IoT devices remain prime cyber targets in smart cities; PUFs and blockchain solutions may help

A new study warns that the foundation of smart cities, the countless interconnected IoT devices powering urban services, remains highly vulnerable to security threats. The research identifies lightweight cryptography, hardware-based authentication using physically unclonable functions (PUFs), and blockchain technology as the leading solutions to safeguard devices and maintain trust in urban data networks.

The study, titled “Securing IoT Devices in Smart Cities: A Review of Proposed Solutions”, systematically reviews five years of research to assess the strengths and limitations of current security mechanisms. By analyzing 31 key studies selected from over 4,400 publications, the author offers a roadmap for protecting the resource-constrained devices that collect and transmit the data underpinning everything from traffic management to public safety.

IoT Devices: The weakest link in urban digital security

Smart city infrastructure relies on millions of IoT devices, such as sensors, meters, and cameras, collecting continuous data to support essential services. However, their limited memory, processing power, and energy capacity make them prime targets for cyberattacks.

The author underscores that IoT devices cannot rely on traditional heavyweight encryption methods. Instead, they require specialized approaches that balance strong protection with minimal resource demands. The study identifies lightweight cryptography as the most widely deployed technique, appearing in 39 percent of the reviewed solutions.

Lightweight cryptography adapts standard encryption to suit low-power devices while maintaining data integrity and confidentiality. Several advances stand out: compact block ciphers using simple mathematical operations to save energy; elliptic curve cryptography optimized for 8-bit devices to ensure strong protection with smaller keys; and hybrid approaches that combine cryptography with steganography to reinforce confidentiality and authentication. In some cases, researchers recommend adding dedicated cryptographic co-processors to devices, offloading heavy operations from the main processors without overloading their limited resources.

Hardware fingerprinting and blockchain reinforce trust

While encryption protects data in transit, preventing device cloning and unauthorized network access requires more robust identity verification. The study highlights Physically Unclonable Functions (PUFs), circuit-level features that produce unique “fingerprints” for each device, as a promising defense. Representing 23 percent of reviewed solutions, PUF-based authentication adds a hardware layer of trust that is difficult for attackers to replicate.

Key developments include combining PUF authentication with device attestation to enhance integrity, as well as designing composite identities that use variations across all circuits in a device to make spoofing far more difficult. Improvements in PUF-based mutual authentication between devices and servers demonstrate practical steps toward more secure smart city ecosystems.

The study also points to blockchain technology, featured in 19 percent of solutions, as a decentralized, tamper-resistant tool for ensuring both device authenticity and data integrity. By maintaining an immutable ledger of device registrations and data exchanges, blockchain can make it far harder for malicious actors to manipulate records or inject fraudulent devices into networks. Permissioned blockchains, in particular, offer tighter control over access while supporting privacy and compliance with urban governance policies.

Despite its promise, blockchain introduces challenges of its own, including scalability issues, energy demands, and integration hurdles for resource-constrained devices. The study stresses the importance of optimizing blockchain frameworks to align with the lightweight nature of IoT hardware.

Toward a multi-layered zpproach to urban IoT security

No single solution is sufficient to address the diverse threats facing IoT devices. The review points out that a layered defense strategy is essential, blending lightweight cryptography for efficiency, PUFs for device identity protection, and blockchain for secure and transparent data management.

Complementary measures play a crucial role in this ecosystem. These include enforcing end-to-end secure communications to minimize exposure to public networks, implementing device fingerprint monitoring to detect anomalies and breaches in real time, and establishing robust legal frameworks to hold actors accountable for cyberattacks or data misuse. The study notes that regulatory efforts remain underdeveloped in many jurisdictions, leaving gaps that technical safeguards alone cannot fill.

The research also highlights the need for broader public-private collaboration. As cities deploy increasingly complex smart infrastructure, coordination among device manufacturers, network operators, urban planners, and policymakers is essential to ensure consistent standards, interoperability, and compliance with data protection laws.