for malicious purposes. The authors identify four possible approaches, as detailed below.

Ignoring the Functionality: This class includes all the attacks in which the specific functionalities of the IoT device are ignored, and only its capability to connect to the local area network (LAN) or to the Internet is exploited. For example, IoT devices can be used to create a bot-net (a network completely controlled by the attacker) or to penetrate the victim’s home network and infect his/her computers.

Reducing the Functionality: In this case, the attacker tries to kill or limit the functionalities of the device, in order to annoy the victim or create malfunctions in a wider system. For example, this type of attack may be directed to IoT devices like smart TVs or smart refrigerators, with the aim of blocking
or limiting their functioning in order to extort money from the victim for restoring their normal behavior.

Misusing the Functionality: The normal functionalities of the IoT devices are used to create discomfort to its owner. For example, an attacker may tamper a heating, ventilation, and air-conditioning (HVAC) control unit and make a certain environment uncomfortable by excessively increasing or decreasing the temperature. Similarly, the attack may target a smart light system, getting remote control over the lights in a room or building, overwriting the victims’ commands.

Extending the Functionality: The IoT device is used to achieve completely different functionalities. For example, a presence sensor of an alarm system may be used to track the position of the victims in their living environment, even when the alarm system is off.

III. MAIN SECURITY MECHANISMS FOR IOT SERVICES

In this section, we present standard security mechanisms that have been designed to satisfy the requirements described in the previous section.

Encryption: It is the main and most important operation to ensure confidentiality during the communication. It consists in changing the actual message (plaintext) into a different one (ciphertext) using a hash function that can be easily reverted only knowing a secret key. Using encryption, a possible eavesdropper can only have access to the ciphertext, but should not be able to interpret the content of the message. The encryption mechanism can be symmetric or asymmetric. In symmetric encryption, the same secret key is used both for message encryption and decryption, and hence it must be known by both the sender and the receiver. In the asymmetric case, each endpoint needs to possess its own pair of keys: a public key and the associated private key, which cannot be easily derived from the public one. The public key can be known to anyone, while the private key should be kept secret. The public and private keys are designed in a way that a message encrypted with the former can only be decrypted with the latter. Therefore, to guarantee confidentiality, the message is encrypted by the sender by using the public key of the receiver, which can then recover the original message by using its own private key.

Standard Encryption Mechanisms: The encryption process can be performed in two different ways: through a stream cipher, encrypting the plaintext bit-by-bit (or byte-by-byte) or with a block cipher, treating a block of plaintext as a whole and producing a block of ciphertext of equal length [25]. To encode long messages, block ciphers can be used in different operating modes: electronic CodeBook (ECB); cipher block chaining (CBC); cipher FeedBack (CFB); output FeedBack (OFB); and counter (see [26] for details).

One of the most used block ciphers for symmetric encryption is the advanced encryption standard (AES) (or Rijndael), published in 2001 by the National Institute of Standards and Technology (NIST) [27]. AES is obtained through the cascade of N successive series of three elementary block ciphers: a substitution cipher, a transposition cipher, and a linear cipher. Fig. 2 shows the first three blocks of the chain, which are repeated to obtain the final encryption. Depending on the length (in number of bits) of the key, the algorithm takes the name of AES-128, AES-192, or AES-256.

Fig. 2. Encryption for the AES block cipher. The three blocks, substitution (S), transposition (T), and linear (L) ciphers, are repeated to obtain the final encryption. In the diagram, k0 and k1 are the lower and upper parts of the encryption key, u denotes a block of plaintext to be encrypted, and the other symbols represent the block after each encryption module.

Examples of asymmetric cryptosystems are the Rivest Shamir Adleman (RSA) [28], the McEliece [29] and the Elgamal [30] algorithms.

Encryption can also be used to provide authentication and integrity protection, but in most cases these functionalities require additional mechanisms, in particular in IoT systems. In practice, authentication and integrity protection are provided by means of message authentication codes (symmetric mechanisms), digital signatures (asymmetric mechanisms), and hash functions. For what concerns message authentication codes and digital signatures, the transmitted message is the result of the concatenation of the plaintext and a tag computed from the plaintext using the private key. At the receiver side, a tag is computed using the private or public key (depending on whether we opted for a symmetric or asymmetric process) and it is compared to the transmitted tag.

For example, many IoT services require to broadcast the same message to many destinations. If the message is encrypted by the transmitter, all the destinations need to decrypt the ciphertext to check the authenticity of the sender and retrieve the message. This operation requires time and drains energy from the device battery. If confidentiality is not an issue, a better solution may consist in sending the message in plaintext, attached with a tag that identifies the sender. The verification of the message authenticity can then be performed by one designated and trusted receiver, while all the other nodes can just read the message, without wasting time and resources [25].

The tag is usually obtained by using a good encryption function, such as AES, as in the cipher block chaining message authentication code (CBC-MAC) symmetric mechanism [31]. An asymmetric mechanism for tag computation is the digital signature algorithm (DSA), part of the ElGamal signatures family, published in 1991 by NIST with the federal information processing standard (FIPS) 186 [32], and revised multiple times in the following years. In 2009, for example, FIPS 186 included the elliptic curve DSA (ECDSA). An alternative asymmetric mechanism is RSA [28], which implements hash functions other than those of the previous two mechanisms. In fact, such hash functions map messages of any length into fixed length hash values, which are then transmitted with the messages. The hash functions are practically constructed through a Merkle–Damgard scheme [33], [34]. The most known functions are: MD-5 that produces a 128-bit hash,
SHA-1 with a 160-bit hash, and SHA-256 and SHA-512 that produce 256 and 512-bit hash, respectively.

For what concerns IoT applications, the constrained application protocol (CoAP), defined by IETF in RFC 7252 [35], recommends to use the AES Counter with CBC-MAC, which is compactly indicated as AES-CCM. This mechanism makes use of 128 bit keys and generates 8 bit authentication tags. The ephemeral elliptic curve Diffie Hellman (ECDHE) method is instead recommended for key establishment, and the ECDSA for authentication.

Lightweight Cryptography: Given the growth of the number of connected, low-complexity IoT devices, the research community has tried to design specific security algorithms for resource and energy constrained devices. Lightweight cryptography is a new branch of cryptography that focuses on these aspects, including new encryption block and stream ciphers, message authentication codes, and hash functions, which are conceived to be executed by devices with limited computation, communication, and storage capabilities. In 2012 the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published the ISO/IEC 29192 standard that specifies a series of lightweight encryption mechanisms [36], including the block ciphers PRESENT [17] and CLEFIA [18]. PRINCE is another lightweight block cipher, not included in the standard [37]. Moreover, the Simon and Speck families of lightweight block cipher were presented by Beaulieu et al. [38]. As lightweight hash function, ISO/IEC 29192 standard proposed PHOTON [39] and SPONGENT [40]. In 2013 NIST started a lightweight cryptography project to investigate and develop solutions for real-world applications. At the beginning of 2019 NIST has published a call for algorithms for lightweight cryptography: after discussion and evaluation, the algorithms will go through a standardization process [41].

Random Number Generators: An important aspect for security is the randomness: security protocols frequently require the generation of (pseudo)random numbers for different purposes as, e.g., to create nonces during the authentication phase, to avoid replay attacks, and to generate asymmetric keys [42]. A random number generator is cryptographically secure when it produces a sequence for which no algorithm can predict in polynomial time the next bit of the sequence from the previous bits, with a probability significantly greater than (1/2). According to Shannon’s mathematical theory of communication, the entropy of a k-bit long (pseudo)random sequence must be as close as possible to k.

Two types of random number generators are commonly used for cryptographic applications: 1) the true random number generator (TRNG) that exploits physical noise sources and 2) the pseudo random number generator (PRNG) that expands a relatively short key into a long sequence of seemingly random bits, using a deterministic algorithm. PRNGs are typically used in real applications and technologies. In this case, since the adopted algorithms are usually known, the seed of the pseudorandom generator is the only source of randomness and, as such, it must be properly selected. A common way to generate random seeds is by exploiting different physical phenomena, such as the timing of user processes, or the thermal noise measured by the radio receiver [43]. For example, a source of random seeds may be obtained by feeding the noise signal of the radio power amplifier into the quantizer, which will then generate a stream of (ideally) independent bits. However, due to bandwidth restrictions, temperature bias, and other unavoidable factors, the bitstream may show a certain level of correlation.

Unfortunately, most of the sources of randomness available in laptops and desktop PCs are not available in low-end embedded systems, such as the devices that will be analyzed in the following section. For this reason, the research has recently addressed the challenge of designing lightweight PRNG algorithms for resource constrained devices [44]–[46].

Secure Hardware: As discussed in the previous section, IoT devices are vulnerable to edge layer attacks. Most of the devices can be deployed in remote areas with a low level of protection so that an illegitimate user can perform side channel attacks. Several countermeasures have been proposed in the literature, based on the different encryption schemes. It is possible to exploit both hardware and software solutions to eliminate or, at least, randomize the signals footprint exploited by this type of attacks.

For example, physically unclonable functions (PUFs) can be adopted to improve hardware security [47]. The basic concept of PUF is to exploit little differences introduced by the fabrication process of the chip to generate a unique signature of each device. A PUF circuit provides a response to a given input challenge and, due to the intrinsic hardware differences, the responses are chip specific. As an example, an Arbiter PUF circuit is composed of two supposedly identical paths: for each input, the output depends on the fastest path [48]. Majzoobi et al. [49] proposed the lightweight secure PUFs concept, in which the response generation is resistant against reverse engineering attacks that try to emulate the PUF by parametrically modeling its behavior.

PUFs can be categorized into strong and weak [50]. If a PUF can support a number of challenge-response pairs that are exponential in the number of challenge bits, it is called strong PUF. Strong PUFs are typically used for authentication protocols that require new pairs for each operation. Arbiter PUF belongs to this category. On the other hand, weak PUFs can support a small number of challenge-response pairs and they are used for cryptographic key generation, avoiding the need to store secure keys on the devices. An example of weak PUF is the ring-oscillator described in [51].

Other hardware solutions to prevent side channel analysis attacks can be found in the literature: a hardware implementation of the SIMON algorithm is presented in [21], while a method to randomize the instruction execution cycles is shown in [52]. A software countermeasure is reported in [53] based on the randomization of a parameter used in RSA signature.

Anyway, all these techniques have some drawbacks, as the increase of power consumption of the device and the increase of the chip area. Because of the resource constraints of the IoT edge devices, it could be very hard to find effective solutions.


Intrusion Detection Systems: As discussed above, different security mechanisms have been proposed to protect the devices against threats at the different layers. However, besides preventing the attacks, it is also fundamental to be able to detect ongoing attacks. Complex anti-virus software and traffic analyzers cannot be used in IoT devices, due to resource and energy constraints. For this reason, lightweight intrusion detection methods have been presented in the last years [54]. For example, anomalies in system parameters, like CPU usage, memory consumption, and network throughput, may be indicative of an ongoing attack [55]. A similar approach is proposed in [56]: the energy profile is analyzed to detect anomalies in power consumption, which are linked to different types of attacks. In [57], the signatures of various attacks are derived from relevant features like packet dropping/send rate and signal strength intensity. Comparing the traffic pattern with these signatures, the attacks can be detected with good probability. Machine learning can also be exploited for intrusion detection purposes. In [58], for example, a random forest classification algorithm is used to group the traffic flows into different categories, based on some selected features. An attack is detected when some flows exhibit nonstandard patterns and are hence classified as anomalous.

IV. SECURITY OF POPULAR IOT COMMUNICATION TECHNOLOGIES

As discussed in the previous sections, most of the legacy security protocols used in the standard Internet cannot be plainly applied to the IoT scenario, because of the constraints of many IoT devices in terms of computational, power, and communication capabilities [59]. Therefore, new mechanisms specifically designed for the IoT scenario have been proposed in the literature and implemented in some commercial IoT systems.

In this section, we focus on the security mechanisms implemented by some of the most popular transmission technologies used in the IoT domain, namely ZigBee, BLE, 6LoWPAN, and LoRaWAN. Moreover, we review the security vulnerabilities of these technologies, reporting different attack vectors found in the literature.

Among these technologies, ZigBee, BLE, and 6LoWPAN are predominantly used for short-range communications in homes or small offices. LoRaWAN instead is used for long-range scenarios, such as city-wide monitoring and control applications. From a protocol stack perspective, while ZigBee and BLE are full-stack technologies, 6LoWPAN and LoRaWAN cover only some layers of the stack, and therefore can be potentially used in the most diverse applications.

A. ZigBee

Description: ZigBee [60] is a two-way, wireless communication standard developed by the ZigBee Alliance. Thanks to its low cost and low power consumption, ZigBee is one of the most used technologies to connect IoT devices. As shown in Fig. 3, the standard specifies the application and network layers (NWK), while the link and physical layers are taken from the IEEE 802.15.4 standard [61]. In more detail, the Application Layer (APL) provides the data transmission and security services, and makes it possible to bind the devices to two or more application entities located on the same network. The NWK provides functionalities such as routing, security, and configuration of new devices. The NWK also manages the establishment of new connections, the joining and leaving procedures, and the addressing and neighbor discovery services.

Fig. 3. ZigBee protocol stack. The technical specifications for ZigBee can be found in [60].

ZigBee includes different application profiles that define message formats and functional procedures to guarantee vendor interoperability [60].

Communications, secrecy, and authentication services are provided by message encryption and authentication, using AES in the counter with CBC-MAC (CCM) mode. Integrity protection is ensured by a 128 bit message integrity code (MIC) and replay protection is based on a 4 Byte frame counter.

Each ZigBee network includes a Trust Center, i.e., a device trusted by all the other nodes in the network. The trust center usually corresponds to the network coordinator and is responsible for 1) authenticating the devices that require to join the network; 2) deciding whether to accept or deny the join request; 3) maintaining and distributing network keys; and 4) enabling end-to-end security between devices.

The ZigBee network can either have a star topology, where the end-devices are directly connected to the coordinator, or a tree topology, when the interconnection is performed by intermediate routers. By interconnecting the routers, furthermore, it is possible to realize a mesh topology, as shown in Fig. 4.

The cryptographic routines used in ZigBee employ two 128 bit keys: the link key and the network key. The link key is used to secure unicast communications between APL entities. Each unicast communication uses a different link key, which is disclosed to the two linked entities only. The network key is needed for broadcast communications: it is shared among all the devices in the same network.

There are different ways for a device to acquire the required link or network key [62].
1) Preinstallation: The link or network key is installed in the device during the manufacturing process.
2) Key Transport: The link or network key is generated elsewhere (usually by the Trust Center) and then communicated to the device. The standard suggests to load the key using an out-of-band technique, however, it
includes the possibility to send the key in-band. In the latter case, the key may be sent in clear text or encrypted using a preshared key specific for each application profile. For example, for home automation devices, the preshared key is defined in the ZigBee standard and is publicly available. For ZigBee light link (ZLL) devices, instead, the preshared key will be distributed only to certified manufacturers and is bound with a safekeeping contract, according to the ZLL specification [63]. However, it has been leaked on the Internet in 2015, so it is now publicly known [62], [64].
3) Key Establishment: Through this process, a link key $L_i$ is shared between the Trust Center and another device in the network for securing the communications between them. The procedure starts with the exchange of a trusted information, the master key, preinstalled during the manufacturing process. The master key is provided by the ZigBee Alliance to its members and is different for each application profile. After this phase, the device and the trust center exchange ephemeral data that are used to derive $L_i$. When two devices i and j need to communicate with each other, the Trust Center provides them with a link key $L_{i,j}$, encrypted using the link keys $L_i$ and $L_j$, respectively. Note that this method cannot be used to generate network keys.

The process through which a new ZigBee network is set up or a new ZigBee device is added to an existing network is called commissioning. In addition to the commissioning procedures specific to the different application profiles, the ZigBee standard also specifies a common procedure that makes it possible to interconnect devices with different profiles.

Fig. 4. ZigBee mesh topology.

Attack Surface: A possible attack vector in a ZigBee network consists in discovering the keys used to secure the communications. For example, the repeated encryption of known and fixed messages (e.g., control messages defined in the standard) makes the system vulnerable to plaintext attacks [62]. This technique enables the recovery of a cryptographic key by having access to both the encrypted and decrypted messages. Hence, to ensure a high security level, the network key needs to be changed periodically.

A sinkhole attack against a ZigBee network is presented in [65]. The attack is performed through a malicious entity that legally joins the network, but then pretends to have an efficient routing path toward the coordinator in order to attract more traffic flows. In this way, the attacker can modify or drop incoming packets. Moreover, if the malicious entity is directly connected to the Internet, all the ZigBee network is exposed to Internet attacks.

The sinkhole attack, however, requires that the malicious node is able to connect to the network and communicate with the other nodes. The ghost attack presented in [66], instead, does not require any knowledge of the communication keys. Its aim is to drain the ZigBee node energy, increasing the success probability of other DoS attacks. The strategy consists in injecting fake messages with increasing frame counters into the network, impersonating one legitimate node. At the receiver side, if the fake message counter is larger than that stored for the sending node, the counter is updated and the message is accepted and processed. Even if the message will be dropped during the integrity check, the node consumes some energy for the processing. The attack will also inflate the frame counter at the receiver, possibly creating a misalignment with the counter at the legitimate source, whose messages may be misinterpreted as duplicate and then disregarded.

Finally, KillerBee is a practical tool for hacking ZigBee devices [67]. The framework makes it possible to sniff and inject traffic in a ZigBee network as well as decode and manipulate packets. In [68], some attacks that exploit this tool, like replay attacks, are presented.

Other attack vectors are specific to ZLL installations. In 2012, LIFX and Philips presented their first smart lights solutions and, afterward, many other companies developed similar connected light systems. Many vendors, such as Philips, use the ZLL application profile. A general smart light system architecture is presented in Fig. 5.

Fig. 5. General architecture of a smart light system.

Based on several reports, however, many smart light systems implement only the essential security mechanisms required to obtain the ZigBee Alliance's certification [64]. At a first analysis, it may seem unnecessary to implement many security precautions in a light system, since it does not involve the transmission of confidential information, and can still be operated manually in case the network does not work properly. However, as explained above, attackers may use these devices to relay an attack to the rest of the home or corporate network, putting more critical devices at risk.

Morgner et al. [64] investigated the security level in three different ZigBee smart light systems, namely Osram Lightify, GE Link, and Philips Hue. The study evaluates vulnerabilities of both bulbs and interconnected devices, and reports
seven different types of attack. The attacks are based on the inter-PAN frames, which are used to transmit touchlink commissioning commands such as scan request and scan response. These frames are neither secured nor authenticated: a malicious entity can send the same commands pretending to belong to the network. The attacker can then do illicit operations, compromising the security of the network, as better explained next.
1) Active Device Scan: The scan searches for ZLL devices in the range of the attacker, sending scan requests on different channels. By listening to the corresponding scan responses, the attacker can obtain a complete overview of the devices connected to the network. The three analyzed systems exhibit different behaviors: a) all light bulbs and the controller from Lightify respond to the attacker's scan request; b) the GE Link controller does not respond; and c) the Hue controller responds only if its Touchlink commissioning button has been pushed within the last 30 s.
2) Blink Attack: This attack can be activated after a device scan by sending to the victim device the inter-PAN command identify request. In this way, the device starts to blink for a default period. The identify request command is implemented in all the three lightbulb systems to allow the user to visually identify which device has a certain network address. As a consequence, all the systems are vulnerable to the blink attack.
3) Reset Attack: The attacker performs a device scan and then resets them all to the factory state by sending the inter-PAN command reset to factory new request. All devices of the three lightbulb systems are vulnerable to this attack.
4) DoS Attack and Hijack Attack: In these attacks, the end user loses control of the victim device. Two strategies can be adopted for DoS attacks. The first consists of forcing the device to change the transmission channel, sending a network update request inter-PAN command including the new channel. As a second option, the attacker can cause the device to join a nonexisting network, changing its network key with arbitrary bytes. This is possible by sending the inter-PAN command network join end-device request: at the reception of the command, the device leaves its current network, changing its parameters according to the new configuration. The hijack attack works similarly to this second approach, with the difference that it forces the device to join an existing network chosen by the attacker. In this case, the network key of the desired network is used. All the evaluated smart light systems are vulnerable to DoS and hijack attacks. However, all of them integrate user functions to reobtain control over the attacked devices.
5) Network Key Extraction Attack: This attack makes it possible to find the current network key by eavesdropping the messages exchanged by the devices during the touchlink commissioning procedure. A preliminary DoS attack is needed to disconnect the device from the network. After that, the victim device will start a commissioning procedure in order to regain access to the network. Therefore, the attacker can extract the network key from the network join end-device request. In fact, as mentioned, the network key is encrypted using the well known master key. Only Philips Hue devices are vulnerable to this attack since the touchlink commissioning procedure is not enabled in the other devices.
6) Inject Commands Attack: This attack makes it possible to send commands to the devices in order to control their actions. The knowledge of the current network key is needed (e.g., via the execution of the previous attacks). All the analyzed smart light systems are vulnerable to this attack.

B. Bluetooth Low Energy

Description: Bluetooth is a widely used short range wireless communication protocol. Its low energy and IoT-tailored version, named BLE, has been first introduced in the Bluetooth core specification version 4.0 [69].

A BLE network is composed of two types of devices: masters and slaves. The masters act as initiators during the communication setup and the slaves associate to them [70]. The entities are connected in a star topology, where each slave is associated with a single master, as exemplified in Fig. 6.

BLE operates in the unlicensed 2.4 GHz ISM band and uses 40 channels with a 2 MHz spacing [70]. The physical layer data rate is 1 Mb/s and the coverage range is typically over various tens of meters. The BLE MAC layer is split into two parts: advertising and data communication. 37 of the available channels are used during the transmission of data and the remaining 3 are used by unconnected entities to broadcast device information and establish connections [71].

In the data communication phase, data is normally sent in bursts to save energy. In this way, slaves can remain in sleep mode for long periods, waking up periodically to listen to the channel for possible messages from the master. The master decides the rendezvous instants with the slaves, according to a time division multiple access (TDMA) scheme. Communication reliability is provided through a stop and wait (S&W) automatic packet retransmission mechanism, based on cumulative acknowledgments.

As depicted in Fig. 7, besides physical and MAC layers, the stack entails other protocols such as the logical link control and adaptation protocol (L2CAP), and the low energy attribute protocol (ATT).

BLE encryption and authentication processes are based on AES-CCM with 128 bit keys, as for ZigBee. The symmetric key for a master–slave link is generated during the pairing procedure, which is executed as follows.
1) The devices exchange their authentication capabilities and requirements. This phase is completely unencrypted.
2) The devices generate or exchange a temporary key (TK) using one of the available pairing methods. Then they exchange some values to confirm that the TK is the same for both devices. After that, a short term key (STK) is generated from the TK. The STK will be used to encrypt the data stream.


Fig. 6. BLE star topology: each slave is associated with a single master.

Fig. 7. BLE protocol stack. The technical specifications for BLE can be found in [69].

Finally, a bonding phase may optionally follow the pairing procedure: in this, the devices exchange and store common link keys (i.e., bonds) that can be reused when a link between the two devices is re-established at a later time.

The available pairing methods are the following three.
1) Just Works: The TK is set to 0. Of course, this does not provide any level of security.
2) Out of Band: The TK is exchanged out-of-band, e.g., using near field communication. This method provides a security level that is as high as that of the out-of-band method used to exchange the key. However, it can be inconvenient for the user.
3) Passkey: The TK is a six digit number that the user passes between the devices. For example, one of the devices generates the number and shows it on a display: the user must then input the same number to the other device. In this case, the security level is high, but the devices need to be equipped with user interfaces that make it possible to read and type-in the TK, which may be impractical for miniaturized IoT devices.

Starting from BLE version 4.2, a new pairing procedure has been put in place, using elliptic curve cryptography.
1) Each device generates an elliptic curve Diffie-Hellman (ECDH) public-private key pair. Then, they exchange the public key with each other and derive a key, called DHKey, from their own secret key and the public key of the other device, using elliptic curve functions.
2) The devices use one of the available pairing methods (see below) to confirm that DHKey is the same for both of them and to generate a long term key (LTK) that will be used to symmetrically encrypt the data stream.
3) Optionally, the devices can perform a final step, like that for BLE version 4.1.

The pairing methods have also been updated, with the introduction of a new option and the hardening of the methods in the previous version.
1) Just Works: The noninitiating device generates a nonce and a confirmation value $C_b$, function of the nonce and the public keys of the two devices. The $C_b$ and the nonce are then sent to the initiating device. The latter generates its own nonce and sends it to the noninitiating device. It also uses the noninitiating device's nonce and the public keys to check whether the received code $C_b$ is valid. Clearly, this does not provide any security, since an attacker may generate its own nonce and use the public keys to create a valid confirmation value.
2) Numeric Comparison: This method works like Just Works, but the devices also generate a value which is function of the public keys and the nonces. This value must be displayed to the user, who must manually confirm that the shown number is the same in both devices. This last step solves the issue with the previous method.
3) Out of Band: With this method, random numbers and commitment values, which are functions of the random numbers and public keys, are exchanged in an out-of-band fashion, e.g., using near field communication. Using this method, the security level achieved is equal to the integrity and secrecy of the out-of-band method of choice.
4) Passkey: In this method, the user first inputs a k bit long secret passkey to both devices (or reads it from one of the devices and inputs it to the other). Then, for each bit $i = 1, \ldots, k$ of the passkey, the devices must perform a two-step procedure: a) each device generates a nonce and computes a commitment value, which is function of the nonce, the passkey, and the public keys. Commitments and nonces are then exchanged between devices. b) after that, each device recalculates the commitments as before, but exchanging the order of the two public keys, and using the nonce of the other device. If the passkey is the same, the commitment value must be equal to that found before.

The use of elliptic curve cryptography, however, is not without drawbacks: based on the experimental results presented in [72], the energy consumed to perform a single ECDH-ECDSA key exchange is more than 6000 times larger than that required by symmetric encryption techniques (236 mJ versus 38 µJ).

Attack Surface: The pairing methods just described have some important security issues. In BLE 4.0 and 4.1, there is no protection against eavesdropping and man-in-the-middle attacks during the pairing phase, except for the out of band pairing. In fact, in the Just Works pairing method the key is known, while in the Passkey method the key is easily brute-forced. In some cases, brute-force is not even required [73]–[77]. BLE 4.2 is affected by similar problems, principally for the Passkey pairing, since the passkey is verified one bit at a time [77], [78]. When the attacker is interested in eavesdropping, it can try
to match the confirmation value considering the current bit $r_i$ of the key equal to 0. If the confirmation value does not match, then $r_i = 1$. When trying to directly connect to a device, instead, the attacker can consider $r_i = 0$. If the other device aborts the procedure, then $r_i = 1$. This procedure can be repeated for bit $i = 1, \ldots, k$, learning, therefore, the entire key.

Another issue is linked to the advertise mode of BLE devices. Das et al. [71] found that the analyzed fitness trackers are almost always in advertise mode. This is because the master device frequently disconnects from the tracker in order to preserve energy. Therefore, when the smartphone application for the fitness tracker is not running, the tracker closes its communication link, remaining in advertise mode until the next connection establishment. Also, most of the devices analyzed in [71] always expose the same MAC address. This makes it possible to capture exchanged messages and correlate over a long period of time the BLE traffic between a pair of devices. As an example, an attacker may be able to track the movements of the BLE device owner or even just verify its presence in an area. Furthermore, this attack may be used to track the user's activity: in fact, even though the packets are encrypted, the volume of data exchanged is a clear indicator of user's motions, as exemplified in Figs. 8 and 9. The figures show the difference between the BLE data traffic exchanged by a tracker and a smartphone for a resting and a running user. As a security feature, the BLE specifications allow a device to use random MAC addresses and to frequently change them. For example, the Apple Watch randomizes the MAC address both when it is rebooted and during normal usage at an approximately 10 min interval [79].

Fig. 8. Data rate [bps] versus time: Resting user [71].

Fig. 9. Data rate [bps] versus time: Running user [71].

Arias et al. [80] described another type of attack that could be conducted against wearable fitness devices. This is based on firmware hacking, which is possible only if the attacker has physical access to the device. The device considered, a Nike+ Fuelband, contains a standard USB connector used for charging and synchronizing with the computer. This connector is also used by the manufacturer to write the firmware into the device memory. Using the same USB port, it is possible to send commands to the STM32 microcontroller in the device, enabling unrestricted read and write operations into the memory. Therefore, it is possible to flash a tampered firmware version and disable all protection mechanisms. The possible consequences of a firmware attack like this could range from the possibility of a back-door injection, in order to leak user information or credentials, to the installation of rogue services allowing for full remote control of the device by the attacker.

Furthermore, the analysis in [79] shows that, in most cases, fitness tracking applications transmit every logged event over the Internet, and in some cases, it is even unclear why such transmissions are occurring. This allows an attacker to perform data analysis on the amount of exchanged data. On top of that, the authors found that Garmin devices do not use an encrypted protocol to transmit data between the mobile device and the Garmin servers, except during the account creation phase. By exploiting this vulnerability, a man-in-the-middle attack is able to capture e-mail addresses and session identifiers, which are transmitted in clear-text. A similar result is presented in [81], using FitBit devices: in this case, login credentials are forwarded in clear-text in an HTTP POST request.

At DEF CON 2016, researchers presented several security vulnerabilities of a large number of door lock and padlock devices that use BLE to communicate with the user's smartphone [82], [83]. They found that the passwords of devices like Quicklock Door lock, Quicklock Padlock, and iBluLock Padlock are transmitted in clear text and hence can be easily eavesdropped. Other devices use passwords composed by a small number of characters, making brute force attacks feasible. The Ceomate Bluetooth Smart Door lock and other devices are vulnerable to replay attacks due to the bad implementation of the encryption mechanisms. The Okidokey Smart Door lock can be opened by just changing the value of one byte that brings the door lock in an error state, forcing it to open. The Mesh Motion Bitlock Padlock is vulnerable to man-in-the-middle attack: the attacker is able to impersonate the lock to steal the password sent by the user's smartphone. The vulnerabilities of the August door lock are investigated in [84] and [85]. However, August seems to be very proactive to fix the discovered issues: when in 2015 the hard-coded encryption key was revealed, the code was patched in 24 h [86].

Finally, as for ZigBee, attack software can also be found for BLE. For example, GATTack makes it possible to break different aspects of the BLE security [87].

C. 6LoWPAN and CoAP

Description: 6LoWPAN and CoAP are two IETF protocols that can be implemented in IoT devices to ease their interaction with standard IP-based systems. As illustrated in Fig. 10, 6LoWPAN is an IPv6 adaptation protocol for resource-constrained devices that communicate over low power and
lossy links, such as IEEE 802.15.4 [88], [89]. 6LoWPAN makes use of compression and fragmentation mechanisms to reduce the size of the IP datagrams and remove most of redundant fields. CoAP, instead, is a RESTful protocol at the Application Layer, laying on top of the UDP transport protocol. It has been designed to be easily mapped into HTTP via proxies, to support retransmissions, sleepy devices, and resource discovery. The use of UDP makes it possible to avoid the support of the rather sophisticated connection-control mechanisms of TCP, but on the other hand requires to account for out-of-order message delivery and lost packets.

Fig. 10. 6LoWPAN protocol stacks, as specified in [88].

At the PHY and MAC layers, networks employing 6LoWPAN and CoAP typically rely on protocols from the IEEE 802.15.4 family. Instead, the routing within the IoT network is usually based on the IPv6 routing protocol for low-power and lossy networks (RPL), defined in RFC 6550 [90]. RPL has been mainly designed for multipoint to point communications, such as those in wireless sensor networks. However, it also supports point to multipoint (sink broadcast) and point-to-point (leaf nodes communicating with each other). RPL builds a directed acyclic graph (DAG) based on a root node called Low power and lossy border router (LBR), usually being the device responsible for the management of a group of nodes and representing the border between two networks. From the DAG, RPL creates a destination oriented directed acyclic graph (DODAG) tree, exemplified in Fig. 11. The DODAG contains only one root and is loop free. Starting from the DODAG root, devices broadcast their DODAG information objective (DIO) message, which contains device and link metrics. The global repair and local repair mechanisms are used in case of a broken link: the first recalculates the whole topology, while the second operates locally, by informing all the children of a node that they need to update their parent.

Fig. 11. DODAG tree built for 6LoWPAN routing.

Attack Surface: A hypothetical attacker can target the RPL or operate at the adaptation layer, based on the level of control over the network that it wants to achieve.

a) Attacks against RPL: Many of the attacks on 6LoWPAN focus on redirecting traffic and disrupting the routing tree. In the following we report some examples of such attacks [91]–[93].
1) Clone ID and Sybil Attacks: In the clone ID attack, the malicious node clones the identity of another node. In the Sybil attack, the attacker uses the identity of several entities at the same time. In this way, the malicious entity can access and redirect a large amount of network traffic. These types of attack can be detected by keeping track of the number of instances of each identity or by monitoring the geographical location of the devices.
2) Sinkhole Attack: This is the same type of attack described for ZigBee: the malicious node declares to the sink very efficient routing paths toward the other nodes, gaining control over a large part of the traffic flows.
3) Selective Forwarding and Black Hole Attacks: These attacks take place when a node of the network, that is supposed to forward the packets along the correct routing path, discards some of the traffic (selective forwarding), or all the traffic (black hole), that passes through it. Possible solutions may be the creation of disjoint or dynamic paths inside the DAG.
4) Hello Flooding Attack: The Hello message is used by a node in a 6LoWPAN network to announce its presence. If a node receives a Hello message, it assumes that the sender node is in its neighborhood, and can thus be directly reachable. An attacker can exploit this mechanism by broadcasting Hello messages using a transmission power larger than that permitted. In this way, a substantial number of nodes consider the attacker as a neighbor. However, when one of them tries to use the new link, the sent packets will be lost, since the legacy transmit power level is not sufficient to guarantee good communication. This type of attack can be avoided using link layer acknowledgments to check the message reception.

Contrary to the previous ones, the following attacks rely on the exploitation of the RPL service messages [91]–[93].
1) Local Repair Attack: The malicious node continuously sends local repair messages. This forces repeated updates of the network topology, even if there is no connectivity problem. These operations are costly both in terms of computational resources and energy, causing service degradation and early energy depletion for battery operated devices.

2) Version Number Attack: The version number is a field of DIO messages that is incremented at each rebuilding of the DODAG. The malicious transmission of DIO messages with a higher version number may force the whole DODAG to be unnecessarily rebuilt. Again, this causes service degradation and energy depletion.

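The detection ideas mentioned for the RPL attacks above (counting the instances of each identity, watching device locations, and monitoring the RPL service messages) can be expressed as a monitor running on the border router. This is an added example, not code from the article or from the works it cites; the event format, the location cells, the thresholds, and the node names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

ROOT_ID = "lbr"          # hypothetical identity of the DODAG root (border router)
REPAIR_WINDOW_S = 60     # assumed sliding window for counting local repairs
REPAIR_LIMIT = 3         # assumed maximum local repairs per node per window

# Constructed sample events, in the form a border-router monitor might log them:
# (time_s, kind, node_id, location_cell, dodag_version)
EVENTS = [
    (0,  "DIO",          "lbr", "A1", 7),
    (2,  "DIO",          "n1",  "B2", 7),
    (5,  "DIO",          "n2",  "C3", 7),
    (9,  "DIO",          "n1",  "F9", 7),   # n1 also heard in a distant cell
    (12, "DIO",          "n3",  "D4", 7),
    (13, "DIO",          "n4",  "D4", 7),   # second identity from the same cell
    (20, "LOCAL_REPAIR", "n2",  "C3", 7),
    (25, "LOCAL_REPAIR", "n2",  "C3", 7),
    (31, "LOCAL_REPAIR", "n2",  "C3", 7),
    (38, "LOCAL_REPAIR", "n2",  "C3", 7),   # fourth repair within 60 s
    (50, "DIO",          "n5",  "E5", 8),   # version ahead of the root's
    (90, "DIO",          "lbr", "A1", 8),   # legitimate rebuild issued by the root
    (95, "DIO",          "n5",  "E5", 8),   # now consistent with the root
]


def detect(events, root_id=ROOT_ID):
    """Return (time_s, alert, node_id) tuples in the order they are raised."""
    alerts = []
    root_version = None
    cells_of_id = defaultdict(set)   # identity -> cells where it was heard
    ids_in_cell = defaultdict(set)   # cell -> identities heard from it
    repairs = defaultdict(deque)     # node -> recent local repair timestamps

    for t, kind, node, cell, version in events:
        # Clone ID: one identity with more than one instance (assumes
        # stationary nodes, so a second location means a second device).
        if cell not in cells_of_id[node]:
            cells_of_id[node].add(cell)
            if len(cells_of_id[node]) > 1:
                alerts.append((t, "CLONE_ID", node))
        # Sybil: one physical position presenting several identities.
        if node not in ids_in_cell[cell]:
            ids_in_cell[cell].add(node)
            if len(ids_in_cell[cell]) > 1:
                alerts.append((t, "SYBIL", node))

        if kind == "DIO":
            # Only the root starts a new DODAG version, so a higher number
            # from any other node is suspicious. Plain integer comparison is
            # a simplification of the wrap-around counter used by RPL.
            if node == root_id:
                root_version = version
            elif root_version is not None and version > root_version:
                alerts.append((t, "VERSION_AHEAD_OF_ROOT", node))
        elif kind == "LOCAL_REPAIR":
            # Local repair flooding: too many repairs from one node in a window.
            recent = repairs[node]
            recent.append(t)
            while recent and t - recent[0] > REPAIR_WINDOW_S:
                recent.popleft()
            if len(recent) > REPAIR_LIMIT:
                alerts.append((t, "LOCAL_REPAIR_FLOOD", node))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
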
b) Attacks from the Internet side: Neither 6LoWPAN nor CoAP provides secrecy, authentication, or integrity protection. Therefore, the use of 6LoWPAN and CoAP without additional security measures makes the devices fully accessible from the Internet. A proposal has been made to extend CoAP in order to provide built-in security, but it has not yet been included in the standard [94]. The CoAP specifications, instead, suggest the use of datagram TLS (DTLS) to provide secrecy, authentication, and integrity protection [35], [95]. Alternatively, IPsec [96] can be used to provide authentication and encryption at the IP level.

If no encryption and authentication mechanisms are used, an attacker could easily gain access to the IoT network and eavesdrop on sensitive information from the data flow. Additionally, the attacker may gain control of the sensor nodes, e.g., to create a bot-net [97]. As an example, Hernandez et al. [98] presented a modification of the Nest thermostat firmware to use it as part of a bot-net. The bot-nets may then be used to launch DoS attacks to other targets. This kind of attack can be detected through an analysis of the node traffic: in fact, nodes in a bot-net usually transmit more data than clean devices, in order to maintain the bot-net.

c) Attacks at the adaptation layer: The forwarding of packets between the public Internet and the 6LoWPAN network is implemented at the border router. The lack of authentication and the limited computational resources of the devices that perform the adaptation make this mechanism vulnerable to attacks. Two attacks that can be performed at this level, fragment duplication and buffer reservation, are presented in [99]. The fragment duplication attack relies on the fact that a node cannot verify at the 6LoWPAN layer if a received fragment belongs to the same IPv6 packet of the previous ones, since this control is performed at higher layers. If a malicious node injects fragments with the same header of the legitimate 6LoWPAN packet, the target node cannot distinguish between them and the legitimate ones. Therefore, it cannot decide which fragments have to be used during the packet reassembly procedure. This causes the reconstruction of a corrupted IPv6 packet, which is consequently dropped.

The buffer reservation attack leverages the limited memory of the network nodes. In the 6LoWPAN network, receiving nodes must reserve buffer space to reassemble the fragments that belong to the same IPv6 packet. When the reassembly buffer is assigned to one IPv6 packet, received fragments of other IPv6 packets are dropped. Since buffer space reservation is kept for 60 s, if an arbitrary fragment is transmitted by the attacker to the target node, the latter will not be able to receive further fragmented packets in the following minute. Consecutive repetitions of this attack cause a long term DoS to the targeted device, while employing just a small amount of the malicious node resources.

Fig. 12. Protocol stacks of LoRaWAN end-devices, gateway, and network server. The document in [100] provides the specifications for LoRaWAN.

In order to protect 6LoWPAN networks from attackers, intrusion detection systems specifically tailored to IoT networks have been studied [91]–[93]. An intrusion detection system monitors the network parameters and can identify signs of intrusions or attacks. Intrusion detection systems for 6LoWPAN networks are optimized to save the largest amount of network resources. Due to the vast attack surface, intrusion detection systems should operate at the adaptation, RPL, and application layers. Therefore, a hybrid architecture is needed, in which a centralized module, installed on the border router, cooperates with distributed modules installed on internal nodes.

D. LoRaWAN

Description: LoRaWAN, introduced in 2015 by the LoRa Alliance [100], is a link layer protocol that sits on top of the LoRa physical layer. The protocol stack is shown in Fig. 12. As for the previous protocols, LoRaWAN is optimized for battery-powered end-devices. LoRaWAN has a star-of-stars topology that includes end-devices, gateways, and network server, as exemplified in Fig. 13.

In a LoRaWAN network, the end-devices communicate via single-hop links to one or more gateways, which are themselves connected to a single network server via legacy IP technologies. LoRa communication uses channels in the 868/900 MHz ISM band. The data rate ranges from 0.3 Kb/s to 50 Kb/s with a communication range of many kilometers. The communication is bidirectional and is always initiated by the end-device. After each uplink transmission, the end-device opens two downlink windows in different sub-bands to receive data from the network server. The protocol used to access the channel is ALOHA [101], [102].

LoRa end-devices can belong to three different classes, namely A, B, and C, which are associated with different operation modes. The operation mode of class A, described above, has to be implemented by all LoRaWAN devices. Classes B and C, instead, offer some additional features. Class B devices can open extra receive windows at scheduled times to enable the reception of unsolicited messages from the network server. Class C devices, instead, are expected to be connected to the power grid and, then, can keep the receive window always open.

The commissioning procedure by which a device can join a LoRaWAN network is named over the air activation (OTAA). This procedure relies on some information stored on the device: the end-device identifier (DevEUI), the application identifier (AppEUI), and the application key (AppKey). The
first two are unique global identifiers for the end-device and the application provider, respectively. Instead, the AppKey is an AES-128 key assigned by the application owner and is specific to the end-device. The uniqueness of the key is needed to ensure security: if the key is shared between devices, traffic eavesdropping becomes possible. The join procedure is initiated by the end-device by sending a join request, including the DevEUI and AppEUI. If the device is allowed to join the network, the network server replies with a join accept message. The message includes the network identifier (NetID), the application nonce (AppNonce), and the end-device address (DevAddr). The NetID and DevAddr are 32 bits long: the first uniquely identifies the network, while the second identifies the end-device within the network. The AppNonce is used by the end-device to derive the network session key (NwkSKey) and the application session key (AppSKey), which are specific for each end-device. The latter and the network server use the session keys to encrypt and decrypt the payload of the messages. Specifically, NwkSKey is used for MAC commands, while AppSKey is employed for application specific messages. These keys are also used to verify the MIC, to guarantee data integrity. In fact, the MIC is a 4-byte tag, obtained by encrypting the message with NwkSKey using AES-128.

Fig. 13. LoRaWAN star-of-stars topology.

Once the end-device has joined the LoRaWAN network, all future messages are encrypted using a combination of NwkSKey and AppSKey. The payload encryption is performed using AES-128, and is based on the following procedure. First, a number of 16-byte information blocks {A_i} are created. Each block contains the DevAddr, two frame counters, and a byte indicating the stream direction. Each block A_i is then encrypted to obtain the corresponding S_i block using the NwkSKey, if the payload to be encrypted consists only of MAC management commands, and the AppSKey otherwise. The payload is finally encrypted by the XOR operation between the message itself and the sequence of blocks S_i [100].

Attack Surface: The first weakness of the LoRaWAN protocol is related to key management [103]. AppKey, NwkSKey, and AppSKey are all stored in the end-devices. Therefore, using a side channel analysis attack it can be possible to recover the keys exploiting the variations in power consumption or electromagnetic emissions from the transceiver during the encryption. This is eased by the fact that LoRaWAN devices are expected to work in an unattended fashion and in remote locations, and hence surreptitious physical access to the device is possible. NwkSKeys and AppSKeys are stored also in the network server that generated them. Violation of the network server by other means, e.g., by attacking a nonsecure service running on the same computer, may give access to the LoRaWAN network and applications.

Furthermore, because of the way the protocol is designed, nodes must share the same NwkSKey and AppSKey if they need to support multicast messages. In this case, discovering the keys from just one node will give access to all the other communications. To overcome this problem, the nodes need to be able to differentiate between multicast and unicast communications. In the first case, they should use the common key, while the unique NwkSKeys and AppSKeys should be preferred for unicast communications. In this way, if the attacker corrupts the multicast key, only multicast messages would be insecure.

An attacker may also focus on the link between the gateway and the network server. Even if, in principle, any legacy IP protocol can be used for such a connection, in practice many deployments rely on the protocol provided by Semtech, which is based on plain unprotected UDP. Therefore, while the LoRaWAN packets payload is encrypted, it is still possible to disrupt the network services by forging or modifying network management packets.

Class B networks introduce additional threats because of beacons and multicast messages [103]. Beacon messages are not encrypted: they represent a source of information about the network and provide a way to inject malicious data into it. In fact, beacons can also be generated by an attacker, and, since a node cannot distinguish between malicious and genuine beacon messages, the network operations could be easily disrupted.

V. EXAMPLES OF IMPLEMENTATIONS IN COMMERCIAL DEVICES

In general, IoT devices include at least two microcontrollers: one responsible for the management and processing of the data and the other for connectivity. In the remainder of this section we investigate the characteristics of the processors in charge of the connectivity aspects, with a particular focus on their security features.

Most of the considered devices use ARM microcontrollers of the Cortex-M series. Especially, the M0, M0+, and M23 microcontrollers are designed for applications that require minimal costs, power, and size. Because of these characteristics, they are the most adopted in embedded applications. Instead, the M3 and M4 models offer a balance between performance and energy efficiency. Lastly, the M7 is the most powerful controller, designed for high performance embedded applications [104]. Fig. 14 reports the relative performance of different Cortex-M designs with respect to the Cortex M0.

Differently from the more powerful Cortex-A and Cortex-R processors, the Cortex-M series is provided only with a Memory Protection Unit, which is a trimmed down version of the Memory Management Unit: it only provides memory protection, instead of providing full virtual memory management. Also, the Cortex-M microcontrollers are equipped with
less RAM and flash memory with respect to microcontrollers from the other two classes [42].

Fig. 14. Arm Cortex-M series [105].

Fig. 15. Performance comparison of elliptic curve cryptography using the NIST secp256r1 curve in different microcontrollers [106].

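The LoRaWAN payload encryption procedure described in Section IV-D (blocks A_i encrypted into S_i, which are then XORed with the message) is written out below as an added example; it is not code from the article or from the LoRa Alliance. The byte layout of A_i and the use of FPort 0 to mark MAC-only payloads are assumptions taken from the LoRaWAN 1.0.x specification cited as [100], the keys and the address are constructed, and AES-128 is implemented in software here only so that the block is self-contained.

```python
def _xtime(a):
    """Multiply by x in GF(2^8), reduced by the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def _build_sbox():
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):                  # successive powers of generator 0x03
        exp[i], log[x] = x, i
        x ^= _xtime(x)
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for n in range(1, 5):             # affine map: XOR of four rotations
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _round_keys(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                    # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; state byte (row r, column c) is at 4*c + r."""
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                       # SubBytes
        s = [s[4 * ((c + r) % 4) + r]                  # ShiftRows
             for c in range(4) for r in range(4)]
        if rnd != 10:                                  # MixColumns
            s = [_xtime(s[4 * c + r])
                 ^ _xtime(s[4 * c + (r + 1) % 4]) ^ s[4 * c + (r + 1) % 4]
                 ^ s[4 * c + (r + 2) % 4] ^ s[4 * c + (r + 3) % 4]
                 for c in range(4) for r in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]        # AddRoundKey
    return bytes(s)


def lorawan_crypt(payload, fport, dev_addr, fcnt, uplink, nwk_skey, app_skey):
    """Encrypt or decrypt a frame payload (XOR makes both the same operation)."""
    # MAC-only payloads (FPort 0, assumed from the spec) use NwkSKey.
    key = nwk_skey if fport == 0 else app_skey
    direction = 0 if uplink else 1
    out = bytearray()
    for i in range(0, len(payload), 16):
        # A_i = 0x01 | 4 x 0x00 | Dir | DevAddr | FCnt | 0x00 | block index from 1
        a_i = (bytes([0x01, 0, 0, 0, 0, direction])
               + dev_addr.to_bytes(4, "little")
               + fcnt.to_bytes(4, "little")
               + bytes([0x00, i // 16 + 1]))
        s_i = aes128_encrypt_block(key, a_i)
        out += bytes(p ^ s for p, s in zip(payload[i:i + 16], s_i))
    return bytes(out)


# Constructed demo values (not real keys or addresses).
NWK_SKEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
APP_SKEY = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
DEV_ADDR = 0x01020304
MESSAGE = b"temperature=21.5C;humidity=40%"   # spans two 16-byte blocks


def demo():
    """Encrypt an application uplink with frame counter 10, then decrypt it."""
    ct = lorawan_crypt(MESSAGE, 1, DEV_ADDR, 10, True, NWK_SKEY, APP_SKEY)
    pt = lorawan_crypt(ct, 1, DEV_ADDR, 10, True, NWK_SKEY, APP_SKEY)
    return ct, pt


if __name__ == "__main__":
    ciphertext, plaintext = demo()
    print(ciphertext.hex(), plaintext)
```
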
Microcontrollers from the Cortex-M family do not integrate any hardware pseudorandom number generator, nor any module supporting cryptographic algorithms such as AES. Therefore, support for cryptographic algorithms is implemented via software or by dedicated co-processors, which is the most common solution in commercial devices.

For what concerns software cryptographic routines, performance can vary widely between different microcontrollers, even within the same family. In this regard, Tschofenig and Pegourie-Gonnard from ARM have collected performance figures of different cryptographic algorithms implemented in software in the M0/M0+ and M3/M4 microprocessors [42], [106]. The algorithms taken into account are ECC, SHA, and AES. Tests were performed on two different development boards: the NXP LPC1768 and the Freescale FRDM-KL25Z. The former embeds an ARM Cortex-M3 CPU at 96 MHz, 512 KB flash memory and 32 KB RAM. The latter is controlled by an ARM Cortex-M0+ CPU at 48 MHz, 128 KB flash memory and 16 KB RAM.¹ The authors exploit different NIST secp*r1 elliptic curves used in cryptography and show performance results using different optimization settings. Fig. 15 reports the results for the two development boards: in particular, the performance of different phases of elliptic curve cryptography algorithms is compared when using the NIST secp256r1 curve. Both CPU speed and RAM usage have a significant impact on performance. Therefore, it is crucial to reach the optimal tradeoff between RAM usage and performance. Tschofenig and Pegourie-Gonnard state that, usually, the increased performance is worth the additional RAM usage.

¹ The considered boards have no hardware pseudorandom number generator, which means that the low entropy of the generated numbers would not be suitable for real world deployments. This, however, does not affect the speed of the considered cryptographic functions, therefore the results are still significant.

A. ZigBee Implementations

As introduced in Section IV-A, different smart light systems adopt the ZigBee protocol. The Philips HUE system is one of them and presents multiple hardware implementations (Table I). Most of the light bulbs available on the market embed the wireless module ATMEL SAMR21, which has two components: 1) the ATMEL SAMD21 core (based on the ARM Cortex M0+ architecture) and 2) the AT86RF233 radio transceiver, which supports both ZigBee and 6LoWPAN protocols. The ARM Cortex M0+ microcontroller does not implement any hardware cryptographic routine, since it lacks a hardware pseudorandom number generator. To overcome this problem, the AT86RF233 incorporates a two-bit random generator where the source of randomness is given by the noise observations [107], [108]. The generated random number can be used for the creation of a random seed for the AES key generation. In addition, a dedicated hardware module is included to perform the AES-128 encryption procedure. To use this module, a 128-bit nonmodifiable initial key needs to be preinstalled in the device. The source of entropy is updated every 1 µs. Other Philips HUE products (e.g., the Philips Go) embed a different 8-bit microcontroller, the ATMEL M2564RFR2, which still uses the just described mechanism as the entropy source. The HUE Bridge, another product in the Philips HUE line, embeds the Texas Instruments CC2530 microcontroller, which integrates an Intel 8051 microprocessor and a co-processor for AES encryption and decryption. Pseudorandom numbers are generated using a 16-bit linear feedback shift register, which can be seeded with random data from the noise in the radio analog-to-digital-converter [109].

The Nest Protect smoke alarm and the Nest thermostat also use ZigBee for communications. They adopt the EM357 system-on-a-chip (SoC) from Silicon Labs, which is based on the 32-bit ARM Cortex-M3 and includes an IEEE 802.15.4 radio transceiver [110]. The SoC is provided with additional hardware to perform AES encryption: the AES CCM, CBC-MAC, and CTR modes are implemented in hardware. The 16-bit seed is generated from the analog circuitry thermal noise.

B. BLE Implementations

As mentioned in Section IV-B1, most of the considered fitness bands embed microprocessors from the ARM Cortex M
family. For what concerns the BLE connectivity module, as shown in Table II, both the popular FitBit Flex 2 and FitBit Charge HR use the nRF8001 by Nordic Semiconductor for the BLE connectivity [111]. The latter works together with the Texas Instruments CC2540 microcontroller, which provides an AES security co-processor for encryption and decryption purposes [112]. A different design choice has been taken for the newer FitBit Charge 2, which uses the BlueNRG SoC by STMicroelectronics. This SoC includes an ARM Cortex M0 microcontroller, which embeds an AES security co-processor, and a separate Bluetooth module [113].

TABLE I
SOME ZLL PRODUCTS

TABLE II
SOME BLE PRODUCTS

The Nike+ Fuelband uses two different modules: the CC2564B BLE radio interface and the 16-bit MSP430F5 MCU, both from Texas Instruments [114]. The first of these modules has a 128-bit hardware encryption accelerator that, however, only supports the version 4.0 security features. The more recent Nike+ Fuelband SE uses the Qualcomm Bluetooth Smart IC CSR1010A, which has a dedicated module for AES encryption, but is limited to the BLE 4.1 specification too [115].

C. Devices With 6LoWPAN Stack

The Lifx Color 1000 light bulb system implements the 6LoWPAN protocol, and uses the Texas Instruments SoC CC2538 [116]. This SoC is based on the ARM Cortex M3 and implements AES in hardware. For 6LoWPAN applications, the ATMEL SAMR21, already discussed in Section V-A, can also be used. Another solution with AES hardware implementation is the LTC5800-IPM by Linear Technology, which is based on the ARM Cortex M3 [117].

D. LoRa Devices

LoRa development boards use the STM32L052T8Y6 MCU coupled with the Semtech SX1272 radio transceiver [118]. The MCU is based on a Cortex M0+ microprocessor. Differently from the previous protocols, not many consumer-level IoT products that implement LoRaWAN are available. In fact, LoRaWAN is more commonly used in sensor networks to collect data from large areas: the products using this protocol are heavily customized for each application.

VI. FINAL REMARKS

Given the widespread adoption of IoT solutions for sensor networks, domotics, and health applications, providing secure communications in IoT networks is of paramount importance. In this scenario, the end user is often unaware of the security issues related to the devices which are part of her/his everyday life. For example, without protections against eavesdropping, IoT wireless networks can expose sensitive personal information. Also, without authentication, malicious attackers can masquerade as legitimate devices and disrupt IoT network operations. In addition to the issues related to the protocol and network security design, the reduced computational capabilities and the need for low energy consumption limit the cryptographic functionalities that can be installed in IoT devices.

As we have discussed in this article, in ZigBee and BLE implementations, ease-of-use is favored over strong security. This is because of the supposedly noncritical applications they usually support, underestimating the risk that such technologies can be exploited to enter more critical systems, for example when a dual-stack device is attached to both a critical and noncritical system.

6LoWPAN and LoRaWAN adopt two complementary security strategies. Since LoRaWAN can be used, for very simple applications, without any transport and application layers, the protocol has been designed with strong security in mind and mandatory packet encryption and authentication. The designers of 6LoWPAN and CoAP, instead, decided to delegate the security aspects to other layers and hardened only the aspects strictly connected to the protocol operation (e.g., routing and fragmentation). This allows, for example, the use of CoAP over LoRaWAN, without incurring the cost for encryption and key exchanges at multiple levels.

Additional security extensions to existing standards have been proposed in the literature, but they have not been adopted by standardization entities and in commercial devices yet. For example, [72] proposes CryptoCoP, an encryption protocol for resource-constrained devices that supports energy-efficient symmetric key cryptography for BLE. Bonetto et al. [119] proposed another interesting solution to decentralize computationally intensive tasks of devices to a trusted and unconstrained node of the network; this node is then responsible for the calculation of the master session key on behalf of a group of constrained IoT devices. Zhou and Piramuthu [120] investigated some issues with security improvement proposals found in the literature for IoT devices, particularly for the Fitbit fitness trackers. In [121], an algorithm for IoT connection establishment and key exchange, between node and mediator, based on timestamps is proposed. The time-based secure key generation approach aims at efficiently managing and renewing the keys to provide a trustful connection, while guaranteeing the integrity of data transmitted over an insecure channel. Timestamps and nonces are also used to avoid attacks
based on packet fragmentation in 6LoWPAN, as explained in [122].

TABLE III
SUMMARY OF THE SECURITY GOALS, VULNERABILITIES AND MECHANISMS FOR THE ANALYZED TECHNOLOGIES

TABLE IV
SUMMARY OF THE CLASSES OF ATTACKS THAT HAVE BEEN IDENTIFIED AGAINST DEVICES IMPLEMENTING A SPECIFIC TECHNOLOGY. EMPTY CELL: NO ATTACK REPORTED IN THE LITERATURE. FULL CELL: AN ATTACK HAS BEEN REPORTED IN THE LITERATURE. THE TARGET OF THE ATTACK IS ENCODED IN THE CELL COLOR: RED FOR ATTACKS TO THE INFORMATION LEVEL, BLUE FOR THE ACCESS LEVEL, GREEN FOR THE FUNCTIONAL LEVEL

VII. OPEN CHALLENGES

Despite the many mechanisms proposed by security experts, the field of IoT cybersecurity still offers a number of open research challenges. Table III reports the security mechanisms that the different technologies implement to fulfill the requirements specified by the security goals at the information, access and functional levels. In the same table, the vulnerabilities that have been identified in the literature are summarized. These vulnerabilities allow a malicious entity to attack the IoT
devices and threaten the security goals. In Table IV, the attacks described in this article are grouped into five relevant classes and, for each of them, the technologies vulnerable to attacks of that type are highlighted. A blank cell means that, to the best of our knowledge, there are no works in the literature that study the vulnerability of that technology to that specific class of attacks.

From the table we can see that both ZigBee and 6LoWPAN suffer from attacks against the network communication protocols, as the routing information in the packets is not usually authenticated. Similarly, they are subject to energy or resource depletion attacks that force the nodes to process a large number of forged packets. Full header and control packets authentication would block many of such attacks and improve the functional level robustness of the network. The deployment of such comprehensive authentication procedures, however, is hindered by two factors. The first is linked to the lack of a widely accepted lightweight encryption algorithm that could be implemented in hardware, or be supported by the most common cryptographic libraries for embedded devices. The second relates to the supplementary information to be added to the packets for this additional authentication requirement, which would increase the already significant overhead incurred for short payload messages. Therefore, there is a need for strong authentication mechanisms that use a small amount of additional space in the packet, or for mechanisms using alternative types of information, e.g., acquired from the physical layers. Physical layer authentication is a possible solution, but its maturity level is still insufficient for its implementation in commercial products.

A second open challenge is related to the management of shared cryptographic keys, which is a common weakness of the different protocols (see Table IV). As mentioned in the protocol analysis, commissioning and configuration procedures often require a shared key among all the nodes in the network. The management of such a key, however, is a complex task, since a key update requires its secure and timely distribution over the whole network. Moreover, additional overhead is required to guarantee the consistency of the shared key among the devices. Since a shared key is more likely to be discovered by attackers, key rotation should happen quite frequently, further exacerbating the problems. To avoid such complexity in shared key management, a mechanism is needed to allow devices to create and update shared keys independently, for example by using information available to all devices but unknown to attackers.

As we have seen, the physical implementation of a given technology is as important as its theoretical design. For example, the use of microcontrollers with poor quality entropy sources may allow an attacker to extract the key used in the cryptographic routines. Also, devices that do not randomize identifiers transmitted in clear, like MAC addresses, can be exploited to attack the users’ privacy.

The European Union Agency for Network and Information Security, in [123], evaluates good practices to secure the life-cycle of IoT products and servers, looking at all the security aspects in this scenario. Security measures are categorized into the three phases of IoT devices life-cycle: starting from the development of the products to their usage, passing through their integration in smart networks.

While the amount of issues reviewed in this article is considerable, we believe that a more careful design of the devices and the networks will make IoT systems really secure and will enable their use also for critical applications.

REFERENCES

[1] A. Zanella, N. Bui, A. Castellani, L. Vangelista, and M. Zorzi, “Internet of Things for smart cities,” IEEE Internet Things J., vol. 1, no. 1, pp. 22–32, Feb. 2014.
[2] D. Evans, “The Internet of Things. How the next evolution of the Internet is changing everything,” San Jose, CA, USA, Cisco Internet Bus. Solutions Group, White Paper, Apr. 2011. Accessed: Jun. 2019. [Online]. Available: https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
[3] H. Almuhimedi et al., “Your location has been shared 5,398 times! A field study on mobile app privacy nudging,” in Proc. 33rd Annu. ACM Conf. Human Factors Comput. Syst., 2015, pp. 787–796.
[4] S. Misbahuddin, J. A. Zubairi, A. Saggaf, J. Basuni, S. A-Wadany, and A. Al-Sofi, “IoT based dynamic road traffic management for smart cities,” in Proc. 12th Int. Conf. High Capacity Opt. Netw. Enabling Emerg. Technol., Dec. 2015, pp. 1–5.
[5] M. R. Warner, “Internet of Things cybersecurity improvement act of 2017,” in Proc. 115th U.S. Congr., Sep. 2017, p. 1691.
[6] J. Granjal, E. Monteiro, and J. S. Silva, “Security for the Internet of Things: A survey of existing protocols and open research issues,” IEEE Commun. Surveys Tuts., vol. 17, no. 3, pp. 1294–1312, 3rd Quart., 2015.
[7] M. M. Hossain, M. Fotouhi, and R. Hasan, “Towards an analysis of security issues, challenges, and open problems in the Internet of Things,” in Proc. IEEE World Congr. Services, Jun. 2015, pp. 21–28.
[8] Y. B. Saied, “Collaborative security for the Internet of Things,” Ph.D. dissertation, Institut National des Télécommun., Évry, France, Jun. 2013.
[9] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,” Computer, vol. 50, no. 7, pp. 80–84, Jul. 2017.
[10] T. Xu, J. B. Wendt, and M. Potkonjak, “Security of IoT systems: Design challenges and opportunities,” in Proc. IEEE/ACM Int. Conf. Comput.-Aided Design, San Jose, CA, USA, Nov. 2014, pp. 417–423.
[11] K. Zhao and L. Ge, “A survey on the Internet of Things security,” in Proc. 9th Int. Conf. Comput. Intell. Security, Dec. 2013, pp. 663–667.
[12] Z. Yan, P. Zhang, and A. V. Vasilakos, “A survey on trust management for Internet of Things,” J. Netw. Comput. Appl., vol. 42, pp. 120–134, Jun. 2014.
[13] M. Ammar, G. Russello, and B. Crispo, “Internet of Things: A survey on the security of IoT frameworks,” J. Inf. Security Appl., vol. 38, pp. 8–27, Feb. 2018.
[14] M. Frustaci, P. Pace, G. Aloi, and G. Fortino, “Evaluating critical security issues of the IoT world: Present and future challenges,” IEEE Internet Things J., vol. 5, no. 4, pp. 2483–2495, Aug. 2018.
[15] W. Zhou, Y. Jia, A. Peng, Y. Zhang, and P. Liu, “The effect of IoT new features on security and privacy: New threats, existing solutions, and challenges yet to be solved,” IEEE Internet Things J., vol. 6, no. 2, pp. 1606–1616, Apr. 2019.
[16] Marketwired. (Jan. 2014). Proofpoint Uncovers Internet of Things Cyberattack. Accessed: Jun. 2019. [Online]. Available: https://www.proofpoint.com/us/proofpoint-uncovers-internet-things-iot-cyberattack
[17] P. Fremantle and P. Scott, “A survey of secure middleware for the Internet of Things,” Peer J. Comput. Sci., vol. 3, p. e114, May 2017.
[18] R. H. Weber, “Internet of Things—New security and privacy challenges,” Comput. Law Security Rev., vol. 26, no. 1, pp. 23–30, Jan. 2010.
[19] S. Sicari, A. Rizzardi, L. Grieco, and A. Coen-Porisini, “Security, privacy and trust in Internet of Things: The road ahead,” Comput. Netw., vol. 76, pp. 146–164, Jan. 2015.
[20] C. Pielli, D. Zucchetto, A. Zanella, L. Vangelista, and M. Zorzi, “Platforms and protocols for the Internet of Things,” EAI Endorsed Trans. Internet Things, vol. 15, no. 1, p. e5, Oct. 2015.
[21] A. Singh, N. Chawla, J. H. Ko, M. Kar, and S. Mukhopadhyay, “Energy efficient and side-channel secure cryptographic hardware for IoT-edge nodes,” IEEE Internet Things J., vol. 6, no. 1, pp. 421–434, Feb. 2019.

[22] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proc. Annu. Int. Cryptol. Conf., 1999, pp. 388–397.
[23] A. Mosenia and N. K. Jha, “A comprehensive study of security of Internet of Things,” IEEE Trans. Emerg. Topics Comput., vol. 5, no. 4, pp. 586–602, Oct./Dec. 2017.
[24] E. Ronen and A. Shamir, “Extended functionality attacks on IoT devices: The case of smart lights,” in Proc. IEEE Eur. Symp. Security Privacy, Mar. 2016, pp. 3–12.
[25] W. Stallings, Cryptography and Network Security Principle and Practice, 6th ed. Upper Saddle River, NJ, USA: Pearson, 2014.
[26] M. Dworkin, “Recommendation for block cipher modes of operation—Methods and techniques,” document SP800-38A, NIST, Gaithersburg, MD, USA, Nat. Inst. Stand. Technol., Dec. 2001.
[27] Specification for the Advanced Encryption Standard (AES), NIST Standard FIPS 197, Nov. 2001.
[28] R. L. Rivest, A. Shamir, and L. M. Adleman, “Cryptographic communications system and method,” U.S. Patent US4 405 829 A, Sep. 20, 1983.
[29] R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory,” Deep Space Netw. Progr. Rep., vol. 44, pp. 114–116, Jan. 1978.
[30] T. Elgamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469–472, Jul. 1985.
[31] Information Technology—Security Techniques—Message Authentication Codes—Part 1: Mechanisms Using a Block Cipher, ISO/IEC Standard 9797-1:2011, Mar. 2011.
[32] E. Barker, Digital Signature Standard (DSS), NIST Standard FIPS 186-1, Dec. 1998.
[33] R. C. Merkle, “A certified digital signature,” in Proc. Conf. Theory Appl. Cryptol., vol. 435, Jul. 1989, pp. 218–238.
[34] I. B. Damgård, “A design principle for hash functions,” in Proc. Conf. Theory Appl. Cryptol., vol. 435, Jul. 1989, pp. 416–427.
[35] Z. Shelby, K. Hartke, and C. Bormann, “The constrained application protocol (CoAP),” Internet Eng. Task Force, RFC 7252, Jun. 2014.
[36] Information Technology—Security Techniques—Lightweight Cryptography, ISO/IEC Standard 29192-2012, Jan. 2012.
[37] J. Borghoff, “PRINCE—A low-latency block cipher for pervasive computing applications,” in Advances in Cryptology—ASIACRYPT, X. Wang and K. Sako, Eds. Berlin, Germany: Springer, 2012, pp. 208–225.
[38] R. Beaulieu, S. Treatman-Clark, D. Shors, B. Weeks, J. Smith, and L. Wingers, “The SIMON and SPECK lightweight block ciphers,” in Proc. 52nd ACM/EDAC/IEEE Design Autom. Conf., Jun. 2015, pp. 1–6.
[39] J. Guo, T. Peyrin, and A. Poschmann, “The PHOTON family of lightweight hash functions,” in Advances in Cryptology—CRYPTO, P. Rogaway, Ed. Berlin, Germany: Springer, 2011, pp. 222–239.
[40] A. Bogdanov, M. Knežević, G. Leander, D. Toz, K. Varıcı, and I. Verbauwhede, “SPONGENT: A lightweight hash function,” in Cryptographic Hardware and Embedded Systems—CHES, B. Preneel and T. Takagi, Eds. Berlin, Germany: Springer, 2011, pp. 312–325.
[41] Information Technology Laboratory. (2019) Lightweight Cryptography Project. Accessed: Jun. 2019. [Online]. Available: https://csrc.nist.gov/projects/lightweight-cryptography
[42] H. Tschofenig and M. Pegourie-Gonnard, “Performance of state-of-the-art cryptography on ARM-based microprocessors,” in Proc. NIST Lightweight Cryptography Workshop, Jul. 2015. [Online]. Available: https://www.nist.gov/news-events/events/2015/07/lightweight-cryptography-workshop-2015
[43] D. Eastlake, J. Schiller, and S. Crocker, “Randomness requirements for security,” Internet Eng. Task Force, RFC 4086, Jun. 2005.
[44] K. Mandal, X. Fan, and G. Gong, “Design and implementation of warbler family of lightweight pseudorandom number generators for smart devices,” ACM Trans. Embedded Comput. Syst., vol. 15, no. 1, pp. 1:1–1:128, Feb. 2016.
[45] A. B. O. López, L. H. Encinas, A. M. Muñoz, and F. M. Vitini, “A lightweight pseudorandom number generator for securing the Internet of Things,” IEEE Access, vol. 5, pp. 27800–27806, 2017.
[46] M. Bakiri, C. Guyeux, J.-F. Couchot, L. Marangio, and S. Galatolo, “A hardware and secure pseudorandom generator for constrained devices,” IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3754–3765, Aug. 2018.
[47] B. Halak, M. Zwolinski, and M. S. Mispan, “Overview of PUF-based hardware security solutions for the Internet of Things,” in Proc. IEEE 59th Int. Midwest Symp. Circuits Syst., Oct. 2016, pp. 1–4.
[48] M. Roel, Physically Unclonable Functions: Constructions, Properties and Applications. Heidelberg, Germany: Springer, 2013.
[49] M. Majzoobi, F. Koushanfar, and M. Potkonjak, “Lightweight secure PUFs,” in Proc. IEEE/ACM Int. Conf. Comput.-Aided Design, San Jose, CA, USA, Nov. 2008, pp. 670–673.
[50] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical unclonable functions and applications: A tutorial,” Proc. IEEE, vol. 102, no. 8, pp. 1126–1141, Aug. 2014.
[51] G. E. Suh and S. Devadas, “Physical unclonable functions for device authentication and secret key generation,” in Proc. 44th ACM/IEEE Design Autom. Conf., San Diego, CA, USA, Jun. 2007, pp. 9–14.
[52] Y. Nozaki and M. Yoshikawa, “Shuffling based side-channel countermeasure for energy harvester,” in Proc. IEEE 7th Glob. Conf. Consum. Electron., Oct. 2018, pp. 714–715.
[53] Y. Zhang, X. Zheng, and B. Peng, “A side-channel attack countermeasure based on segmented modular exponent randomizing in RSA cryptosystem,” in Proc. 11th IEEE Singapore Int. Conf. Commun. Syst., Nov. 2008, pp. 148–151.
[54] B. B. Zarpelao, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga, “A survey of intrusion detection in Internet of Things,” J. Netw. Comput. Appl., vol. 84, pp. 25–37, Apr. 2017.
[55] F. Li, A. Shinde, Y. Shi, J. Ye, X. Li, and W. Z. Song, “System statistics learning-based IoT security: Feasibility and suitability,” IEEE Internet Things J., vol. 6, no. 4, pp. 6396–6403, Aug. 2019.
[56] F. Li, Y. Shi, A. Shinde, J. Ye, and W. Z. Song, “Enhanced cyber-physical security in Internet of Things through energy auditing,” IEEE Internet Things J., vol. 6, no. 3, pp. 5224–5231, Feb. 2019.
[57] H. Sedjelmaci, S. M. Senouci, and T. Taleb, “An accurate security game for low-resource IoT devices,” IEEE Trans. Veh. Technol., vol. 66, no. 10, pp. 9381–9393, Oct. 2017.
[58] J. Li, Z. Zhao, R. Li, and H. Zhang, “AI-based two-stage intrusion detection for software defined IoT networks,” IEEE Internet Things J., vol. 6, no. 2, pp. 2093–2102, Apr. 2019.
[59] G. Caparra, M. Centenaro, N. Laurenti, S. Tomasin, and L. Vangelista, “Wireless physical-layer authentication for the Internet of Things,” in Proc. Glob. Internet Things Summit, Jun. 2017, pp. 390–417.
[60] ZigBee Specification, Revision 20, document 053474r20, ZigBee Alliance, Davis, CA, USA, Sep. 2012.
[61] Wireless Medium Access Control and Physical Layer Specifications for Low-Rate Wireless Personal Area Networks, IEEE Standard 802.15.4, Oct. 2003.
[62] T. Zillner, “ZigBee smart homes: A hacker’s open house,” in Proc. CRESTCon Conf., May 2016. [Online]. Available: https://www.youtube.com/watch?v=eK-kI7Q9DE4
[63] ZigBee Light Link Standard, Revision 1.0, document 11-0037-10, ZigBee Alliance, Davis, CA, USA, Apr. 2012.
[64] P. Morgner, S. Mattejat, Z. Benenson, C. Müller, and F. Armknecht, “Insecure to the touch: Attacking ZigBee 3.0 via touchlink commissioning,” in Proc. 10th ACM Conf. Security Privacy Wireless Mobile Netw., Jul. 2017, pp. 230–240.
[65] L. Coppolino, V. DAlessandro, S. DAntonio, L. Levy, and L. Romano, “My smart home is under attack,” in Proc. IEEE 18th Int. Conf. Comput. Sci. Eng., Oct. 2015, pp. 145–151.
[66] X. Cao, D. M. Shila, Y. Cheng, Z. Yang, Y. Zhou, and J. Chen, “Ghost-in-ZigBee: Energy depletion attack on ZigBee-based wireless networks,” IEEE Internet Things J., vol. 3, no. 5, pp. 816–829, Oct. 2016.
[67] KillerBee. Accessed: Jun. 2019. [Online]. Available: https://github.com/riverloopsec/killerbee
[68] J. Wright. KillerBee: Practical ZigBee Exploitation Framework. Accessed: Jun. 2019. [Online]. Available: https://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
[69] Bluetooth Core Specification 4.0, Bluetooth SIG, Kirkland, WA, USA, Jun. 2010.
[70] C. Gomez, J. Oller, and J. Paradells, “Overview and evaluation of Bluetooth low energy: An emerging low-power wireless technology,” Sensors, vol. 12, no. 9, pp. 11734–11753, Aug. 2012.
[71] A. K. Das, P. H. Pathak, C.-N. Chuah, and P. Mohapatra, “Uncovering privacy leakage in BLE network traffic of wearable fitness trackers,” in Proc. 17th Int. Workshop Mobile Comput. Syst. Appl., Feb. 2016, pp. 99–104.
[72] R. Snader, R. Kravets, and A. F. Harris, III, “CryptoCoP: Lightweight, energy-efficient encryption and privacy for wearable devices,” in Proc. Workshop Wearable Syst. Appl., Jun. 2016, pp. 7–12.
[73] A. Y. Lindell, “Attacks on the pairing protocol of Bluetooth v2.1,” presented at the Black Hat USA Conf., Jun. 2008.
[74] A. Y. Lindell, “Comparison-based key exchange and the security of the numeric comparison mode in Bluetooth v2.1,” in Proc. Cryptograph. Track RSA Conf., Apr. 2009, pp. 66–83.


[75] J. Barnickel, J. Wang, and U. Meyer, “Implementing an attack on Bluetooth 2.1+ secure simple pairing in passkey entry mode,” in Proc. 11th IEEE Int. Conf. Trust Security Privacy Comput. Commun., Jun. 2012, pp. 17–24.
[76] M. Ryan, “Bluetooth: With low energy comes low security,” in Proc. 7th USENIX Workshop Offensive Technol., Aug. 2013. Accessed: Jun. 2019. [Online]. Available: https://www.usenix.org/conference/woot13/workshop-program/presentation/Ryan
[77] W. K. Zegeye, “Exploiting Bluetooth low energy pairing vulnerability in telemedicine,” in Proc. Int. Telemetering Conf., Oct. 2015, pp. 317–326.
[78] T. Rosa, “Bypassing passkey authentication in Bluetooth low energy,” Cryptol. ePrint Archive, Rep. 2013/309, May 2013. Accessed: Jun. 2019. [Online]. Available: https://eprint.iacr.org/2013/309
[79] A. Hilts, C. Parsons, and J. R. Knockel, “Every step you fake: A comparative analysis of fitness tracker privacy and security,” Open Effect, Canada, Rep., Apr. 2016. Accessed: Jun. 2019. [Online]. Available: https://openeffect.ca/reports/Every_Step_You_Fake.pdf
[80] O. Arias, J. Wurm, K. Hoang, and Y. Jin, “Privacy and security in Internet of Things and wearable devices,” IEEE Trans. Multi-Scale Comput. Syst., vol. 1, no. 2, pp. 99–109, Apr./Jun. 2015.
[81] M. Rahman, B. Carbunar, and U. Topkara, “Secure management of low power fitness trackers,” IEEE Trans. Mobile Comput., vol. 15, no. 2, pp. 447–459, Feb. 2016.
[82] A. Rose and B. Ramsey, “Picking Bluetooth low energy locks from a quarter mile away,” presented at DEF CON 24, 2016. Accessed: Jun. 2019. [Online]. Available: https://www.youtube.com/watch?v=8h9nbMB1eTE
[83] Merculite Security. (2016) Hacking Bluetooth Low Energy Locks. Accessed: Jun. 2019. [Online]. Available: https://github.com/merculite/BLE-Security
[84] M. Fuller, M. Jenkins, and K. Tjølsen. (2017). Security Analysis of the August Smart Lock. Accessed: Jun. 2019. [Online]. Available: https://courses.csail.mit.edu/6.857/2017/project/3.pdf
[85] M. Ye, N. Jiang, H. Yang, and Q. Yan, “Security analysis of Internet-of-Things: A case study of August smart lock,” in Proc. IEEE Conf. Comput. Commun. Workshops, Atlanta, GA, USA, May 2017, pp. 499–504.
[86] S. Hall. (Mar. 2015). Making Smart Locks Smarter (AKA. Hacking the August Smart Lock). Accessed: Jun. 2019. [Online]. Available: http://blog.perfectlylogical.com/post/2015/03/29/Making-Smart-Locks-Smarter
[87] GATTack.io Outsmart the Things. Accessed: Jun. 2019. [Online]. Available: https://gattack.io/#
[88] G. Montenegro, N. Kushalnagar, J. Hui, and D. Culler, “Transmission of IPv6 packets over IEEE 802.15.4 networks,” Internet Eng. Task Force, RFC 4944, Sep. 2007.
[89] G. Mulligan, “The 6LoWPAN architecture,” in Proc. 4th Workshop Embedded Netw. Sensors, Jun. 2007, pp. 78–82.
[90] R. Alexander et al., “RPL: IPv6 routing protocol for low-power and lossy networks,” Internet Eng. Task Force, RFC 6550, Mar. 2012.
[91] P. Pongle and G. Chavan, “A survey: Attacks on RPL and 6LoWPAN in IoT,” in Proc. Int. Conf. Pervasive Comput., Jan. 2015, pp. 1–6.
[92] A. Rghioui, A. Khannous, and M. Bouhorma, “Denial-of-service attacks on 6LoWPAN-RPL networks: Issues and practical solutions,” J. Adv. Comput. Sci. Technol., vol. 3, no. 2, pp. 143–153, 2014.
[93] A. Mayzaud, R. Badonnel, and I. Chrisment, “A taxonomy of attacks in RPL-based Internet of Things,” Int. J. Netw. Security, vol. 18, no. 3, pp. 459–473, May 2016.
[94] A. E. Yegin and Z. Shelby, “CoAP security options,” IETF Internet Draft, Oct. 2011. Accessed: Jun. 2019. [Online]. Available: https://datatracker.ietf.org/doc/html/draft-yegin-coap-security-options-00
[95] J. Mattsson and F. Palombini, “Comparison of CoAP security protocols,” IETF Internet Draft, Jul. 2018. Accessed: Jun. 2019. [Online]. Available: https://datatracker.ietf.org/doc/html/draft-ietf-lwig-security-protocol-comparison-01
[96] K. Seo and S. Kent, “Security architecture for the Internet protocol,” Internet Eng. Task Force, RFC 4301, Dec. 2005.
[97] E. J. Cho, J. H. Kim, and C. S. Hong, “Attack model and detection scheme for botnet on 6LoWPAN,” in Proc. Asia–Pac. Netw. Oper. Manag. Symp., Sep. 2009, pp. 515–518.
[98] G. Hernandez, O. Arias, D. Buentello, and Y. Jin, “Smart nest thermostat: A smart spy in your home,” presented at the Black Hat USA Conf., Aug. 2014. Accessed: Jun. 2019. [Online]. Available: https://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home-WP.pdf
[99] R. Hummen, J. Hiller, H. Wirtz, M. Henze, H. Shafagh, and K. Wehrle, “6LoWPAN fragmentation attacks and mitigation mechanisms,” in Proc. 6th ACM Conf. Security Privacy Wireless Mobile Netw., Apr. 2013, pp. 55–66.
[100] A. Bertolaud et al., “LoRaWAN 1.1 specification,” LoRa Alliance, Fremont, CA, USA, Oct. 2017.
[101] M. Capuzzo, D. Magrin, and A. Zanella, “Confirmed traffic in LoRaWAN: Pitfalls and countermeasures,” in Proc. Annu. Mediterranean Ad Hoc Netw. Workshop, Jun. 2018, pp. 1–7.
[102] M. Capuzzo, D. Magrin, and A. Zanella, “Mathematical modeling of LoRaWAN performance with bi-directional traffic,” in Proc. IEEE Glob. Commun. Conf., Dec. 2018, pp. 206–212.
[103] R. Miller, “LoRa security: Building a secure LoRa solution,” Basingstoke, U.K., WR InfoSecurity, White Paper, Mar. 2016. Accessed: Jun. 2019. [Online]. Available: https://labs.mwrinfosecurity.com/publications/lo/
[104] Cortex-M, ARM, Cambridge, U.K. Accessed: Jun. 2019. [Online]. Available: https://www.arm.com/products/processors/cortex-m
[105] Cortex–M Series Performance Graph, ARM, Cambridge, U.K. Accessed: Jun. 2019. [Online]. Available: https://web.archive.org/web/20170828182449/
[106] H. Tschofenig and M. Pegourie-Gonnard. (Mar. 2015). Performance Investigations. Accessed: Jun. 2019. [Online]. Available: http://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pptx
[107] “Low power, 2.4GHz transceiver for ZigBee, RF4CE, IEEE 802.15.4, 6LoWPAN, and ISM applications,” Datasheet AT86RF233, Atmel, San Jose, CA, USA, Jul. 2014. Accessed: Jun. 2019. [Online]. Available: http://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-8351-MCU_Wireless-AT86RF233_Datasheet.pdf
[108] Atmel SAM R21E / SAM R21G SMART ARM-Based Wireless Microcontroller Datasheet, Atmel, May 2016. Accessed: Jun. 2019. [Online]. Available: http://ww1.microchip.com/downloads/en/DeviceDoc/SAM-R21_Datasheet.pdf
[109] A True System-on-Chip Solution for 2.4-GHz IEEE 802.15.4 and ZigBee Applications—CC2530 Datasheet, Texas Instrum., Dallas, TX, USA, Feb. 2011. Accessed: Jun. 2019. [Online]. Available: http://www.ti.com/lit/ds/symlink/cc2530.pdf
[110] EM351/EM357 High-Performance, Integrated ZigBee/802.15.4 System-on-Chip Datasheet, Silicon Labs, Austin, TX, USA, Aug. 2013. Accessed: Jun. 2019. [Online]. Available: https://www.silabs.com/documents/public/data-sheets/EM35x.pdf
[111] nRF8001 Single-Chip Bluetooth Low Energy Solution Product Specification 1.3, Nordic Semicond., Trondheim, Norway, Mar. 2015. Accessed: Jun. 2019. [Online]. Available: https://www.nordicsemi.com/?sc_itemid=%7B0EAB29C6-60BA-436D-AE00-2090F3AD62C4%7D
[112] 2.4-GHz Bluetooth Low Energy System-on-Chip—CC2540 Datasheet, Texas Instrum., Dallas, TX, USA, Jun. 2013. Accessed: Jun. 2019. [Online]. Available: http://www.ti.com/lit/ds/symlink/cc2540.pdf
[113] BlueNRG Bluetooth Low Energy Wireless System-on-Chip Datasheet, STMicroelectronics, Geneva, Switzerland, Dec. 2017. Accessed: Jun. 2019. [Online]. Available: http://www.st.com/content/ccc/resource/technical/document/datasheet/group3/ac/c1/ad/80/54/fa/49/9d/DM00262983/files/DM00262983.pdf/jcr:content/translations/en.DM00262983.pdf
[114] CC256x Dual-Mode Bluetooth Controller Datasheet, Texas Instrum., Dallas, TX, USA, Jan. 2016. Accessed: Jun. 2019. [Online]. Available: http://www.ti.com/lit/ds/symlink/cc2564.pdf
[115] CSR1010 QFN Datasheet, Qualcomm, San Diego, CA, USA, Jan. 2015. Accessed: Jun. 2019. [Online]. Available: https://www.qualcomm.com/media/documents/files/csr1010-data-sheet.pdf
[116] CC2538 Powerful Wireless Microcontroller System-on-Chip for 2.4-GHz IEEE 802.15.4, 6LoWPAN, and ZigBee Applications Datasheet, Texas Instrum., Apr. 2015. Accessed: Jun. 2019. [Online]. Available: http://www.ti.com/lit/ds/symlink/cc2538.pdf
[117] “SmartMesh IP node 2.4GHz 802.15.4e wireless mote-on-chip,” Datasheet LTC5800-IPM, Linear Technol., Milpitas, CA, USA, Dec. 2015. Accessed: Jun. 2019. [Online]. Available: http://cds.linear.com/docs/en/datasheet/5800ipmfa.pdf
[118] “Long range, low power RF transceiver 860-1000 MHz with LoRa technology,” Datasheet SX1272, Semtech, Camarillo, CA, USA, Mar. 2017. Accessed: Jun. 2019. [Online]. Available: https://www.semtech.com/products/wireless-rf/lora-transceivers/sx1272
[119] R. Bonetto, N. Bui, V. Lakkundi, A. Olivereau, A. Serbanati, and M. Rossi, “Secure communication for smart IoT objects: Protocol stacks, use cases and practical examples,” in Proc. IEEE Int. Symp. World Wireless Mobile Multimedia Netw., Jun. 2012, pp. 1–7.


[120] W. Zhou and S. Piramuthu, “Security/privacy of wearable fitness tracking IoT devices,” in Proc. 9th Iberian Conf. Inf. Syst. Technol. (CISTI), Jun. 2014, pp. 1–5.
[121] R. Giuliano, F. Mazzenga, A. Neri, and A. M. Vegni, “Security access protocols in IoT capillary networks,” IEEE Internet Things J., vol. 4, no. 3, pp. 645–657, Jun. 2017.
[122] H. Kim, “Protection against packet fragmentation attacks at 6LoWPAN adaptation layer,” in Proc. Int. Conf. Converg. Hybrid Inf. Technol., Aug. 2008, pp. 796–801.
[123] C. Lévy-Bencheton, E. Darra, G. Tétu, G. Dufay, and M. Alattar, “Security and resilience of smart home environments: Good practices and recommendations,” Eur. Union Agency Netw. Inf. Security, Athens, Greece, Rep., Dec. 2015. Accessed: Jun. 2019. [Online]. Available: https://www.enisa.europa.eu/publications/security-resilience-good-practices. doi: 10.2824/360120.

Francesca Meneghello (S’19) received the B.Sc. degree in information engineering and the M.Sc. degree in telecommunication engineering from the University of Padova, Padua, Italy, in 2016 and 2018, respectively, where she is currently pursuing the Ph.D. degree with the SIGNET Research Group, Department of Information Engineering, under the supervision of Prof. M. Rossi.
Her current research interests include deep learning architectures and signal processing with application to remote radio frequency sensing and wireless networks.
Ms. Meneghello was a recipient of the Best Student Paper Award at WUWNet 2016 and the Best Student Presentation Award at the IEEE Italy Section SSIE 2019.

Matteo Calore received the B.Sc. degree in information engineering and the M.Sc. degree in telecommunication engineering from the Department of Information Engineering, University of Padova, Padua, Italy, in 2016 and 2018.
For several years, he has collaborated with the SIGNET Research Group, University of Padova, on many projects. His current research interests include next generation of cellular networks (5G) and machine learning in the domain of low-powered devices.

Daniel Zucchetto (S’17–M’19) received the B.Sc. degree in information engineering in 2012 and the M.Sc. degree in telecommunication engineering from the University of Padova, Padua, Italy, in 2012 and 2014, respectively. He received the Ph.D. degree from the University of Padova with a thesis on solutions for large scale, efficient, and secure Internet of Things (IoT).
He visited Telenor Research, Fornebu, Norway, in 2016 and Intel Labs Europe, Dublin, Ireland, in 2019. Since April 2019, he has been a Senior Systems Engineer with the Centre for Intelligent Power, Eaton Corporation, Dublin. His current research interests include smart energy systems, low-power wide area network technologies and next generation cellular networks (5G), with particular focus on their application to the IoT.

Michele Polese (S’17) received the B.Sc. degree in information engineering and the M.Sc. degree in telecommunication engineering from the University of Padova, Padua, Italy, in 2014 and 2016, respectively, where he is currently pursuing the Ph.D. degree with the Department of Information Engineering, under the supervision of Prof. M. Zorzi.
He visited New York University (NYU), New York City, NY, USA, in 2017, AT&T Labs, Bedminster, NJ, USA, in 2018, and Northeastern University, Boston, MA, USA, in 2019. He is collaborating with several academic and industrial research partners, including Intel, Santa Clara, CA, USA, InterDigital, Wilmington, DE, USA, NYU, AT&T Labs, University of Aalborg, Aalborg, Denmark, King’s College London, London, U.K., Northeastern University, and NIST, Gaithersburg, MD, USA. His current research interests include analysis and development of protocols and architectures for the next generation of cellular networks (5G), in particular for millimeter-wave communication, and in the performance evaluation of complex networks.
Mr. Polese was a recipient of the Best Journal Paper Award of the IEEE ComSoc Technical Committee on Communications Systems Integration and Modeling 2019 and the Best Paper Award at WNS3 2019.

Andrea Zanella (S’98–M’01–SM’13) received the Laurea degree in computer engineering and the Ph.D. degree in electronic and telecommunications engineering from the University of Padova, Padua, Italy, in 1998 and 2001, respectively.
In 2000, he was a visiting scholar with the Department of Computer Science, University of California at Los Angeles, Los Angeles, CA, USA. He is an Associate Professor with the Department of Information Engineering, University of Padova. He is one of the coordinators of the SIGnals and NETworking (SIGNET) Research Group. His long-established research activities are in the fields of protocol design, optimization, and performance evaluation of wired and wireless networks.
Dr. Zanella is a Technical Area Editor of the IEEE INTERNET OF THINGS JOURNAL, and an Associate Editor of the IEEE TRANSACTIONS ON COGNITIVE COMMUNICATIONS AND NETWORKING, the IEEE COMMUNICATIONS SURVEYS AND TUTORIALS, and Digital Communications and Networks.
