Security in Internet of Things: A Review

Internet of Things (IoT) is the paramount virtual network that enables remote users to access connected multimedia devices. It has dragged the attention of the community because it encompasses real-world scenarios with implicit environs. Despite several beneficial aspects, IoT is surrounded by provocations for successful implementation, as data travels in different layers. One of the critical challenges is the security of the data in these layers. Researchers conducted numerous studies focusing on the level of security at a single technique, creating loopholes to address the entire scenario of securing an IoT network. This study aims to comprehensively review current security issues, wireless communication techniques, and technologies for securing IoT. This work’s utmost significance is addressing all the security perspectives at a glance. For this purpose, research contributions from the previous years are investigated for better understanding. Some countermeasures and snags from security perspectives have also been analyzed in detail concerning the current industry trends. Blockchain, machine learning, fog, and edge computing are possible solutions to secure IoT. After studying these techniques and their immunity to attacks, machine learning can become a hope if incorporated with end-to-end security. This comprehensive review will provide adequate understanding and knowledge in defining security lines of action for the successful implementation of IoT.


I. INTRODUCTION
Internet of Things (IoT) is the inter-networking of the physical parameters embedded with transducers, sensors, actuators, and intelligent systems for an enhanced extent of applications. The data retrieval between these devices is in a seamless manner, accompanying minimal physical interaction. Prevailing IoT applications are highly promising in terms of efficiency, comfort, and automation, as nowadays, industries are developing a huge number of smart IoT devices with intelligent applications. IoT escalated individual elegance through its smart services like retail [1], homes, smart cities [2], [3], farming, agriculture, smart grids [4], [5], and automation [6], [7]. The drastic increase of intelligent IoT devices and programs surrounds the entire world. Especially The associate editor coordinating the review of this manuscript and approving it for publication was Giovanni Pau . when countries are implementing industrial revolutions and taking industries to the next generation of the digital economy. Operators worldwide are supporting such applications with the existing communication and networking technologies. According to Cisco numbers, data exchange will exponentially increase in the upcoming decade to a market value of 14 trillion dollars [8]. This data communication between numerous smart digital devices is conventionally insecure and resource-hungry regarding computations and bandwidth constraints [9]. Especially, in the Pandemic situation, these multimedia devices played a vital role in reducing physical interaction, but on the other hand, information became more vulnerable. Researchers contributed by proposing different protocols such as CoAP, RPL, and IPv6 for IPv4 internet to develop secure IoT networks [10]. These protocols help in machine-to-machine interaction and data transfer [11]. Securing IoT has tremendous challenges that still need to VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ be resolved, including privacy concerns, user authentication, data management, information storage, recovery from attacks, etc. Some historical disasters are a living example to understand the importance of the issue. In 2017, the Food and Drug Administration Authority of the United States reported modifications to some of their bio-sensors and received threats regarding it [12]. Distributed Denial of Service (DDoS) attacks had tremendous hype from 2019 to 2021 due to the spread of covid-19 [13]. Cortier et al. claimed massive security flaws in South Wales state elections happened online in Australia with 280,000 e-votes [14], [15]. Tariq et al. claimed the unawareness of 48 percent of people from such cyber threats on their multimedia devices [16], and according to the Government of the UK, almost 40 percent of people do not perform firmware updates [17]. From users' perspective, it is the duty of industries that design systems and applications to resolve the protection risk issue [18], [19], [20]. On the other hand, industries focus on increasing the number of smart IoT devices with minimal cost, smaller size, and low power-consumption rather than providing adequate quality and security features [16].
The paper's organization is shown in Fig. 1. The concise summary of the paper organization is as follows: Section I is an introduction, and Section II is about related surveys. Section III includes wireless communication trends and their compatibility with IoT. Section IV indicates all possible security threats. Requirements and defined standards for efficient security algorithms are explained in sections V and VI respectively. Section VII comprises the presented solutions to date. Section VIII and IX includes discussions and future directions, and section X concludes the paper. In this article, a comprehensive study of more than 250 articles is conducted, including but not limited to surveys, reviews, industrial projects, and publications. This review provides a detailed study of the IoT, its security requirements, threats, wireless communication techniques, open issues, and the possible solutions to date.

II. RELATED SURVEYS
This section of the article discusses the brief introduction of IoT and the contributions from the literature regarding the security in IoT.

A. BRIEF INTRODUCTION OF IoT
IoT has completely revolutionized the networks world, by the diversity in its smart applications. These applications include smart health care, smart grids, smart banking, and other smart services. The entire IoT system is based on four main layers [6] as shown in Fig. 2. The antecedent one is the sensing layer that involves sensors and actuators to observe  data or control signals from physical scenarios. The gathered information from the external environment is converted to electrical signals and forwarded to a wireless communication channel under the network layer. The next layer is renowned as evolving layer or middleware layer as it provides a bridge between the prior two layers. The last layer imparts endto-end applications to accommodate smart devices, smart transport, smart health, and smart factories, etc. At every layer, there are several security threats concerned with them along with various gateways and numerous privacy issues. Researchers tried to endeavor these security challenges by applying different approaches [21] and proposed solutions classified as, blockchain solutions, fog computing, edge computing, and machine learning-based solutions [6]. Several contributions are added to the literature but unfortunately due to limited and distinct studies, one is not able to gain the entire and diverse perspectives of the security analysis. To cope with this gap a review is required with in-depth analysis. The required analysis should not only highlight issues but also discuss solutions in a broader way. In this review, we aim to provide a broader perspective and focused on each possible point in pursuance to secure IoT. To accomplish the aim we scrutinized different threats and current communication technologies and analyzed solutions to provide a clear image of the current scenario at securing IoT.

B. SECURITY IN IoT
Securing IoT is a susceptible and critical problem when some of the applications are already deployed, and others future is facing severe risk. The prior task is to identify the open issues. In this regard, the authors of [22] have summarized different security threats in IoT applications. Similarly, [23] indicates many possible vulnerabilities to IoT systems. The authors of [24] identified security issues based on the IoT device location, particularly regarding localization and positioning. Article [25] enlightened middleware issues and analyzed a detailed review of existing protocols and security threats. In [26], authors analyzed various trust management techniques along with their pros and cons. Securing IoT by software-defined networking (SDN) and network function virtualization (NFV) by different mechanisms are discussed in [27]. Some researchers focused on the analysis of security areas based on threats in IoT [28], [29], [30], [31], [32], [33], and others focused on the countermeasures and immunity VOLUME 10, 2022 towards these vulnerabilities [34], [35], [36], [37], [38], [39]. From the literature study, we can classify the contributions in general categories, which further proposes different dimensions and techniques to secure IoT. These include blockchain, machine learning, and computing-based solutions. Still, some authors focused on the design, and hardware-based security. Another perspective is to secure IoT by using the existing security algorithms, but they are not feasible due to constrained resource architecture of IoT.
The authors of [40] proposed blockchain as an upcoming hope for security in IoT. The major area of blockchain focuses decentralized computing, which is unsuitable for the huge amount of data in IoT. This attracts the use of cloud computing in the field due to its centralized nature. Similarly, the entire data in a single cloud is a huge vulnerability [41]. This leads to the use of fog computing and edge computing to compete with security requirements in IoT. The coherent use of edge computing [42] with a traditional cloud scheme [41]  was proposed to secure IoT systems. A similar approach was implemented to correlate fog computing to IoT [43]. Some researchers used other techniques like authentication and key exchange-based protocol for mobile networks. Similarly, real-time intrusion detection in [44] and use of probabilistic tools like random coefficient selection and mean modification for confidentiality and security in IoT [45] are some common examples. Authors of [46] focused on the use of mobile computing issues and [47] proposed a solution for mobile D2D communication based on android OS. A similar approach for health applications is discussed in [48]. Later on, a survey-based study was implemented in [49] for the analysis of security in smartphones for IoT and [50] proposed a mobile application tool for the analysis of IoT threats. An authentication technique for mobile devices was proposed in [51] using biofeatures. The contribution, in turn became a hope for using supervised and unsupervised learning to be the upcoming hope for securing IoT. As discussed earlier, some authors proposed infrastructure-based solutions [52], [53], [54], [55], [56], [57], [58], [59] to design a separate secure framework at the application layer [58]. In this regard, A study shows that current networking techniques like AWS IoT, Calvin, Brillo/Weave, Kura, ARM Mbed, Homekit, Azure IoT can benefit hardware-based security [60]. A mobile relay-based architecture for Bluetooth has also been discussed in [61]. Similarly, In [62], the authors focused on the security of practical devices like electric bulbs and cameras present in the market and their relation to basic security parameters like confidentiality, integrity, availability, and authentication. A similar approach based on ipv6-enabled RFID tags has been introduced for enhancing authentication in [63]. A brief overview of the work from the previous decade is added in Table 2. There are numerous reviews and survey articles since IoT is an emerging field and is being under observation for its physical implementation from previous years. Still, these articles are unsuccessful in performing a complete study and focus on divergent studies. That's why a review is required, which can converge all concepts in just one paper. It will also help the reader to get sufficient knowledge about securing IoT and explore adequate ideas and understanding of the field. The major contributions of this survey are as follows: 1. A detailed study of layer-based threats and privacy concerns. 2. Identification of the security requirements in IoT system.

III. SOME WIRELESS COMMUNICATION TECHNOLOGIES FOR IoT
Current wireless communication technologies play a vital role in the network layer for intercommunication between the physical and application layers. For IoT, it is much more important to know about wireless communication technologies and their level of security. Moreover, the compatibility of the technology towards security protocols. IoT devices are connected in layers via these wireless communication technologies. So, this section provides a better understanding of security requirements with respect to the practical communication procedure. Inspired by [64], current wireless communication technologies have been incorporated in Table 3. Following are the communication technologies known to date,

A. NEAR FIELD COMMUNICATION AND RADIO FREQUENCY IDENTIFICATION
Near Field Communication (NFC) facilitates its users with short-range RFID-based communication with a high frequency of 13.56 MHz. The only constraint in NFC is that both communication devices must obey their compatibility [10]. NFC provides easy network access and information sharing, making it susceptible to growth in current communication trends. Its high-speed configuration and accessibility provides it an exponential growth. Radio Frequency Identification (RFID) usage in NFC offers some user authentication which can be used in IoT security. NFC has the only drawback in that it reduces connectivity with incresing distance. Texas instruments claimed their current contributions to NFC sensors for IoT applications [10]. RFID is an embedded systems technology with multi-frequency ranges [74]. It supports Low Frequency (125 kHz), High Frequency (13.56 MHz), Ultra High Frequency (860-960 MHz), and microwave communication frequency (2.45-5.8 GHz). RFID offers a license-free communication channel under constrained power. There is no built-in security protocol in NFC and RFID, which means that the security should be provided externally.

B. BLUETOOTH
Based on IEEE 802.15.1 standard, Bluetooth offers a low-cost and low-power wireless communication using 2.4 GHz frequency [64]. It is highly efficient and cost-effective under short ranges of 8 to 10 m. Its data rate varies from 1 Mbps to 24 Mbps. Its ultra-low power and low-cost versions are also introduced as Bluetooth Low Energy (BLE) or Bluetooth Smart. The security perspective in the bluetooth is better authentication. The devices entering a bluetooth network are authenticated properly, but for data communication, bluetooth is not a secure channel.

C. WIRELESS FIDELITY AND WIRELESS HART
Wi-Fi offers WLAN communication under IEEE 802.11 standard [64]. This standard is further classified into 802.11a which operates in the 5 GHz band, 802.11b and 802.11g operate in the 2.4 GHz band, 802.11n and 802.11ac operate in 5 GHz bands, and 802.11ad operates in the 60 GHz band.
Wi-Fi provides 20 m indoor and 100 m outdoor ranges with data rates ranging from 1 Mbps to 6.75 Gbps. Wif-Fi offers a highly secure features including Wireless Protected Access (WPA) and Advanced Encryption Standard (AES). Wireless HART is a Highway Addressable Remote Transducer Protocol (HART) designed for Industrial IoT (IIoT). It was introduced as a multivendor, interoperable wireless protocol. Wireless HART supports the 2.4 GHz ISM band under IEEE 802.15.4 standard radio communication [64]. As the primary focus in Wireless HART was to provide effective communication for industrial applications, so the security was not a major focus in it, but the AES can be implemented as an external encryption.

D. ZigBee, 6LoWPAN AND WiMAX
ZigBee Alliance follows IEEE 802.15.4 specifications with meager cost and power consumption [75]. It can be used for low-power digital radios i.e., home automation, medical devices having line of sight (LoS) communication up to 100 m holding 250 kbps. It can be used for the sensor to sensor and to relay communication in IoT. Zigbee also offers an encryption for the security of the travelling data. The 6LoWPAN allows IPv6 packet communication over IEEE 802.15.4-based communication channels. 6LoWPAN offers both secure and secure-less modes for transmission [76]. There is no proper built in security algorithm in 6LoWPAN but it can be externally powered by some encryption algorithms. WiMAX stands for Worldwide Interoperability for Microwave Access, defined under IEEE 802.16, having data rate ranging from 1.5 Mbps to 1 Gbps [77]. A recent IEEE 802.16m provides data rate efficiency from 100 Mbps for mobile stations and 1 Gbps for stationary. Another beneficial perspective of WiMAX includes its internal built in security feature. LTE-Advanced [64]. Data rates for these standards range from 9.6 kbps (2G) to 100 Mbps for 4G communication systems. The fifth and sixth generation of mobile communication systems are being deployed and tested worldwide.
From the security perspective, cellular networks do not provide any built in feature but nowaday, smart phones come along internal security and encryption algorithms.
As discussed earlier, the IoT system can be sub-divided into four significant layers. The sensing layer comprises sensors and actuators, which involves a human-machine interface for gathering information from the physical world. Next to the sensing layer is the network layer, responsible for communication between devices, switches, and control units. Further is a middleware that behaves as data storage and provides cloud services. The last one is the application layer which facilitates human life by having a human-machine interface. From the previous section, one can easily understand that vulnerabilities can happen according to the layers. These vulnerabilities can depend upon layer distribution, application, and diverse technologies discussed earlier. Inspired from [6] and based on these dependencies, IoT can face different threats which are described in Section IV. Fig. 3 shows the classification of security discussed in this article. The sensing layer deals with the physical placement of sensors to gather information from the surrounding world [78], [79], [80]. Based on this information, actuators act to control the changes in the physical environment. Sensors can be humidity sensors, smoke detectors, ultrasonic sensors, cameras, temperature sensors, etc or they can be mechanical, electrical, electronic, or chemical sensors to collect information from surroundings. These sensors and actuators hold zero level built-in security.

IV. SECURITY ISSUES
Similarly, the Network layer is responsible for communication; the primary task is establishing a transmission network with a computational unit without focusing on adequate security. The data in transit flows from the wireless and wired channels via different communication technologies. Such a type of data reaching at receiver end is not trustworthy.
The middleware layer is just an abstraction between the network and application layers. Moreover, it enhances both layers computing and storage resources [81]. It also comprehends persistent data storages, queuing systems, machine learning techniques, etc. The middleware layer is highly reliable and robust for IoT applications, but on the other hand, it is exceedingly susceptible to several attacks. This layer's immense threat is securing databases and clouds from unknown entities. Adversaries can easily access the entire IoT system by attacking the middleware layer.
Gateways provide intercommunication between services, i.e., devices, people, things, and the cloud. They also offer different solutions and data manipulation involving encryption, decryption, and translation of protocols between different layers [82]. Gateways, being access points, are highly vulnerable if not properly authenticated and reliable.
The application layer deals with services to end-users including smart homes, smart meters, smart cities, and smartgrids, etc. Specific to the applications, security protocols such as data theft and privacy issues are not present in this layer. The middleware layer behaves as a supporting layer for the application layer by intelligent learning of resources and computations. Some of the severe threats encountered by IoT layers are discussed in detail below:

A. SECURITY ATTACKS IN THE SENSING LAYER
Sensing layer is also known as physical layer because of the physical infrastructure. Such a layer involves a large number of devices, for example sensors, actuators, and other smart devices. The security threats and attacks in the sensing layer include the following:

1) NODE CAPTURING
A single sensor or an actuator behaves as a node in the sensing layer. Especially in IoT systems, these nodes are mostly resource-constrained, making them vulnerable to attacks. Adversaries can easily create a node their substrate by capturing or replacing it with a malicious node. The security can be compromised in both cases [83].

2) MALICIOUS CODE INJECTION (MCI) ATTACK
A Malicious Code Injection (MCI) attack involves the injection of malicious code into the node's memory [6]. One can use such nodes as a gateway to perform some unintended operations such as giving falsified information and accessing or hijacking a complete IoT system.

3) FALSE DATA INJECTION (FDI) ATTACK
An attack in which one black sheep can easily inject erroneous data onto the cloud is False Data Injection (FDI). It results in the generation of false results and malfunctioning of the whole system. This attack can cause a denial of service [6].

4) SIDE CHANNEL ATTACKS (SCA)
In some cases, attackers do not attack the nodes directly, but their target is to leak sensitive information [6]. Adversaries focus on the micro-architectures of processors, electromagnetic emanation, and other resource consumption to get sensitive information. Side Channel Attacks (SCA) can be laser-based attacks or timing attacks based upon power consumption. In modern electronics designs, SCA prevention is focused on implementing cryptographic techniques on new FPGA chips.

5) EAVESDROPPING AND INTERFERENCE
Data transmission between different nodes and improper authentication can give eavesdroppers a chance to get access to sensitive data [84].

6) SLEEP DEPRIVATION ATTACK (SDA)
Sleep Deprivation Attack (SDA) refers to the drain out the batteries of low-powered nodes leading to the denial of service [6]. The objective can be achieved by running infinite iterative malicious algorithms into the edge devices, which can cause battery drainage, ending with a sleep deprivation attack.

7) BOOTING ATTACKS
At the time of booting a system, all the devices and security algorithms are at zero potential which is the severely vulnerable stage from a security perspective [6]. Especially for IoT systems, a malicious node can easily enter during booting sessions. Adversaries often take advantage of this stage through sleep-wake cycles during the boot.

B. SECURITY ATTACKS IN THE NETWORK LAYER
The key function of the network layer is to provide communication channel with minimal latency, but on the other hand there are some factors who want to manipulate this data in transit. The security attacks in the network layer include the following:

1) PHISHING SITE ATTACK
Phishing Site Attack includes a whole area to be the substrate, and as a result, some devices are endangered [85]. This can happen with minimal effort by an attacker to access these devices, especially in an IoT system where our nodes are things connected with the worldwide web. If a single user's id or password is compromised, the whole system can become vulnerable to cyber attacks; that is why the network layer is always highly fertile for phishing sites attacks.

2) ACCESS ATTACK
Referring to Advanced Persistent Threat (APT), an access attack aims to get the entry of an unauthorized entity to the network [6], [86]. In such a scenario, adversaries remain undetected for a longer duration and their major intention is to gain valuable data instead of providing any damage to the network. IoT systems continuously transceive important information i.e., location of a person, banking accounts, and medical information, which can be highly sensitive for such attacks.

3) DENIAL OF SERVICE (DoS) ATTACK
In DoS attacks, cryptanalysis is done by flooding target servers with numerous unwanted requests, which incapacitates the server from responding [87]. Secondly, it disrupts the server to communicate with genuine nodes resulting in a denial of service. When using multiple sources to flood substrate servers, such attacks are termed as Distributed-DoS attack. IoT systems have enough heterogeneity and complexity, but the network layer is still prone to DDoS attacks. Due to the weak configuration of devices and applications, attackers can get accessible gateways to launch DDoS attacks onto the servers. Such a type of attack was experienced in the Mirai botnet attack [87] in 2017.

4) DATA TRANSIT ATTACK
IoT is nothing without exchanging data and valuable information stored in local servers or the cloud [6]. This data storage is highly unsafe if it is not encrypted properly, but the data in transit is more impuissant and resistless from adversaries. In the network layer of IoT systems, data swing between sensors, actuators, cloud, etc., occur by using numerous communication techniques, making it susceptible to data breaches.

5) ROUTING ATTACK
Routing attacks refer to redirecting the communication channels during data transmission [6]. A sinkhole attack is one of the most renowned kinds of routing attacks in which artificial displacement paths entice nodes as their more feasible communication channel [88]. A wormhole attack is another kind of routing attack which provides a fast transmission path between two nodes [89]. An adversary can bypass security protocols by creating a wormhole between a node and another device. When combined with any other technique, wormhole can become a severe threat to the IoT system [6].

6) UNLAWFUL ATTACK
There are some parameters which define that every attack is not unlawful because some attacks are for the betterment of mankind. There are some attacks in which attackers intend to perform criminal offense. Such a type of atttacks are considered as unlawful attacks.

7) COMMON ATTACK
Common attacks involves some common type of attacks which sometimes are to steal information from sender to receiver and sometimes they are to modify the message from the sender to receiver. Such a type of attacks can be considered as common attacks.

C. SECURITY ISSUES IN THE MIDDLEWARE
Middleware is to provide a connection between network layer and application layer. The security attacks in the middleware include the following:

1) CLOUD FLOODING ATTACK (CFA)
Similar to the DoS attack, clouds are also flooded with unnecessary commands or requests [6]. Executing such requests results in zero quality of service (QoS) and cloud depletion just by an extensive workload increase in the form of unfavorable recommendations.

2) CLOUD MALWARE INJECTION (CMI) ATTACK
Cloud Malware Injection is an attack in which the target is to get control of the cloud by injecting an imaginary machine using malicious code [6]. This virtual machine pretends to be a genuine network member to obtain access to the services provided by the IoT system.

3) SIGNATURE WRAPPING ATTACK (SWA)
For authentication purposes, XML signatures are used at the middle-ware layer [95]. During SWA, the attacker aims to break the signature algorithm to gain the executed targets using the Simple Object Access Protocol (SOAP) [96].

4) STRUCTURED QUERY LANGUAGE (SQL) INJECTION ATTACK
Structured Query Language (SQL) injection means to embed mischievous commands in a program [91], [92] to get and to alter sensitive information of a user [93]. Open Web Application Security Project (OWASP) enlisted SQL injection as the top web security threat in 2018 [94].

5) MAN-IN-THE-MIDDLE ATTACK
IBM introduced the Message Queuing telemetry Transport (MQTT) protocol in 1999, providing the basis for lightweight message transmission [90]. This protocol wields a publish-subscribe model allying clients and subscribers to intervene as a proxy. If the attacker behaves as an agent between the sender and receiver in an IoT environment, he can become man-in-the-middle and can easily get information from both nodes. Similarly, a man-in-the-middle can access sensitive data and inject falsified information throughout the IoT system. This may lead him to complete control of the system any client node's notification [6].

D. SECURITY ISSUES AT THE GATEWAY
Gateways are the entry points of every layer. The basic intention of a gateway is to authenticate the devices and applications to provide end user services. The security attacks in the gateway include the following:

1) SECURE ON-BOARDING
Installing a new device to an IoT system requires proper authentication and integration, which is done by cryptographic algorithms. Such scenarios require the protection of encryption keys. Gateways provide the role of a channel between devices and management of services that's why all keys travel through them [6]. Especially during a man-in-themiddle attack, one can easily get capture the encryption keys during the onboarding of a new device.

2) EXTRA INTERFACES
Minimizing the probability of attacks can be the only possible strategy in the security of IoT especially during the installation of new devices in the system [97]. If some of the services and functions are restricted for end-users, backdoor authentication and information breach can be reduced.

3) END-TO-END ENCRYPTION
The only way to establish a highly secure and reliable channel is to develop high-profile end-to-end encryption [98]. Due to this end-to-end encryption, only genuine users can decrypt the encrypted messages. ZigBee protocols have built-in encryption techniques but they do not support endto-end encryption. Gateways translate information due to inter-switching protocols, where making decryption of enciphered messages makes gateway more vulnerable to data breaches.

4) FIRMWARE UPDATES
Generally, most IoT devices are resource constrained in terms of power and spectrum even though they do not have decision power to install any firmware. Installing updates depends on gateways by performing a simple validity check.

E. SECURITY ATTACKS IN THE APPLICATION LAYER
The key function of the application layer is to provide the end user services. The devices in the application layer varies with respect to applications. The security attacks in the application layer include the following:

1) ACCESS CONTROL ATTACK
Access control refers to the authorization of the legitimate users to process of the authentic entities. Compromising this access leads to a susceptibility of the entire IoT system.

2) SERVICE INTERRUPTION ATTACKS
Service interruption attacks are referred as illegal interruption attacks, which mean depriving of users performing their operations and exploiting current processing entities resulting in a denial of service.

3) INTERVENTION ATTACK 4) SNIFFING ATTACKS
Sniffing applications allow adversaries to get knowledge about network traffic and sometimes provide a username and pass-keys creating a system quite vulnerable. The adversary can gain access to confidential information if they are just left with zero security [99].

5) RE-PROGRAMMING ATTACKS
Every embedded system has some system software that can be manipulated and the whole system can be misused by inserting some commands inside its programming. Attackers can reprogram IoT objects and gain their desired negative intentions, hijacking the whole IoT system [100].

6) DATA THEFT
Data theft is the possibility in which some of the data is stolen. In such a scenario some other devices outside the network wants to hide their identity and copy the valuable data. Data theft can be done at node level or can be performed at data in transit. Such data theft can be minimized by using techniques of data encryption. This can also be reduced by proper authectication of all of the devices over the network.

7) MCI ATTACK
An MCI attack has been discussed earlier in the subsection A.

8) DDoS ATTACK
A Distributed Denial of Service (DDoS) attack has been discussed earlier in subsection B. VOLUME 10, 2022

V. SECURITY REQUIREMENTS IN IoT
In the light of the above mentioned threats to the IoT system, we can extract some security requirements recommended to improve the privacy and security concerns. Security features in computer systems can also be added, including firewalls, anti-virus, security software, etc. Some metaheuristic cryptographic algorithms can appropriately fulfill the requirement but at physical layer, there should be some specific algorithms to meet the demands making security in IoT a challenging issue. A well defined and highly secure end-to-end encryption algorithm is still an open issue for the IoT environment. A typical IoT system has a large number of connected devices by using above mentioned wireless communication technologies for example in a smart home system, smart lights and door locking can easily be used to extract user Wi-Fi passwords [101], [102]. Some of the security requirements are as follows, 1. Risk estimation with respect to the location during deployment of devices. 2. Intelligent use of encryption techniques and cryptographic algorithms on the basis of layers and vulnerabilities. 3. Proper authentication to the switching and connected devices can mitigate confidentiality issues. 4. Proper strategies and planning for securing a complete IoT network regardless of focusing on some specific area. 5. Algorithms like RSA, AES, SHA-256, or hash chains to secure the entire IoT environment. 6. Cost and capacity domains should have no constraint [103] due to the rapid increase i.e. IoT should be as public with zero restrictions. Devices should be secure and free to communicate with IoT making it a centralized environment. 7. Cloud, being centralized data storage must be shielded properly. Encrypted data in the cloud can mitigate its chances of being stolen [104]. 8. Validation of data-flow mechanism helps in easy handling of errors [105]. 9. Intelligent machine learning and artificial intelligence techniques should be used to reduce computational burden and human intervention [106]. Existing literature described several approaches and tactics for IoT security, which can be further classified into four major groups i.e. blockchain-based solutions, fog computing, machine learning and edge computing-based solutions, as explained in Table 4.

VI. SECURITY STANDARDS FOR IoT
On the basis of security requirements for the IoT, some standards have been defined [64]. Once these requirements are met, one can claim the highly secure IoT system. Table 5 shows the security standards defined for IoT in available literature and projects. Some basic standards to secure IoT are as follows:

A. AUTHENTICATION
The most prior task for the IoT security provider is to authenticate the users. IoT system is interconnected with  switching nodes and sensors making it enough complex and most important operation. Even if a single node is compromised of the sensing layer, the entire system can become vulnerable. There must be some new authentication standard based on autonomous configuration comparative to current standards.

B. PRIVACY
IoT without any privacy concerns is relatively easy for cryptanalysis. With such a backdrop, data sharing within IoT layers become highly susceptible. There should be some end-to-end encryption protocol with high standard security to secure data and messages from black entities.

C. INTEGRITY
The term integrity refers to data integrity, which means whether that received data is from an authentic sender or not. Conventional information security trend is to use public-key cryptography for authentication and keyless-signature infrastructures for communication which can be further extended for data integrity [159].

D. CONTROL
Access control means knowing the entire user library, which plays a vital role [168], [169], [170]. UCON defined three sub-decision factors for control involving authorization, obligation, and conditions with two decision variables of mutability and continuity in [168]. Control is a minor factor as compared to the prior three standards that is the reason behind its negligence.

VII. CURRENT SECURITY MECHANISM FOR IoT
All communication systems should be shielded by applying appropriate security tactics. One of the methods is to secure them based on the layers i.e. Middleware layer security is a hop-based mechanism with trusted nodes [171]. In such a network, a single pre-shared secret key is used for secure communication. The advantage of a hop-based mechanism is, if an adversary succeeds in attacking a device, it will remain accessed to a single device rather than compromising the entire system. This characteristic limits down the chances of attacks on the system and blocks attackers to a limited range.
IPsec can achieve layer security by providing end-to-end security along with authentication, confidentiality, integrity, and compatibility with any network layer [176]. For this purpose, IPsec uses Encapsulated Security Protocol (ESP) [177] and Authentication Header (AH) protocol [178]. Due to these advantages of IPsec, IPv6 uses IPsec as its built-in feature [179].
Securing information and private data rather than securing the entire network is also an efficient technique [180], [181], [182], [183] known as data encryption. This data encryption further enhanced in the shape of selective encryption [11]. Codo [180] provides a security extension for Coffee machine [184], having system software in Contiki OS [185].
Based on the studies performed in the previous decade and different malware detection techniques are discussed in Table 6. Some of the approaches for the security of IoT is shown in Fig. 4. Moreover, the approaches to provide solutions to secure IoT are explained in a systematic way as follows

A. BLOCKCHAIN METHOD
The secure blockchain method is a high-impact process for IoT security using distributed and decentralized security for real-time data [186], [187], as shown in Fig. 4. In this method, the target is accomplished using cryptographic hash keys, which induces enough complexity for the adversaries to tamper within blocks [188], [189]. There are several benefits of the blockchain method i.e., secure data storage assisting distributed blockchains [190], encryption and prevention of data loss from spoofing attacks via authentication and certification [191], [192], proxy-based architecture favors resource-constrained devices [193]. Fig. 5 shows the applicattions of the blockchain in various fields for example, smart devices, health, electricity and smart grids, and financial transactions.
Merkle tree is an addition to block-chain offering enhancement to security in IoT. Merkle is a binary tree with leaf nodes of data or transactions and roots with hash values of data [194]. It also supports multi-level hashing and reduction in block number endeavoring security compliance [195], making Merkle-based blockchain a promising solution for IoT security [196]. Blockchain, on the one hand, is the current centre of interest due to cryptocurrencies and banking. Still, on the other hand, due to standardization problems and issues, it is pretty vulnerable too [65].
IoT-Advanced is also Distributed Ledger Technology (DLT) that offers another promising technique of security for IoT. It is designed to focus validation on resource-constrained IoT devices. It is based on the tangle data structure rather than chain-type [197].

B. CLOUD COMPUTING
Cloud Computing offers centralized computing to reduce processing burden. Such a method is helpful in reducing the computational time over IoT network, but in terms of security, it is not an effective method. If an adversary gets access to the cloud then security of the whole system is compromised.

C. FOG COMPUTING
Complementary to cloud computing, fog computing provides better management of IoT data as mentioned in Fig. 6. The figure shows the shielding ppower of the fog computing to overcome different security threats. Fog computing has two frameworks in its architecture, including the Fog-Device framework and the Cloud-Device framework [198]. Each framework is sub-divided into layers. Fog nodes provide services without involving the cloud layer, but VOLUME 10, 2022 the Cloud-Device layer involves the cloud in its complex decisions [199]. In [200] the authors claim fog computing is more efficient than the cloud based on latency and energy efficiency. Authors of [201] claim to be 90 percent efficient in latency reduction and twenty percent towards power consumption.
Fog computing also offers better performance than mobile edge computing with real-time video analytics, augmented reality, and big data analysis applications. Another advantage of fog is reducing the frequency of duplex communication between IoT devices and the cloud by consuming minimal network bandwidth [202]. Fog architecture supports data collection at fog nodes having analyzing power of 40 percent, which can reduce the computational burden on cloud and latency issues. Most fog nodes also support cryptographic computations for secure communications, but mere ones require external resources.
On the other hand, the fog layer invites a new type of threats and challenges towards itself [198]. Fig. 7 shows new challenges and threats that can attack fog. These challenges can be distributed into, real-time services, decentralized computation, data aggregation, data dissemination, and transient storage [6]. On the other hand, Fog computing also provides some solutions for the security of the IoT. Fig. 8 shows the beneficial perspectives of the fog computing for IoT data.

D. MACHINE LEARNING
Machine learning is one of the leading fields in recent years, which provide significant changes in magnificent ways. Many domains use machine learning and IoT is one of them. Several techniques of machine learning are being used to provide solutions to various attacks in new ways, as shown in the Table 7. The solutions of machine learning are far away from conventional methods, e.g., pulse swarm optimization and backpropagation [203] are new trends with promising solutions in the field. The use of neural networks [204] and learning-based algorithms may enhance the concept eventually [205], [206], [207], [208], [209], [210], [211], [212], [213], [214], [215], [216].

E. EDGE COMPUTING
Like fog, edge computing is an add-on to cloud computing, with differing architectures, power, and computing resources. Clouds are mainly at a considerable distance from users, giving a broader concept, especially since a large amount of data is shared in them [217]. Edge computing proposes promising solutions for small cells or edge servers to overcome the issue. Table 8 shows the attack-based immunity of edge computing. The architecture of edge computing constitutes edge devices, cloud servers,s and fog nodes [218]. The inter-cooperation and inter-networking of devices enable them to compute data  among themselves [219]. This enhances the security level by preventing data from traveling outside the device node, which reduces communication costs, as it avoids data travel to the cloud and back [220].
Edge computing provides enough solutions but also comes with various challenging situations, i.e., entirely relying on edge nodes for all computation reduces the system's reliability. The edge or physical layer includes sensors, actuators, other embedded devices, etc., which are highly susceptible to attacks. Compromising the edge layer will make the entire IoT system vulnerable. MQTT and COAP are popular protocols of the edge layer, interestingly, both of them have zero built-in security. So, they can be protected externally, i.e., TLS for MQTT and DTLS for COAP, but this also increases bandwidth and computational burden over IoT systems. Other related issues to edge computing are sleep deprivation, battery draining [224], and node attacks, etc.

VIII. DISCUSSION
Solutions proposed to date are highly effective and endeavors to performance, but they also have some security and quality issues in using of blockchain, fog computing, edge computing, and machine learning.
Block-chain has a severe issue in its implementation at soft and hard levels, i.e., all transactions being publically transmitted increases the probability of revelation of information. Similarly, due to the increase in the miner's number, cost and speed control becomes another challenging task, leading to scalability and availability issues [225].
The challenges and issues related to fog computing are discussed in [221], as fog computing shares some data with the cloud for decision taking, increasing the vulnerability of sensitive data sharing.
Machine learning algorithms are efficient for IoT but provide heuristic algorithms rather than meta-heuristic nature, so the selection of improper algorithm may lead to an entire system breakdown resulting in garbage outputs. Similarly, the incorrect training data for learning algorithms may lead to erroneous results. The efficiency of machine learning algorithms depends upon factors like diversity in training data selection, improper clustering, and classification of data impact prediction accuracy badly.
Edge computing is mainly concerned with data security and user privacy; compromising a node from a cyber-attack may leak someone's private information. Since edge nodes are involved in all computations, risking a node means risking the entire system.
The whole drill down of the studies indicate that machine learning has minimal constraints, which makes it a bright hope for security in IoT. There is no clear literature on the techniques especially in term of machine learning and edge computing to provide security to IoT. Hence, machine learning and fog computing can be the future of IoT security if their mentioned issues have been resolved.

IX. FUTURE PERSPECTIVES OF IoT SECURITY
IoT security is highly fertile and still needs plenty of contributions. There are several open studies and challenges that require researchers concern in the field. Some open challenges in IoT security are given as follows: 1. Edge devices need to be highly secure and intelligent to understand adversary attacks. 2. Gateways between different nodes still need enough shielding practices and end-to-end encryption algorithms. 3. In fog sharing, the only target is to secure fog-cloud computation. If achieved, it can be a promising solution. 4. Enhancing the fog layers through machine learning and optimization techniques such as deep learning and artificial intelligence. 5. Blockchain is highly constrained in the case of a number of nodes. The alternative to nodes can be some high efficiency algorithms, and multiple resources can become a prominent solution to solve the issue. 6. Real-time data analysis and efficient hardware design require enough intelligent systems engineering to be developed by using some machine learning and intelligent algorithms.

X. CONCLUSION
This review presents, layer-based threats to IoT covering sensing, middleware, network, and application layer. We have reviewed nearly 200 articles in this area and we have also summarized the promising areas for the research in the IoT security, including blockchain, edge computing, fog computing, and machine learning-based solutions. Some issues and loopholes of these presented solutions have also been highlighted, making IoT susceptible. According to recent studies, blockchain and machine learning are considered promising solutions to IoT. Blockchain is the principal axis of focus, but its implementation in IoT is yet unsupported due to the standardization issue. Fog computing is a prominent solution but requires a lot of processing burden, resulting in increase in latency. Moreover, it is also infeasible for resource-constrained multimedia devices. Machine learning and end-to-end encryption can be the hope even if it involves a lot of future contributions in terms of newly designed algorithms. The current state of the art and future direction will help enhance IoT security to the premier level. This survey is expected to help understand the entire IoT security issues, challenges, solutions, and further enhancement for the readers, especially the students, researchers, or industry personnel. It will also be a valuable resource for developments in the green future of IoT.