There is a trend to move more and more information processing towards
the edges of information systems, close to the data sources and sinks,
and to the end-users [31]. In 2018, Gartner estimated
that 10% of “enterprise-generated data is created and processed outside
a traditional centralized data center or cloud” [55], and predicted in
2021 that this number would increase to 50% in 2025 [63]
(a figure it originally predicted at 75% in its 2018 report [55]),
while the number of IoT devices will triple [63] or quadruple [23]
between 2020 and 2030, reaching “more than 15 billion IoT devices [that]
will connect to the enterprise infrastructure by 2029” [23] (IoT
Analytics even forecasts 27 billion connected IoT devices by 2025 [38]). There
are varying reasons for this trend, among which: improving latency,
relieving the network bandwidth from part of the huge amount of data
generated, and bringing some autonomy to the end-users interacting at
the periphery of the information system. This trend exists in the civil
world, and in particular in industry with the specific concept of
Industrial IoT (IIoT) [86] [81] [52] [80], but also in the military one
with the concepts of the Internet of Battle Things (IoBT) [49] [78] [2] or
Internet of Military Things (IoMT) [87] [18], which aim in part to
increase local information exploitation [73] [57] [58]. To develop those concepts
in the military domain, among other initiatives, the Internet of
Battlefield Things Collaborative Research Alliance (IoBT-CRA) [70] [1] [89] was
established in 2017 for a 10-year period.
In this call, devices handling those peripheral computations are
called Smart Peripheral Devices (SPDs). Those SPDs are
quite different from, and more variable than, devices found in
the “core” of information systems (servers, desktops and laptops). They
range from somewhat expensive and powerful devices, such as
smartphones or the communication equipment of military
vehicles [58], through Internet of Things (IoT) devices [88] and some
lightweight Edge Computing devices [85], to low-cost, low-power
devices, such as disposable wearable devices or
disposable vessels [54] [25]. While quite
different, SPDs share some characteristics: they reside at the periphery
of the system and are more susceptible to loss and theft; they have to
comply with specific constraints limiting the resources they can use;
they run on specific hardware usually not found in “core” devices; they
use connection technologies not found in the core of the system to
communicate with the core and between themselves; they handle some
information processing directly, independently from the core of the
system; they have to allow for “temporary” disconnections from the core,
while still being able to function properly; and they are not
continuously visible and monitored by the core of the information
system.
Those specifics raise some concerns over their resilience to
cybersecurity attacks [20] [21] [61] [8] [77] [9] [37] [50] [26] [53] [5] [79], and
even the faithfulness of their supply chain [72]. As stated by
Verizon for IoT [83], but applying to all
SPDs, “an [SPD] can be an attack vector (a weak point that can be
exploited to mount an attack), a vehicle for attacks (like a part of a
botnet used to carry out a distributed denial-of-service (DDoS) attack)
or a target in its own right”. For example, the Mirai botnet [4]
infected many IoT devices and has been used to attack many other
systems. Mobile devices are also an interesting target for attackers
[74] [90] [14] [67]. Over a one-year
period, half of the companies recently surveyed by Verizon suffered a
compromise involving a mobile device [83]; for half of the
companies concerned, applications were involved (in 2021, the percentage
of organizations experiencing the installation of malware on a remote
device doubled [43]); and half of the SMBs that
suffered a mobile-related hack said that it had a major impact.
Attackers do design applications and phishing campaigns specifically for
mobile devices [83], and if they do, it is
because there is a benefit in doing so. As a consequence, more than 8
companies out of 10 have a specific budget for mobile security [83]. Last
year, C&ESAR
addressed the concept of Zero Trust, among others. From the point of
view of the security of the core of the information system, an SPD can
be disconnected if the core has lost trust in it. However, the features
carried by this SPD will also be lost. It is therefore important to be
able to secure those SPDs.
However, cybersecurity technologies and methodologies applied to the
core of information systems are not necessarily directly applicable to
SPDs. Adapting standard Endpoint Detection and Response (EDR) solutions
to the vast variety of SPDs and integrating them into the SIEM of the
core IT system is not a simple task. The specific technologies used for SPDs may
contain weaknesses and vulnerabilities different from those of core
system technologies [84] [76]. Ensuring the
cybersecurity of SPDs may also require specific methodologies [51].
For example, SPDs use specific technologies in their processing stack
(hardware and software). Among the various hardware used, they rely more
commonly on ARM platforms and technologies. This hardware and its
deployment environment have specific characteristics impacting their
cybersecurity [6] [75]. Among
the various hardware supports for securing SPDs [39], we can cite Secure
Elements (SE) [11] or Trusted Execution Environments
(TEE). SPDs also use specific operating systems, such as Android and iOS
for smartphones [91] [35]. And, for some
of them, they allow end-users (hopefully the device administrator) to
pull computing payloads from application stores populated by software
coming from various, sometimes obscure, sources. The low confidence in
the cybersecurity level of those application stores has pushed some
institutions such as Google to launch initiatives to improve the state
of affairs [36] or to launch projects aiming at
standardizing the cybersecurity requirements for those applications
[62] [42]. This state of
affairs with regard to the low cybersecurity level of mobile
applications calls for much-needed improvements [16].
SPDs also use different technologies to connect to the core of the
information system and to connect between themselves. One promising
technology is 5G [46] [7] [44] [38] [40], and 6G in the future
[24] [3]. However, this
technology, like the others, has raised cybersecurity concerns
among researchers [10], institutions
[22] [28] [27] [60] [59] [32] [65] [69] and industry [66] [41]. For
example, even the specification of Bluetooth contains vulnerabilities
[19] [13] [12]. The
deployment environment and ability of SPDs to create device-to-device
connections result in networks, such as ad hoc or mesh ones, having
different shapes and behaving differently than core information system
networks, and having specific cybersecurity concerns.
To secure communications in those networks, SPDs can rely on
cryptography. However, the low level of infrastructure support some of
them receive and the low computation power some of them have may require
specific cryptographic solutions, such as lightweight cryptography
[34] or specific key agreement protocols [56].
Another challenge that comes with SPDs is their deployment “far away”
from the core of the information system, and with an intermittent
connection to it. This setting prevents the implementation of security
policies centered around the core of the information system. SPDs
require specific security policies, which in turn require specific means for
deployment, management and enforcement. Those means need to be secured
in their own right in order to prevent attackers from exploiting them to
take control of the managed SPDs.
Finally, the peripheral deployment of SPDs, their proximity to
information sources, and their common reliance on information collection
raise concerns over privacy and data protection issues [33] [45] [48]
[47]. As a
consequence, policymakers have published specific and generic laws and
regulations that apply to SPDs [64] [82] [68] [15] [17] [71] [29] [30].

[1] T. Abdelzaher, “Alliance for IoBT Research on Evolving Intelligent Goal-driven Networks (IoBT REIGN),” University of Illinois at Urbana-Champaign, Website, 2022. [Online]. Available: https://iobt.illinois.edu/.
[2] T. Abdelzaher et al., “Toward an Internet of Battlefield Things: A Resilience Perspective,” Computer, vol. 51, no. 11, pp. 24–36, Nov. 2018, doi: 10.1109/MC.2018.2876048.
[3] C. D. Alwis et al., “Survey on 6G Frontiers: Trends, Applications, Requirements, Technologies and Future Research,” IEEE Open Journal of the Communications Society, vol. 2, pp. 836–886, 2021, doi: 10.1109/OJCOMS.2021.3071496.
[5] M. Aqeel, F. Ali, M. waseem Iqbal, T. Rana, M. Arif, and M. Auwul, “A Review of Security and Privacy Concerns in the Internet of Things (IoT),” Journal of Sensors, vol. 2022, pp. 1–20, Sep. 2022, doi: 10.1155/2022/5724168.
[7] H. Attar et al., “5G System Overview for Ongoing Smart Applications: Structure, Requirements, and Specifications,” Computational Intelligence and Neuroscience, pp. 1–11, Oct. 2022, doi: 10.1155/2022/2476841.
[9] P. S. Bangare and K. P. Patil, “Security Issues and Challenges in Internet of Things (IOT) System,” in Proc. Advance Computing and Innovative Technologies in Engineering (ICACITE), 2022, pp. 91–94, doi: 10.1109/ICACITE53722.2022.9823709.
[10] D. Basin, J. Dreier, L. Hirschi, S. Radomirovic, R. Sasse, and V. Stettler, “A Formal Analysis of 5G Authentication,” in Proc. Computer and Communications Security (CCS), 2018, pp. 1383–1396, doi: 10.1145/3243734.3243846.
[14] C. Brown et al., “Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue,” National Institute of Standards and Technology (NIST), NIST Interagency Report 8144, Sep. 2016. Draft.
[17] California Senate, “California Senate Bill No. 327,” California Senate, Sep. 2018. Reference 209 in the Wikipedia page on IoT.
[18] L. Cameron, “Internet of Things Meets the Military and Battlefield: Connecting Gear and Biometric Wearables for an IoMT and IoBT,” IEEE Computer Society, 2018.
[22] CISA, “5G Security and Resilience,” Cybersecurity and Infrastructure Security Agency (CISA), Website, 2023. [Online]. Available: https://www.cisa.gov/5g.
[24] S. Dang, O. Amin, B. Shihada, and M.-S. Alouini, “What should 6G be?” Nature Electronics, vol. 3, no. 1, pp. 20–29, Jan. 2020.
[26] P. Delgado-Santos, G. Stragapede, R. Tolosana, R. Guest, F. Deravi, and R. Vera-Rodriguez, “A Survey of Privacy Vulnerabilities of Mobile Device Sensors,” ACM Computing Surveys, vol. 54, no. 11s, pp. 1–30, Jan. 2022, doi: 10.1145/3510579.
[27] Enduring Security Framework (ESF) working group, “ESF Potential Threats to 5G Network Slicing,” National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), Guidance, Dec. 2022. [Online]. Available: https://www.cisa.gov/5g-library.
[28] Enduring Security Framework (ESF) working group, “Potential Threat Vectors to 5G Infrastructure,” National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), Apr. 2021. [Online]. Available: https://www.cisa.gov/5g-library.
[34] S. Ganiev and Z. Khudoykulov, “Lightweight Cryptography Algorithms for IoT Devices: Open issues and challenges,” in Proc. Information Science and Communications Technologies (ICISCT), 2021, pp. 01–04, doi: 10.1109/ICISCT52966.2021.9670281.
[35] S. Garg and N. Baliyan, “Comparative analysis of Android and iOS from security viewpoint,” Computer Science Review, vol. 40, p. 100372, 2021, doi: 10.1016/j.cosrev.2021.100372.
[37] Y. Harbi, Z. Aliouat, S. Harous, A. Bentaleb, and A. Refoufi, “A Review of Security in Internet of Things,” Wireless Personal Communications, vol. 108, no. 1, pp. 325–344, Sep. 2019, doi: 10.1007/s11277-019-06405-y.
[39] W. Hu, C.-H. Chang, A. Sengupta, S. Bhunia, R. Kastner, and H. Li, “An Overview of Hardware Security and Trust: Threats, Countermeasures, and Design Tools,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 40, no. 6, pp. 1010–1038, Jun. 2021, doi: 10.1109/TCAD.2020.3047976.
[40] X. Huang, T. Yoshizawa, and S. B. M. Baskaran, “Authentication Mechanisms in the 5G System,” Journal of ICT Standardization, vol. 9, no. 2, pp. 61–78, 2021, doi: 10.13052/jicts2245-800X.921.
[43] Jamf, “Security 360 Annual Trends Report,” Jamf, 2022.
[44] X. Ji et al., “Overview of 5G security technology,” Science China: Information Sciences, vol. 61, no. 8, Aug. 2018, doi: 10.1007/s11432-017-9426-4.
[45] A. Karale, “The Challenges of IoT Addressing Security, Ethics, Privacy, and Laws,” Internet of Things, vol. 15, p. 100420, 2021, doi: 10.1016/j.iot.2021.100420.
[46] R. Khan, P. Kumar, D. N. K. Jayakody, and M. Liyanage, “A Survey on Security and Privacy of 5G Technologies: Potential Solutions, Recent Advancements, and Future Directions,” IEEE Communications Surveys & Tutorials, vol. 22, no. 1, pp. 196–248, 2020, doi: 10.1109/COMST.2019.2933899.
[48] K. Kollnig et al., “Before and after GDPR: Tracking in Mobile Apps,” Internet Policy Review, vol. 10, no. 4, 2021, doi: 10.14763/2021.4.1611.
[49] A. Kott, A. Swami, and B. West, “The Internet of Battle Things,” Computer, vol. 49, no. 12, pp. 70–75, Dec. 2017, doi: 10.1109/MC.2018.2876048.
[50] B. Liao, Y. Ali, S. Nazir, L. He, and H. U. Khan, “Security Analysis of IoT Devices by Using Mobile Computing: A Systematic Literature Review,” IEEE Access, vol. 8, pp. 120331–120350, 2020, doi: 10.1109/ACCESS.2020.3006358.
[51] B. Liao, Y. Ali, S. Nazir, L. He, and H. U. Khan, “Security Analysis of IoT Devices by Using Mobile Computing: A Systematic Literature Review,” IEEE Access, vol. 8, pp. 120331–120350, Jul. 2020, doi: 10.1109/ACCESS.2020.3006358.
[52] P. K. Malik et al., “Industrial Internet of Things and its Applications in Industry 4.0: State of The Art,” Computer Communications, vol. 166, pp. 125–139, 2021, doi: 10.1016/j.comcom.2020.11.016.
[56] M. Miettinen and N. Asokan, “Ad-hoc key agreement: A brief history and the challenges ahead,” Computer Communications, vol. 131, pp. 32–34, 2018, doi: 10.1016/j.comcom.2018.07.030.
[59] MITRE, “MITRE and the Office of the Under Secretary of Defense Announce FiGHT™ Framework to Protect 5G Ecosystem,” MITRE and the Department of Defense (DoD), Press Release, Sep. 2022.
[60] MITRE and the Department of Defense (DoD), “FiGHT™ (5G Hierarchy of Threats),” MITRE and the Department of Defense (DoD), Knowledge Base, 2022. [Online]. Available: https://fight.mitre.org/.
[61] M. binti Mohamad Noor and W. H. Hassan, “Current research on Internet of Things (IoT) security: A survey,” Computer Networks, vol. 148, pp. 283–294, 2019, doi: 10.1016/j.comnet.2018.11.025.
[62] B. Mueller, S. Schleier, J. Willemsen, and C. Holguera, “OWASP Mobile Application Security Verification Standard (MASVS),” Open Web Application Security Project (OWASP), Jan. 2022. Version 1.4.2. [Online]. Available: https://mas.owasp.org/.
[63] A. Neff, “Predicts 2022: The Distributed Enterprise Drives Computing to the Edge,” Gartner, Inc., 2021.
[66] NIST, “5G Cybersecurity: Volume B: Approach, Architecture, and Security Characteristics,” NIST, Special Report (SP) 1800-33B, Apr. 2022. Preliminary Draft. [Online]. Available: https://www.nccoe.nist.gov/5g-cybersecurity.
[69] V. Oeselg, R. Šalaševičius, H. Ploom, and A. Palm, “Military Movement: Risks from 5G Networks,” NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), Research Report, 2022.
[70] Office of Strategic Communications, “Internet of Battlefield Things (IoBT) CRA,” U.S. Army DEVCOM Army Research Laboratory, Website, 2023. [Online]. Available: https://www.arl.army.mil/cras/iobt-cra/.
[76] A. Qamar, A. Karim, and V. Chang, “Mobile malware attacks: Review, taxonomy & future directions,” Future Generation Computer Systems, vol. 97, pp. 887–909, 2019, doi: 10.1016/j.future.2019.03.007.
[77] G. Rowlands, “The Internet of Military Things & Machine Intelligence: A Winning Edge or Security Nightmare?” III, 2017.
[78] S. Russell and T. Abdelzaher, “The Internet of Battlefield Things: The Next Generation of Command, Control, Communications and Intelligence (C3I) Decision-Making,” in Proc. IEEE Military Communications Conference (MilCom), Oct. 2018, pp. 737–742, doi: 10.1109/MILCOM.2018.8599853.
[80] M. Serror, S. Hack, M. Henze, M. Schuba, and K. Wehrle, “Challenges and Opportunities in Securing the Industrial Internet of Things,” IEEE Transactions on Industrial Informatics, vol. 17, no. 5, pp. 2985–2996, 2021, doi: 10.1109/TII.2020.3023507.
[81] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, and M. Gidlund, “Industrial Internet of Things: Challenges, Opportunities, and Directions,” IEEE Transactions on Industrial Informatics, vol. 14, no. 11, pp. 4724–4734, 2018, doi: 10.1109/TII.2018.2852491.
[83] Verizon, “Verizon 2022 Mobile Security Index,” Verizon, Aug. 2022.
[84] P. Weichbroth and L. Łysik, “Mobile Security: Threats and Best Practices,” Mobile Information Systems, vol. 2020, Dec. 2020, doi: 10.1155/2020/8828078.
[91] M. Zinkus, T. M. Jois, and M. Green, “Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed Solutions.” arXiv, 2021, doi: 10.48550/ARXIV.2105.12613.