Review article
A survey on privacy and security of Internet of Things
Introduction
The term “Internet of Things (IoT)” was first used in 1999 by Kevin Ashton, a British technology pioneer [1], [2], [3], [4], [5], [6]. According to Kevin Ashton, the Internet of Things defines the system of physical objects in the world that connect to the internet via a sensor. The Internet of Things (IoT) comprises intelligent machines that interact with other machines, objects, environments, and infrastructures. This new technology has had a tremendous impact on people’s lives as it helps people to live and work smarter, as well as gain complete control over their lives. In addition to offering smart devices to automate homes, IoT is essential to business. IoT provides businesses with a real-time look into how their systems really work, delivering insights into everything from the performance of machines to supply chain and logistics operations.
Consequently, this new technological reality involves collection and management of vast volumes of data from a rapidly growing network of devices and sensors, processing them and then sharing them with other related things. These new interactions create tremendous opportunities for new services. IoT enables companies to automate processes and reduce labor costs. It also cuts down on waste and improves service delivery, making it less expensive to manufacture and deliver goods, as well as offering transparency into customer transactions. As such, IoT is one of the most important technologies of everyday life, and it will continue to pick up steam as more businesses realize the potential of connected devices to keep them competitive.
The IoT global market is expected to witness tremendous growth, with heterogeneous devices reaching 28 billion by the end of 2020. The sheer amount of data generated by IoT objects can pose a serious threat to people’s privacy and security because their activities can be monitored anytime, anywhere [7]. The potential security threats that can be used to harm consumers are: (1) unauthorized access and improper use of personal information; (2) promotion of attacks on other systems; and (3) the increase of security risks.
The research community is currently engaged in IoT research in several domains, and quite a number of studies have been published [2], [8], [9]. However, several issues remain for further research. For instance, Atzori et al. [8] addressed authentication and data integrity concerns in IoT security and suggested the development of new software applications to control access to personal data during their life cycle. However, their work did not discuss other equally important security concerns such as trust, data privacy and access control. Meanwhile, Miorandi et al. [9] identified only three key security issues to be investigated: data confidentiality, privacy and trust. They did not give adequate attention to authentication, integrity and access control, which were only discussed superficially. Sicari et al. [10] divided the security aspects into three categories: security requirements (authentication, confidentiality and access control), privacy, and trust. The main limitation of this work is the taxonomy of the IoT, which remains unclear and, consequently, the lack of classification of the listed research activities according to a clear sorting logic. Riahi et al. [11] considered security issues that may occur due to interactions among all the system elements, and analyzed their consequences on the global system. They focused their analysis on specific interactions which are directly related to security: privacy, trust, identification, and access control. They did not, however, consider other interactions such as autoimmunity, safety, reliability and responsibility that are effected during the system design phase as they do not involve enhancing technologies. Farooq et al. [1] analyzed the security issues and challenges and provided a well-defined security architecture to guarantee the user’s privacy and security to encourage wider adoption of IoT by the masses. Specifically, they addressed authentication, integrity, data confidentiality and data privacy as elements of the IoT security. However, this was not comprehensive enough as they left out trust and access control. Neshenko et al. [12], while having nine IoT vulnerability classes, considered only two main vulnerabilities, that is, unnecessarily open ports, and weak programming practices coupled with improper software update capabilities, as being responsible for most IoT attacks. The other vulnerabilities were accorded lesser attention. This paper seeks to comprehensively address the main limitations of existing work which can be summarized as: identification, authentication, data integrity, trust, data confidentiality, access control, data privacy and data availability.
Therefore, the main objective of this paper is to provide the reader with a comprehensive discussion on the current state of the art of IoT, with particular focus on what has been done in the areas of privacy and security threats, attack surface, vulnerabilities and countermeasures, and to propose a threat taxonomy. This paper examines the privacy and security of the IoT from the users’ point of view, addresses the security requirements on a wider dimension and frames the IoT security framework taking into account the resource constraints of the IoT devices. By fusing IoT architecture with privacy and security principles, the paper proposes an IoT threat taxonomy. The paper brings out the latest developments in IoT privacy and security, highlighting the open issues and suggestions for further research. As a result, the contributions of this paper are as follows. The paper: (a) provides an overview of Internet of Things concepts, architecture, technology and applications relating to IoT with intent to establish the connection between IoT privacy and security from the users’ perspective; (b) provides a systematic summary of IoT user security requirements and challenges and analyzes how the security and privacy of users is implemented within the IoT framework; (c) tabulates known and documented attack surfaces, threats, vulnerabilities and recommended measures toward securing IoT devices; (d) develops a threat taxonomy for the IoT system that classifies threats and vulnerabilities in categories of low, medium, and high with regard to their contribution to data privacy and security of IoT users; and finally, (e) identifies countermeasures and links them to threats and vulnerabilities.
The rest of this article is organized as follows: Section 2 describes how the review was conducted. Section 3 describes the IoT concept and presents the need for user centric security and privacy design. Section 4 reviews current research on privacy and security of IoT and identifies threats and vulnerabilities. Section 5 highlights the mitigation measures against IoT vulnerabilities. Section 6 presents the proposed threat taxonomy while Section 7 presents important research issues for future research. Finally, Section 8 concludes the survey.
Section snippets
Literature survey process
This survey adopts a mixed qualitative and quantitative systematic literature review approach to the problem. According to [13], this method has advantages over the narrative style. It can also identify areas covered by existing studies, highlight gaps, approach the literature from various perspectives and promote new insights.
This IoT privacy and security survey uses an online database and other resources to find all articles that meet specific criteria, enter information about each
Overview of IoT
The IoT is a technological phenomenon generated by innovative advancements in information and communication technologies related to ubiquity, pervasiveness and intelligence [15]. The Internet of Things is a global concept that requires a general, specific, and acceptable definition. The ITU-T 13 research team explains Internet of Things (IoT) as data that provides advanced services by connecting things (physical and virtual) based on existing and evolving communication and information
Recent advances in IoT privacy and security
This section reviews the literature on the recent advances in IoT privacy and security, focusing on the users of the IoT. The users of IoT systems and devices face various privacy and security challenges. While the research in IoT is still in its infancy, there is literature to show that some significant research is going on in this field. This section therefore explores the state of the art in IoT privacy and security with a focus on the user.
Countermeasures
In this section, we describe countermeasures necessary to mitigate the IoT vulnerabilities, threats and attacks identified in Section 3.
Bringing users into the fold requires designers and developers to understand that users hold the potential to be capable and informed about the elements of a system. Considering users and the various interactions they have with the system can allow designers to have a more well-rounded approach to understanding and ensuring IoT security [108]. To highlight the
Threat taxonomy
In this section we propose a threat taxonomy based on the security and privacy threats enumerated in Sections 4.1.3 (IoT security challenges) and 4.2.3 (Privacy threats), respectively. The taxonomy also captures the vulnerabilities and the mitigation strategies.
Threat taxonomy divides the types of threats into different levels of detail. The purpose of this taxonomy is to create a point for solving problems, the ability to mix, adjust, change, and mitigate threats. In order to expand it, the threat
Open research challenges
With more IoT devices entering the uncontrolled, complex world and being deployed in hostile environments, securing IoT systems poses unique challenges. The survey identified a number of areas that still confound researchers in IoT privacy and security.
Conclusion
The aim of this study was to provide a review of the most critical aspects of IoT, with specific focus on the security issues and challenges involved with IoT devices and on the human user. We have identified many security and privacy issues that need to be addressed by the research community to make it a safe and secure platform that can enhance user adoption of the technology. Research focuses are much needed in this area to address these security issues and challenges in IoT
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (131)
- et al. The Internet of Things: A survey. Comput. Netw. (2010)
- et al. Internet of things: Vision, applications and research challenges. Ad Hoc Netw. (2012)
- et al. Security, Privacy & Trust in Internet of Things: the road ahead. Comput. Netw. (2015)
- et al. A roadmap for security challenges in the Internet of Things. Digit. Commun. Netw. (2018)
- et al. The Internet of things (IoT): Applications, investments, and challenges for enterprises. Bus. Horiz. (2015)
- et al. A critical analysis on the security concerns of internet of things (IoT). Int. J. Comput. Appl. (2015)
- et al. Internet of things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst. (2013)
- et al. Internet of things: Applications and challenges in technology and standardization. Wirel. Pers. Commun. (2011)
- Design of architecture for efficient integration of internet of things and cloud computing. Int. J. Adv. Res. Comput. Sci. (2017)
- et al. The internet of things: An overview. Des. Internet Things (2013)
- Dynamic Context-Aware Scalable and Trust-Based IoT Security, Privacy Framework
- Demystifying IoT security: An exhaustive survey on IoT vulnerabilities and a first empirical look on internet-scale IoT exploitations. IEEE Commun. Surv. Tutor.
- Systematic quantitative literature reviews what are they and why use them?
- ITU, ITU-T Y.2060 Overview of the Internet of things
- A survey on Internet of Things: Security and privacy issues. Int. J. Comput. Appl.
- Internet of things: Architecture and security. Int. J. Comput. Appl.
- SecIoT: a security framework for the internet of things. Secur. Commun. Netw.
- Security and privacy in the internet of things: current status and open issues
- Internet of things-IOT: Definition, characteristics, architecture, enabling technologies, application & future challenges. Int. J. Eng. Sci. Comput.
- Smart Nest Thermostat: A Smart Spy in Your Home
- An adaptive method for user profile learning
- Derivation of user profiles from social networks: a community approach of egocentric networks. Ingénierie Syst. Inform.
- From the internet of things to the internet of people. IEEE Internet Comput.
- Trustworthiness management in the social internet of things. IEEE Trans. Knowl. Data Eng.
- A review of security concerns in internet of things. J. Comput. Commun.
- Literature review of the internet of things: Anticipating tomorrow’s challenges for privacy and security
- Security in the internet of things. Information Science and Applications
- Security issues in the internet of things (IoT): A comprehensive study. Int. J. Adv. Comput. Sci. Appl.
- Vision and Challenges for Realising the Internet of Things
- Internet of Things: Security and Privacy Issues, No. December
- Proposed security model and threat taxonomy for the internet of things (IoT)
- Authentication Protocols for Internet of Things: A Comprehensive Survey
- The transport layer security (TLS) protocol version 1.3, Netw. Work. Gr.
- Privacy in the internet of things: Threats and challenges. Secur. Commun. Netw.
- A comprehensive study of security and privacy guidelines, threats, and countermeasures: An IoT perspective. J. Sens. Actuator Netw.
- IoT Security evolution: Challenges and countermeasures review. Int. J. Commun. Netw. Inf. Secur.
Cited by (104)
Securing massive IoT in 6G: Recent solutions, architectures, future directions
2023, Internet of Things (Netherlands)
A Systematic Security Assessment and Review of Internet of Things in the Context of Authentication
2023, Computers and Security
Citation excerpt: Each connected device must be authenticated to ensure that the correct device has access to the proper resources in the right location. It is a method for avoiding various common attacks, including replay attacks, man-in-the-middle attacks, impersonation attacks, and denial of service attacks (Ogonji et al., 2020). If an authentication algorithm is not implemented correctly in a network, an attacker can steal critical credentials, posing a risk to the network or user.
Authentication schemes in wireless internet of things sensor networks: a survey and comparison
2024, Indonesian Journal of Electrical Engineering and Computer Science