
Security and privacy in the Internet of Things: threats and challenges

  • Special Issue Paper
  • Journal: Service Oriented Computing and Applications

Abstract

In the past few years, the Internet of Things (IoT) has emerged, grown and gradually affected the daily lives of human beings in many new application domains, ranging from wearable devices and smart manufacturing to smart homes and ambient intelligence, to mention just a few. However, realizing the full potential of IoT while ensuring user security and privacy remains an open research challenge. Existing security solutions and techniques are mainly conceived for centralized and distributed information systems and are not directly applicable to IoT-based systems. In fact, IoT systems have unconventional characteristics such as intermittent connectivity, high scalability, dynamic change and limited resources, and thus require a paradigm shift to develop innovative security and privacy solutions. In this survey, we first give an overview of security and privacy in IoT. After defining the context of IoT systems, we identify four main characteristics that pose unprecedented threats and challenges to existing security solutions and techniques. From the perspective of these characteristics and of IoT security requirements, we identify and elaborate specific threats and challenges related to radio-frequency identification (RFID), wireless sensor networks (WSNs) and mobile delay tolerant networks (MDTNs), which are building blocks of many IoT-based systems. In addition, we discuss potential countermeasures to handle IoT threats and challenges.



Funding

This research work is supported by the IndustryXchange seed grant, Pennsylvania State University, and by the Research Council (TRC), Sultanate of Oman (Block Fund-Research Grant).

Author information

Contributions

Y.B. initiated the research. X.Z. wrote the original draft. Y.B. wrote, reviewed, edited and prepared the revised versions. Y.B. and X.Z. contributed equally. M.A. wrote, reviewed and prepared the final version. All authors have read and agreed to the published version of the manuscript.

Corresponding author

Correspondence to Youakim Badr.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


About this article


Cite this article

Badr, Y., Zhu, X. & Alraja, M.N. Security and privacy in the Internet of Things: threats and challenges. SOCA 15, 257–271 (2021). https://doi.org/10.1007/s11761-021-00327-z
