The Internet of Things (IoT) is growing enormously every day and it's expected that 50 billion devices will be connected by 2020 (Alshehri, Hussain, & Hussain, 2018). The Internet of Things (IoT) can be described as various smart devices that collaborate to achieve a particular goal (Alshehri et al., 2018). In a way, the IoT has extended the digital world to our real life by connecting objects around us to the Internet (Ouaddah, Elkalam, & Ouahman, 2017).
The primary purpose of the IoT is to share information of objects about details in people's life (Wen & Zhang, 2016). Besides personal use, the IoT also contributes to the community. Data collected through devices interconnected by the IoT may improve various functionalities as monitoring surgery in hospitals and providing tracking in automobiles (Khan & Salah, 2018).
However, the success or failure of the IoT will be determined by two main challenges: security and privacy. With the large number of connected devices, there is a high risk of security threats such as viruses or cyber-attacks (Ouaddah et al., 2017). With the current Distributed Denial-of-service (DDoS) attacks, it is crucial that devices connected by the IoT are secured. As a high number of devices are connected, a DDoS attack can easily take place. In a recent study Sicari, Rizzardi, Grieco, & Coen-Porisini (2014) point out an infrastructure is needed to deal with security threats in this dynamic environment.
In the literature, several models describe how to ensure reduce the privacy risks of data among users of devices connected by the IoT. Most articles only highlight these risks, but a tight solution to the privacy risks has yet not been found. Blockchain technology may solve the challenges regarding security and privacy, but since the technology is still new it has not been tested enough to determine its success. Little research of the combination of IoT and blockchain is conducted (Khan & Salah, 2018).
Therefore, the following research question can be derived:
"How does blockchain technology comparing to cloud models contribute to the improvement of security in the Internet-of-Things?"
1. LITERATURE REVIEW
This chapter presents a literature review about the existing literature regarding the security in the Internet-of-Things (IoT). The focus will lay on the relevance of new technologies for improving the security. Key concepts are described to give an introduction in the topic. Later, various models for improving this security are being reviewed and compared. A proposition of the best suited model will be given, which can be used as a basis for the empirical research. This model may be of value next to the existing literature as the security in the IoT still has not been guaranteed.
1.1 INTERNET OF THINGS
The term IoT was first acknowledged by Kevin Ashton in 1999 (Alshehri et al., 2018).
According to Wen and Zhang (2016) the "Internet of Things (IoT) is a worldwide network of interconnected objects and persons, which through unique addressing schemes are able to interact with each other and cooperate with their neighbors to reach common goals (p. 983)."
The IoT can be realized in three paradigms: internet-oriented (middleware), things oriented (sensors) and semantic-oriented (knowledge) (Gubbi, Buyya, Marusic, & Palaniswami, 2013).
The primary purpose of IoT is to share information of objects about details in people's life, for instance Smart Grids (Wen & Zhang, 2016). Besides personal use, the IoT also contributes to the community. Data collected through devices connected by the IoT may improve various functionalities as monitoring surgery in hospitals and tracking in automobiles (Khan & Salah, 2018). Despite the increasing amount of objects and persons connected, the development of IoT is still slowly due to the high development costs. A secure and stable transaction system to exchange information could drive and improve the security process, though existing models have not been able to ensure security (Wen & Zhang, 2016).
The ability to uniquely identify 'Things' is critical for the success of IoT, as it allows us to identify billions of devices and to control remote devices through the Internet. The most critical features for success are uniqueness, reliability, persistence and scalability (Gubbi et al., 2013).
Data security and privacy
Prior research towards the security among the IoT has been conducted. As the amount of devices interconnected is growing enormously, security for its users is not guaranteed (Ouaddah et al., 2017). Issues of security occur when the data is transferred from one cluster to another (Alshehri et al., 2018). Therefore the architecture needs to be secured from attacks which may pose a threat to privacy, integrity or confidentiality of data (Khan & Salah, 2018).
Until now, IoT has created major security problems. In 2015, an U.S.-based application security company, Veracode, tested six IoT devices. The front-end connections (between users and cloud services) and back-end connections (between devices and cloud services) were investigated. Serious security issues were found in five of them. Except for one, all devices failed to demand strong passwords and were vulnerable to cyber-attacks (Kshetri, 2017). If an IoT device is hacked, this can lead to serious consequences. In 2017, one of every nine households of Dutch residents have smart thermostat meters. Gas and electricity usage of residents can tell hackers and criminals if residents are home and able them to break into their houses (Multiscope, 2017).
To secure the communication in the IoT, authentication between two communicating parties is required. A secure implementation of authorization and authentication can lead to a secure architecture (Khan & Salah, 2018). Information in the IoT is nowadays shared via third parties (e.g. power companies are the third party of smart grids). Data is kept in the databases of those third parties even if a user is not utilizing the service or product anymore (Ouaddah et al., 2017)To protect data from attackers, encryption provides confidentiality in data, and message authentication codes provide integrity and authenticity. However, encryption does not protect against insider attacks (Gubbi et al., 2013).
1.2 BLOCKCHAIN TECHNOLOGY
According to Khan & Salah (2018) a blockchain is "a decentralized, distributed, shared, and immutable database ledger that caches registry of assets and transactions across a peer-to-peer (P2P) network (p. 401)." A blockchain consists of different blocks of data that are timestamped and validated by miners. This block of data consist of a list of all transactions and a crypto hash (links the blocks in the chain) to the previous block. The blockchain contains all transactions and provides a cross border global distributed trust. Each transaction is verified by a majority unity of nodes, which are verifying and validating each transaction. Once transactions are validated and verified by the nodes, block data can never be erased or adjusted. Blockchain can be built as (1) a permissioned (or private) network that can be exclusive to a certain group, or (2) permission-less or public network, open for everyone. Permission blockchains provide more privacy and better access control (Khan & Salah, 2018).
Data security and privacy
In a blockchain model, no information needs to be stored with third parties. Records are on different locked computers that hold identical information. Adding more keys to authorize a transaction process in a blockchain can further improve the security and privacy. For hackers to be effective, more than 50% of the systems in a network need to be hacked (Kshetri, 2017).
Blockchain-based identity and access management systems can provide a stronger defense against IP address forging attacks. Since blockchain cannot be adjusted, it is not possible for devices to connect to a network by distinguishing themselves by using fake signatures (Kshetri, 2017).
1.3 EXISTING LITERATURE REGARDING SECURITY IN THE IoT
In de opbouw van je betoog is het lasting te volgen welke criteria je gebruikt om de verschillende modellen te vergelijken: je hebt steeds andere rijtjes. Je kunt op dit punt je betoog strakker maken: dit zijn de criteria, dit zijn de modellen en vergeljking levert de volgende conclusies op.
The existing literature proposes various models that improve the security among the IoT. The following models are being described (1) E-business architecture for IoT (Wen & Zhang, 2016), (2) OM-AM model (Ouaddah et al., 2017), (3) Blockchain model (Kshetri, 2017) and (4) Scalable trust management in IoT (IoT-TM) (Alshehri et al., 2018).
Wen & Zhang (2016) propose an E-business architecture designed for IoT where the protocol of bitcoin is used as a basis. Normally there is always a third party involved when sharing data. The appearance of bitcoin first made it possible to have transaction without the intervention of a third party. Distributed autonomous corporations (DACs) are adopted as they can offer paid services without any human involvement (Wen & Zhang, 2016). The E-business architecture in figure 1, is suited to the IoT as it includes the following features: systemic, high efficiency, flexible, reasonable, low cost.
Figure 1: Traditional E-business entities (left); IoT E-business entities (right) (Wen & Zhang, 2016)
Ouaddah et al., (2017) propose a reference OM-AM model for a new framework for access control in the IoT based on blockchain technology in figure 2. OM-AM strands for Objective, Model, Architecture, and Mechanism. The OM layers describe the security objectives and what should be achieved to meet this requirement. The AM layers describe how to meet the requirements of the OM layers.
In order to build a security mechanism for the IoT, the nature of the applications and their security requirements need to be defined. An authorization model is used for representing the security policy, by reducing its complexity.
Figure 2: Objectives, Models, Architecture and Mechanism reference model (Ouaddah et al., 2017)
Kshetri (2017) proposes a blockchain model in figure 3, wherein the process of exchanging messages between devices is considered similar to financial transactions in a bitcoin network. Kshetri proposes that IoT solutions can use blockchain to enable secure communication between devices. Transactions can be signed cryptographically and be verified to ensure that only the initiator of the message could have sent it. This can possibly eliminate cyber-attacks.
It may be that blockchain can improve security in forward and backward links in supply chains, which makes it an effective tool to track the sources of insecurity.
Figure 3: Blockchain's role in strengthening and improving security in a supply chain network (Kshetri, 2017)
Finally, Alshehri et al. (2018) propose a clustering based approach where IoT nodes are grouped in clusters based on their trust value. The different nodes in a cluster gain or lose trust when they communicate with other nodes. Alshehri et al. propose intelligent solutions to critical issues regarding the trust management issues in the IoT by introducing the IoT-TM.
The IoT-TM provides a trustworthy platform for communication between all devices interconnected with other nodes in the IoT environment, presented in figure 4. The Master Node (MN) stores the trust values of the other nodes within its cluster. Then, the Super Node (SN) stores the trust values of all the MN's. The framework allows different IoT devices and applications to contact each other in a secure environment. The Cluster Node (CN) is a communication node which transports the data generated by the CN to a MN. The MN manages different CN's in the cluster and stores data received from CN is the MN memory.
Figure 4: Architecture of the IoT-TM (Alshehri et al., 2018)
Assessment of various models
Model Strengths Weaknesses
E-business architecture for IoT
OM-AM model
Blockchain model
Scalable trust management in IoT (IoT-TM)
1.4 BLOCKCHAIN TECHNOLOGY AS A CONTRIBUTION TO THE IoT
A common threat is that most IoT models depend on a centralized cloud model. This may have several risks that become a bigger issue when the number of network nodes is expanding. First, as existing IoT solutions are growing enormously, high costs are a big concern in centralized cloud models. Next to that they are expensive and difficult to manage, especially when applied to data intensive applications like IoT. Second, IoT devices are vulnerable to DDoS attacks, hackings, data thefts, and remote hijackings. Each block of the IoT architecture can be a weak spot, which can disrupt the entire network as all connected devices may be affected. Third, the centralized cloud model of IoT is exposed to manipulation. For instance, collecting real-time data does not guarantee that the information is processed appropriately. Smart Grid companies can manipulate data into a particular direction (Kshetri, 2017).
Although, blockchain technology is still in an early stage, it may be possible that the defaults of centralized cloud models described in paragraph 1.3 can be disregarded.
One of the challenges regarding IoT is about ownership and identity relationships of the IoT devices. Ownership changes during the lifetime of the device starting by the manufacturer and ending with the consumer. IoT relationships may be device-to-human (e.g. FitBit) or device-to-device (e.g. Smart Grid). Blockchain can be used to solve these challenges by registering and giving identity to connected IoT devices (Khan & Salah, 2018).
1.5 FUTURE PROSPECTS AND CONCERNS
The success or failure of this revolutionary evolution of IoT will be determined by two key challenges: security and privacy. Most solutions provide the ability for centralized authorities to gain unauthorized access to and control devices by collecting and analyzing user's data. This may cause ethical and privacy problems (Ouaddah et al., 2017).
A unified vision regarding the insurance of the main challenges security and privacy is still missing. Suitable solutions need to be designed and deployed, which are independent from the exploited platform and able to guarantee: confidentiality, access control, and privacy for users and things, trustworthiness among devices and users, compliance with defined security and privacy policies (Sicari et al., 2015).
Another shortcoming of the current cloud based IoT trust solutions is that they are not scalable across billions of IoT links and that they suffer from attack on their trust systems (Alshehri et al., 2018).
Blockchain technology could solve the challenges regarding security and privacy, but it has not been tested enough to determine its success. Further research regarding blockchain-based applications to ensure the security among the IoT will prove is this technology is capable of being completely secure and defendable against cyber-attacks (Kshetri, 2017).