Literature Review

Discuss about the Security And Privacy Issues In Iot. 

The IOT or Internet of Things is a futuristic concept wherein everyday objects and accessories would be able to connect to each other, be aware about their surroundings as well as be connected to the internet. IOT is close associate with technologies such as Sensor, RFID and Wireless networks. According to Gartner, approximately 25 to 30 Billion IOT devices would be in use in the world. The rate at which this is growing possess big security concerns as IOT devices have multiple vulnerability while at the same time the potential growth attracts the attention of malicious actors. IOT security is an important concern because: a) IOT is considered to be an extended version of Wireless Sensor Networks, Mobile communication and Broadband which and since they itself possess multiple security flaws, it also translates over to IOT b) Since every device is connected to the internet and has itself low defence mechanisms c) IOT objects communicate with each other leaving scope of security and privacy. This paper aims to summarize the potential security and privacy threats of IOT (Schneier, 2017).

The characteristics of IOT that points to out it’s dynamic behaviour, mobility, intelligence, undefined parameters make it’s a high-end technological domain and a scalable technological revolution but also highly vulnerable in terms of security. As a result, it’s important to understand the concept of IOT before moving ahead to its security vulnerabilities.

• Presentation
• Middleware
• Hardware

Also, the same pattern could be observed in determining different paradigms of IOT, and they include:

• Semantic-oriented
• Things-oriented
• Internet-oriented

As a result, the similar concept could applied to the structure of IOT. The IOT architecture, comprises of:

• The application layer
• The perception layer
• The network layer

The application layer that consists of the bulk of the logic interacts with the end-users to satisfy their needs. The perception layers gathers environment related data and network layer consists of wireless and wired systems is intended to transmit and process information (“Cloud Computing Security, Privacy and Forensics: Issues and Challenges Ahead”, 2018). The IOT needs solutions related to architecture that helps manage heterogeneous states so as to work effectively. 

Privacy is considered to be a fundamental human right and the Universal Declaration of Human Rights mentions this in 1948. In the US, the first biggest piece of legislation that was passed was the 1974 Privacy Act. However, even today the level of privacy protection offered by the legislation are insufficient because of the day-to-day spillages and unpunished breach of privacy and security issues. This issue is greatly enhanced with IOT as it creates many new grey areas wherein legislative boundaries disappear. First of this is the notion of PII or Personally Identifiable Information as the definition of PII quickly deprecates in lieu of IOT as it becomes increasingly difficult to distinguish between Non-PII and PII. Many privacy breaches today go unnoticed. For example, websites that allow constant tracking of users on the web (“Cloud Computing Security, Privacy and Forensics: Issues and Challenges Ahead”, 2018) or for instance smartphone companies and carriers that constantly collect location of the users or even smart meter readings that track people’s lifestyles. Also, too many privacy breaches go unnoticed among users as data collection of everyday things become a normality and the data collection is more passive.  

Privacy Threats

Privacy theats

Identification

Identification means the threat of being identified by a name, pseudonym, address or contact number or by other means. This is a rapidly growing issue within IOT as the usage of surveillance cameras in IOT devices have become a norm for non-security contexts such as marketing and analytics purposes by non-government units. The images captured by these cameras can be automatically recognized using advanced facial recognition techniques. Apart from this, the increasing interconnection among devices (Song, Fink & Jeschke, 2014) make fingerprinting possible. Finally, the integration of speech and phrase recognition technology used in everyday consumer products such as speaker systems or calendars have made a huge data-base not just individual speech samples but also what they speak into, what they demand constantly among others. This could potentially be used to recognize and identify people by government and non-government organizations.

Localization and Tracking

Localization and tracking means constant or in-frequent accessing and / or recording of person’s location through space and time. As IOT objects become smarter and more intuitive, their accuracy and frequency of recording location to provide meaningful feedback and help increases as well. Simultaneously, the recording of location also becomes more passive and users are unaware about the same. This is a among the most concerning privacy issues associated with IOT.

Profiling

Profiling means compiling details of an individuals and tracking his likes, preferences, background and other details in order to understand the individual better. These methods are typically used on social media sites and ecommerce sites to provide better recommendation to users. However, with so many IOT devices in the wild, it gets easier to track and profile an individual’s lives those parts which were previously inaccessible. 

Security Threats

Perception layer security issues: It stands at the lowest level in IOT structure and is the main source of access for the information within IOT. There isn’t enough security mechanisms built into this layer and is vulnerable to attack owing to its limited energy use, diversity and a weak protection that relies on the security of RFID, M2M and WSN. Perception layer is susceptible to attacks such as congestion attack, DoS attack, forward attack, physical capture, capture gateway node and node replication attack.  Within Perception layer, WSN and RFID also have separate vulnerabilities:

Wireless Sensor Networks

WSN sense and control various environment around them and the security issues can be categorized under :

• Authentication based attacks
• Network availability based attacks
• Service integrity based attacks.

Security Threats

RFID technology

RFID is used for automatic exchange of information without user intervention and have various vulnerabilities within them that includes :

• Unauthorized disabling of tag
• Replay attacks
• Unauthorized cloning of tags
• Unauthorized tracking of tags

Security issues in physical layer

Physical layer is used to perform various functionalities including generation and selection of carrier frequency, demodulation and modulation, decryption and encryption as well as reception and transmission of data (“The IoT threat to privacy – TechCrunch”, 2013). Vulnerabilities and attack vectors for this includes jamming of radio signals. This is a type of Denial of Service attack wherein the attack constantly occupies the entire communication channel between different nodes effectively preventing them from communicating to each other. This type of attack is either performed continuously or in isolation. In either of the cases, the networks typically suffer great consequences. The second type of attack on Node tampering includes node tampering. In node tampering, the attackers extract sensitive information from within the physical layer. 

Internet of Things faces a great deal of vulnerabilities when it comes to network layer. These includes illegal network access, eavesdropping on data, destruction, man-in-the-middle type of attacks, DoS attacks, virus and malware based attacks and so on. IoT that has a large sensing capabilities as it’s connected by multiple devices and have multiple sources of data that feed on them would also have additional security concerns. These concerns range from ineffective network data transfer speeds, large number of nodes causing network congestion and thereby resulting in various DoS styled attacks. The DoS attacks that take place in the network layer include the following:

• Hello Flood attack: A hell flood attack typically causes a very high traffic in various channels by congesting them with many different messages that is constantly being replaced by an attacker. The single malicious node constantly sends a useless message which is then replayed by the attacker to create the unusually high traffic.
• Homing attack: In this type of attack, a single search is made in the system for different cluster heads as well as key managers that allow for shutting down of the entire network.
• Selective forwarding: In this type of attack, a single compromised node ends up sending a few electing nodes in place of all the nodes. The selection of these nodes is made as per choice by the attacker in order to achieve his malicious intent and therefore such nodes do not forward all of the packets of data (“Future Internet | Special Issue : IoT Security and Privacy”, 2018).
• Sybil attack: In this type of attack, an attacker would try to replicate a single node and thereafter present it with different identifies to other respective nodes.
• Wormhole attack: In this type of attack, the attack causes relocation of several data bits from this original position to a different position. This relocation of data packets is ideally carried out with several; data bits over low latencies.
• Acknowledgement flooding: In this type of attack, a routing algorithm is typically and afterwards acknowledgement is needed during the sensor networks. In this type of flooding attack, the malicious node spoofs other acknowledgements by providing them with false information about the targeted neighbouring nodes.

Application Layer security issues

Internet of Things application is a result of tight integration between computer technology, industry professionals and communication technology and thus it has multiple applications. The security issues that typically riddle Application layer includes tampering as well as eavesdropping. This particular layer carries out different responsibilities of the traffic management. It is also responsible for providing software for multiple applications that help in carrying out translation of data into something which is comprehensible and also in collecting of information. This is done by sending the queries. A DoS attack that is path-based can be initiated within the application layer by way of simulating various sensor nodes so as to create huge traffic towards base station.

Technological solutions should intimately involve humans in the process. Some of the solutions deploy several access control methods or even privacy awareness applications. For instance, study proposed by the DPA or Dynamic Privacy Analyser, recommended a solution wherein the owner of a ‘smart meter’ should be made aware that he or she is sharing the data with 3^rd parties and that it involves privacy risks in that context. Whereas half of the solutions proposed took the human completely out of the loop. They had (“Security Challenges in the Internet of Things (IoT)”, 2016) proposed cryptographic techniques as well as data minimization and information manipulation techniques so as to prevent data being sniffed on to servers. Apart from this, an original scheme known as PEM or Path Extension Method was presented that allowed for a powerful protection of location based privacy and this was accomplished using an encryption technique that made sure that adversaries would not be able to eavesdrop on any form of communication.

A vast majority of researchers had been quite fundamentalist when it comes to privacy. This is also something that can be expected and some unconcerned researchers might never have the interest in the first place to carry out any research in this domain. It also means, however, there might also be some unrealistic standards about a woman and a man on the street as well as their stance on privacy. Some unconcerned consumers (Hussain & Kaliya, 2018) are likely to be unwilling when it comes to taking any action on preserving their privacy as they don’t care much about it. Much of the solutions proposed in this regard take into the assumption that consumers might always be concerning about their privacy and unwilling to share information or unwilling to spend time in engaging their rights to defend privacy. In both the cases, the assumption could be flawed as well.

The main question here that demands attention and investigation is whether or not consumers having different privacy stances are sure to be putting in extra effort to interact, question the authority and fight for their right to privacy. This becomes extra difficult when narratives thrown by corporations suggest that by learning and tracking consumers, they can better tailor their services and systems to consumer’s needs. As a result, the researchers who are constantly coming up with various innovative solutions that might prove to be futile when it comes to the face of consumer’s complacency or their unwillingness to engage on matters of privacy. 

There are many limitations in the research report presented above. The biggest limitation is perhaps the omission of smartphones from the research. Smartphones perfectly qualify as an IoT device as it has nearly all the characteristics of an IoT device and it has still not been included in the report. This is because smartphones open up an entirely new form of discussion that has sometimes different privacy and security (Basu, 2005) issues than IoT although many of those issues do overlap. This report was meant to focus entirely on privacy and security related issues with the IoT devices such as the smart speakers, smart lights or the technologies being used in smart cities and so on.

As an extension to this research, a follow up research report should assess several privacy perception that relates to IoT in order to find out whether the people would come forward to protect their privacy. Moreover, it should also determine if they would value a management tool through which they can manage their privacy and prevent it to some degree if some efforts were needed from their end in order to do so. For instance, enabling encryption which isessentially a security tool but practically preservers any communication to and from IoT devices to the server. A further research should also be carried out that assesses the security-specific solutions for IoT.

Conclusion

The ongoing state of IOT reveals that there are still a significant amount of work that needs to be done in order to secure these embedded smart devices. Even though the total number of IoT devices along with newer technological solutions as well as scientific research has soared in the past few years, the solutions to secure them has not been able to keep the same pace. There are multiple known security beaches that affect the IoT devise and there are multiple cases of security breaches happening as of this minute. At the same time, the amount of data being generated and passed through these IoT devices is also increasing at an unprecedented rate which means nothing but more exposure to sensitive data which in turn brings the need for a discussion among privacy and Security Council. Efforts made recently in regards to IoT has not been able to cover the entire breadth of security challenges posed by IoT and it reveals that many research opportunities are still pending in several areas that includes smart detection capabilities and object hardening. Present challenges and issues should be taken as the background for improvement opportunities that helps organizations incorporate security mechanisms in the early design of these IoT devices. Finally, users would also need to understand the core objective of these smart devices and what it is meant to be used for so that they can incorporate some extra security and prevention from their end to ensure the risk of exposing sensitive data about them is kept at minimum. 

References

Basu, S. (2005). On issues of Convenience, Privacy and Security. Journal Of Information Privacy And Security, 1(2), 1-3. https://dx.doi.org/10.1080/15536548.2005.10855764

Cloud Computing Security, Privacy and Forensics: Issues and Challenges Ahead. (2018). International Journal Of Recent Trends In Engineering And Research, 4(3), 10-13. https://dx.doi.org/10.23883/ijrter.2018.4083.xwpna

Cloud Computing Security, Privacy and Forensics: Issues and Challenges Ahead. (2018). International Journal Of Recent Trends In Engineering And Research, 4(3), 10-13. https://dx.doi.org/10.23883/ijrter.2018.4083.xwpna

Future Internet | Special Issue : IoT Security and Privacy. (2018). Retrieved 2018, from https://www.mdpi.com/journal/futureinternet/special_issues/and_Privacy

Hussain, M., & Kaliya, N. (2018). An Improvised Framework for Privacy Preservation in IoT. International Journal Of Information Security And Privacy, 12(2), 46-63. https://dx.doi.org/10.4018/ijisp.2018040104

Schneier, B. (2017). IoT Security: What’s Plan B?. IEEE Security & Privacy, 15(5), 96-96. https://dx.doi.org/10.1109/msp.2017.3681066

Security Challenges in the Internet of Things (IoT). (2016). Retrieved 2018, from https://resources.infosecinstitute.com/security-challenges-in-the-internet-of-things-iot/

Song, H., Fink, G., & Jeschke, S. (2014). Security and privacy in cyber-physical systems.

The IoT threat to privacy – TechCrunch. (2013). Retrieved 2018, from https://techcrunch.com/2016/08/14/the-iot-threat-to-privacy