Authors: He Yueying, Sun Zhonghao
Abstract: With the rapid development of 5G networks, while promoting the development of various IoT application scenarios and increasing the scale of IoT device access, it also brings more security threats. This paper starts from the actual threats faced by IoT application scenarios based on 5G, combines the challenges of massive device access, and studies the security access technology for IoT devices in 5G scenarios to meet the security access needs of massive IoT devices and reduce related network security risks.
1. Introduction
The development of 5G technology can not only provide more convenient mobile internet services for people but also, relying on its high speed, large capacity, and low latency and high reliability, become a key technology for the Internet of Everything. According to predictions by IoT Analytics, the number of IoT connections by operators is growing exponentially, and it is expected that by 2021, the number of global IoT connections will exceed that of human connections. According to the International Data Corporation (IDC), by 2025, the number of IoT devices worldwide will exceed 40 billion.With the continuous high-speed access of massive IoT devices in 5G networks, various network security issues have become a difficult problem for government supervision and enterprises.[1].
2. Problems Faced by IoT Device Access in 5G Scenarios
Currently, the application methods of IoT mainly focus on data collection. Limited by the latency of 3G/4G networks, data load, and single base station capacity, the application modes are mainly environmental monitoring, device status monitoring, anomaly alarms, etc., including automatic meter reading for electricity and gas, smart city street lights, environmental monitoring, and other application scenarios[3]. The millisecond latency and theoretical peak data bandwidth of 10Gb/s brought by 5G communication technology have promoted the transformation of IoT application methods and driven the development of new IoT application scenarios such as smart healthcare, industrial control, vehicle networking, and smart living, but also brought greater security risks[2].
2.1 Smart Healthcare
Currently, the development of healthcare in China is uneven, and telemedicine technology has evolved from initial video monitoring and telephone remote diagnosis to comprehensive transmission of data, images, and voice using high-speed networks. With the popularization of 5G networks, doctors and patients can not only achieve real-time interaction without delay, but also diagnosis and treatment will break the original geographical limitations, further improving the diagnostic and medical levels in smart healthcare, reducing medical expenses, and decreasing the time spent on seeking medical care, balancing the uneven distribution of medical resources, and even remote surgery will become possible.
The application of smart healthcare is directly related to the personal safety of the public. Once the network suffers malicious attacks or damage, leading to abnormal remote medical services, delays or interruptions in emergency treatment guidance or remote surgery will cause irreparable losses. Therefore, how to ensure the availability of the network becomes a key issue in the development of smart healthcare.
2.2 Industrial Field
As a new generation of mobile communication technology, 5G technology meets the application needs of traditional industrial enterprises’ intelligent transformation for wireless networks, satisfying the needs for device interconnection and remote interaction in industrial environments. While meeting the traditional condition monitoring needs of industrial enterprises, 5G technology can also support industrial applications such as automation control, logistics tracking, industrial AR, and cloud robotics, playing a supporting role.
In recent years, security incidents such as the Stuxnet virus have raised significant concerns among governments and related enterprises regarding the trustworthiness of control data in industrial control. The lack of comprehensive security measures severely restricts the development of IoT in industrial enterprises.
2.3 Vehicle Networking
Currently, the development of vehicle networking is mainly based on navigation and vehicle body sensing, unable to achieve real-time interaction between vehicles and pedestrians, vehicles and roads, vehicles and infrastructure (traffic lights, etc.), vehicles and networks, and vehicles and clouds. The main reason is still insufficient transmission efficiency; since information cannot be transmitted in real time, it cannot be updated in real time. However, with the application of 5G technology in vehicle networking, real-time interconnection between vehicles and passengers, pedestrians, other vehicles, bicycles, traffic lights, toll stations, and other urban infrastructure will be achieved, relying on its millisecond latency to exchange data such as road conditions, surrounding vehicle conditions, traffic lights, and congestion levels in real time, allowing any vehicle to understand the surrounding vehicle conditions in real time, thereby improving the safety of autonomous driving and self-driving.
However, the development of vehicle networking also poses more severe challenges to its own security. Once the transmitted data in the vehicle networking is tampered with, it will directly lead to user or autonomous driving systems misjudging the surrounding vehicle conditions, seriously threatening the safety of users’ property and lives. Therefore, in the vehicle networking scenario, manufacturers and researchers need to collaborate more deeply to design more comprehensive and practical security defense measures to ensure the integrity of data accessed by IoT devices.
2.4 Smart Living
Smart homes have become a major application scenario for IoT. People can control home devices such as access control, televisions, refrigerators, and air conditioners using their mobile phones, enjoying smart home services anytime and anywhere. In 5G scenarios, manufacturers can use smart devices to collect more living information, such as users’ preferred room temperature and home time, and rely on big data technology to analyze users’ living conditions, automatically recommending or setting the living environment for users, thus making life more convenient for users.
However, in the scenario of smart living, the data collected by smart devices contains a large amount of user privacy. This privacy information not only includes traditional identity information such as bank cards and phone numbers but also includes users’ daily behavioral privacy information, such as temperature sensors recording the real-time temperature in various rooms of the home, and network cameras can directly view the home status remotely in real time. Network attackers can control these smart home devices to monitor users’ privacy behaviors. Therefore, how to ensure the confidentiality of data accessed by smart home devices is a key issue for the future development of the industry.
3. Challenges Faced by Massive IoT Device Access
Due to the complexity and large number of IoT devices, with the rapid development of 5G networks, while increasing the scale of IoT device access, it also enhances the widespread harm and transmission capability of IoT device security issues, presenting multiple challenges.
(1) IoT devices include a variety of types and architectures such as sensors, industrial PLCs, and smart cameras, making it difficult to achieve unified security management through a single measure.Currently, most enterprises use device IDs to manage the entire lifecycle of IoT devices. However, due to the limited resources of the devices themselves, they cannot provide protection functions against ID tampering and forgery, leading to frequent security incidents such as counterfeit terminals, forged data, and man-in-the-middle attacks in IoT. More secure identification methods must be adopted to achieve unified identification management of IoT devices.
(2) The access of massive IoT devices makes traditional security access measures overly complex, imposing an unbearable computational burden on the central security access protection system.Traditional boundary security access protection systems typically provide security access functions such as mutual authentication of identities, data encryption during transmission, and access control based on IPSec VPN or SSL VPN technologies. However, in the face of the security access needs of massive IoT devices in 5G scenarios, due to the limited resources of the devices themselves, directly deploying classic encryption, authentication, and other cryptographic algorithms on small embedded devices such as sensors will severely reduce the processing efficiency of the devices. More efficient and streamlined authentication and encryption solutions must be adopted to reduce the security access pressure on the devices themselves.
4. Security Access Protection Technologies
Faced with the availability, integrity, confidentiality, and identifiability issues brought about by the massive device access in new IoT application scenarios under 5G, and combined with the challenges of simple device identification and insufficient resources faced by massive IoT device access, this paper outlines the following key security access protection technologies for massive IoT devices in 5G scenarios:
4.1 IoT Device Intrusion Detection Technology
There are many types of IoT devices and communication protocols, and traditional intrusion detection systems have low adaptability and are prone to high false positive rates, which cannot meet the availability requirements of IoT for device access networks. It is necessary to have a broader range of intrusion detection and defense systems. Applying machine learning-based algorithm models to detect attacks in the network is an efficient, broad coverage, strong generalization, and easily portable intrusion detection method suitable for the diverse and constantly increasing communication protocols in IoT scenarios.
For intrusion detection during the IoT device access process, it is necessary to capture and record connection events when an intrusion attack occurs under normal information processing conditions (i.e., with a normal network connection), then extract and vectorize the feature data from these recorded data, and input this vector into the detection model to obtain a judgment result. The feature extraction process should also integrate the information of the relevant enterprise systems (such as host feature information) with the network detection results to reduce false alarms. For example, the system’s vulnerability information needs to include specific operating systems and services running on the host.
4.2 IoT Device Intelligent Identification Technology
If IoT connects unverified terminals, it will create significant security risks. Existing IoT identity authentication schemes based on device IDs face security threats such as identity leakage, identity forgery, and terminal capture, necessitating the identification of an unforgeable identity that is strictly bound to the device.
The identification technology for IoT devices can use device fingerprints as their identity identifier. Device fingerprints are automatically generated when the IoT device is first online and consist of a set of features of the device, including device ID, open port status, service categories, and operating system types. The device ID is preset at the factory, while the open port status, service categories, and operating system types are generated by the central system through active probing when the device first comes online. The features of the device can be hashed to generate a fixed-length device fingerprint, serving as the unique identifier for IoT devices for subsequent matching authentication and traceability at the central node.
4.3 Lightweight Security Authentication Technology
Currently, mainstream security authentication technologies are mainly based on Public Key Infrastructure (PKI), which is based on asymmetric encryption technology and provides a series of supporting services for public key cryptographic applications (encryption and decryption, signing and verifying signatures), widely used in IPSec VPN, SSL VPN, and other mainstream security access protection systems. However, the PKI system includes digital certificates, issuing certificate authorities (CA), key management centers, online certificate status query systems, certificate revocation systems, etc. For the access of massive IoT devices in 5G scenarios, the costs of key distribution and management are relatively high. Identity-Based Cryptography (IBC) is developed based on traditional PKI, using the unique identifier of the device as the public key, thus significantly reducing the complexity of certificate and key management.
The access of IoT devices should adopt a lightweight IBC security architecture based on the SM9 algorithm, which can be combined with the device fingerprint to complete device access authentication, eliminating the cumbersome processes of certificate authentication, using private key signing and public key verification methods, and combined with a challenge-response mechanism, fundamentally solving the security access issues of massive IoT devices. In the IBC security architecture, each IoT device has a pair of associated public and private keys, where the device fingerprint serves as the public key, and the corresponding private key is calculated by the Key Generation Center (KGC) based on the master key and the device fingerprint.
The IoT device submits its ID as a request for authentication to the upper-level platform. The upper-level platform uses the SM9 password identifier generated from the device fingerprint as the public key and calculates the IoT device’s SM9 algorithm private key using the KGC, jointly issuing it along with the challenge value. Subsequently, when the upper-level platform receives the signature from the lower-level terminal, it verifies the signature using the device fingerprint. If the verification is consistent, it means that the identity authentication of the lower-level terminal is successful; conversely, if the verification is inconsistent, it means that the identity authentication of the lower-level terminal has failed. When IoT devices undergo firmware upgrades or other operations that may cause fingerprint changes, the upper-level platform needs to delete the device fingerprint, causing the IoT device’s SM9 password identifier to be regenerated.
4.4 Data Encryption Technology Based on National Cryptography Algorithms
Cryptography is the core supporting technology for information security, and using cryptography can effectively meet the development needs of IoT in 5G scenarios. National cryptography algorithms (domestically recognized cryptography algorithms by the National Cryptography Administration) refer to cryptographic technologies and products used for encrypting or securely authenticating information that does not involve state secrets. Their application fields are very broad, mainly used for encrypting sensitive internal information, administrative information, economic information, etc., that do not involve state secrets. For example, commercial cryptography can be used for the transmission encryption and storage encryption of various sensitive information within enterprises, preventing unauthorized third parties from accessing the information; it can also be used for various security authentication, online banking, digital signatures, etc.
During the access process of IoT devices, the transmitted data can be encrypted using the SM1 or SM4 algorithms from national cryptography algorithms to ensure data confidentiality, and during critical data processes (such as user privacy data, industrial control instructions, etc.), the SM3 algorithm from national cryptography algorithms can be used to sign the data to ensure data identifiability[4].
5. Conclusion
This paper starts from the actual threats faced by IoT application scenarios such as smart healthcare, industrial control, vehicle networking, and smart living under 5G scenarios, combined with the challenges faced by massive device access. It summarizes the key technologies for intrusion detection, intelligent identification, security authentication, and data encryption for IoT devices in 5G scenarios. By utilizing these technologies, comprehensive protection can be provided for the availability, integrity, confidentiality, and identifiability of data accessed by IoT devices, effectively reducing network security risks in IoT and promoting the development of IoT based on 5G communication technology, which has practical value.
References:
1. Zhang Yuqing. Overview of IoT Security [J]. Computer Research and Development, 2017, 54(10): 2130-2143.
2. Zhang Tao. Research on Big Data Analysis Method System for IoT Aimed at 5G [J]. Postal and Telecommunications Design Technology, 2020, (05): 13-17.
3. Wu Jinyu. Trusted Security Access Scheme for Ubiquitous Power IoT [J]. Computer and Modernization, 2020(4).
4. Liu Jie. Research on IoT Security System Architecture Based on Domestic Cryptography Algorithms [J]. China Metal Bulletin, 2014(11): 41-43.
