IoT Cybersecurity: Research Challenges and Opportunities Ahead

Urban Sedlar, Leon Štefanič Južnič, Matej Kren, Matej Rabzelj, Andrej Kos, and Mojca Volk
May 14, 2020



In the past decade, we have witnessed an unprecedented expansion of the "world-sized robot," as various security researchers call the Internet of Things (IoT). This term is quite apt, as this is no longer just a mere sensor: it actuates, it moves, and it drives critical – and expensive – decisions, such as: when to unlock your car or your apartment door; when to turn on the heat; and when to stop the conveyor belt.

On one hand, IoT promises to solve numerous inefficiencies across whole industries, but on the other hand, our collective approach to it seems to have been rather negligent [1]. This problem started long ago, in the consumer IoT sector, with low-cost devices that were affordable exactly because of the various compromises – including a neglected focus on security. With quickly decreasing margins and cutthroat competition, the only features that can be left out are the invisible ones. And security is a prime candidate for that [2]. Unfortunately, the consequential lack of security provisions is also something that cannot be easily tacked on after the fact. The term "security by design" implies that such work needs to start at the beginning, with robust architecture design, and must continue from the ground up, across the whole system: from the device, communication stack, cloud backends, to user-facing interfaces. 

This, however, is hardly the usual course of action; several studies have found a lack of long-term support and software upgrades across the industry, thus leading to large deployments of the so-called IoT abandonware. This means there already exist large numbers of publicly exposed and poorly protected devices, many of which are a security liability with direct consequences for safety, privacy, and security of citizens. Furthermore, numerous devices are built on unproven designs, are relying on hardcoded secrets, attempt to roll their security schemes (which is something one should never do), or rely on security by obscurity. Especially the latter seems quite tempting when you're building 100 devices on Kickstarter; however, it is not uncommon for such projects to eventually succeed and become household names, without much change in the source code.

This is where IoT cybersecurity comes into play. Several prominent cyberattacks happening in recent years have gained access to such poorly protected devices and performed distributed denial of service (DDoS) attacks, exposed users’ private data, stolen identities, or just caused inconvenience.

So What Can Be Done About This?

In our view, there are three approaches. Firstly, if built-in security is neither mandatory nor visible, the end-users can hardly be expected to know what to choose – until it's too late. To solve this, the regulatory bodies should step in and mandate companies producing or selling connected devices to make the necessary steps. We have seen a similar approach with GDPR, which has already caused a major shift in the industry with regards to data management and privacy. Even though there’s a large body of ongoing efforts in this respect, including with the prominent SDOs such as ITU, IEEE, IETF and so on, the domain is fragmented and right now there is no one single owner committed to delivering a completed IoT security standardization to address the overall problem space [3].

Next, if the device itself cannot be trusted – either because the software can never be guaranteed to be bug-free, or because the manufacturer is purposefully deceptive – someone else needs to enforce the rules. And that someone should be the network. After all, the network is the one thing that every connected device needs. This is a rehashed idea of intrusion detection and intrusion prevention systems, applied to heterogeneous networks of IoT devices [4]. For example, it would be quite feasible to determine that a smart scale should only connect to its cloud backend once a day, usually at 8 in the morning, and should never connect to Facebook, should never accept an incoming connection, nor open any ports on the home router using Universal Plug And Play (UPnP). In this way, a network connectivity profile could be established for each device, and any anomaly could trigger a block and an alert that something is going on. Of course, such profile templates could someday be included with the device but, in the meantime, they are perfectly well discoverable with current machine learning (ML) techniques. After all, credit card companies have perfected similar anomaly detection with much less data (only dozens of transactions per user per month), while in IoT, we're talking about packets per second, which yields enormous datasets to train the models.

Finally, real-world attack data would be of immense help when training such models – and for that, we need a way to see and capture what the attackers are doing. A lot of research has been done to classify various attacker types (from script kiddies to state actors), and what motivates them. Different classes of attackers have different available resources and different skills. A sad trend in this regard is how quickly the bleeding edge cybersecurity expertise becomes commonplace, and is included in publicly available GitHub repositories. What is today in the domain of state actors and top researchers, might be tomorrow in the arsenal of every script kiddie with too much time on their hands. There’s ample evidence from cybersecurity research firms proving this point [5][6].

Figure 1: Network telescope and statistics showing the exponential growth of probing events (available live at ).

Figure 1: Network telescope and statistics showing the exponential growth of probing events (available live at ).

Therefore, we need fresh insight into ongoing reconnaissance, probing, attack, and exploitation methods; having this kind of cyber-threat prediction would be akin to checking weather prediction before leaving home. There are several already established ways to do that. A simple one is a network telescope or a black hole. This is used to passively monitor traffic coming to a completely dark IP range, and most of such traffic is indeed port scanning attempts, revealing what are the most popular services. In our lab, we have been operating such a telescope for almost a decade, and the most worrying bit of statistics is the trend of all the probing events, which has been growing exponentially for the entire decade. We now receive the same amount of probing events per day as we did in 2011 in an average month.

Honeypots present the next level of interaction; since they are at least a little interactive, they represent a much better tool to study cyberattacks in progress; however, they need to be convincing enough to keep the attacker occupied. The simplest kind of honeypots are called "low interaction", and only present a weak facade that disintegrates after modest engagement – imagine a simple answering machine with prepared answers to common questions. There’s a handful of low-interaction IoT honeypots out there, including for example Cowrie (Telnet/SSH), Dionaea(HTTP, MQTT, FTP, TFTP, UPnP), HoneyPy (CoAP, TFTP, TR-069) and TelnetIoT (Telnet) [7] [8] [9].  High interaction honeypots, on the other hand, are perfectly faithful representations of a target system, but this can usually only be achieved by having a real system as a target. Both low and high interaction approaches are readily available for typical server infrastructure, where there is a limited number of extremely popular and regularly maintained services (such as Secure Shell, Telnet, Microsoft Remote Desktop, etc.). In contrast, the landscape of IoT comprises thousands of different device types, with possibly dozens of exposed services and dozens of software versions in the wild [10] [11]. Such a long tail makes it extremely hard to study and mimic a useful subset of devices and services. 

Figure 2: Cybersecurity observation portal with live statistics based on an SSH and Telnet distributed honeynet (available live at ).

Figure 2: Cybersecurity observation portal with live statistics based on an SSH and Telnet distributed honeynet (available live at ).

For example, we have been running a 50-node SSH and Telnet honeynet for the last year that we have upgraded from low to high interaction. Although Telnet is one of the common protocols of more powerful IoT devices, we have found very little features that could be used to classify IoT and non-IoT attacks.

On the other hand, HTTP (in server mode) is also a very common protocol for devices such as cameras, modems, routers, and similar. In a single node experiment that has been running since February 2020, we have set up a simple HTTP honeypot listening on all TCP ports of a machine and capturing all probing requests. We were able to identify several IoT devices based on the URL structure and keywords, using regular and IoT-specialized search engines such as As a proof-of-concept, we have tested an iterative approach, where we learned from attackers about probing requests, and then learned about the device responses by scraping a real device found through By doing this we have refined models of several devices that are now collecting data as publicly-exposed honeypots. Other researchers have gone beyond that and automated the procedure further. We believe this is a promising step in the direction of intelligence-gathering and presents unique data that could in the future power advanced ML algorithms to detect and prevent IoT intrusions.


  1. Alladi, Tejasvi, Vinay Chamola, Biplab Sikdar, and Kim-Kwang Raymond Choo. "Consumer iot: Security vulnerability case studies and solutions." IEEE Consumer Electronics Magazine 9, no. 2 (2020): 17- 25.
  2. Neshenko, Nataliia, Elias Bou-Harb, Jorge Crichigno, Georges Kaddoum, and Nasir Ghani. "Demystifying IoT security: an exhaustive survey on IoT vulnerabilities and a first empirical look on internet-scale IoT exploitations." IEEE Communications Surveys & Tutorials 21, no. 3 (2019): 2702-2733
  3. Brass, L. Tanczer, M. Carr, M. Elsden, and J. Blackstock, "Standardising a moving target: The development and evolution of IoT security standards," Living in the Internet of Things: Cybersecurity of the IoT - 2018, London, 2018, pp. 1-9.
  4. Amouri, V. T. Alaparthy, and S. D. Morgera, "Cross layer-based intrusion detection based on network behavior for IoT," 2018 IEEE 19th Wireless and Microwave Technology Conference (WAMICON), Sand Key, FL, 2018, pp. 1-4.
  5. Kaspersky report: DDoS attacks in Q3 2019; November 11, 2019; available at Cited April 30, 2020
  6. Flashpoint: An After-Action Analysis of the Mirai Botnet Attacks on Dyn; October 25, 2016; available at
  7. Sethia, Vasu, and A. Jeyasekar. "Malware Capturing and Analysis using Dionaea Honeypot." In 2019 International Carnahan Conference on Security Technology (ICCST), pp. 1-4. IEEE, 2019.
  8. Shrivastava, Rajesh Kumar, Bazila Bashir, and Chittaranjan Hota. "Attack detection and forensics using honeypot in IoT environment." In International Conference on Distributed Computing and Internet Technology, pp. 402-409. Springer, Cham, 2019
  9. Banerjee, Mahesh, and S. D. Samantaray. "Network Traffic Analysis Based IoT Botnet Detection Using Honeynet Data Applying Classification Techniques." International Journal of Computer Science and Information Security (IJCSIS) 17, no. 8 (2019).
  10. Pa, Yin Minn Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, and Christian Rossow. "IoTPOT: A novel honeypot for revealing current IoT threats." Journal of Information Processing 24, no. 3 (2016): 522-533.
  11. Luo, Tongbo, Zhaoyan Xu, Xing Jin, Yanhui Jia, and Xin Ouyang. "Iotcandyjar: Towards an  Intelligent-interaction honeypot for iot devices." Black Hat (2017).



Urban SedlarUrban Sedlar is an assistant professor and senior researcher at the Laboratory for Telecommunications, Faculty of Electrical Engineering, University of Ljubljana. His recent work focuses on the area of cybersecurity threat assessment using large scale honeypots. He has also been involved in several EC and national research and development projects on the topics of emergency response systems, cloud computing, and the Internet of Things.


Leon Stefanic JuznicLeon Štefanič Južnič is a research member of the Laboratory for Telecommunications at the Faculty of Electrical Engineering, University of Ljubljana. His main research interests are cybersecurity, cloud architectures, and data analysis. He has received his B.Sc. from the University of Ljubljana in the field of telecommunications and is now working towards his M.Sc. degree.


Matej KrenMatej Kren is a research assistant at the Laboratory for Telecommunications. He has a high level of expertise and experience in the design and construction of systems dedicated to saving and mining a massive amount of data.  His main research interests include data visualization and pattern mining in massive datasets. He is involved in several research and development projects, including cybersecurity and smart metering solutions in the energy industry.


Matej RabzeljMatej Rabzelj is a master's degree student of Information and Communications Technology at the Faculty of Electrical Engineering, University of Ljubljana. His areas of particular interest include cybersecurity, full-stack software development, and information-technology operations, as well as the design and development of custom-built IT solutions. He holds a bachelor's degree in Electronics engineering and complements his knowledge with several Cisco Networking certifications.


Andrej KosAndrej Kos is a full professor at the University of Ljubljana, Faculty of Electrical Engineering as well as the Head of the Laboratory for Telecommunications. He received his Ph.D. at the University of Ljubljana from the field of telecommunications. Currently, at the center of his work are 5G systems and services and the applications of cyber-physical systems including the Internet of things.


Mojca VolkMojca Volk is an Assistant Professor and Scientific Associate at the Laboratory for telecommunications, Faculty of Electrical Engineering at the University of Ljubljana. Her main areas of work are 5G, IoT, and cybersecurity in applied areas of technology development, prototyping and trials for security, critical infrastructures, and public protection and disaster relief (PPDR). She holds a Ph.D. in Telecommunications from the University of Ljubljana.