1 Introduction

Over the last few years, the way technical devices, home appliances, instruments, and other objects are used has changed according to the reliability of the users. As a result, the IoT concept is growing exponentially to make human life more relaxed and comfortable, which has led to a rise in data transfer and storage, and the related security concerns are also increasing rapidly. IoT gives an image of the future Internet in which every computing device, everyday thing, and user has sensing and actuating capabilities. All of these cooperate and communicate with each other according to their convenience and economic benefit [1]. IoT is associated with various concepts coming from Radio Frequency Identification (RFID), Wireless Sensor Network (WSN), Web of Things (WoT) and Smart Things.

If IoT is combined with the cloud, it provides the benefit of integrating the Cyber-Physical System (CPS) with Supervisory Control and Data Acquisition (SCADA) [2]. Many essential functional and nonfunctional requirements of IoT middleware technologies are defined, such as resource recovery, resource management, data, code and event management, scalability, reliability, availability, and security. The author in [3] explains the role of service-oriented middleware architecture design in IoT based on Service-oriented Computing.

The Third Generation Partnership Project (3GPP), in its radio access network plenary meeting, decided to standardize NB-IoT, which gives better indoor coverage, supports a large number of low-throughput devices, and makes better use of resource blocks [4]. Social IoT (SIoT) describes a world where the objects around human beings can intelligently sense and are motivated by various social networks over huge Internet sites such as Facebook, WhatsApp, Twitter, and Instagram [5]. The three-layer system model defined in [6] gives the concept of social IoT, based on the “trust management and security in the IoT world”, by defining the exploitability matrix and impact matrix. The authors in [7] proposed an encapsulation of RFID messages in IPv6 packets for each IoT node so that each element or node is within reach of another node in the network. It also defines web squared, which is the evolution of Web 2.0.

Different IoT research areas and their challenges, which are related to security and standardization, have been explained by the authors in [8]. IoT supports establishing connections and designing networks between two different objects in various heterogeneous environments. Confidentiality, integrity, availability, small space, and low power consumption are the necessities of any IoT algorithm. Authors have proposed a Hybrid Lightweight Algorithm (HLA) [9] by combining two lightweight symmetric and asymmetric encryption algorithms. By using the Near-Threshold Computing (NTC) method, it reduces the power consumption compared with the standard voltage. The author in [10] aims to study the security of post-quantum cryptography and implement a cryptosystem based on these problems. This mathematical problem evaluates the performance in a real-time deployed network; the research project, named Crypto-MathCREST, is supported by a Japanese agency named Japan Science and Technology. A lightweight transfer protocol for IoT applications, designed at the Internet Engineering Task Force (IETF), is the Constrained Application Protocol (CoAP) [11]. The author in [12] proposed a model for IoT with a limited budget for protecting the device communication, where the computation time is very low but the key size is large. In another case, he combined FPGA with Moore’s law and calculated the cost of breaking the security of a cryptosystem having a small key size. He showed that the cost of a cryptosystem decreases rapidly if the key size is small and suitable for IoT devices.

Various attacks on smart wearable devices (such as man-in-the-middle, mole attack, and mule attack) and their countermeasures are described in brief in [13]. A lightweight game theoretic technique based on the Nash equilibrium concept [14] is used to activate an anomaly detection technique when a new attack’s signature is expected to occur. The relation between the time spent on analyzing the traffic volume and the time instance to patch the APs is analyzed in [15]. It proposed the patching of intermediate nodes to prevent the redirection of malicious traffic, and introduced the DDoS attack launched by IoT botnets. The main requirement of IoT applications is to develop protocols that are compatible with low power IoT devices. These protocols scale up to enormous storage of data in the cloud. As low power IoT devices may work for 10–20 years, today’s devices must be secured against the attacks of the next 20 years [16].

LPWAN technologies operate on both licensed and unlicensed spectrum: the unlicensed spectrum consists of Long Range (LoRa) and SIGFOX, while the licensed spectrum consists of LTE-M and NB-IoT technology. All these technologies use a narrowband spectrum and are suitable for small data sent over a large area by the object, while maintaining the battery life over the years. In [17], the author(s) introduced a method of non-orthogonal multiple access (NOMA) to overcome the limitation of system capacity and also defined LTE-M and LTE-N techniques for machine type communication and the Narrowband IoT category. Power consumption analysis, effective bandwidth, and transmission time analysis for LPWAN are performed in [18, 19]. 3GPP standardized two LTE operated technologies called eMTC (enhanced Machine Type Communication) and NB-IoT in release-13. eMTC works with relatively large data transmission (≤ 1 Mb/s) as compared with NB-IoT (160–250 kbps (DL), 160–200 kbps (UL), low mobility and high coverage (~ 17 km in suburban and ~ 5 km in urban)), while NB-IoT is designed to achieve better performance as compared to eMTC [16].

1.1 Contributions and Organization

This paper provides a detailed analysis of possible security attacks on NB-IoT enabled devices, with proposed approaches and techniques related to smart home and smart health care applications.

Our contributions in the paper are summarized below:

  • This paper cogitates the security perspectives of RFID, WSN, and WoT used in the evolution of IoT and NB-IoT through a proposed architecture.

  • It analyzes the possible security attacks on different layers of IoT and NB-IoT.

  • It provides a detailed analysis of different possible attacks on NB-IoT.

  • It proposes possible attacks on NB-IoT, such as node failure attack, shared node attack, and synchronization attack, with a proposed architecture and detailed mathematical analysis.

The layout of this paper is shown in Fig. 1. This section of the paper provides the background of the basic concept of IoT and the security issues associated with IoT and NB-IoT. Section 2 gives an introduction to technologies such as RFID, WSN, and WoT, with their security provisions, used in IoT advancement. Section 3 contains definitions of various security matrices, a table of detailed layer-wise security attacks, techniques or methods proposed by various authors for IoT scenarios, and various challenges related to IoT. Section 4 provides a brief idea about NB-IoT operation modes. The network architecture has been proposed in this section. Section 5 is the most significant section; it describes different possible attacks on NB-IoT devices based on applications such as smart home and critical smart healthcare. In this section, we have also proposed a system model and security issues for NB-IoT and have given the mathematical formulation and methods for solving these attacking scenarios. Resource allocation based possible attacks and proposed attacks are defined in this part of the paper. Section 6 concludes this paper with future work. Additionally, the appendix provides the list of research projects working on IoT security and the list of abbreviations.

Fig. 1 Organization of the survey on NB-IoT

2 Evolution of Internet of Things

The number of intelligent wireless devices is increasing exponentially, and data availability, data transfer speed, power requirements, and security issues are playing a pivotal role. In wireless automation, if we go back before the era of the Internet, fixed and mobile telephony and short messaging services (SMS) came into existence. After the advancement of the Internet, there has been an age of emails, e-commerce, social media, and smart things. Different sensing technologies like RFID and WSN, and other technologies like machine-to-machine communication (M2M) and SCADA, have been introduced in the development of the IoT. In recent years, IoT has become a part of the global Internet and consists of billions of intelligent devices communicating with each other by using the Internet. Its growth is proceeding from IoT to the Internet of Everything (IoE).

Figure 2 shows the development of IoT and further NB-IoT technology, in terms of the number of users, technology growth, and frequency spectrum used. It provides the details of the year-wise technology evolution from RFID to NB-IoT with their applications. Table 1 provides a comparison among RFID, WSN, and WoT.

Fig. 2 Evolution of RFID → IoT/NB-IoT. Source: Statista (2018)

Table 1 Comparison of RFID/WSN/WoT in IoT evolution

2.1 Radio Frequency Identification (RFID)

In the evolution of IoT, identification and tracking technologies, which came into existence in the 80s, about 3 decades ago, are being used worldwide in the form of RFID tags. The first patent on an active RFID tag with rewritable storage was filed by Mario W. Cardullo in 1973 in the United States. Subsequently, with the evolution of IoT technology in 1999, RFID has taken the backside of connected sensors. In 2004, Juels [20] proposed the yoking protocol, which provides cryptographic proof that two RFID tags were scanned simultaneously.

The International Standards Organization (ISO) and Electronics Product Code Global (EPC Global) are the two central standardization bodies involved in standardizing RFID technology [21]. This radio sensing technology utilizes radio waves for automatic identification of objects from the RFID tag of smart labels. These tags may be passive or powered by battery as per the requirements of the objects.

Figure 3 shows the system architecture for the RFID tag cloning attack (A1–A4) and its detection using the BASE algorithm [22]. A passive cloning attacker launches the cloning attack and injects the clone tags. These cloned tags work the same as the genuine tags and are hard to distinguish. They give a proper response to the RFID reader queries, so that the detection protocol fails to detect the cloned tag. The workflow of this baseline protocol (P1–P4) is shown in Fig. 3. The detection approach takes the ID cardinality as input to the BASE algorithm. If the tag cardinality is higher than the ID cardinality (ALOHA frame size), the clone is detected; otherwise, it is not detected. This approach is mainly coordinated by an RFID reader, which queries the clone tags (step-P2), and the reply comes from the tag (step-P3). Based on the response from the reader, the clone alert is sent as an output (step-P4). In the next iteration, the system proposed in Fig. 3 operates detached from clone tags (clone-free).

Fig. 3 RFID system model with cloning attack and detection [22]

With regard to RFID security, tag counterfeiting and tag encoding are the essential aspects of maintaining the integrity of a tag. When multiple RFID tags transmit data to the RFID reader simultaneously, conflict in data may occur. This problem can be solved by applying anti-collision techniques. Multiple security threats, such as reverse engineering attack, power analysis attack, tracking cloning attacks, and their countermeasures in respect of RFID, are explained in [23]. For RFID, the authors in [24] introduced various tags, side-channel attack, and timing attack, and briefly explained a protocol named “An Optimistic Trivial RFID Authentication Protocol” (O-TRAP). A security framework for vulnerable application areas such as E-passports, medical information systems, and implant-based access control, provided in [25], evaluates the security and privacy risk based on RFID. K. Bu et al. [26] have classified the cloning attacks on RFID and their countermeasures proposed in the last 15 years. They have also proposed their own cryptographic solution to prevent cloning. An ultra-lightweight authentication protocol for RFID tags is defined in [27], which is suitable to provide security in IoT objects. An RFID based lightweight mutual authentication scheme is proposed in [28], which is suitable for providing security in medical IoT objects. Thus, lightweight approaches for securing RFID can also be used for securing the IoT network concerned with RFID.

2.2 Wireless Sensor Network (WSN)

WSN technology is an integral step towards the IoT. Without sensors, one cannot assume the existence of IoT. In the 1950s, the first WSN was introduced by the US Military to find and track Russian submarines. A program on Distributed Sensor Network (DSN) was also started by the Defense Advanced Research Projects Agency (DARPA) of the United States in 1980 [29]. This technology works on the frequency bands 315, 433, and 868 MHz in the European countries, 915 MHz in North American countries, and the 2.45-GHz ISM frequency band. Typically, the sensors used in WSN are battery powered and are less secure. The continuous development of WSN technologies, wireless communication technologies, embedded systems, nanotechnologies, and optimization of the sensors makes it possible to develop smart systems that continuously monitor the activities of human beings and other activities. Various standards used by the WSN technology are ZigBee, 6LoWPAN, ISA100.11a, OCARI, and Wireless HART. The IEEE 802.15.4 physical layer specifications are similar for all of these standards [30].

A WSN network with a blackhole attack scenario is shown in Fig. 4. Here, initially, the malicious sensor node “A” detects the active route for the sensor’s data transfer from the sender node “S1” to the sink node or gateway. Attacker node “A” recognizes the destination address and sends a Route Reply Packet (RREP) with the spoofed destination address, carrying a large sequence number and a small hop count, to the nearest normal sensor node “S2”. This node “S2” forwards the RREP packets to the sender node “S1”. Hence, the data sent from the sensor node uses the new route, which goes via malicious node “A”. These data are dropped by the malicious node. This is how communication between the sender and sink nodes proceeds in the case of a black hole attack [31]. In normal conditions (without attack), the sensing data is collected by the sink node/gateway and forwarded to the end-user by accessing the infrastructure network of the Internet.

Fig. 4 WSN with Black hole attack specification [31]
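The following added example (not from the survey or from [31]) shows why the forged RREP described above wins route selection at S1 under an AODV-style freshness rule, and how a bound on the sequence-number jump quarantines it. The node "S3", the numeric values, and the `max_seq_jump` threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RREP:
    next_hop: str   # neighbour that delivered the reply to S1
    origin: str     # node that generated the reply
    dest: str       # destination the route leads to
    dest_seq: int   # destination sequence number (route freshness)
    hop_count: int  # advertised distance to the destination


def fresher(new: RREP, current: Optional[RREP]) -> bool:
    """AODV-style preference: higher sequence number wins, ties go to fewer hops."""
    if current is None:
        return True
    if new.dest_seq != current.dest_seq:
        return new.dest_seq > current.dest_seq
    return new.hop_count < current.hop_count


def select_route(
    replies: Iterable[RREP],
    last_seen_seq: int,
    max_seq_jump: Optional[int] = None,
) -> Tuple[Optional[RREP], List[RREP]]:
    """Pick a route from the received replies.

    last_seen_seq is the newest destination sequence number S1 has already
    observed. With max_seq_jump set, replies advertising an implausibly large
    jump are quarantined instead of competing for the route (assumed check;
    sequence-number wrap-around is not handled here).
    Returns (chosen_reply, quarantined_replies).
    """
    chosen: Optional[RREP] = None
    quarantined: List[RREP] = []
    for reply in replies:
        jump = reply.dest_seq - last_seen_seq
        if max_seq_jump is not None and jump > max_seq_jump:
            quarantined.append(reply)
            continue
        if fresher(reply, chosen):
            chosen = reply
    return chosen, quarantined


# Constructed sample: one genuine reply via the hypothetical node S3 and the
# forged reply from A forwarded by S2, as in the scenario of Fig. 4.
LAST_SEEN_SEQ = 40
REPLIES = [
    RREP(next_hop="S3", origin="sink", dest="sink", dest_seq=42, hop_count=3),
    RREP(next_hop="S2", origin="A", dest="sink", dest_seq=4_000_000, hop_count=1),
]

if __name__ == "__main__":
    naive, _ = select_route(REPLIES, LAST_SEEN_SEQ)
    print("without check, route goes via", naive.next_hop, "origin", naive.origin)
    checked, held = select_route(REPLIES, LAST_SEEN_SEQ, max_seq_jump=16)
    print("with check, route goes via", checked.next_hop)
    print("quarantined origins:", [r.origin for r in held])
```

A fixed threshold is a coarse filter: it only catches grossly inflated sequence numbers, so it complements rather than replaces route-level detection such as the schemes cited in the next paragraph.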

A scheme named Active Trust proposed in [32] generates the number of detection routes for reducing the attack success probability of a black hole attack. For securing the WSN network, the probabilistic risk assessment framework is defined in [33], for the sensor’s cloud environment with the help of Bayesian networks. Another security approach using the route optimization algorithm for increasing the network lifetime, and protection of the weak WSN node, is proposed by [34]. For a large mobile WSN case, a protocol named Q-s composite [35] is defined for random pre-distribution of the classified material.

2.3 Web of Things (WoT)

Designing a network of “smart things” in the physical world on a huge scale has become the aim of various research activities. The layered architecture is the same in both cases, IoT and WoT. IoT is the hardware layer to connect everyday items to the Internet, while WoT is the software layer to connect them to the Internet. For developing smart things applications, WoT uses various web technologies, such as JavaScript, PHP, and Ajax, explained in [36]. A survey on WoT security conducted in [37] points out the current limitations of security research. It proposed an architecture for WoT with security, based on smart gateways as the ideal devices.

Figure 5 shows the underlying communication architecture between the WoT client and WoT things. The WoT client can be a web browser or an application on the user’s system or smartphone. WoT Things (e.g., a street light controller) have a WoT network interface, driver’s API, and firmware. The things description describes the interactions and can be stored either in the WoT device itself or in a things directory stored remotely, such as on a cloud server. When more secure access to the things description is required, the device supports it itself.

Fig. 5 Basic WoT things communication with WoT client

For security consideration, initially, the WoT checks whether the WoT client is talking with the correct WoT thing or with some other network device. The WoT client must check the authenticity of the WoT thing device. Secondly, WoT things must verify the WoT client’s authentication before receiving the requests. Therefore, the mutual authentication process is performed between IoT client and IoT thing to supply credential information.

A Role-Based Access Control (RBAC) security architecture [38] is shown in Fig. 6. Its objective is to integrate the RBAC model with the WoT environment. A set of authorization rules is provided in this model to access any WoT Things/entities. Access control of the things’ resources is done centrally. It specifies a process, named the Reference Monitor (RM), that works continuously inside a trusted computing base.

Fig. 6 Role-based access control/WoT architecture

It is located inside the ambient space manager and is composed of two main facilities: (1) the Access Control Enforcement Facility (AEF) and (2) the Access Decision Facility (ADF). The AEF is situated inside the monitor section and the ADF in the rule engine section. AEF and ADF interact with each other to check whether the access request is approved (yes) or blocked (no). The AEF intercepts each request coming from any WoT resource ‘Things’ and forwards it to the ADF before any decision is made. The ADF decision process depends on various decision factors, including hierarchical relationships, constraints, and the policies database, and responds to the AEF. The rest of the process performed by the AEF continues based on the RBAC authorization permission.
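The AEF/ADF split described above can be sketched as follows. This is an added example, not the implementation from [38]; the role names, subjects, the "streetlight" resource, and the maintenance-window constraint are assumptions chosen to exercise the three decision factors named in the text (hierarchy, constraints, policy database).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    action: str
    hour: int  # request context used by constraints (0-23)


class ADF:
    """Access Decision Facility: answers yes/no, never touches the resource."""

    def __init__(self, subject_roles: Dict[str, Set[str]],
                 inherits: Dict[str, Set[str]],
                 policies: Dict[str, Set[Permission]],
                 constraints: Dict[Permission, List[Callable[[AccessRequest], bool]]]):
        self.subject_roles = subject_roles  # subject -> directly assigned roles
        self.inherits = inherits            # role -> junior roles it inherits
        self.policies = policies            # role -> granted permissions
        self.constraints = constraints      # permission -> context predicates

    def effective_roles(self, subject: str) -> Set[str]:
        """Assigned roles plus everything reachable through the hierarchy."""
        seen: Set[str] = set()
        stack = list(self.subject_roles.get(subject, ()))
        while stack:
            role = stack.pop()
            if role in seen:          # also guards against cyclic hierarchies
                continue
            seen.add(role)
            stack.extend(self.inherits.get(role, ()))
        return seen

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        perm = (req.resource, req.action)
        roles = self.effective_roles(req.subject)
        if not any(perm in self.policies.get(r, set()) for r in roles):
            return False, "no role grants this permission"
        if not all(check(req) for check in self.constraints.get(perm, ())):
            return False, "constraint not satisfied"
        return True, "granted"


class AEF:
    """Access Control Enforcement Facility: intercepts, asks the ADF, enforces."""

    def __init__(self, adf: ADF,
                 handlers: Dict[Permission, Callable[[AccessRequest], str]]):
        self.adf = adf
        self.handlers = handlers
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def handle(self, req: AccessRequest) -> str:
        allowed, reason = self.adf.decide(req)
        self.audit.append((req.subject, req.resource, req.action, allowed, reason))
        handler = self.handlers.get((req.resource, req.action))
        if not allowed or handler is None:   # default deny
            return "blocked"
        return handler(req)


def build_monitor() -> AEF:
    """Constructed policy for a street light controller (hypothetical values)."""
    adf = ADF(
        subject_roles={"alice": {"admin"}, "bob": {"operator"}, "carol": {"viewer"}},
        inherits={"admin": {"operator"}, "operator": {"viewer"}},
        policies={
            "viewer": {("streetlight", "read")},
            "operator": {("streetlight", "switch")},
            "admin": {("streetlight", "update_firmware")},
        },
        # Firmware updates only inside an assumed 01:00-04:59 maintenance window.
        constraints={("streetlight", "update_firmware"): [lambda r: 1 <= r.hour <= 4]},
    )
    handlers = {
        ("streetlight", "read"): lambda r: "brightness=70",
        ("streetlight", "switch"): lambda r: "switched",
        ("streetlight", "update_firmware"): lambda r: "firmware updated",
    }
    return AEF(adf, handlers)


if __name__ == "__main__":
    aef = build_monitor()
    for who, action, hour in [("carol", "read", 12), ("carol", "switch", 12),
                              ("bob", "read", 12), ("alice", "update_firmware", 14),
                              ("alice", "update_firmware", 2), ("mallory", "read", 12)]:
        print(who, action, hour, "->", aef.handle(AccessRequest(who, "streetlight", action, hour)))
```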

2.4 Internet of Things (IoT)

As the name implies, it is the combination of three components, i.e., Internet, connectivity, and physical objects (things). IoT is the future of the Internet, in which every physical object is identified and accessed through the Internet. Various technologies (such as ZigBee (IEEE802.15.4), WLAN (IEEE802.11), Bluetooth/Bluetooth Low Energy (BLE) (IEEE 802.15.1), and Wireless Body Area Network (WBAN) (IEEE802.15.6)) are used to communicate the IoT data in the network [5].

2.4.1 Application Architecture of IoT

Figure 7 shows the IoT real-time application architecture, broadly classified into three parts: (a) transmitting unit, (b) communication channel, and (c) receiving unit. The transmission unit consists of various sensors, processors, and radio nodes. These nodes are further processed, and the cluster head is made. These sensor nodes are within the jurisdiction of the gateway, which assigns locally unique addresses to these IoT nodes within that particular LAN. The data flows through a proxy server and then goes to the cloud networks by using the Internet, where it uses a web socket to reach the cloud server. The cloud server analyzes the data, and various backend processes run in that cloud server. Based on that analytics and data processing, the actuation of devices takes place.

Fig. 7 IoT real-time application

IoT technology supports applications such as smart homes, wearables, smart cities, smart grid, smart industry, connected health, smart security, transportation, and smart agriculture. These applications cover the maximum number of IoT objects, according to iot-analytics.com. IoT provides a ubiquitous computing environment for increasing efficiency and reduces human effort through better knowledge of machines. It allows us to measure things which were not measurable earlier, or at least not in real-time, at a cost much lower than other available alternatives.

2.4.2 Layered Architectures of IoT

IoT devices are always an attractive target for attack. That is why security is always a challenging issue at the physical as well as the application layer. Because IoT modules are low cost or ultra-low cost, security solutions must be lightweight; otherwise, the cost of IoT devices would increase due to the complexity of the algorithm. Instead of securing a single unit of software or a single layer of IoT, we need to secure the entire IoT system. A three-layer security architecture has been proposed in [39], consisting of an application layer, transportation layer, and perception layer. It differentiates various security issues based on this layered architecture. The authors in [40] defined a Service Oriented Architecture (SOA) for IoT middleware, divided the IoT architecture into 5 sub-layers (application layer, middleware layer, Internet layer, access gateway layer, and edge layer), and also gave an overview of the applications and various challenges of IoT. From the perspective of industry, [41] has introduced the background and some industrial applications of IoT. The Service-oriented Architecture (SoA) of IoT defines the IoT as a well-defined simple subsystem. It divides the architecture into four sub-layers defined as an interface layer, service layer, network layer, and sensing layer. A five-layer architecture defined in Fig. 8 consists of the following layers.

Fig. 8 IoT 5 layer architecture

2.4.2.1 Object Layer

It is the lowermost layer. It may also be called a perception layer or physical layer. Different types of sensors like RFID, barcodes, infrared sensors, and other sensor-enabled physical objects come under this layer. This layer collects the data of sensors and sends it to the upper layer.

2.4.2.2 Object Abstraction Layer

This is the second layer in IoT architecture. It may also be called the network layer. This layer abstracts the data of the object layer and transfers it safely to the service management layer by using various communication technologies such as cloud computing, fog computing, WiFi, GSM, and LTE.

2.4.2.3 Service Layer

The third layer of this architecture is the middle layer of the IoT architecture design. This layer manages and processes the data received from various heterogeneous networks. It handles service division and integration and service implementation, and provides services to the upper layer using a service repository. It works as a service platform for the upper layer.

2.4.2.4 Application Layer

It gives the service to the customers based on their request for various applications of IoT such as smart home, smart healthcare, smart agriculture, smart industry, and smart grid.

2.4.2.5 Business Layer

The uppermost layer of the IoT framework is the business layer. It is also called the management layer. This layer is responsible for developing a business model, flowchart, and graphs. These are based on the data coming from the application layer. It helps in making future business strategies and planning for the growth of the organization.

3 IoT Security Matrix and Possible Attacks

With the growth of IoT in the past few decades, Internet traffic is increasing, and issues related to security are also increasing gradually. To address these issues, much research has been carried out by industry and academia, such as on resource allocation, lifetime enhancement in the sensor nodes, and power optimization. However, there are few works on security issues. Paradoxically, there is no security matrix that can accurately evaluate cryptographic security in the IoT environment. A more precise definition of the security standards in the IoT environment is still required.

3.1 Security Matrix and Possible Layerwise Attacks

The main goal of security is to obtain favorable results for the following matrices.

3.1.1 Attack Success Probability (ASP)

It is defined as the probability that an attacker successfully achieves his attack goal. For an IoT object, it is the probability of compromising that object successfully [42]. If we consider any transmission network, ASP is the probability of compromising the target by affecting all the links (routes) that are used to connect the device with the network.

3.1.2 Attack Cost (AC)

It is the cost to the attacker of successfully achieving the attack goal. For any IoT object, the metric is the cost to an attacker of compromising that object. The value of the attack cost depends on the position of the node or object in the IoT network [42].

3.1.3 Attack Impact (AI)

It is the effective loss caused by an attacker in achieving his aim. This effective loss is the loss in terms of other basic metrics like availability, integrity, and confidentiality. In the case of a single node, AI is the loss caused by an attacker performing a successful attack on that node.

3.1.4 Mean-Time-to-Compromise (MTTC)

In an IoT/NB-IoT network or any IoT object, MTTC is the average time consumed by an attacker to successfully compromise the node/network.

3.1.5 Secrecy Capacity (SC)

The difference between the channel capacity \(C_{bs}\) of the link established from source to destination in the normal condition and the channel capacity \(C_{ed}\) of the link affected by an eavesdropper or intruder is known as the secrecy capacity \(C_{Secrecy}\) of the channel, i.e.,

$$C_{Secrecy} = C_{bs} - C_{ed}.$$

3.1.6 Secrecy Outage Probability (SOP)

This term is used to characterize the secrecy performance of the communication system in terms of probability. The SOP is the probability that the secrecy capacity at a particular instant is less than a predetermined threshold secrecy rate. In that case, the NB-IoT device’s security against spoofing of the information is not guaranteed, and the system is said to be in outage; otherwise, it is secure.
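As an added worked example (not part of the survey), the code below evaluates the secrecy capacity \(C_{Secrecy} = C_{bs} - C_{ed}\) and estimates the SOP by Monte Carlo, checking it against the closed form for this case. It assumes Shannon capacity per unit bandwidth and independent Rayleigh fading on both links (exponentially distributed instantaneous SNR); the fading model and the SNR values are assumptions, not taken from the page.

```python
import math
import random


def db_to_linear(db: float) -> float:
    """Convert an SNR in dB to a linear power ratio."""
    return 10.0 ** (db / 10.0)


def capacity(snr: float) -> float:
    """Shannon capacity in bit/s/Hz for a linear SNR."""
    return math.log2(1.0 + snr)


def secrecy_capacity(snr_bs: float, snr_ed: float) -> float:
    """C_Secrecy = C_bs - C_ed; negative when the eavesdropper's link is better."""
    return capacity(snr_bs) - capacity(snr_ed)


def sop_monte_carlo(mean_snr_bs: float, mean_snr_ed: float, rate_threshold: float,
                    trials: int = 200_000, seed: int = 1) -> float:
    """Estimate P(C_Secrecy < rate_threshold) under Rayleigh fading.

    With Rayleigh fading the instantaneous SNR is exponentially distributed
    around its mean, so each trial draws one channel state per link.
    """
    rng = random.Random(seed)
    outages = 0
    for _ in range(trials):
        snr_bs = rng.expovariate(1.0 / mean_snr_bs)
        snr_ed = rng.expovariate(1.0 / mean_snr_ed)
        if secrecy_capacity(snr_bs, snr_ed) < rate_threshold:
            outages += 1
    return outages / trials


def sop_closed_form(mean_snr_bs: float, mean_snr_ed: float, rate_threshold: float) -> float:
    """Closed-form SOP for the same model (valid for rate_threshold >= 0).

    P(C_Secrecy >= R) = P(snr_bs >= k * (1 + snr_ed) - 1) with k = 2**R.
    Averaging the exponential tail of snr_bs over snr_ed gives
    exp(-(k - 1) / m_bs) * m_bs / (m_bs + k * m_ed).
    """
    k = 2.0 ** rate_threshold
    no_outage = math.exp(-(k - 1.0) / mean_snr_bs) * mean_snr_bs / (mean_snr_bs + k * mean_snr_ed)
    return 1.0 - no_outage


if __name__ == "__main__":
    m_bs = db_to_linear(10.0)   # constructed: legitimate link at 10 dB mean SNR
    m_ed = db_to_linear(0.0)    # constructed: eavesdropper link at 0 dB mean SNR
    threshold = 1.0             # threshold secrecy rate in bit/s/Hz
    print("C_Secrecy at SNRs 15 and 3:", secrecy_capacity(15.0, 3.0))
    print("SOP (simulation): ", round(sop_monte_carlo(m_bs, m_ed, threshold), 4))
    print("SOP (closed form):", round(sop_closed_form(m_bs, m_ed, threshold), 4))
```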

Figure 9 groups the various possible security attacks on IoT as well as NB-IoT layer-wise, in 3 layers and 5 layers. These attacks break the device’s security at the physical level, communication security at the network level, and management or application security at the application level. The definitions of these attacks and their possible countermeasures are explained in Table 2.

Fig. 9 Layer wise possible security attack

Table 2 Layerwise IoT/NB-IoT security attack

3.1.7 Algorithms/Techniques for IoT Security

For securing the IoT device’s data and communication networks, various algorithms proposed in recent years are described in brief in this section. These IoT security techniques focus on small-size, lightweight, efficient methods/algorithms. The various IoT techniques given in Table 3 are related to NB-IoT, cybersecurity, and fog-cloud-based IoT networks. The pros and cons of these techniques are mentioned in the corresponding column. Singh et al. [61] combined symmetric and asymmetric key encryption and proposed hybrid lightweight techniques. Sedjelmaci et al. [14] used a simulator for achieving high detection accuracy. For Mobile IoT, Cheng et al. [15] introduced various patching techniques for blocking malware in IoT nodes. For narrowband IoT, Yang et al. [62] proposed an algorithm to secure traffic offloading for scenarios of single and multiple smart devices. Another hybrid algorithm has been given by Safi et al. [63] to improve the security of IoT. The authors in [64] proposed the HEIGHT algorithm to optimize energy requirements and hardware resources. For cloud and fog based networks, Shen et al. [65] gave a game-based strategy for detecting malware. Table 3 shows the security algorithms related to IoT.

Table 3 Algorithms/techniques proposed for IoT/NB-IoT security

3.1.8 Major Challenges in IoT

In IoT, most researchers are working to resolve the issues/challenges that will make future IoT devices more reliable, standardized, secure, and compatible with other devices. IoT applications cover the entire field related to our life. Everyone’s identity is available to all, due to which, in the current age of social networking, IoT related device data is always exposed to a robust security attack. There is no perfectly secure architecture available in IoT networks; hence, designing a standardized security architecture is a big challenge. NB-IoT technology is based on LTE technology, whereas some features of its specifications deemed unnecessary for LPWA needs have been stripped out. Due to this, NB-IoT is capable of providing unique advantages that other technologies like 2G, 3G, or LTE cannot achieve or could only achieve at enormous cost. So, only NB-IoT gains its capability of long battery lifetime, deeper indoor coverage, and low module cost. In short, NB-IoT provides a bridge between IoT and power-optimized networks, i.e., it can solve the problem of energy consumption. The significant challenges on which researchers and standardization committees have been working are listed in tabular form. IoT challenges are described in Table 4, and Fig. 10 shows them diagrammatically.

Table 4 Major IoT challenges with NB-IoT solutions

Fig. 10 IoT challenges

4 NB-IoT

If we compare various LPWAN technologies, NB-IoT has drawn more attention from researchers and academia. Due to its features of high end-point density, low cost, high indoor coverage, long battery life, and massive capacity, it is becoming the choice for most IoT devices, as shown in Fig. 11.

Fig. 11 NB-IoT characteristics

NB-IoT is operated at a low-frequency bandwidth of 180 kHz for both uplink and downlink and is suitable for low-cost devices. It offers a coverage range of 164 dB, and the latency of NB-IoT is around 10 s, i.e., it targets IoT devices that are located in areas where signals are not good and that are delay tolerant. Both IP and non-IP based data delivery are supported by NB-IoT. In non-IP based data delivery, SMS service may also be used to deliver data without using the Internet protocol. As compared with other LPWAN technologies, less spectrum is allocated for NB-IoT. The efficient use of the NB-IoT spectrum (i.e., resource allocation) is one of the key issues [71]. It reuses the existing LTE of GSM network structure. NB-IoT gives more flexibility for deployment; hence, it is suitable for deploying the 5G network [72].

4.1 Operation Modes

NB-IoT can work in three operation modes, as shown in Fig. 12. Based on the available spectrum and use cases, the operator selects the most suitable operation mode to satisfy its requirement [73].

  1. In-band mode: In the in-band operation technique, it utilizes 1 PRB (180 kHz) of the resources within the LTE carrier bandwidth.

  2. Guard-band mode: In the guard band operation technique, NB-IoT uses the resource blocks within the guard band (edge frequency band) of the LTE carrier. It uses a 200 kHz frequency band from the guard band.

  3. Standalone mode: In this mode, NB-IoT can use one or more GSM (200 kHz) carriers and does not overlap with the LTE frequency band.

In NB-IoT uplink transmission, for a single tone, BPSK or QPSK modulation is used with 3.75 and 15 kHz subcarrier spacing. For a multi-tone case, the transmission is based on SC-FDMA with 15 kHz subcarrier spacing. For downlink transmission, QPSK modulation is used with 15 kHz subcarrier spacing with OFDMA technology.

Fig. 12 NB-IoT operation modes

4.2 Network Architecture

The NB-IoT network architecture given in Fig. 13 is divided into four sections:

  1. NB-IoT device: This layer is the physical layer, consisting of the various NB-IoT sensor nodes that receive commands and transmit data to the base station.

  2. NB-IoT network: It consists of gateway nodes and base stations that transfer the NB-IoT device's sensing data.

  3. NB-IoT cloud: This layer receives and stores sensing data from the base station and performs further data analysis. This platform may be a commercial platform like Amazon Web Services or any other end-user platform. The NB-IoT cloud platform exposes an Application Programming Interface (API). The main security issues concerned with NB-IoT originate in this layer.

  4. NB-IoT application server: It consists of various user applications through which the user can interact with NB-IoT objects. Companies develop it according to their requirements. When a user requests the data of an IoT device, the request goes through the NB-IoT cloud platform in the form of an HTTP request, and the platform forwards the request to the NB-IoT device. The device executes the request and replies to the cloud platform, which then sends the data to the application server.

Fig. 13 NB-IoT network architecture

5 Security Issues and Proposed System Architecture related to NB-IoT

Network operators have proposed various LPWAN technologies. Of these, NB-IoT and LTE-M are both licensed LPWAN technologies, standardized by 3GPP in Release 13 in June 2016. The NB-IoT network supports the design of IoT devices. As IoT devices are small and cheap, security is neglected in most cases. For that reason, 3GPP made no compromise when it defined this technology. NB-IoT devices inherit security capabilities directly from LTE, but NB-IoT is devoid of any standardized security architecture. Some possible security attack scenarios on NB-IoT, based on applications and resource allocation, are described below.

5.1 Smart Home

We are living in a world of smart objects. These objects are not intelligent, just smart enough to be dangerous. Most of these devices are connected to the Internet and hence IP enabled. These smart devices contribute to the pool of things that can be recruited into botnets or other platforms used for distributed attacks. Such attacks make it more difficult to detect the source of the attack and easier to overwhelm the target. In the past year, DDoS has become the attack of choice for attackers or blackmailers. Among security attacks, IP spoofing [74] is the most common type. Typically, this attack is performed over the stateless User Datagram Protocol (UDP). In smart home security, NB-IoT enabled devices such as Digital Video Recorders (DVRs) and IP cameras are the most vulnerable to attack. Trend Micro Inc. detected approximately 120,000 IP cameras that are vulnerable to ELF_PERSIRAI.A. Many of the affected users are unaware that their IP cameras are exposed to the Internet.

5.1.1 Possible Security attacks

Smart home appliances and household IoT devices are easy targets for an eavesdropper seeking to compromise security. These devices are typically secure and within reach of the attacker. Fig. 14 shows some possible attacks that could affect smart home objects/devices.

  1. Social attack: A social attack may proceed in several steps. In one of these, an eavesdropper investigates the victim's information, such as which low-security protocol the victim is using and what its trapdoor is. After that, the attacker performs his action and gains the victim's trust. He then takes the subsequent actions that break the security.

  2. Bandwidth spoofing: In this attack, the communication channel is flooded to the extent that legitimate traffic is affected. While bandwidth is being assigned to the NB-IoT device, there is a higher probability that the attacker acquires the bandwidth, which compromises communication between the base station and the device. A possible solution to this type of attack is to use game theory [75].

Fig. 14 Proposed system architecture of NB-IoT related attack

5.1.2 Proposed Security Attack Architecture of NB-IoT Enabled Security Camera (Fig. 14)

In our proposed system model, we mainly highlight smart home security attacks and attacks on various sensitive implanted NB-IoT devices. These devices consume very little power, as they send and receive very small amounts of data, ranging from a byte to a few KB, to users. The battery life of these devices may extend up to 10 years.

In smart home security, a smart wireless security camera that is connected to the gateway and uses NB-IoT bandwidth is the crucial device to attack. A thief primarily attacks the device physically, by switching off the lights, and may break it. If the attacker/eavesdropper (ED) is situated remotely, he can compromise the device in various ways, such as (a) IP spoofing, (b) a flooding attack, and (c) bandwidth spoofing. In IP spoofing, ED-2 may spoof the stationary device's (camera's) IP packets so that they carry a forged (spoofed) source (camera) IP address, and may send the altered IP address to the base station. In the second case, the flooding attack, the eavesdropper transmits a large number of requests to the device, keeping it busy, so that the device cannot respond to requests coming from a legitimate user (the base station). In the third case, the bandwidth spoofing attack, since NB-IoT devices work on very low bandwidth, this type of attack is relatively easy in comparison with other technologies.

5.1.3 Mathematical Modeling

For physical layer security, Shannon theory is used to analyze the impact of an eavesdropper on the NB-IoT device. First, we evaluate the secrecy capacity of the narrowband channel. In this section, we derive the equations for the secrecy rate and secrecy outage probability of the system model proposed above. We compare the capacity of the channel in the ideal situation, with secure transmission, against its capacity after an eavesdropper's attack. NB-IoT devices work in half-duplex frequency division multiplexing operation mode, with a 60 kbps peak rate in uplink and a 30 kbps peak rate in downlink transmission. References [76,77,78,79,80] define the secrecy rate and secrecy outage probability for different scenarios.

In the first case, the Base Station (BS) allocates the channel to the NB-IoT enabled security camera, which is stationary and situated in a smart home. Consider a scenario in which the Smart Device (SD) receives a signal \(y_{bs}\) from the base station with signal strength (SNR) Δ. Simultaneously, an ED intercepts the signal and spoofs the original signal (Δ), fully or partially, on its way from BS to SD. The ED introduces the noise \(n_{ed}\), due to which the signal strength received by the NB-IoT enabled camera is now Δ′, where Δ ≫ Δ′. The mathematical analysis below captures this scenario.

For notation, we are considering that BS transmits the signal \(x_{s}\).

The signal received from the base station is given by:

$$y_{bs} = \sqrt {P_{bs} } h_{bs} x_{s} + n_{bs}$$
(1)

where, \(P_{bs}\) is the average transmitted power from the base station, \(h_{bs}\) is the wireless fading channel coefficient and \(n_{bs}\) is the AWGN with variance \(\sigma_{bs}^{2}\).

Simultaneously, the received signal from eavesdropper is given as:

$$y_{ed} = \sqrt {P_{bs} } h_{ed} x_{s} + n_{bs } + n_{ed}$$
(2)

Here,\(P_{bs}\) is the average transmitted power from the base station, \(h_{ed}\) is the wireless fading channel coefficient from ED to SD, \(n_{bs}\) is the Additive White Gaussian Noise (AWGN) and \(n_{ed}\) is AWGN due to eavesdropper signal, with variance \(\sigma_{ed}^{2}\).

From (1), the channel capacity (BS- SD) can be written as:

$$C_{bs} = \log_{2} \left( {1 + \beta_{bs} } \right)$$
(3)

where effective SINR:

$$\beta_{bs} = \frac{{P_{bs} \left| {h_{bs} } \right|^{2} }}{{\alpha + \sigma_{bs}^{2} }}$$
(4)

Here channel gain is \(\left| {h_{bs} } \right|^{2}\), and \(\alpha\) is interference due to the intruder.

From (2), the channel capacity \(C_{ed}\) is affected by the ED, and an intruder also inspects it. Hence the reduced channel capacity is written as:

$$C_{ed} = \log_{2} \left( {1 + \beta_{ed} } \right)$$
(5)

where effective SINR:

$$\beta_{ed} = \frac{{P_{bs} \left| {h_{ed} } \right|^{2} }}{{\alpha + \sigma_{bs}^{2} + \sigma_{ed}^{2} }}$$
(6)

In a cooperative eavesdropping attack, n attackers attack simultaneously. Hence the channel capacity for an n-eavesdropper cooperative attack is:

$$C_{edn} = \log_{2} \left( {1 + \beta_{edn} } \right)$$
(7)

where effective SINR,

$$\beta_{edn} = \frac{{P_{bs} \left| {h_{edn} } \right|^{2} }}{{\alpha + \sigma_{bs}^{2} + \sigma_{{ed_{1} }}^{2} + \sigma_{{ed_{2} }}^{2} + \sigma_{{ed_{3} }}^{2} + \cdots + \sigma_{{ed_{n} }}^{2} }}$$
(8)

\(\beta_{edn}\) is the SINR due to n cooperative eavesdroppers on the channel, \(\left| {h_{edn} } \right|^{2}\) is the channel gain, and \(\sigma_{{ed_{1} }}^{2} ,\sigma_{{ed_{2} }}^{2} ,\sigma_{{ed_{3} }}^{2} , \ldots ,\sigma_{{ed_{n} }}^{2}\) are the variances of the n eavesdroppers, respectively.

Secrecy capacity is denoted by the difference between the capacities of the base station channel and the eavesdropper channel. As the channel capacity has a non-negative value, therefore the secrecy capacity (SD–BS) in the presence of eavesdroppers is given by:

$$\begin{aligned} C_{{Secrecy}} & = [C_{{bs}} - C_{{ed}} ]^{ + } = [\log _{2} \left( {1 + \beta _{{bs}} } \right) - \log _{2} \left( {1 + \beta _{{ed}} } \right)]^{ + } \\ C_{{Secrecy}} & = \left\{ {\begin{array}{*{20}l} {\log _{2} \frac{{\left( {1 + \beta _{{bs}} } \right)}}{{\left( {1 + \beta _{{ed}} } \right)}}} \hfill & {\beta _{{bs}} > \beta _{{ed}} } \hfill \\ 0 \hfill & {\beta _{{bs}} \le \beta _{{ed}} } \hfill \\ \end{array} } \right. \\ \end{aligned}$$
(9)

i.e., Secrecy capacity is positive if the SINR of the base station is greater than the eavesdropper, and it becomes zero when eavesdropper’s SINR is greater than the base station.

From Eq. (9):

$$C_{{Secrecy}} = \left\{ {\begin{array}{*{20}l} {\log _{2} \frac{{\left( {1 + \beta _{{bs}} } \right)}}{{\left( {1 + \beta _{{ed}} } \right)}}} \hfill & {\quad \beta _{{bs}} > ~~\beta _{{ed}} ~} \hfill \\ 0 \hfill & {\quad \beta _{{bs}} ~ \le ~~\beta _{{ed}} } \hfill \\ \end{array} } \right.$$

Putting values of \(\beta_{bs}\) and \(\beta_{ed}\) from Eqs. (4) and (6) the equation becomes:

$$C_{{Secrecy~~}} = \left\{ {\begin{array}{*{20}l} {\log _{2} \frac{{\left( {1 + \frac{{P_{{bs}} \left| {h_{{bs}} } \right|^{2} }}{{\alpha + \sigma _{{bs}}^{2} }}} \right)}}{{\left( {1 + \frac{{P_{{bs}} \left| {h_{{ed}} } \right|^{2} }}{{\alpha + \sigma _{{bs}}^{2} + \sigma _{{ed}}^{2} }}} \right)}}~~} \hfill & {\quad \beta _{{bs}} > ~~\beta _{{ed}} ~~} \hfill \\ 0 \hfill & {\quad \beta _{{bs}} ~ \le ~~\beta _{{ed}} } \hfill \\ \end{array} } \right.$$

In the case of n collaborative eavesdroppers, the Secrecy Capacity of the channel is given by:

$$\begin{aligned} C_{{Secrecy}}^{n} & = ~[C_{{bs}} - C_{{edn}} ]^{ + } ~ = \left[ {\log _{2} \left( {1 + \beta _{{bs}} } \right) - \log _{2} \left( {1 + \beta _{{edn}} } \right)} \right]^{ + } \\ C_{{Secrecy}}^{n} & = \left\{ {\begin{array}{*{20}l} {\log _{2} \frac{{\left( {1 + \beta _{{bs}} } \right)}}{{\left( {1 + \beta _{{edn}} } \right)}}} \hfill & {\quad \beta _{{bs}} > ~~\beta _{{edn}} ~~} \hfill \\ 0 \hfill & {\quad \beta _{{bs}} ~ \le ~~\beta _{{edn}} } \hfill \\ \end{array} } \right. \\ \end{aligned}$$
(10)

i.e., in the above situation, in cooperative eavesdropping attack, when SINR of the base station is greater than the SINR of cooperative attacks of an eavesdropper, secrecy rate will be positive. Otherwise, it will be zero, and eavesdropper will compromise the system.

Now, the channel capacity becomes:

  • Case-I When an eavesdropper has trapped the main channel, additional noise is added to the channel. This is reflected in equation (9).

  • Case-II In NB-IoT, the operating devices are low-power, and if an intruder spoofs the bandwidth using game theory against the valid user, bandwidth spoofing plays a vital role in NB-IoT security issues because this attack directly affects the bandwidth (capacity) assigned to the valid user. Let λ be a factor associated with the bandwidth spoofing attack; the resultant capacity is then reduced to C/λ, so in this case, from equation (5), the channel capacity is

    $$C_{ed}^{'} = \frac{{C_{ed} }}{\lambda } = \frac{1}{\lambda }\log_{2} \left( {1 + \beta_{ed} } \right)$$
    (11)
  • Case-III (protection phenomena) In the case of IPsec, an encapsulation phenomenon appears, so there is a tunnel between NB-IoT device (Camera) and the base station. So eavesdropping and bandwidth spoofing can be avoided.

    $$C_{ed'}^{'} = \frac{{C_{ed} }}{{\lambda^{\prime}}} = \frac{1}{\lambda '}\log_{2} \left( {1 + \beta_{ed} } \right)$$
    (12)

Hence the value \(\frac{{C_{ed} }}{{\lambda^{\prime}}} > \frac{{C_{ed} }}{\lambda }\), when \(\lambda^{\prime} > \lambda\), due to the protection of the spoofed channel by IPSec.

Secrecy Outage Probability Analysis

In this section, we express the secrecy capacity of the channel in terms of the secrecy outage probability (SOP). This performance measure characterizes the secrecy performance of the NB-IoT channel communication system. The SOP is defined as the probability that the instantaneous secrecy capacity \(C_{Secrecy}\) is less than a predetermined threshold secrecy rate \(R_{Sec}\) (i.e., \(C_{Secrecy} < R_{Sec}\)). In that case the security of the NB-IoT device against spoofed information is not guaranteed, and the system is said to be in outage; otherwise, it is secure.

$${\mathcal{P}}_{out} \left( {R_{Sec} } \right) = {\mathcal{P}}(C_{Secrecy } < R_{Sec} )$$
(13)

Equation (13) can be rewritten as

$${\mathcal{P}}_{out} \left( {R_{Sec} } \right) = {\mathcal{P}}(\frac{{\left( {1 + \beta_{bs} } \right)}}{{\left( {1 + \beta_{ed} } \right)}} < 2^{{R_{Sec} }} )$$
(14)

The operational significance of this definition of outage probability is when we set the secrecy rate \(R_{sec} > 0\).

Let us assume that the capacity of the eavesdropper channel is given by:

$$C_{ed}^{'} = C_{bs} - R_{Sec}$$

As \(R_{Sec} < C_{Secrecy }\), eavesdropper channel is worse than base station channel i.e. \(C_{ed} < C_{ed}^{'}\), so it will ensure perfect secrecy. Otherwise, if \(R_{Sec} > C_{Secrecy }\), then \(C_{ed} > C_{ed}^{'}\) and information is compromised.

In Case-I when additional noise is added by an eavesdropper, SOP comes from (14)

$$\begin{aligned} {\mathcal{P}}_{out} \left( {C_{Secrecy} < R_{Sec} \mid \beta_{bs} > \beta_{ed} } \right) & = {\mathcal{P}}\left( {\beta_{bs} < 2^{{R_{Sec} }} \left( {1 + \beta_{ed} } \right) - 1 \mid \beta_{bs} > \beta_{ed} } \right) \\ & = \int_{0}^{\infty } \int_{{\beta_{ed} }}^{{2^{{R_{Sec} }} \left( {1 + \beta_{ed} } \right) - 1}} {\mathcal{P}}\left( {\beta_{bs} ,\beta_{ed} \mid \beta_{bs} > \beta_{ed} } \right) d\beta_{ed} \, d\beta_{bs} \\ & = \int_{0}^{\infty } \int_{{\beta_{ed} }}^{{2^{{R_{Sec} }} \left( {1 + \beta_{ed} } \right) - 1}} \frac{{{\mathcal{P}}\left( {\beta_{bs} } \right){\mathcal{P}}\left( {\beta_{ed} } \right)}}{{{\mathcal{P}}\left( {\beta_{bs} > \beta_{ed} } \right)}} d\beta_{ed} \, d\beta_{bs} \\ \end{aligned}$$
(15)

Now since secrecy rate \(R_{sec} > 0\)

$${\mathcal{P}}_{out} \left( {C_{Secrecy} < R_{Sec} \mid \beta_{bs} \le \beta_{ed} } \right) = 1$$

The analysis of Case-II (bandwidth spoofing) and Case-III (game theory and encapsulation phenomena) is proposed as future work.

Let us assume that

  • C = \(C_{bs}\) → Capacity of the channel without attack

  • Cs = \(C_{ed}\) → Capacity of the channel in the presence of an eavesdropper

From Eq. (3)

$$C = \log_{2} \left( {1 + \beta_{bs} } \right)$$
(16)

From Eq. (5)

$$C_{S} = \log_{2} \left( {1 + \beta_{ed} } \right)$$
(17)

The ratio of \(C/C_{S}\) can be calculated as

$$C/C_{S} = \log_{2} \left( {1 + \beta_{bs} } \right)/ \log_{2} \left( {1 + \beta_{ed} } \right)$$
(18)

\(n_{bs}\) is the Additive White Gaussian Noise (AWGN) and \(n_{ed}\) is AWGN due to eavesdropper signal, with variance \(\sigma_{ed}^{2}\).

If \(n_{bs} \le n_{bs} + n_{ed} \to \sigma_{bs}^{2} \le \sigma_{bs}^{2} + \sigma_{ed}^{2}\)

So from Eqs. (4) and (6)

$$\beta_{bs} \ge \beta_{ed}$$

Hence from Eqs. (3) and (5) channel capacity of the eavesdropper signal is less than the channel capacity of base station.

$$C_{bs} \ge C_{ed}$$
$$\frac{{C_{bs} }}{{C_{ed} }} \ge 1 \quad \text{i.e.,} \quad \frac{C}{{C_{S} }} \ge 1$$
(19)

For example, if we take \(\beta_{bs} = \left[ {3,7,15,31, \ldots } \right]\) and \(\beta_{ed} = \left[ {1,3,7,15, \ldots } \right]\), then the ratio of the two capacities is \(\frac{C}{{C_{S} }} = \left[ {2.0, 1.5, 1.33, 1.25, \ldots } \right]\), tending towards 1 (Table 5).

Table 5 List of symbols
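The model of Eqs. (3) to (19) can be checked numerically. The following is an added example, not code from the paper: it evaluates the SINR, capacity and secrecy-capacity expressions and estimates the secrecy outage probability of Eq. (14). It goes beyond the paper by assuming Rayleigh fading (exponentially distributed SINR) for the outage estimate; the function names and the link parameters in the demo are constructed.

```python
import math
import random


def sinr_bs(p_bs, h_bs, alpha, var_bs):
    """Eq. (4): effective SINR of the BS -> SD link."""
    return p_bs * abs(h_bs) ** 2 / (alpha + var_bs)


def sinr_ed(p_bs, h_ed, alpha, var_bs, var_eds):
    """Eqs. (6) and (8): SINR with the noise variances of one or n
    cooperating eavesdroppers (var_eds is a list) in the denominator."""
    return p_bs * abs(h_ed) ** 2 / (alpha + var_bs + sum(var_eds))


def capacity(beta):
    """Eqs. (3), (5), (7): C = log2(1 + beta)."""
    return math.log2(1.0 + beta)


def secrecy_capacity(beta_bs, beta_ed):
    """Eqs. (9) and (10): [C_bs - C_ed]^+, zero when beta_bs <= beta_ed."""
    return max(0.0, capacity(beta_bs) - capacity(beta_ed))


def capacity_ratio(beta_bs, beta_ed):
    """Eq. (18): C / C_S."""
    return capacity(beta_bs) / capacity(beta_ed)


def outage_monte_carlo(r_sec, mean_bs, mean_ed, trials=200_000, seed=7):
    """Estimate Eq. (14), P((1 + beta_bs) / (1 + beta_ed) < 2^R_sec).
    Assumption (not in the paper): Rayleigh fading, so each SINR is
    exponentially distributed around its mean."""
    rng = random.Random(seed)
    threshold = 2.0 ** r_sec
    outages = 0
    for _ in range(trials):
        beta_bs = rng.expovariate(1.0 / mean_bs)
        beta_ed = rng.expovariate(1.0 / mean_ed)
        if (1.0 + beta_bs) / (1.0 + beta_ed) < threshold:
            outages += 1
    return outages / trials


def outage_closed_form(r_sec, mean_bs, mean_ed):
    """Closed form of the same probability under the same assumption."""
    k = 2.0 ** r_sec
    return 1.0 - mean_bs / (mean_bs + k * mean_ed) * math.exp(-(k - 1.0) / mean_bs)


if __name__ == "__main__":
    # The paper's worked values for Eq. (19).
    for b_bs, b_ed in [(3, 1), (7, 3), (15, 7), (31, 15)]:
        print(f"beta_bs={b_bs:2d} beta_ed={b_ed:2d} "
              f"C/C_S={capacity_ratio(b_bs, b_ed):.2f} "
              f"C_secrecy={secrecy_capacity(b_bs, b_ed):.3f}")

    # Constructed link parameters: each cooperating eavesdropper adds
    # its own noise variance to the denominator of Eq. (8).
    b_bs = sinr_bs(p_bs=1.0, h_bs=1.0, alpha=0.05, var_bs=0.1)
    for n in (1, 2, 3):
        b_ed = sinr_ed(1.0, 0.8, 0.05, 0.1, [0.05] * n)
        print(f"n={n} beta_edn={b_ed:.3f} "
              f"C_secrecy={secrecy_capacity(b_bs, b_ed):.3f}")

    # Outage probability for R_sec = 1 with constructed mean SINRs.
    print("SOP (simulated):  ", outage_monte_carlo(1.0, 10.0, 2.0))
    print("SOP (closed form):", round(outage_closed_form(1.0, 10.0, 2.0), 4))
```

Under Eq. (8) as written, each added eavesdropper variance lowers \(\beta_{edn}\), so the computed secrecy capacity rises with n; the demo makes that property of the model visible.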

5.2 Smart Healthcare

Smart healthcare devices are tiny and consume very little battery power when transmitting information to the end-user. Some of these devices are implanted inside the body of a human/animal and are very critical. If an eavesdropper continuously sends fake requests to the device, the battery drains quickly, i.e., battery life is reduced from 10 years to a few days, which makes the patient's condition critical. Another attack shown in the system architecture is the source code attack: if the attacker changes the hardware source code, the device will not perform as usual and will give wrong results, which can also cause severe problems for the patient. Figure 15 gives a brief overview of attacks on health implant devices. Many smart wearable healthcare devices use NB-IoT technology because of its long battery life and deep indoor coverage.

Fig. 15 NB-IoT device Case-I scenario

5.2.1 Proposed Healthcare Security Attack Architecture

In the first case, we consider another attack possible on the pacemaker device, i.e., the source code attack, in which the code written to EEPROM is altered or erased so that the device gives wrong information about the patient. These devices are implanted inside the human body or worn on the wrist or other body parts. Attacks on these types of devices are critical because they concern health. The scenario of these attacks is shown in Fig. 15. Attacks on healthcare monitoring devices come under this category.

Pacemaker, a medical heart implant device, delivers an electrical impulse to the heart muscles to regulate the beating of the heart. This pacemaker is programmed by a cardiologist to select optimal pacing modes for individual patients. This device consists of two main components [81]. The first one is the device controller monitor (DCM), and the second is the pulse generator (PG). DCM has a graphical user interface with three tabs, consisting of current pacemaker configuration, system default value, and patient information. All the information and parameters of DCM are written in EEPROM on the pacemaker board so that pacemaker can also operate in off mode without any intervention. The work of DCM is to: (a) review battery status, (b) program the system before implementation, (c) Evaluate ventricular and atrial lead signal amplitudes, impedances, and pacing thresholds, (d) set up appropriate parameters (e) test the pacemaker in the patient and (f) Interrogate the system.

The second most important part of the pacemaker is the PG. Its job is to sense and generate pulse signals as needed to keep the patient's heart beating. The PG code is divided into two parts: hardware dependent and hardware independent. The first has the device driver and timers, and the second consists of a model used to verify the correctness of the pacemaker.

In the second case, an eavesdropper (ED-5) sends a large number of request signals to a pacemaker. As a result, the battery drains rapidly, and information about the patient's organs is not transferred to the respective caretaker. This type of flooding attack may cause a problem for the patient.

5.2.2 Proposed Healthcare Attack

  1. Source code attack: The source code attack is among the deadliest attacks on NB-IoT operated healthcare devices. In this attack, the device code written on PROM is the main target of the attacker. This code can be partially changed or erased by the programmer (attacker), and new code can be written to the compromised device. Details of this attack have been provided in the previous section.

  2. Battery drainage attack: Another attack possible on tiny healthcare devices is the attack on battery power. As the battery life of an NB-IoT device is more than 10 years, its battery drains very slowly. In this type of attack, the eavesdropper sends a large number of request messages to the device. The device responds to each request, which consumes much energy, i.e., battery usage is very high. As a result, the device's battery drains rapidly. This creates a critical condition for the patient in whom the healthcare device is implanted.

5.3 Smart Agriculture

Smart agriculture is not as popular as smart health or smart consumer connected devices. It consists of crop management, cattle monitoring in dairy farms, climate monitoring, greenhouse automation, etc. Attacks on NB-IoT enabled agriculture monitoring devices are not as critical as attacks on human body implant devices, but they affect crop production, cattle health, fish farming, etc. Smart agriculture is sometimes also called e-farming. IoT technology can support precision agriculture, whose aim is to provide maximum return on investment in agriculture with the help of soil pH, humidity, and temperature sensors. Usually, the agriculture system runs on an unmonitored network, so attacks attempted on it go unobserved. An eavesdropper can easily access the irrigation control system, pesticide administration, and cattle health information and manipulate them without the farmer knowing. These are some of the attacks that are possible in the agriculture system.

5.4 Attacks Based on NB-IoT Resource Allocation

It is a big task to allocate proper resources to the NB-IoT object so that it operates without any external intervention. The allocation of the resource is performed in a manner to minimize the maximum risk, controlling the range of operation of the attacker. There are various types of possible risks/attacks that reduce the effectiveness of their activity.

5.4.1 Possible Resource Allocation Attacks

  1. Resource exhaustion: It happens when the NB-IoT base station does not properly control the amount or size of the resources requested by the object [82]. As a result, more resources are used than the resource allocator intended. These limited resources may be memory, file system storage, or a processing unit. If this resource allocation is monitored and triggered by an attacker and the amount of the resource is not controlled, the attacker can consume all the available resources and perform a DoS attack, so that legitimate devices may not be able to use the resources appropriately and have trouble accessing them. For example, a memory exhaustion attack against an application used by an NB-IoT object could slow down the application as well as the resource allocator's operating system.

  2. Selective forwarding attack: In this attack, attacker nodes act like normal nodes and selectively drop packets. The dropped packets may be random, and sometimes it is impossible to identify such attacks. In [83], the authors simulate the selective forwarding attack for more than 500 nodes. These nodes are not protected for a long time duration when the defense strategy is changed, and the security resource that maximizes the risk is removed.

  3. Bandwidth spoofing: As discussed previously [75], it is one of the significant resource allocation attacks made possible by the limited amount of bandwidth (180 kHz) available to an NB-IoT device. The possibility of this bandwidth allocation attack is high at the time of the bandwidth assignment.

  4. DDoS attack: Distributed denial of service [45] is a significant threat in resource allocation for IoT/NB-IoT. As discussed in Table 2, in this attack the NB-IoT device refuses to respond to requests coming from the legitimate user due to the non-availability of the resource. Earlier, this attack was performed by underground attackers. DDoS attacks on unsecured IoT devices double every year, as per the report published in 2017 by the security firm Corero. Mirai, the most successful DDoS attack, occurred in September 2016. It almost disabled a website with 620 Gbps of attack traffic.
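The resource-exhaustion case in item 1, as an added example that is not from the paper: a toy base-station allocator that grants without any control, next to the same allocator with a per-request cap, a per-device cap and lease expiry. The class names, pool size, limits and request trace are all constructed for illustration.

```python
class UncontrolledAllocator:
    """Base-station pool that grants any request while units remain:
    no per-request limit, no per-device limit, leases never expire."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.leases = []  # (device_id, units, expires_at)

    def lease_ttl(self):
        return float("inf")  # granted units are never reclaimed

    def admit(self, device_id, units, now):
        return True  # no policy at all: the failure mode described above

    def held_by(self, device_id, now):
        return sum(u for d, u, exp in self.leases
                   if d == device_id and exp > now)

    def request(self, device_id, units, now):
        # Reclaim expired leases, then apply policy and the pool-size check.
        self.leases = [lease for lease in self.leases if lease[2] > now]
        in_use = sum(u for _, u, _ in self.leases)
        if units <= 0 or not self.admit(device_id, units, now):
            return False
        if in_use + units > self.capacity:
            return False
        self.leases.append((device_id, units, now + self.lease_ttl()))
        return True


class ControlledAllocator(UncontrolledAllocator):
    """Same pool, but the allocator controls amount and size per device."""

    def __init__(self, capacity, max_per_request, max_per_device, ttl):
        super().__init__(capacity)
        self.max_per_request = max_per_request
        self.max_per_device = max_per_device
        self.ttl = ttl

    def lease_ttl(self):
        return self.ttl  # idle grants return to the pool after ttl ticks

    def admit(self, device_id, units, now):
        if units > self.max_per_request:
            return False
        return self.held_by(device_id, now) + units <= self.max_per_device


def replay(allocator, trace):
    """Feed (tick, device_id, units) requests to an allocator and return
    the number of granted requests per device."""
    granted = {device: 0 for _, device, _ in trace}
    for now, device, units in trace:
        if allocator.request(device, units, now):
            granted[device] += 1
    return granted


# Constructed trace: one device asks for 4 units on every tick 0..11,
# then six meters each ask once for 2 units on ticks 12..17.
TRACE = [(t, "dev-x", 4) for t in range(12)]
TRACE += [(12 + i, f"meter-{i + 1}", 2) for i in range(6)]

if __name__ == "__main__":
    print("uncontrolled:", replay(UncontrolledAllocator(48), TRACE))
    print("controlled:  ", replay(
        ControlledAllocator(48, max_per_request=4, max_per_device=8, ttl=5),
        TRACE))
```

Per-device limits bound what a single identity can hold; they do not by themselves address the distributed case in item 4, where the load comes from many devices at once.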

5.4.2 Proposed NB-IoT Based Resource Allocation Attacks

  1. Node failure attack: When the sender node transfers information to the receiver node, an outside attacker sends multiple requests to the sender for data, due to which the sender node's signal-to-noise ratio (SNR), which is greater than one, comes down to less than one. To increase the SNR, the sender node increases its power.

     This process runs continuously between the sender, attacker, and transmission channel. After a certain period, due to the limited power of the NB-IoT device, the sender's power is drained, and the node goes down or fails to transmit the data signal. Fig. 16 helps to understand the node failure attack.

     Fig. 16 Node failure attack

  2. Shared node attack: This resource allocation attack is possible when sender A is not able to send the data from S1 to S6 and hence sends the data through node S7. This mediator node S7 is known as a shared node. As shown in Fig. 17, among these shared nodes, the attacker acts like a black hole and presents itself as providing a better transmission path, with good channel conditions, for sending the data to the destination node. In reality, the attacker node captures the packets and, after altering them, shares them with other nodes or with the destination node. The attacker node shows adjacent nodes that it is a reliable node that can forward their data efficiently to the destination node, so that it captures the network data and forwards the altered data to the receiver node.

     Fig. 17 Shared node attack

  3. Synchronization attack: In a synchronization attack, transmitter node NA synchronizes with the receiver node NB by sending a timestamp with the data packet, as shown in Fig. 18.

     Fig. 18 Synchronization attack

On this communication channel, an attacker C captures the data from node NA and forwards it to the receiver NB via another attacker D. However, the data sent via D is not synchronized with the receiver NB, which discards it at first because it is synchronized with the sender node NA. The response time of the attacker node D is less than that of NA because its hop count to NB is less than that of NA. So, after a certain period, D synchronizes with NB instead of NA.

5.4.3 Protections Approach for Resource Allocation Based Attacks

More than 25% of cyber-attacks will be on connected devices by 2025 (according to the report on IoT security by Digital security). These connected devices may use any of the IoT technologies, and NB-IoT connected devices will also be affected by attackers. However, NB-IoT provides LTE level security. Protection strategies such as game theory, artificial intelligence, and deep learning may be good ways to secure data communication between low-resource NB-IoT devices. Rullo et al. [83] proposed a security model using a Pareto optimality solution, by which the probability of a successful attack is minimized. They also provide a resource allocation plan for different large-scale network topologies. Another game theory oriented security approach, using a Nash equilibrium, is defined in [84]. In the game model, the defender's objective is to maintain the highest security of the whole IoT system through the selection of the respective detection threshold value, while the attacker's goal is to optimize the attack on the device/node with limited attacking resources. Article [85] contributes a Machine Learning (ML) based approach to detecting unauthorized IoT devices. This experimental technique is based on supervised ML and provides approximately 99% accuracy on test data collected from 17 IoT devices of 9 different types.

Another ML-based IoT security enhancement technique, named RF-PUF and proposed in [86], uses the preexisting asymmetric radio frequency communication framework, so it does not require extra circuits for physically unclonable function (PUF) generation. It employs an Artificial Neural Network (ANN) as a learning engine. Simulation results show 99% accuracy using supervised learning. [87] provides a deep learning based approach for detecting Internet of Battlefield Things (IoBT) malware and junk code. The proposed method consists of two phases: the OpCode-Sequence Graph Generation phase and the Deep Eigenspace Learning phase.

The security issues in NB-IoT can be dealt with using blockchain coding because NB-IoT operation is based on energy efficient optimization. In a real-time scenario, IoT devices that demand the same group of applications can be grouped, and security techniques/protocols can be applied on the basis of the groups (behavior or types of IoT devices). Blockchain techniques are beneficial in such problems because they allow tunneling to be applied per group instead of securing a separate channel for each IoT device. Hence this technique is beneficial for energy efficient resource allocation. As per the report on i-scoop.in, 20% of IoT deployments are based on basic blockchain services by 2019.

6 Conclusion and Future Work

This paper provides an extensive survey of security issues related to IoT and NB-IoT technologies. At the same time, it provides a bridge between IoT and NB-IoT. Security issues play a vital role in the current IoT network. With this in mind, as researchers and academics, we have focused our work on security issues in NB-IoT such as the social attack, healthcare attacks, the bandwidth spoofing attack, the IP spoofing attack, etc. To support the real-time deployment of NB-IoT, we have addressed resource allocation with mathematical analysis, and different algorithms and techniques have been incorporated with security issues in NB-IoT in view. Possible security issues in the NB-IoT architecture have been proposed with real-time applications in mind, along with how these possible security problems can be overcome.

Artificial Intelligence-based optimizations will provide an excellent platform to protect against spoofing attacks in future NB-IoT real-time deployments. They are based on adaptive prediction techniques for spoofing attacks, using data mining or stochastic processes. The accuracy of this type of cross-layer optimization is very high compared to general prediction scenarios.