Abstract: The aim of this review report is to gain a broad understanding of privacy and security in IoT and the problems and open issues concerning this area.
The Internet of Things (IoT) mainly uses Wireless Sensor Networks (WSN) or Radio Frequency IDentification (RFID) to communicate with and connect to the outside physical world. IoT, WSN and RFID technologies are regarded by many researchers as insecure and still partly in the development stages. The key challenge for making IoT more widespread is adding better security between the layers of the IoT devices, and when communicating with the outside world.
The security aspect will help in dealing with the privacy aspect, which is equally important, since users have to be able to trust that the data the IoT device collects is not leaked to unauthorised parties. IoT is built upon the idea of the Internet; however, IoT is a more challenging area to secure than the Internet, since IoT devices have limited resources.
We have searched for literature using Malmö University’s Summon and Google Scholar. The search terms used are “IoT”, “Internet of Things”, “privacy”, “security”, “survey” and “state of the art”, either as single terms or in combination. We have accessed and read abstracts of some hundred papers and downloaded about 30 papers, of which we find seven papers to be relevant to our aim of getting an overview of the domain of security and privacy in IoT, and where it is heading. Thus our focus for the chosen papers is on surveys, reviews and state of the art.
Here we present and discuss the papers we find relevant to privacy and security in IoT.
Internet of Things Architecture and Security
A discussion and review of the current research on security requirements of IoT based on the four layers of the IoT technology (Perceptual, Network, Support and Application Layer) is presented by Suo, Wan, Zou, & Liu. The authors highlight security in IoT as more challenging than security on the Internet, since it is difficult to verify that devices have been breached, and argue that the research community should pay more attention to confidentiality, integrity and authenticity of data.
There are four levels of an IoT application:
- The Perceptual Layer
- The Network Layer
- The Support Layer
- The Application Layer
Below we describe each layer, its security features and security requirements using definitions by Suo, Wan, Zou, & Liu.
The Perceptual Layer
- Description: Gathers data from the equipment (RFID readers, GPS sensors, etc.) it is attached to. The data can be, for example, a device’s geo-position or the surrounding temperature.
- Security Features: Access to storage and power is limited, thus it is difficult to set up protection or to monitor for security breaches.
- Security Requirements: To deal with authentication, the authors highlight cryptographic algorithms and cryptographic protocols with a small footprint.
The Network Layer
- Description: The network layer communicates information from the perceptual layer wirelessly to the outside world.
- Security Features: The layer is relatively well protected; however, data congestion and ID spoofing are the main concerns.
- Security Requirements: Dealing with distributed denial-of-service (DDoS) attacks and their prevention, and identity authentication.
The Support Layer
- Description: The Support Layer deals with data processing and decision-making based on the collected information. The layer also unites the Network Layer and the Application Layer.
- Security Features: Difficulties lie in actually knowing whether the data being processed is valid input or a virus.
- Security Requirements: Anti-virus protection, encryption algorithms and encryption protocols with a small footprint.
The Application Layer
- Description: The Application Layer is the outermost layer facing the users of the IoT device or service, and will often feature some kind of user interface.
- Security Features: Controlling who has access to the device’s data, which parts of the data they can access, and with whom the device is allowed to share the data.
- Security Requirements: Access authentication to protect user privacy and education of users about password management.
Using two case studies of smart homes and medical implants, Kermani, Zhang, Raghunathan, & Jha methodically highlight the problematic areas of embedded systems, how they can be exploited, and further describe possible solutions and workarounds for better hardware and software security for IoT devices.
IoT challenges and opportunities
A good historical background of the Internet of Things and a definition of “thing” are given by Agrawal & Das, where the authors explain the underlying technologies (WSN and RFID) and examine the security and privacy concerns and problems of these technologies, as well as the interoperability issues of trust and heterogeneous sources communicating. The authors list many challenges and opportunities for the Internet of Things. We acknowledge that the elements are highly connected; however, we choose to only highlight and comment on challenges and opportunities of security and privacy in IoT.
Security and privacy challenges
The challenges regarding security and privacy highlighted by Agrawal & Das are:
- Standards: Mass IoT rollout requires standardisation of many elements.
- Privacy: Securing user-device security.
- Identification and Authentication: Privacy control via authentication.
- Security: Device communication and inter-communication must be secure.
- Trust and Ownership: User-trust in collected data.
Security and privacy opportunities
The opportunities regarding security and privacy highlighted by Agrawal & Das are:
- Insecure and not Secure: Security software vendors will have an entirely new area to safeguard, however IoT security is complex to manage.
- Reachability: IPv6 addresses on every element will make every device reachable, if standards are in place to secure interoperability.
- Efficiency: Tied to Reachability above, where devices sense and communicate with their surroundings, to help with logistics, tracking and management of data.
Internet of Things and standardisation
The security perspective of IoT from a standardisation point of view is argued by Keoh, Kumar & Tschofenig, who methodically map problems facing IoT security to how they can be – and in many ways already are – solved by standardisation. They highlight the efforts of the Internet Engineering Task Force to standardise security within the IoT. Although slightly biased towards their own achievements, they thoroughly examine, evaluate and analyse many problems and levels of security. They also conclude by adding perspectives on Moore’s law and the problem of many new devices’ high power consumption.
Internet of Things contrasted to Internet
The analysis of the security aspects of each layer in IoT objects, their cross-layer issues with heterogeneous integration and the security aspects of IoT is addressed by Jing, Vasilakos, Wan, Lu & Qiu, contrasting these issues to how they are dealt with on the Internet. The authors go thoroughly into the details of the pros and cons of each layer’s security problems with clear references, contrasting their findings with other Internet protocols, namely:
- IoT is composed of mostly RFID and WSN nodes with limited resources, whereas the Internet is made up of computers, servers and smart devices with many resources.
- The Internet uses advanced algorithms and security measures, and heavy computation; in IoT, power is scarce, thus we have to rely on lightweight solutions.
- Communication in IoT is through slower and less secure wireless bands, which can result in information being leaked to third parties.
- PCs and other devices connected to the Internet have operating systems with underlying security, whereas IoT devices only have some code to run the device.
Internet of Things and Privacy
The aim of the note by Mashhadi, Kawsar & Acer is to start a discussion within the HDI and IoT communities to better understand and reflect on the issues of who owns the data created and produced in the IoT environment, and to find relevant models that allow users to give permission and control over when and how they share information. The authors do not critically reflect on who owns the data, but indirectly take the stance that the data produced by users is owned by users, without directly backing up this position by any arguments or references. It is simply assumed, even though the title of the paper is “Human Data Interaction in IoT: The Ownership Aspect”.
However, they argue that IoT devices collect data from and about people. The authors argue the pros and cons, through many examples, of using secure multi-party computations (SMC) for enforcing and protecting users’ privacy in the IoT domain. The authors conclude that the main obstacle is immature technology, but do not touch on another important aspect, namely that IoT devices do not necessarily have the computational power to carry out such computations. The authors provide a model to solve the problems they define, and discuss possible side effects of their solutions, including illustrating the overlapping application domains vs. data sensitivity.
Internet of Things and the Future Internet of Things
Khan, Khan, Zaheer, & Khan take a perspective view of privacy and security in IoT and Future IoT (FIoT), contrasting it with where it currently is. The authors summarise and categorise several key challenges for IoT and point to government bodies currently working to solve these problems.
The authors also point out not only interoperability issues, but also findability of devices, since IoT devices need to be aware not only of their surroundings, but also of surrounding devices, which they might need to communicate with to accomplish a task or to collect data from. However, it is difficult to deploy awareness measures and authentication logic in these rudimentary IoT devices to allow socialising.
In this paper we have briefly looked at the security and privacy issues facing Internet of Things. We have described the four layers of IoT devices and mapped their security challenges. We find that IoT is still in a development stage with security challenges that need to be ironed out before the vision of truly smart devices and mass adoption of the technologies can succeed. Security and privacy are hampered by devices with little power to deal with the complex tasks of encryption and authentication.
It seems that most research bases its ideas on the Internet and World Wide Web, whereas in fact, as many point out, the Internet of Things domain is more complex, since IoT devices are highly autonomous units with little power to perform authentication or encryption. We have touched on another need for security, namely privacy of the collected data, so that unauthorised third parties cannot gain access to the device and scrape the data for unauthorised use. This is, however, also a challenge for IoT, since devices are meant to communicate with the outside world and with each other. The question still remains open as to who should control communication, and how.
- Suo, H., Wan, J., Zou, C., & Liu, J. “Security in the internet of things: a review”, Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on, Vol. 3, 2012. IEEE
- Kermani, M. M., Zhang, M., Raghunathan, A., & Jha, N. K. “Emerging Frontiers in embedded security”, VLSI Design and 2013 12th International Conference on Embedded Systems (VLSID), 2013 26th International Conference on, 2013. IEEE
- Agrawal, S., & Das, M. L. “Internet of Things – A paradigm shift of future Internet applications”, Engineering (NUiCONE), 2011 Nirma University International Conference on, 2011. IEEE
- Keoh, S., Kumar, S. & Tschofenig, H. “Securing the Internet of Things: A Standardization Perspective”, 2014.
- Jing, Q., Vasilakos, A. V., Wan, J., Lu, J., & Qiu, D. “Security of the Internet of Things: Perspectives and challenges”, 2014.
- Mashhadi, A., Kawsar, F., & Acer, U. G. “Human Data Interaction in IoT: The ownership aspect”, Internet of Things (WF-IoT), 2014 IEEE World Forum on, 2014. IEEE
- Khan, R., Khan, S. U., Zaheer, R., & Khan, S. “Future Internet: the internet of things architecture, possible applications and key challenges”, Proceedings of the 2012 10th International Conference on Frontiers of Information Technology, 2012. IEEE Computer Society