
Abstract

The Internet of Things (IoT) is a recent topic in the IT world. Behind this phrase lies a
true picture of the future of computing from both a technological and a social perspective. It is
generally accepted that the (IoT) will provide numerous other, and potentially radical, benefits to
human beings. However, because the Internet of Things is recent, there are many problems in the
security of (IoT) devices, which may present a variety of potential security risks that could be
exploited to harm users. Generally, when thinking about Internet of Things devices, it is
important to realize that the security of these devices is not complete. This report examines the
issues and challenges behind (IoT) privacy and security, current remedies, and suitable solutions
for future computation.

1. Introduction
The term Internet of Things (IoT) was first used in 1999 by British technology pioneer Kevin
Ashton to describe a system in which objects in the physical world could be connected to the
Internet by sensors.1 (IoT) refers to the capability of routine objects to connect to the Internet and
to send and receive data. Research predicts that there will be more than 2.9 billion connected
(IoT) devices in consumer smart home environments in 2015.2 These linked devices are expected to
provide a much larger surface for attackers to target home and industrial networks.
In the near future, the number of things connected to the Internet will exceed the number of
people, and this will add a range of potential security risks that could be exploited to harm
users by: (i) enabling misuse of personal information and unauthorized access; (ii) facilitating
attacks on other systems; and (iii) creating risks to personal safety.
Currently, most attacks are centered on desktop or laptop computers, which have become a source of
profit for attackers. This reality shows that attackers will shift their targets to (IoT) devices in
the near future. Among observed security vulnerabilities, the use of weak passwords is a security
issue that has repeatedly been seen in (IoT) devices.
The purpose of this report is to examine the security and privacy issues of (IoT) devices and their
implications for users. Also discussed will be the evolution of the (IoT) and associated security
issues, (IoT) security considerations, and some possible methods to enhance the security of (IoT).
The four parts of this report will discuss (1) a technological overview of (IoT), (2) issues of
(IoT) security and privacy, (3) existing security measures, and (4) proposed security measures.
The technological overview section will show the evolution of (IoT) and related security issues
on the (IoT) developmental path. The vulnerability section identifies and explains various security
vulnerabilities with regard to (IoT) devices. The section covering current security measures
examines existing security measures and how they are currently being used. Finally, the proposed
solution section includes effective security measures to tackle (IoT) vulnerabilities.

1 Ashton was working on RFID (radio-frequency identification) devices.
2 Gartner Press Release, Gartner Says 4.9 Billion Connected Things Will Be in Use in 2015, published November
11, 2014, http://www.gartner.com/newsroom/id/2905717

2. Technological Overview of (IoT)


The concept of a network of smart devices was discussed as early as 1982, with a modified Coke
machine at Carnegie Mellon University becoming the first internet-connected appliance, able to
report its inventory and whether newly loaded drinks were cold. However, only in 1999 did the
field start gathering momentum. Bill Joy envisioned Device to Device (D2D) communication as
part of his "Six Webs" framework, presented at the World Economic Forum at Davos in 1999.3

3 https://en.wikipedia.org/wiki/Internet_of_things#cite_note-24

The term (IoT) became popular in 1999 after Kevin Ashton, who is considered the father of
the Internet of Things and a network trailblazer,4 introduced the radio-frequency identification
(RFID) concept. According to the Cisco Internet Business Solutions Group (IBSG), the Internet of
Things was born between 2008 and 2009, at simply the point in time when more things or objects
were connected to the Internet than people.5 In 2011, to address the limitation of IPv4 addresses
and to include all (IoT) devices in the future, IPv6 was introduced.
Nowadays, (IoT) is seen in the context of integrated location-based implementations such as smart
homes or smart cities.6 Whatever the application, it is clear that (IoT) use cases could extend
to nearly every aspect of our lives. Based on forecasts made by Gartner Inc. (a technology
research and advisory corporation), there will be approximately 20.8 billion devices on the (IoT) by
2020.7 Governments in developed countries have begun to increase their budgets for the
development of (IoT) technology and the implementation of smart cities. Generally, (IoT) has
brought a dynamic change to the world's social, technological and industrial fields, and
inanimate (IoT) devices will change the way we live and work.
(IoT) promises to create a world where all the objects (also called smart objects) around us are
connected to the Internet and communicate with each other with minimum human intervention.
The ultimate goal is to create a better world for human beings, where objects around us know
what we like, what we want, and what we need, and act accordingly without explicit instructions
[1].

4 https://newsroom.cisco.com/feature-content?articleId=1558161
5 http://www.cisco.com/web/about/ac79/iot/
6 "IEEE Smart Cities." IEEE, 2015. Web. 06 Sept. 2015. http://smartcities.ieee.org/
7 http://www.gartner.com/newsroom/id/3165317

Internet of Things integrates multiple wired and wireless communication, control, and IT
technologies, which connect various terminals or subsystems under a unified management
platform that employs open and standardized data presentation technologies.

2.1 Architecture of Internet of Things


The IoT can be divided into three important layers, i.e. Perception, Network and Application. As
shown in Fig.3, the perception layer (also called the recognition layer) gathers data/information
and identifies the physical world. The network layer is the middle one (also called wireless sensor
networks), which is accountable for the initial processing of data, broadcasting of data, assortment
and polymerization. The topmost application layer offers these services to all industries.
Among these layers, the middle network layer is also a "Central Nervous System" that takes
care of global services in the IoT, since it aggregates with the application layer above
and links to the perceptual layer below.
APPLICATION LAYER: Smart Environment, Smart Business, Smart e-health
NETWORK LAYER: 4G, 3G, 2G, WiFi, Satellite Access, GSM, ...
PERCEPTION LAYER: Sensor Network, RFID, M2M, Home network

Figure 1 (IoT) Architecture

Various basic networks, including mobile/private networks and wireless and wired networks, offer
and affirm the underlying connection. IoTs are set up in this new network which is composed
of business applications of networks [2].
Regarding the IoT protocol stack, as shown in Fig 3.b, from a PHY perspective, the current
IEEE 802.15.4-2006 PHY layer(s) suffice in terms of energy efficiency. Given that a large
number of IoT applications, however, will require only a few bits to be sent, it may be advisable
to commence looking into a standardized PHY layer which allows ultra-low rate

APPLICATION LAYER: IETF CoAP
TRANSPORTATION LAYER: IETF CoAP
NETWORK LAYER: IETF 6LoWPAN
MAC LAYER: IEEE 802.15.4e
PHYSICAL LAYER: IEEE 802.15.4-2006

Figure 2 (IoT) Protocol Stack

From a networking perspective, the introduction of the IETF 6LoWPAN protocol family has
been instrumental in connecting the low power radios to the Internet and the work of IETF
ROLL allowed suitable routing protocols to achieve universal connectivity. From the transport
layer and an application perspective, the introduction of the IETF CoAP protocol family has been
instrumental in ensuring that application layers and applications themselves do not need to be
re-engineered to run over low-power embedded networks [3].

2.2 Application of IoT


IoT is widely used in various application areas such as media, environmental monitoring,
infrastructure management, manufacturing, energy management, medical and healthcare
systems, building and home automation, and transportation systems. In the home, smart meters
can enable energy providers to analyze households' energy use, recognize issues with home
appliances, and enable users to be conscious of their energy use. On the street, sensors on a
vehicle can notify drivers about road conditions, and software updates can be carried out
wirelessly, reducing the need for consumers to visit the dealership. It is generally accepted that
the (IoT) will provide numerous other, and potentially radical, benefits to human beings.

3. Security and Privacy Concerns in (IoT)s


The IoT essentially is a network of real-world systems with real-time interactions. The initial
stage of (IoT) development is Machine to Machine (M2M), which has unique characteristics,
deployment contexts and subscription. Operation without human intervention is possible for long
periods of time over the wireless area network (WAN or WLAN). Though it provides improvements
in social efficiency, it creates an array of new problems concerning breach of privacy and
information security [8]. Various threats to the security of (IoT) are shown in Fig 12 below.

Security Concerns in (IoT)

Front-end Sensors & Devices: Unauthorized access to data; Threats to the internet; Denial of service attack
Network: Unauthorized access to data; Unauthorized access to service; Steal or change the communication information; Attacks and privacy analysis of M2M or contact information; Viruses or malware attacks; Attacks availability of M2M contact information; Network security
Back-End of IT Systems: Safety management of code resource; Replacement of operator

Table 1 Security Threats of (IoT)
3.1 Privacy Concerns in (IOT)s


3.1.1 Front-end Sensors and Devices
Front-end sensors and devices receive data through built-in sensors, then transmit the data
using modules or M2M devices, thus achieving networking services of multiple sensors. This
approach involves the security of machines with business implementation and node connectivity
[8].
Machine or perception nodes are mostly deployed in unmonitored scenarios. An
attacker can easily access these devices, which implies that damage or illegal actions on these
nodes are possible. Potential threats are analyzed and categorized as unauthorized access to data,
threats to the Internet and denial of service attacks.
3.1.2 Network
The network plays an important role, providing a more comprehensive interconnection capability,
effectiveness and economy of connection, as well as authentic quality of service in (IoT)s. Since
a large number of machines sending data leads to network congestion, the large number of nodes and
groups that exist in (IoT)s may result in denial of service attacks.
3.1.3 Back-end of IT Systems
Back-end IT systems form the gateway and middleware, which have high security requirements, and
gather and examine sensor data in real time or pseudo real time to increase business
intelligence. The security of an (IoT) system has seven major standards, viz. privacy protection,
access control, user authentication, communication layer security, data integrity, data
confidentiality and availability at any time.

3.2 Privacy Concerns in (IoT)s

The Internet security glossary [9] defines privacy as "the right of an entity (normally a person),
acting in its own behalf, to determine the degree to which it will interact with its environment,
including the degree to which the entity is willing to share information about itself with others".
Typically in (IoT)s, the environment is sensed by connected devices. They then broadcast the
gathered information and particular events to the server, which carries out the application logic.
This is performed over mobile and/or fixed communication.
Privacy should be protected in the device, in storage, during communication and at processing
which helps to disclose the sensitive information [10]. The privacy of users and the protection of
their data have been identified as one of the important challenges which need to be addressed in
the (IoT)s.

3.2.1 Privacy in Device


Sensitive information may be leaked in case of unauthorized manipulation or handling of
hardware and software in these devices. For example, an intruder can re-programme a
surveillance camera such that it sends data not only to the legitimate server, but also to the
intruder. Thus, for devices that gather sensitive data, robustness and tamper-resistance are
especially important. To ensure (IoT)s security, trusted computing technologies including device
integrity validation, tamper-resistant modules and trusted execution environments are useful.
To provide privacy in devices, several problems need to be addressed: the location privacy of
the device holder; non-identifiability, which means protecting the identification of the exact
nature of the device; protection of personal information in case of device theft or loss; and
resilience to side channel attacks. Location privacy in WSN is achieved by using the Multi-Routing
Random Walk algorithm [11] in the wireless sensors. Protection of display privacy and of
Personally Identifiable Information (PII) in case of device loss or theft could be achieved with
the QR code (Quick Response Code) technique [12]. For non-identifiability and side channel attacks,
adding randomness or noise, having synchronous CPUs, and using blinded values in calculations
could be used.
3.2.2 Privacy during Communication
To assure data confidentiality during the transmission of data, the most common approach is
encryption. Encryption on certain occasions adds data to packets which provides a way for
tracing, e.g. sequence number, IPsec Security Parameter Index, etc. These data may be
exploited to link packets of the same flow for traffic analysis. A secure communication
protocol could be the suitable approach [13].
During communication, pseudonyms can be used in place of the identity of devices or users
where encryption is not feasible, in order to decrease the vulnerability. One of the well-known
examples is the Temporary Mobile Subscriber Identity (TMSI). Devices should communicate if and
only if there is a need, to reduce the privacy disclosure induced by communication. In 3GPP
machine type communications, in order to avoid unnecessary collection of location information
by the network, the devices will detach from the network after a certain period of inactivity.
3.2.3 Privacy in Storage
For protecting the privacy of stored information, the following principles should be considered.

Only the least possible amount of information that is needed should be stored.

Personal information is retained only where it is mandatory.

Information is brought out on the basis of need-to-know.

To conceal the real identity tied to the stored data, pseudonymization and anonymization could
be used. Without disclosing any specific record, a database could allow access only to statistical
data (sum, average, count, etc.). Differential privacy [14], which adds noise to ensure that the
output (typically of aggregate queries) is independent of the absence or presence of a particular
record, could be the appropriate technique.
3.2.4 Privacy at Processing
This is mainly twofold. Firstly, personal data must be treated in a way that is
compatible with the intended purpose. Secondly, without the explicit acceptance and knowledge of
the data owner, their personal data should not be disclosed to or retained by third parties.
Considering the above two points, Digital Rights Management (DRM) systems [15] are most
suitable; they control the consumption of commercial media and defend against illegal
redistribution. Instead of exercising principles for commercial media, one can define privacy
policies for personal data in a rights object or license, which must be obeyed during
data processing. DRM requires trusted, secure devices to work efficiently and
effectively.
The user's permission and awareness are requirements for the distribution of personal data. User
notification helps to avoid abuse.
3.2.5 IoT Security Vulnerabilities
Security vulnerabilities in a particular device may facilitate attacks on the consumer's network to
which it is connected, or enable attacks on other systems. Vulnerabilities could enable
attackers to assemble large numbers of devices to use in such attacks. Another possibility is that a
connected device could be used to send malicious emails.
The Open Web Application Security Project's (OWASP) List of Top Ten Internet of Things
Vulnerabilities sums up most of the concerns and attack vectors surrounding this category of
devices8:

Insecure web interface
Insufficient authentication/authorization
Insecure network services
Lack of transport encryption
Privacy concerns
Insecure cloud interface
Insecure mobile interface
Insufficient security configurability
Insecure software/firmware
Poor physical security

8 https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014

In order to address those vulnerabilities, various IoT security considerations must be employed:
effective user account management, applying a web application firewall, advanced
authentication and password management, ensuring the security of network ports, applying advanced
encryption, minimizing collected data, securing cloud and mobile interfaces, secure login and
secure update.

3 Existing Security Measures


Among the existing security measures currently applied in IoT, in this report we state some of
them as follows:
1. Secure booting: When power is first introduced to the device, the authenticity and integrity
of the software on the device is verified using cryptographically generated digital signatures.
In much the same way that a person signs a check or a legal document, a digital signature
attached to the software image and verified by the device ensures that only the software that
has been authorized to run on that device, and signed by the entity that authorized it, will be
loaded. The foundation of trust has been established, but the device still needs protection
from various run-time threats and malicious intentions.
2. Access control: Next, different forms of resource and access control are applied. Mandatory
or role-based access controls built into the operating system limit the privileges of device
components and applications so they access only the resources they need to do their jobs. If
any component is compromised, access control ensures that the intruder has as minimal
access to other parts of the system as possible. Device-based access control mechanisms are
analogous to network-based access control systems such as Microsoft Active Directory: even
if someone managed to steal corporate credentials to gain access to a network, compromised
information would be limited to only those areas of the network authorized by those
particular credentials. The principle of least privilege dictates that only the minimal access
required to perform a function should be authorized in order to minimize the effectiveness of
any breach of security.
3. Device authentication: When the device is plugged into the network, it should authenticate
itself prior to receiving or transmitting data. Deeply embedded devices often do not have
users sitting behind keyboards, waiting to input the credentials required to access the
network. How, then, can we ensure that those devices are identified correctly prior to
authorization? Just as user authentication allows a user to access a corporate network based
on user name and password, machine authentication allows a device to access a network
based on a similar set of credentials stored in a secure storage area.
4. Firewalling and IPS: The device also needs a firewall or deep packet inspection capability
to control traffic that is destined to terminate at the device. Why is a host-based firewall or IPS
required if network-based appliances are in place? Deeply embedded devices have unique
protocols, distinct from enterprise IT protocols. For instance, the smart energy grid has its
own set of protocols governing how devices talk to each other. That is why industry-specific
protocol filtering and deep packet inspection capabilities are needed to identify malicious
payloads hiding in non-IT protocols. The device needn't concern itself with filtering
higher-level, common Internet traffic (the network appliances should take care of that), but it does
need to filter the specific data destined to terminate on that device in a way that makes
optimal use of the limited computational resources available.
5. Updates and patches: Once the device is in operation, it will start receiving hot patches and
software updates. Operators need to roll out patches, and devices need to authenticate them,
in a way that does not consume bandwidth or impair the functional safety of the device. It's
one thing when Microsoft sends updates to Windows users and ties up their laptops for 15
minutes. It's quite another when thousands of devices in the field are performing critical
functions or services and are dependent on security patches to protect against the inevitable
vulnerability that escapes into the wild. Software updates and security patches must be
delivered in a way that conserves the limited bandwidth and intermittent connectivity of an
embedded device and absolutely eliminates the possibility of compromising functional
safety.
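The signature check described under secure booting (item 1) and the authentication of updates (item 5) can share one verification routine. The following is an added example, not code from the report or from any vendor: the Image layout, the choice of Ed25519 and the demo keys are assumptions, and it goes one step beyond the text by also refusing updates that are not newer than the installed version.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("update is not newer than installed firmware")
)

// Image is a hypothetical firmware container (layout assumed for this example).
type Image struct {
	Version uint32
	Payload []byte // the code the device would execute
	Sig     []byte // vendor signature over signedBytes(Version, Payload)
}

// signedBytes binds a fixed tag, the version and a digest of the payload, so
// neither the code nor the version number can be changed after signing.
func signedBytes(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	digest := sha256.Sum256(payload)
	msg := append([]byte("FWIMG1"), v[:]...)
	return append(msg, digest[:]...)
}

// Sign runs on the vendor's build system; the private key never ships.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	sig := ed25519.Sign(priv, signedBytes(version, payload))
	return Image{Version: version, Payload: payload, Sig: sig}
}

// Device holds the vendor public key (in practice fixed in ROM or fuses).
type Device struct {
	RootKey   ed25519.PublicKey
	Installed uint32 // firmware version currently running
}

func (d *Device) verify(img Image) error {
	if len(d.RootKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(d.RootKey, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Boot checks the image before control would be handed to it.
func (d *Device) Boot(img Image) error { return d.verify(img) }

// ApplyUpdate authenticates the update first, then rejects downgrades.
func (d *Device) ApplyUpdate(img Image) error {
	if err := d.verify(img); err != nil {
		return err
	}
	if img.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = img.Version
	return nil
}

// demoKeys derives a throwaway key pair from a fixed seed byte (constructed).
func demoKeys(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys(0x42)
	dev := &Device{RootKey: pub, Installed: 1}
	v1, v2 := Sign(priv, 1, []byte("firmware v1")), Sign(priv, 2, []byte("firmware v2"))
	bad := v2
	bad.Payload = []byte("firmware v2 with extra code")
	fmt.Println(dev.Boot(v1), dev.ApplyUpdate(bad), dev.ApplyUpdate(v2), dev.ApplyUpdate(v1))
}
```

Because the version number is inside the signed bytes, relabelling an old image with a higher version fails the signature check rather than the version check.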

4 Proposed Security Measures


Securing IoT at a single point can play an important role in securing the Internet of Things;
however, unless all stakeholders in IoT communication take due responsibility and practice effective
security measures, IoT security will be impossible. Therefore, in order to be safe at all points and
to tackle related security threats, there must be collaboration between the stakeholders
involved in IoT communication.
In this report, as an effective and suitable security measure, we propose an approach presented
by the Internet Society9, i.e. the Collaborative Security Approach. With the collaborative security
approach, we can employ various security measures at any point, easily trace and tackle
any threats, and make the world safe.
Collaborative Security is an approach that is characterized by five key elements. These are
described below. (I.Society, April 2015)
1. Preserving opportunities and building confidence
2. Collective Responsibility
3. Security solutions should be fully integrated with rights and the open Internet
4. Security solutions need to be grounded in experience, developed by consensus and
evolutionary in outlook
5. Targeting the point of maximum impact: think globally, act locally
Generally, this approach can be effective if we use it in securing IoT and its users; therefore,
device manufacturers and developers must consider it in order to build their consumers' confidence.
In addition, stakeholders must take collective responsibility, integrate security solutions with the
important objectives of preserving the fundamental properties of the Internet, and follow an open,
consensus-based participatory approach, making existing solutions responsive to new
challenges and employing all-round thinking.

9 http://www.internetsociety.org/sites/default/files/CollaborativeSecurity-v1-0.pdf

5 Conclusion
(IoT) technology brings huge changes to everyone's everyday life. In the (IoT)s era,
short-range mobile transceivers will be implanted in a variety of daily requirements.
Connections and communications between people, and between objects, will grow
at any time and in any location. The efficiency of information management and
communications will rise to a new high level. The dynamic environment of (IoT)s introduces
unseen opportunities for communication, which are going to change the perception of computing
and networking. The privacy and security implications of such an evolution should be carefully
considered for this promising technology. The protection of data and privacy of users has been
identified as one of the key challenges in the (IoT).
In this survey, we presented the Internet of Things with its architecture and design goals. We
surveyed security and privacy concerns at different layers in (IoT)s. In addition, we identified
several open issues related to security and privacy that need to be addressed by the research
community to make a secure and trusted platform for the delivery of the future Internet of Things.
We also discussed applications of (IoT)s in real life. In future, research on the (IoT)s will remain
a hot issue. A lot of knotty problems are waiting for researchers to deal with.

REFERENCES
[1] C. Perera, A. Zaslavsky, P. Christen, and D. Georgakopoulos, "Context Aware Computing for The Internet of Things: A
Survey," IEEE Communications Surveys & Tutorials, 2013, pp. 1-41.
[2] G. Gang, L. Zeyong, and J. Jun, "Internet of Things Security Analysis," 2011 International Conference on Internet
Technology and Applications (iTAP), 2011, pp. 1-4.
[3] M. Palattella, N. Accettura, X. Vilajosana, T. Watteyne, L. Grieco, G. Boggia, and M. Dohler,
"Standardized protocol stack for the internet of (important) things," Proceedings of IEEE, 2012, pp. 118.
[8] D. Jiang and C. ShiWei, "A Study of Information Security for M2M of IoT," 3rd International
Conference on Advanced Computer Theory and Engineering (ICACTE), 2010, pp. 576-579.
[9] RFC 2828, Internet Security Glossary, May 2000, [Online]. Available: https://www.ietf.org/rfc/rfc2828.txt.
[10] Y. Cheng, M. Naslund, G. Selander, and E. Fogelström, "Privacy in Machine-to-Machine
Communications: A state-of-the-art survey," International Conference on Communication Systems
(ICCS), Proceedings of IEEE, 2012, pp. 75-79.
[11] L. Zhou, Q. Wen, and H. Zhang, "Preserving Sensor Location Privacy in Internet of Things," in Computational and
Information Sciences (ICCIS), Proceedings of IEEE, 2012, pp. 856-859.
[12] B. Tepekule, U. Yavuz, and A. E. Pusane, "Modern Kodlama Tekniklerinin QR Kod Uygulamalarına Yatkınlığı, On the Use
of Modern Coding Techniques in QR Applications," Proceedings of IEEE, 2013, pp. 1-4.
[13] M. Giannikos, K. Korina, N. Fotiou, G. F. Marias, and G. C. Polyzos, "Towards secure and context-aware information lookup
for the Internet of Things," in Computing, Networking and Communications (ICNC), Proceedings of IEEE, 2013, pp. 632-636.
[14] R. Hall, A. Rinaldo, and L. Wasserman, "Differential Privacy for Functions and Functional Data," Journal of Machine
Learning Research, 2013, pp. 703-727.
[15] E. Liu, Z. Liu, and F. Shao, "Digital Rights Management and Access Control in Multimedia Social
Networks," in Genetic and Evolutionary Computing, Springer International Publishing, 2014, pp. 257-266.
