Elsevier

Computer Science Review

Volume 38, November 2020, 100312
Review article
A survey on privacy and security of Internet of Things

https://doi.org/10.1016/j.cosrev.2020.100312

Abstract

Internet of Things (IoT) has fundamentally changed the way information technology and communication environments work, with significant advantages derived from wireless sensors and nanotechnology, among others. While IoT is still a growing and expanding platform, the current research in privacy and security shows there is little integration and unification of security and privacy, which may affect user adoption of the technology because of fear of personal data exposure. The surveys conducted so far focus on vulnerabilities based on information exchange technologies applicable to the Internet. None of the surveys has brought out the integrated privacy and security perspective centered on the user. The aim of this paper is to provide the reader with a comprehensive discussion on the current state of the art of IoT, with particular focus on what has been done in the areas of privacy and security threats, attack surface, vulnerabilities and countermeasures, and to propose a threat taxonomy. IoT user requirements and challenges were identified and discussed to highlight the baseline security and privacy needs and concerns of the user. The paper also proposed a threat taxonomy to address the security requirements in a broader perspective. This survey of IoT privacy and security has been undertaken through a systematic literature review using online databases and other resources to search for all articles that meet certain criteria, entering information about each study into a personal database, and then drawing up tables summarizing the current state of literature. As a result, the paper distills the latest developments in IoT privacy and security, highlights the open issues and identifies areas for further research.

Introduction

The term “Internet of Things (IoT)” was first used in 1999 by Kevin Ashton, a British technology pioneer [1], [2], [3], [4], [5], [6]. According to Kevin Ashton, Internet of Things defines the system of physical objects in the world that connect to the internet via a sensor. Internet of Things (IoT) comprises intelligent machines that interact with other machines, objects, environments, and infrastructures. This new technology has had tremendous impact on people’s lives as it helps people to live and work smarter, as well as gain complete control over their lives. In addition to offering smart devices to automate homes, IoT is essential to business. IoT provides businesses with a real-time look into how their systems really work, delivering insights into everything from the performance of machines to supply chain and logistics operations.

Consequently, this new technological reality involves collection and management of vast volumes of data from a rapidly growing network of devices and sensors, processing them and then sharing them with other related things. These new interactions create tremendous opportunities for new services. IoT enables companies to automate processes and reduce labor costs. It also cuts down on waste and improves service delivery, making it less expensive to manufacture and deliver goods, as well as offering transparency into customer transactions. As such, IoT is one of the most important technologies of everyday life, and it will continue to pick up steam as more businesses realize the potential of connected devices to keep them competitive.

The IoT global market is expected to witness tremendous growth, with the heterogeneous devices reaching 28 billion by the end of 2020. The sheer amount of data generated by IoT objects can pose a serious threat to people’s privacy and security because their activities can be monitored anytime, anywhere [7]. The potential security threats that can be used to harm consumers are: (1) unauthorized access and improper use of personal information; (2) promotion of attacks on other systems; and (3) the increase of security risks.

The research community is currently engaged in IoT research in several domains, of which quite a number have been published [2], [8], [9]. However, several issues remain for further research. For instance, Atzori et al. [8] addressed authentication and data integrity concerns in IoT security and suggested the development of new software applications to control access to personal data during their life cycle. However, their work did not discuss other equally important security concerns such as trust, data privacy and access control. Meanwhile, Miorandi et al. [9] identified only three key security issues to be investigated: data confidentiality, privacy and trust. They did not give adequate attention to authentication, integrity and access control, which were only discussed superficially. Sicari et al. [10] divided the security aspects into three categories: security requirements (authentication, confidentiality and access control), privacy, and trust. The main limitation of this work is the taxonomy of the IoT, which remains unclear and, consequently, the lack of classification of the listed research activities according to a clear sorting logic. Riahi et al. [11] considered security issues that may occur due to interactions among all the system elements, and analyzed their consequences on the global system. They focused their analysis on specific interactions which are directly related to security: privacy, trust, identification, and access control. They did not, however, consider other interactions such as autoimmunity, safety, reliability and responsibility that are effected during the system design phase as they do not involve enhancing technologies. Farooq et al. [1] analyzed the security issues and challenges and provided a well-defined security architecture to guarantee the user’s privacy and security to encourage wider adoption of IoT by the masses. Specifically, they addressed authentication, integrity, data confidentiality and data privacy as elements of the IoT security. However, this was not comprehensive enough as they left out trust and access control. Neshenko et al. [12], while having nine IoT vulnerability classes, only considered two main vulnerabilities, that is, unnecessarily open ports, and weak programming practices coupled with improper software update capabilities, as being responsible for most IoT attacks. The other vulnerabilities were accorded lesser attention. This paper seeks to comprehensively address the main limitations of existing work, which can be summarized as: identification, authentication, data integrity, trust, data confidentiality, access control, data privacy and data availability.

Therefore, the main objective of this paper is to provide the reader with a comprehensive discussion on the current state of the art of IoT, with particular focus on what has been done in the areas of privacy and security threats, attack surface, vulnerabilities and countermeasures, and to propose a threat taxonomy. This paper examines the privacy and security of the IoT from the users’ point of view, addresses the security requirements on a wider dimension and frames the IoT security framework taking into account the resource constraints of the IoT devices. By fusing IoT architecture with privacy and security principles, the paper proposes an IoT threat taxonomy. The paper brings out the latest developments in IoT privacy and security, highlighting the open issues and suggestions for further research. The contributions of this paper are as follows. The paper: (a) provides an overview of Internet of Things concepts, architecture, technology and applications relating to IoT with intent to establish the connection between IoT privacy and security from the users’ perspective; (b) provides a systematic summary of IoT user security requirements and challenges and analyzes how the security and privacy of users is implemented within the IoT framework; (c) tabulates known and documented attack surfaces, threats, vulnerabilities and recommended measures toward securing IoT devices; (d) develops a threat taxonomy for the IoT system that classifies threats and vulnerabilities in categories of low, medium, and high with regard to their contribution to data privacy and security of IoT users; and finally, (e) identifies countermeasures and links them to threats and vulnerabilities.

The rest of this article is organized as follows: Section 2 describes how the review was conducted. Section 3 describes the IoT concept and presents the need for user centric security and privacy design. Section 4 reviews current research on privacy and security of IoT and identifies threats and vulnerabilities. Section 5 highlights the mitigation measures against IoT vulnerabilities. Section 6 presents the proposed threat taxonomy while Section 7 presents important research issues for future research. Finally, Section 8 concludes the survey.

Section snippets

Literature survey process

This survey adopts a mixed qualitative and quantitative systematic literature review approach to the problem. According to [13], this method has advantages over the narrative style. It can also identify areas covered by existing studies, highlight gaps, approach the literature from various perspectives and promote new insights.

This IoT privacy and security survey uses an online database and other resources to find all articles that meet specific criteria, enter information about each

Overview of IoT

The IoT is a technological phenomenon generated by innovative advancements in information and communication technologies related to ubiquity, pervasiveness and intelligence [15]. The Internet of Things is a global concept that requires a general, specific, and acceptable definition. The ITU-T 13 research team explains Internet of Things (IoT) as data that provides advanced services by connecting things (physical and virtual) based on existing and evolving communication and information

Recent advances in IoT privacy and security

This section reviews the literature on the recent advances in IoT privacy and security, focusing on the users of the IoT. The users of IoT systems and devices face various privacy and security challenges. While the research in IoT is still in its infancy, there is literature to show that some significant research is going on in this field. This section therefore explores the state of the art in IoT privacy and security with a focus on the user.

Countermeasures

In this section, we describe countermeasures necessary to mitigate the IoT vulnerabilities, threats and attacks identified in Section 3.

Bringing users into the fold requires designers and developers to understand that users hold the potential to be capable and informed about the elements of a system. Considering users and the various interactions they have with the system can allow designers to have a more well-rounded approach to understanding and ensuring IoT security [108]. To highlight the

Threat taxonomy

In this section we propose a threat taxonomy based on the security and privacy threats enumerated in Sections 4.1.3 (IoT Security challenges) and 4.2.3 (Privacy threats), respectively. The taxonomy also captures the vulnerabilities and the mitigation strategies.

Threat taxonomy divides the types of threats into different levels of detail. The purpose of this taxonomy is to create a point for solving problems, the ability to mix, adjust, change, and mitigate threats. In order to expand it, the threat

Open research challenges

With more IoT devices entering the uncontrolled, complex world and being deployed in hostile environments, securing IoT systems poses unique challenges. The survey identified a number of areas that still confound researchers in IoT privacy and security.

Conclusion

The aim of this study was to provide a review of the most critical aspects of IoT, with specific focus on the security issues and challenges involved with IoT devices and on the human user. We have identified many security and privacy issues that need to be addressed by the research community to make it a safe and secure platform that can enhance user adoption of the technology. Research focuses are much needed in this area to address these security issues and challenges in IoT

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (131)

  • W. Mingjun, et al. A research on experimental system for Internet of Things major and application project, in: 3rd...
  • R. Neisse, et al. Dynamic Context-Aware Scalable and Trust-Based IoT Security, Privacy Framework (2015)
  • N. Neshenko, et al. Demystifying IoT security: An exhaustive survey on IoT vulnerabilities and a first empirical look on internet-scale IoT exploitations, IEEE Commun. Surv. Tutor. (2019)
  • C. Pickering, et al. Systematic quantitative literature reviews: what are they and why use them?
  • B. Pejcinovic, Using Systematic Literature Reviews to Enhance Student Learning, in: 122nd ASEE Annual Conference &...
  • A. Dohr, R. Modre-Osprian, M. Drobics, D. Hayn, G. Schreier, The internet of things for ambient assisted living, in:...
  • ITU, ITU-T Y.2060 Overview of the Internet of things (2012)
  • J.S. Kumar, et al. A survey on Internet of Things: Security and privacy issues, Int. J. Comput. Appl. (2014)
  • R. Uttarkar, et al. Internet of things: Architecture and security, Int. J. Comput. Appl. (2014)
  • X. Huang, et al. SecIoT: a security framework for the internet of things, Secur. Commun. Netw. (2016)
  • M. Abomhara, et al. Security and privacy in the internet of things: current status and open issues
  • Keyur K Patel, S.M.P. Internet of things-IOT: Definition, characteristics, architecture, enabling technologies, application & future challenges, Int. J. Eng. Sci. Comput. (2016)
  • N. Aleisa, K. Renaud, Privacy of the Internet of Things: A Systematic Literature Review, in: Proc. 50th Hawaii Int....
  • S. Notra, M. Siddiqi, H.H. Gharakheili, V. Sivaraman, R. Boreli, An Experimental Study of Security and Privacy Risks...
  • G. Hernandez, et al. Smart Nest Thermostat: A Smart Spy in Your Home (2014)
  • M. Harbach, S. Fahl, M. Smith, Who’s afraid of which bad Wolf? A survey of IT security risk awareness, in: Proc....
  • K. Zhao, L. Ge, A survey on the Internet of things security, in: Proceedings of 9th International Conference on...
  • L.F. Cranor, A Framework for Reasoning About the Human in the Loop, in: Proc. 1st Conf. Usability, Psychol. Secur.,...
  • R. Zghal Rebaï, et al. An adaptive method for user profile learning
  • M. Mezghani, et al. Analyzing tagged resources for social interests detection To cite this version: HAL Id :...
  • D. Tchuente, et al. Derivation of user profiles from social networks: a community approach of egocentric networks, Ingénierie Syst. Inform. (2013)
  • E. Khanfir, C. El Hog, R.B. Djmeaa, I.A.B. Amor, A web service selection framework based on user’s context and qos, in:...
  • J. Miranda. From the internet of things to the internet of people, IEEE Internet Comput. (2015)
  • M. Nitti, et al. Trustworthiness management in the social internet of things, IEEE Trans. Knowl. Data Eng. (2014)
  • E. Leloglu. A review of security concerns in internet of things, J. Comput. Commun. (2017)
  • M. Rimavicius. Literature review of the internet of things: Anticipating tomorrow’s challenges for privacy and security (2015)
  • Wind River Systems. Security in the internet of things (2015)
  • Information Science and Applications (2017)
  • M. Abdur, et al. Security issues in the internet of things (IoT): A comprehensive study, Int. J. Adv. Comput. Sci. Appl. (2017)
  • H. Sundmaeker, et al. Vision and Challenges for Realising the Internet of Things (2010)
  • F. Kamrani, et al. Internet of Things: Security and Privacy Issues, No. December (2016)
  • T. Xu, J. Wendt, M. Potkonjak, Security of IoT Systems: Design Challenges and Opportunities, in: IEEE/ACM International...
  • M. Hossain, M. Fotouhi, R. Hasan, Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet...
  • S. Babar, et al. Proposed security model and threat taxonomy for the internet of things (IoT) (2010)
  • M. Amine, et al. Authentication Protocols for Internet of Things: A Comprehensive Survey (2016)
  • E. Rescorla. The transport layer security (TLS) protocol version 1.3, Netw. Work. Gr. (2018)
  • J.H. Ziegeldorf, et al. Privacy in the internet of things: Threats and challenges, Secur. Commun. Netw. (2014)
  • R. Kang, L. Dabbish, N. Fruchter, S. Kiesler, ‘My data just goes everywhere:’ User mental models of the internet and...
  • H.A. Abdul-Ghani, et al. A comprehensive study of security and privacy guidelines, threats, and countermeasures: An IoT perspective, J. Sens. Actuator Netw. (2019)
  • A.M.A. Abuagoub. IoT Security evolution: Challenges and countermeasures review, Int. J. Commun. Netw. Inf. Secur. (2019)