IoT: Communication Protocols and Security Threats

: The IoT is recognized as one of the most important areas of future technology and is gaining vast attention from a wide range of industries. Although, after 20 years from the first published literature (2002) the technology (as a whole) is not yet mature. In this study we will review the fundamentals of IoT with a general approach, by addressing the problems of a standard architecture, vulnerabilities and use cases of this promising technology. Moreover, we will review some of the communication protocols that have invented especially for IoT technology, security threats and general implementation challenges. Discussion over the findings of this review reveals and specifies the next steps required to expand and support IoT systems in a protected framework.


10
Few decades earlier, the Internet revolutionized our world by connecting users across 11 the globe simultaneously in real time. Today, the Internet of Things, which is also known 12 as the Internet of Everything or sometimes referred to as the Industrial Internet, is a 13 paradigm of technology envisaged as a network, connecting machines and devices globally 14 and making them capable of interacting both with each other and the physical world 15 autonomously within the existing Internet infrastructure.
improving their efficiency, accuracy and making the environment surrounding us more 37 clever and quick-to-respond, accomplishing the fusion of the digital and the physical world. 38 [4]. 39 This notion has multiplied the areas where it could be applied, which in turn, can 40 improve the common welfare by making use of the means already available in ways never 41 thought before and it is considered to be one of the most crucial fields of future technology 42 that is becoming popular with an extensive number of industries [5]. Except from efficiency 43 and accuracy, the interconnection of IoT devices opens a number of security threats to the 44 users that can be connected to critical systems [6]. The authors in [7] have identified the 45 major attacks on fog-based Internet of Things (IoT) applications. 46 The IoT technology forecast of connected devices is expected to increase by about 300% 47 from 8.7 billion devices in 2020 to more than 25 billion IoT devices in 2030. In 2020, China 48 was leading the IoT applications race with more than 3 billion devices in operation. The 49 prevailing IoT devices are present in each industrial field and retail market. In particular, 50 the retail market comprises around 60 percent of the total number of IoT devices in 2020. 51 This allocation is predicted to remain unaltered in the next ten years. [8]. 52 The contributions and novelty of this article are: The rest of this paper is organized as follows: In Section 2 we present the generic 58 architecture of IoT and in Section 3 we give an overview of communication protocols used. 59 Section 4 discusses security issues and concerns and gives a thorough understanding of 60 IoT security threats. In Section 5 we present the main IoT applications. In Section 6 we 61 discuss open security issues and challenges. Finally, Section 7 collects and discusses all the 62 conclusions we draw from the presented research work. 63

64
In theory, the term IoT is commonly used to describe the design and implementation 65 of a network that is successfully handling information data within the devices included in it. 66 In practice though, since this network is the Internet, this is something challenging because 67 all of the devices (Smart Sensors, Data Centers etc.) that are participating must be able to 68 communicate seamlessly with each other, either directly or indirectly (i.e. Gateways), in a 69 secure way. As a result, making all the devices of the Internet compatible is something that 70 requires specific protocols for communication, standard structure, application compatibility, 71 advanced Data Processing capabilities and many more. Despite their complexity in certain 72 implementations, their elementary operation is quite simple [9].

73
A smart object transmits data collected by its sensors (physical world) to a data center, 74 (either local or cloud-based), or even another smart object through an intermediate (gate-75 way). The use of the gateway is not mandatory as the smart object can potentially work as a 76 gateway too. Then, the data received "on the other side" are handled and multiple actions 77 can be initiated. These actions are the ones that add complexity to the implementation 78 because more interoperability is required to control or monitor an autonomous car, as to 79 turn on the heater in certain degrees.

80
Although the IoT technology applies to a vastly major number of fields and is not 81 standardized in any way, we will address a simple approach by reviewing the basic 82 architecture and the most common protocols invented for this technology [10].

83
To define a reference architecture that supports current features and future extensions 84 scalability, interoperability, data distribution, computing power and off course security, 85 some fundamental factors must be considered regarding the architectural standardization, 86 since several model architectures are described in the literature [11].

87
For example, in a systematic review about the Internet of Things architecture, examin-88 ing more than 145 studies and their underlined architectures, we noticed that architectures 89 in reference were mainly three-layer, four-layer or five-layer models, while in another 90 survey the layer classification was applied in three-, four-, five-, six-or seven-layer models 91 [12] (See Figure 1).

92
To make things more complicated, international organizations and big tech companies, 93 like the International Telecommunication Union (ITU), the Institute of Electrical and Elec-94 tronics Engineers (IEEE), Cisco, Google, Amazon and the European Telecommunications 95 Standards Institute (ETSI), have presented different IoT frameworks based on application 96 requirements, network topology, protocols, business and service models, as it encompasses 97 a variety of technologies. [13].

98
Since there's still no single standard reference architecture for IoT and not an easy 99 blueprint that can be followed for all possible implementations, in our approach we chose 100 the 3-layer model that consists of the Perception, Network/Transmission and Application 101 Layer, in which the layers in any case cannot be considered as sub-layers and can fully 102 describe the elementary operations of an IoT implementation [14]. The Perception or Physical Layer consists of the physical devices, which are the 105 cornerstone of IoT technology, whose purpose is to collect information, transform them 106 into digital data and pass them to another layer, so that actions can be done based on 107 that information. Acting as a medium between the digital and real world, these physical 108 devices can be Sensors (Temperature, Humidity, Light etc.), Actuators (Electric, Mechanical, 109 Hydraulic etc.), RFID (RFID tags), [15], Video Trackers (IP camera) or anything that can use 110 data to interact with different devices through a network.

111
The difference between the traditional sensors and the smart sensors used in IoT 112 however is that smart sensors include an integrated microprocessor (DMP), that can process 113 the digitized data captured by the sensor. These data can be normalized, noise filtered, or 114 transformed for the sake of signal conditioning before being forwarded to other devices 115 throughout the network.

117
The Transmission Layer that can also be found in the literature as Transportation or 118 Network Layer, is located between the perception and the application layer. In this layer 119 the data collected by smart sensors are transformed and forwarded to the Application 120 Layer using the suitable communication channels and protocols for further processing, 121 like analysis, data mining, data aggregation, and data encoding, while providing network 122 management functionality and not only a basic packet routing as the network layer of the 123 ISO/OSI model does.

124
In IoT implementations, wireless protocols are more commonly used compared to 125 wired ones, since wireless sensors can be installed even in places that lack the main req-126 uisites for wired sensors like power, communication cabling etc. Moreover, in a wireless 127 sensor network, it is easier for nodes to be added, removed or relocated without reconsider-128 ing the structure of the entire network. The selection of protocols to be used, can be based 129 in several factors like hardware heterogeneity, power consumption, the transmission speed, 130 and the transmission distance needed in each application and many others.

131
In other implementations however, a wired sensor network is preferred since these 132 networks are more reliable, more secure and offer higher transmission data speeds. For 133 example, IoT implementations in a hospital, where reliability and speed are major factors for 134 saving a patient's life, wired sensors are preferable and the requisites for their installation 135 can be planned during hospital's initial design (wiring, power delivery cables etc.).

136
In general, smart sensors must be able to communicate with each other through 137 Internet to handle information and interact with the physical world, while being uniquely 138 identified to prevent data conflicts. Depending on the specific applications, smart objects 139 can be directly reachable without the need of an intermediary gateway, implement a UI 140 making user interaction possible and many more. The Application Layer is present just above the Transmission Layer, it is based on 143 the implementation, and can be organized in different ways. This layer, depending on the 144 implementation, is responsible for analyzing and processing the information data that came 145 from the below Layers (Perception and Transmission). More specific, it handles these data 146 to applications in order to be used for the desired actions (i.e., control actuators), acting like 147 a bridge to transform and forward it to other nodes or hand it over to another application 148 for further processing.

149
Moreover, this is the layer where the user interface is placed (if any), giving the choice 150 for users to interact with the IoT system and perform various actions (for example if a 151 technical equipment needs servicing, the IoT will inform the technician through an interface 152 that "structurally" is operating on the Application layer.

153
The Application layer, in contrast with Transmission and Perception Layer, can vary a 154 lot based on the implementation. Since it is designed with a desired application in mind, 155 this layer is formed by its functionalities. For example, real-time monitoring and decision-156 making applications are in charge of taking actions based on the data collected from the 157 perception layer, information digitization is responsible for collecting and transforming 158 analog data into digital, analytics are used to process collected data and create an evaluation 159 model, while hardware control for transforming data into physical actions [16].

161
Many protocols contribute to an IoT implementation, but communication protocols are 162 mandatory for IoT networks. To choose the best IoT protocol means accurately weighing the 163 criteria of desired application range, power consumption threshold, information bandwidth 164 and latency, Quality of Service, all viewed through the prism of security. As mentioned 165 earlier, IoT devices use network standards and protocols to enable communication between 166 physical objects connected through cloud. Network protocols and standards are policies 167 that comprise certain rules that define the communication language between different 168 network devices.

169
Every device generally is connected to the internet by using the Internet protocol 170 (IP) but can also be connected locally via Bluetooth, NFC (near-field communication) and 171 others. Some of the differences between both types of connections are power, range, and 172 CPU power used. IP connections are complex and require increased power and memory, 173 but there are no range limitations. Bluetooth connections, on the other hand, are simple 174 and require less power and memory, but the range is limited.

175
Single devices like smartphones and personal computers use network protocols for 176 communication, however general protocols used by these devices might not meet specific 177 requirements like bandwidth, latency, and cover distance of IoT-based solutions. Although 178 IoT devices are easy to deploy, their communication protocols are the ones that must bridge 179 the lack of processing power, range, and reliability with existing internet infrastructure. 180 Since the existing protocols are not meeting the criteria for IoT implementation (Wi-Fi 802.11 181 a/b/g/n/ac, etc.), we will review some new IoT protocols created for IoT application 182 requirements.

183
For the reason that power consumption is an important factor when designing IoT 184 networks, low power wireless network technologies are preferable. These technologies 185 generally fall into two groups:  With a low requirement hardware capability in mind, LPWAN technology can operate 201 in more than 10 km distance depending on the surrounding and obstacles and data transfer 202 rates from 0.3 kbit/s to 50 kbit/s per channel. Moreover, while power consumption 203 and data rate are big challenges for LPWANs, Quality of Service (QoS) and scalability 204 are important factors when selecting an LPWAN protocol. The 6LoWPAN protocol is 205 an LPWAN protocol example, that combines IPv6 and LoWPAN technologies, and has 206 many advantages, like exceptional connectivity, compatibility with earlier architectures, 207 low-energy consumption, and ad-hoc self-organization.

209
WPAN is a local mesh network of devices organized in a mesh topology, in which, 210 every device is connected directly (without a gateway) with the other devices of the network 211 and transfers data between each other, until it reaches the final recipient inside this network. 212 This structure promotes network resilience, is simple to implement and costs less to set it 213 up than other networks, particularly over large areas due to the absence of extra equipment 214 (i.e., gateways).

215
ZigBee is considered the most popular mesh protocols used in IoT. It has a short-range 216 but consumes minimal power, which can extend communication over several IoT devices. 217 In comparison with LPWAN protocols, ZigBee can deliver high data transfer rates at a 218 single instance, but with more power efficiency due to its mesh topology. However, due to 219 their short physical range, ZigBee and every other mesh protocol are best suited for small 220 to medium-range implementations, like smart home networks [17].

222
Since IoT technology is designed to apply in many sectors that are crucial, especially 223 for national security and economy with different industry standards and specifications, 224 security issues require primary attention to minimize the attack surface and prevent security 225 issues. For example, in 29 of April 2021, Microsoft's IoT security research group, discovered 226 critical memory allocation vulnerabilities in IoT devices that could potentially be used to 227 bypass security controls and execute malicious code or cause a system crash [18].

228
Beside cyber-attacks, the development of large-scale heterogeneous networks of con-229 strained nodes engaging in real-time, should be based on an architecture that is resilient to 230 manage factors arisen from Reliability, QoS, Modularity, Semantic Interoperability, Privacy 231 Management, Hardware and Software Compatibility. Based on the 3-layer protocol, we 232 will discuss in the following issues and concerns that address the security threats of each 233 layer. The most important threats that endanger the Perception Layer have been selected 236 and described in the sequel.  The Application Layer is more prone to security issues compared to the other two 289 layers, due to its diversity. The Application Layer consists of the applications and software 290 built for IoT implementations and since these are countless, so are the applications built 291 for them. For example, when IoT is used for Smart Home applications, the threats and 292 vulnerabilities may come from every application with access to the hardware used either 293 from the inside (control center or even our mobile app) or outside (remote applications).

313
As mentioned above, IoT systems could be deployed to support endless applications. 314 Basically, "anything" can be turned into an IoT device that can interconnect with other 315 devices on a network boosting productivity, safety and cost reduction. However, we will 316 address some of the areas that IoT would reinvent, providing unimaginable capabilities 317 never thought before. IoT implementations can improve different parts in the agro-industrial industry, like 320 soil state and environmental conditions evaluation (Oxygen, Hydration, temperature, 321 CO2), biomass consistency and more, but also to adjust variables during production or 322 transportation phase. Another implementation is to keep track and predict a product's 323 inventory on shelves or even inside refrigerators, while processing valuable analytics. 324 Moreover, it can provide reliable information to the end user about the originality and 325 ingredients of the product and promote an informed, connected, developed and adaptable 326 rural community. In summary, IoT in Agriculture can literally reinvent the industry in 327 the years to come affecting farmers, suppliers, technicians, distributors, businessmen, 328 consumers, and government representatives [22]. 329

330
IoT, in conjunction with real-time connected objects, can play a significant role in pre-331 venting serious illnesses and reducing healthcare cost [23]. Moreover, the implementation 332 has a long-term impact on the health monitoring, administration, and clinical service to 333 patient's physiological information. The basic concept consists of patients connected with 334 sensors and the data are forwarded to the health-monitoring unit. Sometimes data are 335 stored in the cloud, which helps to manage the amount of data with safety [24]. 336 An IoT implementation coupled with machine learning, can be used for early detection 337 of heart diseases [25] or arthritis. This type of implementation consists of wearable devices 338 for collecting sensor data, a cloud center for storing the data, and a regression-based 339 prediction model for heart diseases and arthritis.

340
Each year, millions of people over 65 years old fall. An IoT implementation with 341 simple detection algorithm, can be used to detect people who fall on specific areas. These 342 areas will contain RFID information and location identification data that can be used to 343 provide alert to hospitals and family members thus preventing a possible life loss [26].

344
IoT-based healthcare system can provide ways to collect data from cancer patients 345 and monitor them on real-time for long periods, while using a variety of sensors and 346 communication protocols. The use of a network of sensors and suitable communication 347 protocols allow us to have smart devices which can transmit data remotely through different 348 servers from one end to the other. It can become quite easy for patients and the specialized 349 medical staffs, such as oncologists, to monitor and analyze the health condition of cancer 350 patients, especially beneficial for those with deteriorating health situation.

351
During a pandemic, like COVID-19, IoT can be used to monitor quarantined and high-352 risk patients by using the internet and a smart sensor or a mobile phone [27]. Moreover, 353 tracking the location of medical equipment in real time can improve treatment process 354 speed while providing procedure transparency. 355

356
As ESG (Environmental-Social-Governance) is common tool worldwide for new tech-357 nology evaluation, environmental IoT applications can be considered important. Real time 358 maps with air and water pollution, pandemic data, noise levels, temperature, and harmful 359 radiation, can now become a reality with the use of smart sensors. Besides that, IoT is capa-360 ble in collecting and storing environmental records, check the compliance of environmental 361 variables with local policies, trigger alerts, or send recommendation messages to citizens 362 and authorities. These data can be used by governments and organizations as inputs for 363 predictive models to forecast environmental variables and track pollution sources over time 364 and space, ultimately leading to faster and better decisions to ensure a safe and healthy 365 environment for all citizens [22]  Ships and vessels are lacking many of the technologies that are used on shore, due to 368 the open sea environment (absence of steady internet coverage, equipment more prone to 369 defections etc.). Since many on board departments need to cooperate, real time information 370 on board is crucial. The maintenance department could monitor shipboard equipment in 371 real time to deal proactively with maintenance, by monitoring shipboard equipment and 372 machinery enhanced with IoT technology, to discover issues and prevent potential failures. 373 In addition, since fuel represent about 55 percent of total ship operating costs, smart sensors 374 and monitoring equipment on-board can track ship's performance and report back to the 375 headquarters on shore, which in turn can support the ship master and chief engineer with 376 guidance when planning the most fuel-efficient route. Finally, identifying optimal speed, 377 current and upcoming weather conditions and engine configuration will potentially save 378 significant amounts of fuel, while minimizing CO2 emissions [28]. 379

380
The capabilities of an IoT system besides wealth creation, productivity and security 381 can also be used in Military. Many Countries worldwide are already trying to promote 382 Military and Defense Applications through IoT implementations in order to overcome 383 various warfare and battlefield challenges. In this case we have the "Internet of Military 384 Things" (IoMT) which is a class of IoT applications for Intelligent warfare and modern 385 combat operations. By creating a miniature ecosystem of smart technology capable of 386 distilling sensory information and autonomously governing multiple tasks at once, the 387 IoMT is conceptually designed to offload much of the physical and mental burden that 388 war fighters encounter in a field combat. Use cases like real-time Health monitoring, 389 Augmented reality training, superior Fleet management, Target recognition and Battlefield 390 awareness are only a few of the capabilities provided by an IoT implementation. IoT applications in a city are unimaginable, and include everything from energy man-393 agement, smart lighting, intelligent traffic management to water treatment and wastewater 394 management or evacuation guidelines in case of an emergency. In a machine-to-human 395 approach, data from sensors in traffic lights can be used from the central authority to adjust 396 traffic flow. In a machine-to-machine approach, intelligent traffic systems (i.e., smart traffic 397 lights, traffic cameras and a cloud data center) can monitor traffic and public transporta-398 tion to calculate possible upcoming congestions with the use of A.I. and prevent them by 399 adjusting traffic flow. IoT sensors in streetlights could also adjust not only power states 400 (ON/OFF) but also brightness depending on real light conditions (i.e., from dusk till dawn). 401 Considering the number of streetlights that can be found in a city, these few watts from 402 every streetlight add up, making the savings and environmental impact worthy. Moreover, 403 those same sensors can also alert if a light needs servicing, reducing repair tickets and 404 saving time to the service department [29]. 405

406
Transportation and logistics are industries that already reap the benefits of IO systems 407 from a variety of applications. However, IoT could inform, in real time, all kinds of fleets 408 (cars, trucks, ships, trains etc.) that carry goods, to reroute based on traffic, upcoming 409 weather conditions, vehicle or driver availability, thanks to IoT sensor data. The inventory 410 itself could also be equipped with sensors for tracking and temperature-control monitor-411 ing, as many industries like food and beverage, flower, and pharmaceutical often carry 412 temperature-sensitive products. In this case, alerts can be sent when temperatures change 413 to a level that threatens the product. Furthermore, blockchain technologies can be used to 414 ensure that the information about the transportation of the goods has not been altered. [ Since always, energy grids were designed to deliver electricity from large power 417 stations power by coal, nuclear etc. to a wide network of homes and businesses. Until 418 now, the electric grid could not accept power contributions from houses and businesses 419 that are harvesting power via renewable sources (solar panels, windmills etc.). A smart 420 grid though, is capable in accepting power from decentralized mini power stations like a 421 house with solar panels while coupled with wireless smart meters, can monitor how much 422 energy a net-positive establishment is generating and reimburse them accordingly. Besides 423 smart meters, every equipment can connect to the grid as well, enhancing its utilization. 424 For example, data from weather stations could inform the grid that in an upcoming cloudy 425 weather the solar panels will stop contributing power, hence the grid should adapt to this 426 parameter. [30] 427 Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 5 January 2022 doi:10.20944/preprints202111.0214.v2

428
Nowadays, numerous IoT devices are interacting through networks to provide for the 429 user, the required information. However when addressing IoT implementations it is not 430 that easy, as besides security, many challenges arise and in the next sessions we will briefly 431 describe some of the key challenges [31]. As mentioned above, a standardization is necessary because without established 434 regulation, precise guidelines and worldwide standards, the industry will eventually face 435 serious incompatibilities from unregulated IoT expansion which are more difficult to track 436 and examine their impacts to different sectors. In addition, many IoT devices are handling 437 unstructured data that are stored in various types of databases (NoSQL etc.) with different 438 querying approach, creating incompatibilities between systems. Since the number of the 439 end users keeps rising along with the extensive use of IoT devices in many sectors, a new 440 attack vector arises. Similar attack methods have led to increased acceptance of the need 441 for regulation, legislation, stronger protection measures and more strict controls for devices 442 that authenticating on the Internet [3]. 443

444
In communication networks, device integration is highly affected by the lack of the 445 effective standards and IoT is no exception. Since "traditional" communication interop-446 erability is challenging due to the wide range of available technologies making it hard to 447 communicate seamlessly between multi-vendor devices, IoT communication interoperabil-448 ity is more difficult to implement due to different programming languages and enormous 449 number of different components, utilized in the IoT hardware development. With these 450 types of incompatibilities, the reliability of a network is dramatically decreased making the 451 communication unstable. These issues have led the market to propose certain solutions like 452 standardization of protocols, but these solutions leave behind many incompatible hardware 453 devices. Since connected devices around the world are increasing exponentially, adversaries 456 now have many more potential entry points into a network. In simple terms, for every 457 new IoT device connected to a network the attack surface increases because an adversary 458 now has many more devices prone to hacking thus exposing the whole network's safety. 459 Additionally, the ability to collect and distribute data and information to another device 460 or network autonomously is also a disadvantage since the data could be sensitive but 461 certainly will be vulnerable. For example, there are IoT devices that require users to agree 462 to terms and condition of service before interacting with them. These types of agreements 463 can expose users' data making them vulnerable to attack. Therefore, strategies need to 464 be developed to handle people's privacy options across a broad spectrum of expectations. 465 Since ease of use and security are "enemies", the industry must figure out a solution that 466 promotes technological innovation and services while avoiding putting sensitive private 467 data and information in danger. Due to the diversity in the implementations of IoT technology and the legal scope that 470 regulates IoT devices, there have been numerous dilemmas with reference to the regula-471 tions and laws that apply, complicating its users whether certain actions are prohibited 472 or not in each jurisdiction [32]. Some of the legal questions that have arisen with regard 473 to the use of IoT devices include data retention and destruction policies, legal liability for 474 unintended uses of IoT devices, security breaches or privacy lapses, to name just a few 475 [33]. Additionally, global regulation, for instance, rules, processes, protocols, audits, trans-476 parency and continuity, is thus far absent in the IoT sphere, as a result of the nonexistent 477 legislation applying in general in the IoT field. Such regulations in the industrial, national 478 and international sphere could be remarkably beneficial in assisting organizations become 479 more efficient and reliable as far as systems are concerned and contribute to the lessening 480 of errors in the future [34].

482
With the advance of low-cost computing, cloud services, big data technologies, analyt-483 ics, and mobile technologies, small size physical devices forming a network, can collect and 484 exchange data without human intervention. In this hyperconnected environment, every 485 node can record, monitor, and adjust each interaction between connected things. Although, 486 this promising technology also threatens user's privacy and security in the different en-487 vironments under which is deployed. For this reason, solutions to threat detection [35], 488 intrusion, compromise or misuse in the IoT domain should be developed and generally 489 agreed-upon standards and security regulations are necessary for the industry to thrive. 490 Since the advantages of the technology are not questionable, governments and engineers 491 must unite their powers and overcome the challenges to make IoT networks be viewed as 492 the traditional networks making the term Internet of Everything valid.