Elsevier

Computer Networks

Volume 129, Part 2, 24 December 2017, Pages 444-458
Computer Networks

The rise of ransomware and emerging security challenges in the Internet of Things

https://doi.org/10.1016/j.comnet.2017.09.003Get rights and content

Abstract

With the increasing miniaturization of smartphones, computers, and sensors in the Internet of Things (IoT) paradigm, strengthening the security and preventing ransomware attacks have become key concerns. Traditional security mechanisms are no longer applicable because of the involvement of resource-constrained devices, which require more computation power and resources. This paper presents the ransomware attacks and security concerns in IoT. We initially discuss the rise of ransomware attacks and outline the associated challenges. Then, we investigate, report, and highlight the state-of-the-art research efforts directed at IoT from a security perspective. A taxonomy is devised by classifying and categorizing the literature based on important parameters (e.g., threats, requirements, IEEE standards, deployment level, and technologies). Furthermore, a few credible case studies are outlined to alert people regarding how seriously IoT devices are vulnerable to threats. We enumerate the requirements that need to be met for securing IoT. Several indispensable open research challenges (e.g., data integrity, lightweight security mechanisms, lack of security software’s upgradability and patchability features, physical protection of trillions of devices, privacy, and trust) are identified and discussed. Several prominent future research directions are provided.

Introduction

Immigrating to a promising era of the Internet of Things (IoT), ubiquitously small embedded devices are implanted with various sensors to sense data from their surroundings and provide smart controlling decisions. The proliferation of miniaturized sensors and connected IoT devices is expected to reach 26 billion by 2020, most of which are wearable devices [1]. In this modern era of technology, people have started to deploy real-world IoT applications, from connected smart homes [2], connected cars [3], [4], smart parking [5], and health monitoring [6], [7] to smart utility meters [8], as shown in Fig. 1. Although IoT can facilitate different aspects of people’s lives, enabling high security, developing ransomware prevention, and establishing solutions are the key remaining concerns, given that IoT devices hold sensitive information [9].

A HP study reveals that 70% of IoT devices are vulnerable to attacks4. Hacking of smart cars is also one of the security threats in IoT [10]. According to recent market data, the IoT security market is expected to rise to $28.90 billion by 2020, which indicates that high-security threats are expected to rise substantially in the foreseeable future5. On the other hand, ransomware continues to experience record growth in 2017. Therefore, ensuring that each device has the appropriate control to maintain data confidentiality and integrity within an organization is necessary [11]. In addition, investigation of IoT security along with data integrity holds practical significance in IoT development. Fig. 2 illustrates the security threats in IoT. Traditional security mechanisms will be unable to accommodate IoT devices completely because most of these devices have battery constraints and limited resources; however, these mechanisms require more resources [12]. Therefore, the prime focus of this study is on exposing emerging IoT threats, challenges, and potential solutions.

In general, IoT security has been widely investigated [13], [14], [15], [16], [17], [18], [19], [20], [21], [22]; however, to the best of our knowledge, none of the existing studies specifically focused on emerging threats and challenges, such as ransomware. In addition, several other important aspects of IoT security, which are discussed in the current study, have not been reported.

The contributions of this study can be summarized as follows.

  • We initially discuss the rise of ransomware attacks and outline the associated challenges.

  • We investigate, report, and highlight the state-of-the-art research efforts directed at IoT from the security perspective.

  • We devise a taxonomy of IoT security by classifying and categorizing the literature.

  • A few notable reported case studies on IoT security are outlined.

  • We enumerate the requirements for securing IoT.

  • We identify and discuss indispensable open challenges in strengthening the security in IoT.

  • Several prominent future research directions are provided.

These contributions are provided separately from Sections 2 to 8; the concluding remarks are provided in Section 9.

Section snippets

Ransomware

This section describes the basic working of ransomware in an IoT context and discusses their common types. We also discuss some of the approaches used by ransomware to penetrate in the IoT network and provided some examples of IoT-based ransomwares. Finally, some remedies and challenges are highlighted.

Unlike traditional malware threats, a ransomware attack in IoT can be more devastating as it may affect an entire landscape of security services, i.e., confidentiality, integrity, and

State-of-the-art research on IoT security

Although various aspects of security are extensively investigated in different domains, such as ad hoc and sensor networks [35], [36] and software defined networks [37], [38], however, IoT security is still largely unexplored.

For example, the authors in [39] proposed a secure Message Queue Telemetry Transport (MQTT) mechanism called AUPS (Authenticated Publish Subscribe). The mechanism is developed by extending MQTT, which is a popular communication protocol in the IoT paradigm, by introducing

Taxonomy

Fig. 3 depicts the taxonomy that is devised based on various parameters, including threats, requirements, IEEE standards, deployment levels, and technologies.

Case studies on IoT security

This section discusses different case studies that aim to alert users on how serious IoT devices are vulnerable to exploitation. This section is also a motivation for the need to strengthen the security in the IoT paradigm. Table 2 provides a summary of the case studies.

New requirements for securing IoT

An IoT framework can be divided into three layers: device, gateway, and service. The security implementation at each of these layer is vital for securing the entire IoT. However, the requirements of security model for each layer are different. Herein, we discuss the security requirements for each layer of the IoT framework.

Open research challenges

This section discusses the research challenges on security in the IoT paradigm. In Table 3, we enlist some of IoT security startups.

Future research directions

In this section, a few prominent security-related research directions in IoT are provided.

Conclusion

Remarkable advances in smart technologies have paved the way toward a new computing paradigm called the IoT. This study discussed the ransomware attacks and security concerns in IoT. First, we discussed the rise of ransomware attacks and outlined the associated challenges. Second, we investigated, reported, and highlighted the state-of-the-art research efforts on IoT security. Third, a taxonomy is devised by classifying and categorizing the literature. Fourth, a few credible case studies are

Acknowledgement

Imran’s work is supported by the Deanship of Scientific Research at King Saud University through Research group No. (RG # 1435-051).

Ibrar Yaqoob received his Ph.D. degree in Computer Science from the University of Malaya, Malaysia, in 2017. He earned 550 plus citations, and 50 plus impact factor during his Ph.D. candidature. He worked as a researcher at Centre for Mobile Cloud Computing Research (C4MCCR), University of Malaya. His research experience spans over more than three and half years. He has published a number of research articles in refereed international journals and magazines. His numerous research articles are

References (90)

  • S.N. Premnath et al.

    Security and privacy in the internet-of-things under time-and-budget-limited adversary model

    IEEE Wireless Commun. Lett.

    (2015)
  • S. Li et al.

    The internet of things: a survey

    Inf. Syst. Front.

    (2015)
  • R.J. Tobias

    Wireless communication of real-time ultrasound data and control

    SPIE Medical Imaging

    (2015)
  • E. Ahmed et al.

    Internet-of-things-based smart environments: state of the art, taxonomy, and open research challenges

    IEEE Wireless Commun.

    (2016)
  • A. Al-Fuqaha et al.

    Internet of things: a survey on enabling technologies, protocols, and applications

    IEEE Commun. Surv. Tut.

    (2015)
  • D. Lin et al.

    Internet of vehicles for e-health applications: a potential game for optimal network capacity

    IEEE Syst. J.

    (2017)
  • C. Perera et al.

    Context aware computing for the internet of things: a survey

    IEEE Commun. Surv. Tut.

    (2014)
  • A.M. Ghosh et al.

    Remote health monitoring system through iot

    5th International Conference on Informatics, Electronics and Vision (ICIEV)

    (2016)
  • N.M. Khoi et al.

    Irehmo: an efficient iot-based remote health monitoring system for smart regions

    17th International Conference on E-health Networking, Application Services (HealthCom)

    (2015)
  • M. Sanduleac et al.

    Unleashing smart cities efficient and sustainable energy policies with iot based unbundled smart meters

    IEEE International Conference on Emerging Technologies and Innovative Business Practices for the Transformation of Societies (EmergiTech)

    (2016)
  • Q. Jing et al.

    Security of the internet of things: perspectives and challenges

    Wireless Netw.

    (2014)
  • J. Pacheco et al.

    Iot security development framework for building trustworthy smart car services

    IEEE Conference on Intelligence and Security Informatics (ISI)

    (2016)
  • Q. Wen et al.

    Application of dynamic variable cipher security certificate in internet of things

    Cloud Computing and Intelligent Systems (CCIS), 2012 IEEE 2nd International Conference on

    (2012)
  • G. Ketema et al.

    Efficiently observing internet of things resources

    IEEE International Conference on Green Computing and Communications

    (2012)
  • J. Granjal et al.

    Security for the internet of things: a survey of existing protocols and open research issues

    IEEE Commun. Surv. Tut.

    (2015)
  • K. Zhao et al.

    A survey on the internet of things security

    Computational Intelligence and Security (CIS), 2013 9th International Conference on

    (2013)
  • Z. Yan et al.

    A survey on trust management for internet of things

    J. Netw. Comput. Appl.

    (2014)
  • R. Roman et al.

    On the features and challenges of security and privacy in distributed internet of things

    Comput. Netw.

    (2013)
  • E. Bertino et al.

    Botnets and internet of things security

    Computer

    (2017)
  • L. Chen et al.

    Robustness, security and privacy in location-based services for future iot: a survey

    IEEE Access

    (2017)
  • E. Bertino et al.

    Botnets and internet of things security

    Computer

    (2017)
  • B. Nassi, A. Shamir, Y. Elovici, Oops!...i think i scanned a malware, arXiv preprint...
  • R. Richardson et al.

    Ransomware: evolution, mitigation and prevention

    Int. Manage. Rev.

    (2017)
  • J. Bugeja et al.

    An analysis of malicious threat agents for the smart connected home

    Pervasive Computing and Communications Workshops (PerCom Workshops), 2017 IEEE International Conference on

    (2017)
  • D. Kavya

    Ransomware of things (rot)

    Fuzzy Syst.

    (2017)
  • V. Adat et al.

    Security in internet of things: issues, challenges, taxonomy, and architecture

    Telecommun. Syst.

    (2017)
  • C.J. DOrazio et al.

    Data exfiltration from internet of things devices: ios devices as case studies

    IEEE Internet Things J.

    (2017)
  • T. Ring

    Connected cars–the next target for hackers

    Netw. Security

    (2015)
  • S.-M. Cheng, P.-Y. Chen, C.-C. Lin, H.-C. Hsiao, Traffic-aware patching for cyber security in mobile iot, arXiv...
  • S.D. Castilho et al.

    Proposed model to implement high-level information security in internet of things

    Fog and Mobile Edge Computing (FMEC), 2017 Second International Conference on

    (2017)
  • C.E. Stewart et al.

    Communityguard: a crowdsourced home cyber-security system

    Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization

    (2017)
  • A. Derhab et al.

    Fortifying intrusion detection systems in dynamic ad hoc and wireless sensor networks

    Int. J. Distrib. Sens. Netw.

    (2014)
  • T. Hayajneh et al.

    Secure authentication for remote patient monitoring with wireless medical sensor networks

    Sensors

    (2016)
  • A. Akhunzada et al.

    Securing software defined networks: taxonomy, requirements, and open issues

    IEEE Commun. Mag.

    (2015)
  • Z. Shu et al.

    Security in software-defined networking: threats and countermeasures

    Mob. Netw. Appl.

    (2016)
  • Cited by (216)

    View all citing articles on Scopus

    Ibrar Yaqoob received his Ph.D. degree in Computer Science from the University of Malaya, Malaysia, in 2017. He earned 550 plus citations, and 50 plus impact factor during his Ph.D. candidature. He worked as a researcher at Centre for Mobile Cloud Computing Research (C4MCCR), University of Malaya. His research experience spans over more than three and half years. He has published a number of research articles in refereed international journals and magazines. His numerous research articles are very famous and among the most downloaded in top journals. His research interests include big data, mobile cloud, the Internet of Things, cloud computing, and wireless networks.

    Ejaz Ahmed worked at Centre for Mobile Cloud Computing Research (C4MCCR), University of Malaya, Malaysia. Before that, he has worked as Research Associate in CogNet Research Lab NUST, Pakistan, (December 2009 to September 2012) and in CoReNet, CUST, Pakistan, (January 2008 to December 2009). His research experience spans over more than Eleven years. He is associate editor of IEEE Communication Magazine, IEEE Access, Elsevier Journal of Network and Computer Applications, and KSII TIIS. He has also served as a Lead Guest Editor/Guest Editor and Chair/Co-chair in international journals and international conferences, respectively. His areas of interest include Mobile Cloud Computing, Mobile Edge Computing, Internet of Things, Cognitive Radio Networks, and Smart Cities. He has successfully published his research work in more than sixty international journals and conferences. He has received several performance awards during his research career.

    Muhammad Habib ur Rehman is an assistant professor at COMSATS Institute of IT, Wah Cantt Pakistan, where he works on data stream mining systems for the Internet of Things. His research covers a wide spectrum of application areas, including smart cities, mobile social networks, quantified self, and mobile health. He received a PhD in mobile distributed analytics systems from the Faculty of Computer Science and Information Technology at the University of Malaya, Malaysia.

    Abdelmuttlib Ibrahim Abdalla Ahmed received his B.Sc. degree in computer science from OIU, Sudan, and his M.S. degree in computer science from IIUI, Pakistan. He is currently pursuing a Ph.D. degree at the University of Malaya. His research Interest areas include trust and reputation systems, security and digital forensics, Internet of Things, mobile and cloud computing, and vehicular networks.

    Mohammed Ali Al-Garadi received the M.Tech. degree in electronic and communication engineering from Jawaharlal Nehru Technological University, Hyderabad, India. He is currently pursuing the Ph.D. degree with the Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia. He has published several articles in academic journals indexed in well reputed databases such as ISI-indexed and Scopus-indexed.

    Muhammad Imran is an assistant professor in the College of Computer and Information Science, King Saud University. His research interests include mobile ad hoc and sensor networks, WBANs, IoT, M2M, multihop wireless networks, and fault-tolerant computing. He has published a number of research papers in peer reviewed international journals and conferences. His research is financially supported by several grants. He is serving as a Co-Editor-in-Chief for EAI Transactions on Pervasive Health and Technology. He also serves as an Associate Editor for the Wireless Communication and Mobile Computing Journal (Wiley), the Inderscience International Journal of Autonomous and Adaptive Communications Systems, Wireless Sensor Systems (IET), and the International Journal of Information Technology and Electrical Engineering. He has served/serves as a Guest Editor for IEEE Communications Magazine, IJAACS, and the International Journal of Distributed Sensor Networks. He has been involved in a number of conferences and workshops in various capacities such as a Program Co-Chair, Track Chair/Co-Chair, and Technical Program Committee member. These include IEEE GLOBECOM, ICC, AINA, LCN, IWCMC, IFIP WWIC, and BWCCA. He has received a number of awards such as an Asia Pacific Advanced Network fellowship.

    Mohsen Guizani (S’85-M’89-SM’99-F’09) received all of his degrees from Syracuse University, Syracuse, NY, USA, in 1984, 1986, 1987, and 1990, respectively. He is currently a Professor and the ECE Department Chair at the University of Idaho. He served in a number of academic positions in the USA. His research interests include wireless communications, mobile computing, computer networks, cloud computing, IoT, security, and smart grid. He currently serves on the editorial boards of several international technical journals and the Founder and the Editor-in-Chief of Wireless Communications and Mobile Computing journal (Wiley). He is the author of nine books and more than 400 publications in refereed journals and conferences. He guest edited a number of special issues in IEEE journals and magazines. He also served as a member, Chair, and the General Chair of a number of international conferences. He was selected as the Best Teaching Assistant for two consecutive years at Syracuse University. He was the Chair of the IEEE Communications Society Wireless Technical Committee and the Chair of the TAOS Technical Committee. He served as the IEEE Computer Society Distinguished Speaker from 2003 to 2005. He is a Fellow of IEEE and a senior member of ACM.

    1

    Member, IEEE.

    2

    Member, IEEE.

    3

    Fellow, IEEE.

    View full text