Abstract
In the Internet of Things (IoT) context, gateways are devices that play a strategic role in the communication between things and the external environment. Gateways address the problem of heterogeneity by enabling devices to communicate even when they use different protocols. Their centralized and strategic position in an IoT network makes security a key concern, as an attack on a gateway may leave the entire system vulnerable. Among the security requirements in IoT, authentication is essential, since devices should be authenticated before being inserted into the environment. The main contribution of this paper is the evaluation of the authentication compliance levels of currently used IoT gateways. A methodology is proposed to assess authentication requirements in IoT gateways, making it possible to analyze and select various authentication requirements published by recognized technical organizations such as IoTSF and OWASP. Several gateways currently in use were chosen, installed, and configured, and a requirements inspection process was performed. The results show that, in their default configuration, current gateways can meet only approximately 66% of the authentication requirements proposed by technical organizations.
Data Availability
The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.
Notes
The list of prioritized authentication requirements can be found at https://bit.ly/3HD7rYy.
Gateway Authentication Requirements Evaluation Report. Available at https://bit.ly/3O3Kmk9.
Contributions
All authors reviewed the manuscript.
Ethics declarations
Conflict of interest
The authors have no relevant financial or non-financial interests to disclose.
Ethical Approval
Not Applicable.
Research Involving Human and Animal Participants
The authors also declare that no human participants or animals were involved in the research.
About this article
Cite this article
Gomes, D.R., Lins, F.A.A., Nóbrega, O.O. et al. Security Evaluation of Authentication Requirements in IoT Gateways. J Netw Syst Manage 31, 67 (2023). https://doi.org/10.1007/s10922-023-09754-z