The Internet of Things (IoT) is an umbrella term for a broad range of technologies and studies, which are rapidly expanding and modifying our world. IoT expansion has exploded over recent years, resulting in demand for proper security and implementation guidelines to be established. There is no universally accepted definition of the IoT, which may lead to devices being misrepresented or excluded in the collective security process. In 2014, the Institute of Electrical and Electronics Engineers (IEEE) described the IoT vaguely as "a network of items—each embedded with sensors—which are connected to the Internet" [1]. In the context of this paper, the IoT will be defined as a series of objects, devices, and sensors that are connected to either a single network or multiple networks. The IoT technology that has amassed over the years is both incredibly capable and complex. IoT technology includes devices and objects such as radio-frequency identification (RFID) tags, IP cameras, various sensors, and smart assistants that aid in efficient completion of tasks. The interconnected nature of IoT devices provides an environment to streamline tasks, reduce workload, and minimize the impact on the end-user.
IoT growth trends are quantitatively on the rise; as of 2019, over 26.66 billion IoT devices were implemented globally. Predictions for IoT device implementation by 2025 vary drastically. Statista, a research company headquartered in Germany, provides a projection of 75.44 billion devices by 2025. In contrast, the International Data Corporation has predicted that there will be 41.6 billion connected IoT devices that generate 79.4 zettabytes of data in 2025. IoT devices are slowly becoming more prevalent in the healthcare domain. The purpose of these devices in the context of healthcare is to improve the life of the user. Continuous glucose monitoring (CGM) devices, for example, communicate wirelessly with a user's insulin pump, requiring less user interaction than traditional glucometers and insulin pumps. According to the 2018 Verizon Data Breach Investigations Report, thirty per cent of data breaches in the healthcare domain were the result of errors such as accidental disposal and delivering personal information to the wrong patient. To combat user errors, we rely on the IoT as an intermediary since it reduces the need for human interaction. However, there are valid concerns that manufacturers are not implementing a security-centric approach. The concern is further elevated considering the sensitive information stored on these devices and the degree to which the user relies upon them.
The future of IoT in the consumer and sales market is full of possibilities and presents a drastic upgrade over current practices. Growth trends reflect a steady rise in the commerce domain, as more businesses and customers discover the value of IoT devices and begin daily implementation. In the commerce domain, there is a distinct focus on near-field communication/point of sale (NFC/POS) systems, RFID tags, and IoT sensors. Our research covers only a small portion of the IoT device spectrum. These devices simplify customer transactions, create a medium for sellers to communicate with customers more efficiently, and streamline employee productivity. Furthermore, these devices can monitor trends and purchasing practices, help consumers locate a product, streamline the checkout process, and provide security for the customers.
Consumers generally associate IoT terminology with the commercially available devices in the home domain. In 2018, most consumers are familiar with IoT devices, and due to the increased accessibility, many users rely upon them every day. Consumers interact with devices such as Nest thermostats, smart home sensors, and personal assistants, like Amazon Alexa. IoT devices in a user's home can streamline tasks, learn patterns, and even provide security in some cases. A 2016 IoT study commissioned by the Interactive Advertising Bureau to Maru/Matchbox found that sixty-two per cent of Americans utilize IoT devices in their homes, with growth trends expected to rise even higher. While IoT devices flood into the marketplace and the average consumer's home, security for IoT devices becomes fallible. The relative infancy of the technology, combined with a haphazard marketing schema, poses a heightened security concern; products are often released without proper security safeguards in place. IoT device security should be at the forefront rather than an afterthought. The industry needs to establish proactive measures and proper security safeguards for IoT devices, before introducing them to the marketplace, to mitigate the impact of breaches to millions of
Security and privacy issues in IoT domains include consumer, personal, patient, organizational, institutional, and industrial data. The unregulated nature of IoT devices can leave consumers' personal data vulnerable to extraction through a series of device vulnerabilities. Potentially targeted data can include names, numbers, addresses, credit card information, and social security numbers. Institutions (including governments) are also at risk when they use IoT technology, due to the massive flow of data into and out of their systems. A breach is likely; the proper personnel must be thoroughly vetted and prepared for securing organizational and customer data. Each domain contains numerous unique attack vectors that pose critical security risks and potential compromises of data.
Beyond security and privacy issues, the nature of IoT devices presents issues that make them susceptible to new types of attacks. In particular, battery-powered devices (e.g., activity tracking devices, sensors) are vulnerable to the sleep deprivation attack, which drains a device's power. This is a type of denial of service (DoS) attack in which the attacker continuously sends requests to a device, increasing the device's power consumption and eventually draining its power completely. In another research work, researchers specifically analyze the impact of what they refer to as depletion of battery (DoB) attacks on wireless sensor networks (WSNs). WSN sensors are already limited in their battery capacity; therefore, DoB attacks severely impact WSNs and threaten their operation. These attacks further weaken the IoT network. To properly mitigate threats and attacks, the elements of the CIA triad (confidentiality, integrity, and availability) must be followed to allow for safer use of the technologies.
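The battery drain described above can be quantified with a simple duty-cycle model. The following is an added example, not code or data from the paper: every electrical figure and the `WakeBudget` token-bucket guard are illustrative assumptions, and the guard presumes a request can be rejected before the expensive wake-up path runs.

```python
from typing import Optional

# Constructed, illustrative figures (assumptions, not measurements from the paper).
BATTERY_MAH = 220.0   # coin-cell-class capacity
SLEEP_MA = 0.005      # deep-sleep current
ACTIVE_MA = 15.0      # MCU + radio current while servicing a request
SERVICE_S = 0.05      # awake time per serviced request


def avg_current_ma(serviced_per_s: float) -> float:
    """Average draw for a given rate of serviced requests (duty-cycle model)."""
    duty = min(1.0, serviced_per_s * SERVICE_S)  # fraction of time awake
    return duty * ACTIVE_MA + (1.0 - duty) * SLEEP_MA


def lifetime_hours(serviced_per_s: float) -> float:
    """Battery lifetime in hours at a constant serviced-request rate."""
    return BATTERY_MAH / avg_current_ma(serviced_per_s)


class WakeBudget:
    """Token bucket (hypothetical guard) capping how often requests wake the device."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # request dropped, device stays asleep


def serviced_rate(offered_per_s: int, seconds: int,
                  budget: Optional[WakeBudget] = None) -> float:
    """Replay an evenly spaced request stream; return serviced requests per second."""
    serviced = 0
    for i in range(offered_per_s * seconds):
        if budget is None or budget.allow(i / offered_per_s):
            serviced += 1
    return serviced / seconds


if __name__ == "__main__":
    guarded = serviced_rate(20, 600, WakeBudget(rate_per_s=0.1, burst=5))
    print(f"normal use (1 req/min): {lifetime_hours(1 / 60):8.0f} h")
    print(f"flood, unguarded:       {lifetime_hours(20):8.1f} h")
    print(f"flood, wake budget:     {lifetime_hours(guarded):8.0f} h")
```

The budget trades availability for battery life: legitimate requests arriving during a flood are dropped too, so the rate and burst must be sized to the device's real workload.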
This work is the continuation of our earlier research on attack vectors for IoT networks. Our primary research goal is to develop a threat model for IoT networks by identifying device-level vulnerabilities, attacks, and threats that are imposed on IoT devices, as well as heightening security controls within the healthcare, commerce, and home domains. Secondly, we highlight the proposed model's practicality with an overview of potential applications, illustrated through case studies. Our paper is organized as follows. Section 2 discusses the needs of IoT security at the device level as well as its applications in different IoT domains. Section 3 identifies common vulnerabilities in IoT devices. In Section 4, we compute the vulnerability scores for several devices using NIST-CVSS for different IoT domains. Section 5 provides an investigation of attacks and threats that stem from device vulnerabilities and an analysis of user impact. Section 6 highlights our security recommendations in both general and specific contexts. Section 7 illustrates our case studies, in which our security recommendations are applied to example scenarios. Finally, Section 8 concludes our research paper.