
Downloads Brochure Fz25

The document discusses security and privacy concerns regarding data collected by Internet of Things (IoT) devices. It notes that while IoT allows for more efficient data collection, this data requires security as it is transmitted between connected devices. The major security risks include lack of confidentiality, as unauthorized users could access plaintext data, and lack of integrity, as data could be tampered with during transmission. The document proposes using encryption techniques like DES and Blowfish to protect confidentiality, and hash functions like SHA to verify integrity. It also discusses how man-in-the-middle attacks could allow hackers to access IoT devices in a smart home and capture plaintext data packets, emphasizing the need for encryption in IoT systems.

Uploaded by

Bikram Adhikari

Security and Privacy of Data in Internet of Things

Areej Mohyudin, Syeda Kisa Naqvi, Osama Sohail, Talha Naqash
Department of Computer Science, Bahria University, Islamabad, Pakistan

Abstract
Privacy breaching attacks are the major concern in the development and deployment of Internet of Things (IoT) based applications. Recent advancements tend to collect data and store it using sensor-based systems, IoT, data analytics and cloud computing, which make it possible to collect data more efficiently and effectively. However, such collection of data requires security for the connected devices. An overabundance of data increases the number of connected devices and the concern for security. In this paper a remedy is proposed to make the devices protected enough not to be intruded upon by unauthorized users and attacks when using Internet of Things (IoT) devices.

Keywords—Cloud computing, Internet of Things, Encryption, Decryption, Cipher Text.

I. INTRODUCTION

Everything in the current era is connected to the internet. There has never been a world as connected as the world today. The Internet of Things (IoT) connects objects to the internet, which then monitor and exchange data with each other without involving any human effort. According to a research, it is expected that in 2020, 50 billion objects will be connected and the number is already generated to 400 zettabytes. [11] Data protection is particularly difficult in internet-based devices, as it has become an essential part of every field. For example, among health care devices there are applications being deployed into the market which give details about the patient. A device has been launched into the market to monitor a patient on a daily basis; it is a small chip placed under the skin. Such devices are useful for regulating patients and for giving them first aid as soon as possible. There is a wide use of IoT based devices which are intelligent and are being used in industries, transportation, education and medicine, which gives rise to security concerns about data protection and privacy. There has been much research on the collection of data and statistics based on sensor-based systems, IoT, data analytics and cloud computing. The major concern for people now is that their data is not secure. The challenge is to make sure that the intelligent connected objects are secure and reliable, that the communication using these objects is protected in an uncontrolled environment, that communication between these devices is confidential, and that the users are authenticated while connected to the device, services and data without compromising their privacy.

There are many IoT based devices which lack efficient encryption methods. Many companies implemented IoT in their systems and later discovered that the text they were sending was plaintext and that it was easy for any intruder to capture the data. It was bad news for the organization because their data was confidential and anyone could have captured their data and analyzed it without them knowing. Lack of confidentiality is a major concern for all organizations, and after the advancements in IoT, cyber-attacks have increased dramatically. IoT uses various cameras, RFID equipment and GPS, capturing the behavior of humans and their physical signs, which include blood pressure, pulse, disease etc. Information gathering is increasing with the advancement in IoT. [12] Internet of Things (IoT) is a recent technology that permits users to connect anywhere, anytime, anyplace and to anyone. [8]

Fig 1.1 Devices connected in IoT

I. Security factors in IoT

A. Confidentiality
It must be ensured that IoT devices are accessed only by authorized people. Still, confidentiality is a major concern. A problem can also arise from misconfiguration of the wireless access point (WAP), or when a user chooses a weak password, meaning that he has not used a good combination of upper case, lower case, special characters and numbers. [14] This means that any encryption technique applied in the IoT device will still provide limited security due to the low strength of the password. Confidentiality can be achieved by algorithms like DES (Data Encryption Standard) and Blowfish.

B. Integrity
During the entire life cycle of the IoT system it is necessary that the data being transmitted within the IoT system remains unchanged. For instance, suppose a patient in a particular hospital is expecting some medical reports for further treatment, and those reports get tampered with during the connection so that the doctor treats the patient wrongly. This can cause the death of the patient due to the false information. Integrity in IoT can successfully be verified using hash functions such as SHA (Secure Hash Algorithm). [14]

II. Possible cyber-attacks in an IoT system:

What will happen if an attack is launched on a smart home built on IoT devices? It will definitely be bad news for the owner, because getting access to one of the devices will allow the intruder to access all the devices and control them. This attack is launched easily on the connected devices and is an example of a man-in-the-middle attack (MITM). [13] Consider a person named Adam who has bought a new remote IP camera which monitors all the actions of Adam when he is moving around in his home. A malicious hacker comes near the house with a device which can capture packets by sniffing, and further analyses the packets using tools like Wireshark. Adam can only protect himself from the attacks if his IoT system has followed some encryption methods. The process in which the intruder captures, analyses and then tampers with the communication link by any attack is called the man-in-the-middle attack.

There are various attacks now possible on IoT based systems, which are categorized in two types. One is passive and the other is active attack. Active attacks can easily hinder the system's functionality and can nullify the benefits of using its services, whereas passive attacks can recover information from the networks without affecting the behavior of the system. Active attacks, however, hinder the service provisioning directly. [15]
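The Integrity subsection names SHA for verification, and the man-in-the-middle scenario has the intruder tampering with traffic. The following added example (not from the paper; the report fields, key and function names are constructed for illustration) shows that a bare SHA-256 digest sent alongside a message catches accidental corruption but not modification in transit, because anyone can recompute it, while a keyed HMAC-SHA-256 tag catches both.

```python
import hashlib
import hmac
import json

# Constructed sample data: a medical report like the one in the Integrity example.
REPORT = {"patient": "P-001", "blood_pressure": "120/80", "pulse": 72}
# Hypothetical pre-shared key between sender and receiver (assumption).
SHARED_KEY = b"constructed-demo-key"


def encode(report):
    """Canonical byte encoding so both ends hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def seal_sha256(report):
    """Sender side, unkeyed: message plus plain SHA-256 digest."""
    body = encode(report)
    return {"body": body, "tag": hashlib.sha256(body).hexdigest()}


def check_sha256(packet):
    digest = hashlib.sha256(packet["body"]).hexdigest()
    return hmac.compare_digest(digest, packet["tag"])


def seal_hmac(report, key):
    """Sender side, keyed: message plus HMAC-SHA-256 tag."""
    body = encode(report)
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_hmac(packet, key):
    expected = hmac.new(key, packet["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, packet["tag"])


def corrupt(packet):
    """Accidental corruption: the body changes, the tag is left as it was."""
    return {"body": packet["body"].replace(b"120/80", b"120/8O"), "tag": packet["tag"]}


def modify_and_rehash(packet):
    """Modification in transit by a party without the key: the body is changed
    and the unkeyed SHA-256 is recomputed to match."""
    report = json.loads(packet["body"])
    report["blood_pressure"] = "90/60"
    body = encode(report)
    return {"body": body, "tag": hashlib.sha256(body).hexdigest()}


def run_demo():
    plain = seal_sha256(REPORT)
    keyed = seal_hmac(REPORT, SHARED_KEY)
    return {
        "sha256_detects_corruption": not check_sha256(corrupt(plain)),
        "sha256_detects_modification": not check_sha256(modify_and_rehash(plain)),
        "hmac_detects_corruption": not check_hmac(corrupt(keyed), SHARED_KEY),
        "hmac_detects_modification": not check_hmac(modify_and_rehash(keyed), SHARED_KEY),
        "hmac_accepts_untouched": check_hmac(keyed, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The only row that comes back False is the unkeyed digest against a modified and re-hashed message, which is the case the man-in-the-middle scenario describes.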
II. Related Work

IoT connects four main components, i.e. physical devices, humans, hardware, and software, which can communicate through a network. As things are connected among people and data is exchanged, the privacy issues of securing information are the leading and sensitive subject of much research work. IoT has a higher risk of vulnerable information and users. It gives attackers the opportunity to attack the databases. Research shows that many IoT vulnerabilities arise because of the lack of security systems in devices and businesses. Adoption of security techniques would help to prevent those issues. These techniques have been described in previous sections.

Data privacy requires access control to data, which keeps the information secure and protected. Early work on temporal and location-based access control today is very important. Such access control is referred to as context-based data-collection control [3]. Different terminologies [1] are used for access control, which include Radio Frequency Identification (RFID) and Role Based Access Control (RBAC). Data can also be collected through sensors, and that data is sent to the cloud to store data and information of users for keeping privacy and protection. A technique used to maintain privacy and security is the virtual sensor. The virtual sensor in sensor-cloud architecture [2] provides communication between heterogeneous computers and distributed systems. Multiple users can access that data through the virtual sensor without data duplication.

Three models have been suggested by different authors which gave a layered approach with different functionalities according to the number of layers. These are hardware, middle ware, application ware.

In the hardware layer, devices are identified and communication between systems is initialized [4]. Data is processed in this layer through wireless sensor networks and heterogeneous devices.

Middle-ware allows the creation of an adaption layer in a plug n play mode. There are many middle-ware domains, like Wireless Sensor Network (WSN) and Radio Frequency Identification (RFID), which support it.

I. Attribute Encryption:

An attribute-based system has the authority key of the sender and the receiver. The authority key first authenticates the sender key and then generates a public and private key for both the receiver and the sender. It can use four algorithms which include Encryption, Decryption, Setup and Keygen. In the initial stage the authority key generates the pair of public keys and the master key, which are based on some parameters initialized from the pairing cryptography. It keeps the private key with itself and distributes the public key. Further, the Keygen algorithm is run to generate the receiver's private keys. Then the Encryption and Decryption algorithm is run several times to prevent any person from attacking. In this work they have used KP-ABE and CP-ABE for the encryption purpose. In KP-ABE the cipher text is encrypted with the attributes, and the access policy to the data is embedded in the sender's private key. The data can only be accessed when the receiver's key is correct, and only then can he decrypt the data successfully. The following figure shows the concept of AES embedded in the IoT system. [16]

Fig 1.2 KP-ABE algorithm
Fig 1.3 CP-ABE

This paper proposes a solution to make data private and secure by general techniques which have been implemented already but are modified for further protection and privacy of data. The two major algorithms to keep data private and secure are encryption and decryption [5].

III. Proposed Structure for Unresolved Issue

The involvement of a massive population and the integration of several technologies within one huge network lead to a challenge of privacy, control, safety, security and hacking of personal data. It needs to be modified and to adapt new changes and functionalities for the betterment of security and privacy. The Internet is accessible by many users, so safety is critical. There are plenty of methods and technologies coming from various branches of science, be it software engineering, hardware technologies, IT professionals or data encryption and security. Data encryption is a technology where only the key holder gets access to the right information. Internet of Things requires trust, belief and assurance of these factors in privacy to be able to get the attention and attraction of people. [9] IoT threats for data privacy and control include:

• Software updating in case of viruses and bugs to be identified and removed.
• Secure hardware initialization.
• Secure reconfiguration.
• Access control.
• Peer trusting.
• Access control.
• Data protection.
• Authorization/authentication.
• Depersonalization of data.
• Denial of services
• Control and tracking of energy loss.

Keeping the context of data privacy and control, we come to the analysis of regular checking and tracking of data, as well as keeping passwords and keys to important data and changing them routinely, so that it can help to minimize the threats and fear of data hacking. The storage is done on cloud applications and sometimes on servers which are safe according to the makers, but data is vulnerable and all the operating details are insecure and are unknown to the key logger. The attacks which are possible on an IoT based application are:

• Operating System theft.
• Man-in-the-middle attack.
• Sniffing.
• Device hacked.

We propose that in an IoT based system where internet access is required to control the system and store data on the cloud, the data being received via the internet will be encrypted using the Data Encryption Standard algorithm. The data will then be transferred to a local server (database). The defined data (objects) include personal information of the user, for example: location, blood pressure, heart beat rate, temperature, camera positions in the place and all the other operational conditions. From the server the data is available to all the devices attached to it. Once the encrypted data has been received by the system, it is secure in the local server. Whenever the user accesses the IoT system, the data is fetched from the local database, decrypted in response to the user output, and sent to the controlling devices where the required action will be performed accordingly. The control system has sensors and actuators to execute the decrypted information received.
Algorithm:
function des_Encryption(M, K)
    where M = (L, R)
    M <- IP(M)                  // initial permutation
    for round <- 1 to 16 do
        Ki <- SK(K, round)      // round subkey from the key schedule
        L <- L xor F(R, Ki)
        swap(L, R)
    end
    swap(L, R)
    M <- IP^-1(M)               // inverse initial permutation
    return M
end

The mechanism of the above algorithm is that it uses the same private key, which is only shared between the local database and the user. The figure shows the flow chart of the DES algorithm.

Figure 1.5 Flow chart of DES algorithm

Whenever the user enters the IoT based environment, he has to enter his identification to make sure that it is the known user and real owner who wants to enter. A random code will be generated for his email address or password which will allow the user to fill the missing digits in his email address or password. The other way can be that the user will have to enter any combination of his password rather than entering the whole password. By entering such a type of password, the man-in-the-middle attack is still possible, but it will take time for the intruder to understand the right combination of the password.

Figure 1.4 Sample Program for entering password combination

In figure 1.4 we can see the prototype of the password authentication via a secure method. [10] This is one efficient approach to improve the security of the login for the user in the IoT environment. The pattern requires fewer digits to enter, and whenever the number of variables matches the combination, the user is logged in to the IoT environment. We will be using the same local database which was required for the IoT system for the encryption and decryption purpose. Therefore, the login system will also be using the Data Encryption Standard (DES) algorithm for encrypting the login information. There can be additional features in the system, such that in IoT the user can have multiple passwords for his login. Each login allows the user to access certain functions in the environment. This will allow the user to get access specifically to what is required for him. Firewalls and gateways can also be added into the system to make the system more secure.

Figure 1.6 System encryption flow
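The round structure of the des_Encryption pseudocode above (16 rounds of L <- L xor F(R, Ki) followed by a swap, then one final swap) is a Feistel network, and the same routine decrypts when the subkeys are applied in reverse order, which is why one shared key serves both ends. The following is an added example, not the paper's code and not DES itself: the round function and key schedule are SHA-256 stand-ins chosen for illustration, the permutations IP and IP^-1 are omitted, and all names are assumptions.

```python
import hashlib

ROUNDS = 16  # same round count as the pseudocode
HALF = 4     # bytes per half, giving a 64-bit block as in DES


def subkeys(key: bytes):
    """Stand-in for SK(K, round); this is NOT the DES key schedule."""
    return [hashlib.sha256(key + bytes([r])).digest()[:HALF]
            for r in range(1, ROUNDS + 1)]


def round_f(right: bytes, k: bytes) -> bytes:
    """Stand-in for F(R, Ki); this is NOT the DES expansion/S-box function.
    A Feistel round function does not need to be invertible."""
    return hashlib.sha256(right + k).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, keys) -> bytes:
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        left = xor(left, round_f(right, k))  # L <- L xor F(R, Ki)
        left, right = right, left            # swap(L, R)
    left, right = right, left                # final swap undoes the last one
    return left + right


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Identical routine; only the subkey order is reversed.
    return feistel(block, subkeys(key)[::-1])


if __name__ == "__main__":
    key = b"constructed shared key"   # constructed sample key
    reading = b"BP120/80"             # constructed 8-byte sensor reading
    ct = encrypt_block(reading, key)
    print(ct.hex(), decrypt_block(ct, key))
```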

The major concern in IoT is the middle man attack, in which any intruder can bring his device, sniff the internet packets and extract the user's personal information using tools like Wireshark. We have discussed how we can secure the IoT system using the local database and the DES algorithm. On the other hand, we have shown concern for the login system for the user. For more security it is mandatory for the user to use at least 12 characters, and the password must contain upper case and lower case. The password also uses some special characters and at least one number digit. The more digits we add to the password, the more difficult it will be for the middle man to attack. lowercase = 26, uppercase = 26, special character = 8, number = 10. If the password is mixed and is set using these 60 character's combinations, [10] it will not be an easy task for the intruder to break the password.

IV. CONCLUSION

Internet of Things (IoT) involves an enormous amount of applications that are being used in the modern era, making objects and things smart. IoT based systems and their users are increasing rapidly, and there are a lot of people who are developing such systems for their use. In this paper we have discussed privacy and control with respect to data encryption and software engineering for hardware systems to keep data from being hacked. Internet of Things is an evolution for the development era. Like any other system, it has issues and threats that can be overcome by various methods and techniques discussed in this paper, including [6] enabling sensors and data owners to assess the privacy of data sharing. This technique is a generic scheme and can be adapted to different types of time-series pair of sensors data-based applications. [7] Privacy aware software engineering is continuously aiming to become critical for IoT based systems. Cryptographic protocols and engineering of software applications are a sensitive and critical subject for privacy assurance. As a solution to protect against attackers and hackers, we need to make sure to store our data on local servers using the Blocked chain (DES) algorithm, which will help encrypting the storage from cloud based to local servers. Further, we will allow the user to use his password in a unique way, that is, by filling the missing digits. Any combination of the user's password will grant him access to his credentials.

Intelligent interface and integrated system into a network of information is the base. Privacy, security and safety is the biggest challenge for Internet of Things. [8] The Radio Frequency Identification technique and the related technologies make the concept of IoT feasible and trustworthy. The main concept of this technology is to provide self-aware/self-autonomous devices with a smart environment. The future of Internet of Things lies within authorization/authentication to the culture of hundreds and thousands of devices forming a network around the globe.

REFERENCES

[1] Abomhara, M., & Køien, G. M. (2014, May). Security and privacy in the Internet of Things: Current status and open issues. In Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on (pp. 1-8). IEEE.
[2] Vermesan, O., Friess, P., Guillemin, P., Sundmaeker, H., Eisenhauer, M., Moessner, K., ... & Cousin, P. (2013). Internet of things strategic research and innovation agenda. River Publishers Series in Communications, 7.
[3] Bertino, E. (2016, December). Data privacy for IoT systems: concepts, approaches, and research directions. In Big Data (Big Data), 2016 IEEE International Conference on (pp. 3645-3647). IEEE.
[4] Kakanakov, N., & Shopov, M. (2017, May). Adaptive models for security and data protection in IoT with Cloud technologies. In 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (pp. 1001-1004). IEEE.
[5] Wang, X., Zhang, J., Schooler, E. M., & Ion, M. (2014, June). Performance evaluation of attribute-based encryption: Toward data privacy in the IoT. In Communications (ICC), 2014 IEEE International Conference on (pp. 725-730). IEEE.
[6] Abomhara, M., & Køien, G. M. (2014, May). Security and privacy in the Internet of Things: Current status and open issues. In Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on (pp. 1-8). IEEE.
[7] Ukil, A., Bandyopadhyay, S., & Pal, A. (2014, April). Iot-privacy: To be private or not to be private. In Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on (pp. 123-124). IEEE.
[8] Pawar, A. B., & Ghumbre, S. (2016, December). A survey on IoT applications, security challenges and counter measures. In Computing, Analytics and Security Trends (CAST), International Conference on (pp. 294-299). IEEE.
[9] Kakanakov, N., & Shopov, M. (2017, May). Adaptive models for security and data protection in IoT with Cloud technologies. In 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (pp. 1001-1004). IEEE.
[10] Sohail, O., & Naqash, T. (2018, April). Anti-theft cloud application for android operating system (Nougats). In 2018 IEEE International Conference on Applied System Invention (ICASI) (pp. 321-324). IEEE.
[11] Nzabahimana, J. P. (2018, May). Analysis of security and privacy challenges in Internet of Things. In 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies (DESSERT) (pp. 175-178). IEEE.
[12] Lu, X., Li, Q., Qu, Z., & Hui, P. (2014, October). Privacy information security classification study in internet of things. In Identification, Information and Knowledge in the Internet of Things (IIKI), 2014 International Conference on (pp. 162-165). IEEE.
[13] Bandyopadhyay, S., Sengupta, M., Maiti, S., & Dutta, S. (2011). Role of middleware for internet of things: A study. International Journal of Computer Science and Engineering Survey, 2(3), 94-105.
[14] Nzabahimana, J. P. (2018, May). Analysis of security and privacy challenges in Internet of Things. In 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies (DESSERT) (pp. 175-178). IEEE.
[15] Abomhara, M., & Køien, G. M. (2014, May). Security and privacy in the Internet of Things: Current status and open issues. In Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on (pp. 1-8). IEEE.
[16] Wang, X., Zhang, J., Schooler, E. M., & Ion, M. (2014, June). Performance evaluation of attribute-based encryption: Toward data privacy in the IoT. In Communications (ICC), 2014 IEEE International Conference on (pp. 725-730). IEEE.
