Privacy in the Internet of Things (IoT)

IoT is the next iteration of the internet that will incorporate human users as well as objects. Smart objects are capable of sharing information with human users, other smart objects, and the cloud in an IoT setup (Shammar & Zahary, 2019). Sensors placed on objects (smart objects) such as vehicles and conveyor belts collect vital decision-making data and send the data to the cloud in real-time. The data is acted upon by algorithms to produce output that is essentially instruction protocols that optimize the processes under consideration. At its core, IoT deals with huge amounts of data while also drawing in a multitude of users. Notably, IoT networks remain particularly vulnerable to security and data breaches. At the same time, there are several solutions that have been applied with varying success to this problem. This literature review interrogates existing literature to ascertain that data privacy problems in IoT systems are a result of security deficiencies inherent to IoT.

Purpose of the Study

The goal of this study is to narrow down the data privacy problem in IoT. The study will show a theoretical connection between security issues in IoT and data privacy concerns. Lastly, the potential impacts and solutions to the IoT data privacy problem will be proposed, and in particular, the union between Blockchain technology and IoT systems in a synergetic relationship that bolsters data safety.

Significance of the Study

IoT provides solutions for firms’ operations across all industries as automation takes over processes and value chains. It is a key driver of the fourth industrial revolution due to its considerable upside and utility. Nižetić et al. (2020) point out that by the year 2030, more than 125 billion devices will be connected to an IoT device. The application of IoT is evident in self-driving cars, virtual assistant technologies in smartphones, and remote fleet tracking applications (Avital et al., 2019). While increased implementation of IoT systems promises greater operational efficiency and reduction of wastage and downtime, there is overbearing uncertainty over whether users’ data remains safe in such a centralized system. Khan and Salah (2018) note that data privacy is a major vulnerability point for IoT due to the varied devices integrated into one network. This study adds to the existing literature by detailing how IoT systems can respond to the threat of data privacy breaches for firms in the commerce industry. It increases attention to the inherent vulnerabilities of an IoT system and how they can be exploited during data privacy breaches.

Data Privacy Breaches

Because devices in an IoT system are perpetually connected to the internet, the network is increasingly susceptible to attacks from outside sources. Balaji et al. (2019) argue that IoT users must be convinced that their data is safe within an IoT network. Elgazzar et al. (2022) add that privacy concerns “hinder IoT from reaching its full potential”. Personal information is most at risk of being illegally accessed and misused within an IoT system. Gunathilake et al. (2022) describe the transmission of personal information between IoT devices as “opaque” and, therefore, untrustworthy. On the other hand, Panchiwala and Shah (2020) highlight the perception problem of IoT fostered by data privacy concerns in the public domain. Potential loss of data privacy was ranked first in a list of disadvantages of IoT (Balaji et al., 2019). Data privacy concerns of IoT are therefore well documented and warrant particular investigation.

Some of the devices within an IoT network contain personal and confidential information. Liao et al. (2020) note that the smartphone is of vital importance to IoT owing to its ability to link to both the cloud and other devices within the IoT network. Additionally, smartphones are the nodes of the IoT that have sensors for human biometric information such as fingerprints and digital signatures. A compromised IoT network could potentially reveal personal information to external parties (Mohamed, 2019). Moreover, the evidence of an illicit alliance between device vendors and data brokers means there is an elevated risk of leaked personal data falling into the hands of nefarious elements (Elgazzar et al., 2022). However, Liao et al. (2020) note that smartphones themselves are relatively secure and cannot be easily hacked into as an entry point into an IoT network. Other IoT devices are the main source of concern, especially as they have constrained resources in terms of security and storage features (Khan & Salah, 2018).

Private data within an IoT network is particularly vulnerable during transmission. Notably, IoT networks commonly use IP addresses as their transport layer and, in particular, IPv6 network addresses. These IP addresses require specific security systems such as Datagram TLS (DTLS) to ensure that communication within a network is end-to-end encrypted (Elgazzar et al., 2022). Unfortunately, most in-use IoT devices are not capable of supporting this transport layer security. In such cases, the data is sent unencrypted and is particularly prone to outside access. In a Man-in-the-Middle (MITM) attack, an external miscreant element enters the IoT network and obtains a position between two communicating devices (Khan & Salah, 2018). Where the data is not encrypted, it can be pilfered and potentially used to further identity theft. In the course of transmission, private data can be captured, modified, and deleted within the system (Khan & Salah, 2018). Moreover, breached privacy data can be used to flood the system, whereby hackers access users’ private data and cause it to autogenerate users in real-time. These pseudo-users within the IoT add to the traffic by creating their demands on the system. This can easily cause the entire IoT network to collapse or for private user data to become increasingly obscured by alterations to the point it is unusable.

In commerce settings, loss of privacy can result in the loss of sensitive data. IoT is commonly used in the connection of suppliers to firm warehouses to transport to consumers. Each member of the IoT network shares data with their peers regarding their metrics, such as stock level, projected sales, delivery time, and consumer orders (Nižetić et al., 2020). The data is acted upon by algorithms and used to inform real-time decisions. Third parties accessing this information can gain access to proprietary information regarding the goods. Nižetić et al. (2020) note that product integrity can be lost in IoT systems. Third parties accessing confidential business information can use it to develop counterfeit brands to the detriment of the proprietor firm. Omolara et al. (2022) note that sensitive information, such as votes in a digital election, can potentially be accessed and used to create political profiles of persons, thus affecting their social and economic standing.

Vulnerabilities within an IoT Network

Inadequate access restriction to devices is a major vulnerability within IoT networks. In particular, physical access to devices connected to an IoT network is not adequately restricted, especially for devices such as smartphones. Most IoT networks have a common password to which all users in the network gain access. This creates a single layer of protection from the threat of unauthorized entry into the IoT network (Langkemper, n.d.). Once one smartphone is accessed by a malicious party, the malicious party can easily access all the devices within the network. This is made possible by the interoperability of countless devices as a prerequisite for IoT (Elgazzar et al., 2022). For instance, in a smart factory, both a perimeter security sensor and a security officer’s watch can automatically authorize the opening or closure of the main gate. Thus, accessing one of the interoperable devices can give access to many other devices.

Another source of vulnerability for IoT networks is having a large attack surface. The large attack surface exists in the form of overt exposure to the internet, where many threats lurk. The more a network is exposed to the internet, the more the possibility of external infiltration and hence the larger the attack surface (Langkemper, n.d.). Moreover, IoT systems rely on a multitude of users and sensor nodes, each of which can unknowingly facilitate the entry of malicious elements into the system. Due to the scale of an IoT system, miscreant elements with unauthorized entry can perpetrate a lot of damage ranging from flooding the system to deleting and pilfering user data. Thus, every component of an IoT network can potentially be attacked by miscreant elements, which similarly increases the attack surface.

Another potential vulnerability within an IoT network is the transfer of unencrypted data between devices. MITM attacks can be fairly easy to execute against IoT networks whereby an unauthorized third party enters the network and positions itself between two devices in the network (Langkemper, n.d.). If the data being exchanged is not encrypted, the “MITM” can easily access it. Balaji et al. (2019) note that the “Man in the Middle” is essentially a hacker seeking to intercept, modify and delete messages between devices in an IoT network. In some cases, the MITM is after the data between the devices and, in particular, potentially important personal data such as credit card numbers. In other cases, the MITM seeks to learn of the specific vulnerabilities of the IoT network to completely cripple its operations, as in a flooding attack or a Denial of Service (DoS) attack targeting key sensors.

Using outdated software within an IoT network can create and maintain a vulnerability that should have otherwise been eliminated in an update. Elgazzar et al. (2022) note that device vendors routinely withdraw technical and operational support to devices after a given period. Liao et al. (2020) point out that lagging behind updates can cause IoT devices to become increasingly “fragile”. Such withdrawals mean that the device is no longer supplied with firmware updates and patches addressing the most emergent threats in the cybersecurity sphere. Moreover, some sensors that detect and transmit data between devices in an IoT network are not designed to update their software automatically and must rely on the intervention of a technician (Liao et al., 2020). These sensors contribute to the vulnerability of the IoT to the latest malware. Khan and Salah (2018) note that where a regular update is possible, devices within an IoT should only access verified update files from a secure server. If one component of an IoT network is not safeguarded by the latest defenses, it is likely to facilitate the entry of malicious elements.
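The checks a device can run before installing an update file, as an added example that is not part of the original paper. The manifest layout, function names and device model are assumptions, and HMAC-SHA256 stands in for a vendor signature because the Python standard library has no asymmetric signatures.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 stands in for the vendor's signature. A real device
# would hold only a public key and verify an asymmetric signature instead.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest, key):
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_release(image, version, model):
    """Vendor side: describe an image and authenticate the description."""
    manifest = {
        "model": model,
        "version": list(version),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return manifest, sign_manifest(manifest, VENDOR_KEY)


def check_update(manifest, tag, image, installed_version, model, key=VENDOR_KEY):
    """Device side: return 'accept' or the reason the update is refused."""
    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "reject: manifest not authentic"
    # 2. The image must be the exact bytes the vendor described.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return "reject: image digest mismatch"
    # 3. Firmware built for other hardware is refused.
    if manifest["model"] != model:
        return "reject: wrong device model"
    # 4. Anti-rollback: an authentic but older release is still refused.
    if tuple(manifest["version"]) <= tuple(installed_version):
        return "reject: not newer than installed firmware"
    return "accept"


if __name__ == "__main__":
    image = b"constructed firmware image 1.4.0"
    manifest, tag = make_release(image, (1, 4, 0), "temp-sensor-v2")
    print(check_update(manifest, tag, image, (1, 3, 2), "temp-sensor-v2"))
    print(check_update(manifest, tag, image + b"\x00", (1, 3, 2), "temp-sensor-v2"))
```

The rollback check matters for the outdated-software problem described above: without it, a genuine but superseded update file would pass verification and reintroduce flaws that a later release had removed.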

Potential Impacts of Data Privacy Breaches

Data privacy breaches can jeopardize users’ trust in IoT, leading to apathy and slow uptake and implementation of IoT systems. Elgazzar et al. (2022) note that users accessing IoT through an application often consent to various terms and conditions. Most users reasonably expect that their information will not be pilfered after they voluntarily share it with others in an IoT setting (Shammar & Zahary, 2019). Data breaches are, therefore, likely to be interpreted as IoT not respecting user boundaries and conditions of engagement. The loss of data privacy is likely to result in the public perceiving IoT technology as a concept that is not rooted in the integrity and confidentiality of data and, therefore, untrustworthy (Liao et al., 2020). For firms in the business industry, this can greatly hinder the uptake of an IoT system by other users, particularly consumers, constituting other nodes in the system. Slower uptake of IoT networks translates into the delayed conferment of benefits of IoT to the business.

In addition to reducing user confidence in IoT, data privacy breaches can result in costly legal suits for a business. Alenezi et al. (2019) propose that it is possible to carry out digital forensics on IoT devices or networks that have been sabotaged through a malicious cyber attack. Moreover, it will be possible to detail and document the findings of a digital forensics engagement such that culpability can be rightfully placed. With this in mind, it is possible for businesses to be dragged into lengthy suits if the chain of custody, as presented before the law by forensic experts, places any blame on the business (Alenezi et al., 2019). Such suits are likely to drain a business’s resources and time and occasion reputational damage to its brand. This is especially the case where the business utilizing or providing the IoT network has expressly committed to protecting the user against data breaches and other adverse events. Businesses keen to avoid such pitfalls while still enjoying the benefits of IoT must learn how to circumvent the weaknesses of IoT. Businesses may also have to engage qualified experts in digital forensics and lawyers as part of a precautionary stance against lawsuits stemming from malpractices within their IoT network.

Potential Solutions

Most literature examined in this review points to Blockchain as a potential solution to most of the data privacy concerns facing IoT. Avital et al. (2019) predict “a convergence” between Blockchain technology and IoT networks. Notably, Blockchain is the underlying security architecture for Bitcoin and has therefore been tested for a prolonged period (Khan & Salah, 2018). A Blockchain is a shared and non-alterable digital ledger that contains a time-stamped record of deals across a peer-to-peer (P2P) network. Blockchain transactions are encrypted, and access requires the production of strong cryptographic evidence. Additionally, Blockchains are immutable, and data contained therein cannot be changed or deleted. Blockchain utilizes smart contracts, which can easily be adapted to IoT. A smart contract is a self-executing set of instructions that are added to the Blockchain by the user (Khan & Salah, 2018). Once the instructions, often a monetary transaction, are executed, the transaction is permanently recorded in the Blockchain ledger. Rejeb et al. (2022) note that IoT devices can send information to a separate Blockchain-based server that can only be accessed by authorized stakeholders within the network. This could potentially safeguard the data from access by third parties and thereby protect user data from pilferage.
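The hash-linking that makes such a ledger tamper-evident, as an added example that is not part of the original paper. It is a single-node sketch with no consensus protocol or encryption; the field names, device names and readings are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first block


def block_hash(body):
    """SHA-256 over a canonical JSON encoding of a block body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(chain, device_id, reading, timestamp):
    """Append a time-stamped record that commits to the previous block's hash."""
    body = {
        "index": len(chain),
        "timestamp": timestamp,
        "device_id": device_id,
        "reading": reading,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append({**body, "hash": block_hash(body)})
    return chain[-1]["hash"]  # new head; peers keep their own copy of this


def audit(chain, trusted_head):
    """Return None if the chain is intact, else a string naming the problem."""
    prev = GENESIS
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["prev_hash"] != prev:
            return f"block {i}: broken link"
        if block_hash(body) != block["hash"]:
            return f"block {i}: contents changed"
        prev = block["hash"]
    # A rewritten or truncated chain can be self-consistent; its head is not.
    return None if prev == trusted_head else "head mismatch"


def build_sample():
    """Constructed warehouse sensor readings (not real data)."""
    chain = []
    append(chain, "shelf-sensor-01", {"sku": "A100", "stock": 40}, 1700000000)
    append(chain, "dock-scanner-02", {"sku": "A100", "delivered": 25}, 1700000060)
    head = append(chain, "shelf-sensor-01", {"sku": "A100", "stock": 65}, 1700000120)
    return chain, head


def tamper(chain, rehash):
    """Edit one stored reading; optionally recompute hashes from there on."""
    forged = copy.deepcopy(chain)
    forged[1]["reading"]["delivered"] = 5
    if rehash:
        for i in range(1, len(forged)):
            forged[i]["prev_hash"] = forged[i - 1]["hash"]
            body = {k: v for k, v in forged[i].items() if k != "hash"}
            forged[i]["hash"] = block_hash(body)
    return forged


if __name__ == "__main__":
    chain, head = build_sample()
    print([audit(c, head) for c in (chain, tamper(chain, False), tamper(chain, True))])
```

The second tampering case shows why the ledger has to be shared: a party that controls the only copy can recompute every hash, and the change is caught only because other peers hold the original head.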

Increasing dependence on mobile phones within the IoT network for security operations is another possible solution to the security and privacy problem. IoT devices and, in particular, sensors are, as stated earlier, highly vulnerable owing to their inability to contain security and storage features (Liao et al., 2020). Smartphones currently provide a relay between low-function IoT devices and cloud databases. Liao et al. (2020) note that smartphones can additionally provide secure end-to-end encryption and relay of data for low-function devices communicating with cloud servers. The smartphones would have to employ Bluetooth Low Energy (BLE) technology, which is additionally recommended for its energy efficiency compared to other wireless connectivity networks (Nižetić et al., 2020). Chander and Kumaravelan (2020) note that smartphones are ubiquitous in the general population and should therefore be leveraged by IoT. One possible setback to this solution is smartphone users who turn off their phone’s GPS or internet connectivity and thus preclude it from being used as an encryption and relay pod in an IoT system (Gunathilake et al., 2022). There is, therefore, a need for smartphone users willing to give IoT permission to use their devices for encryption.

Part of the solution for IoT systems is businesses increasing their investment in IoT cybersecurity. Gunathilake et al. (2022) note that the increased reliance of industries on Industrial IoT (IIoT) means that security risks cannot be allowed to persist due to the setbacks they can cause. Kuzlu et al. (2021) point out that one way IoT systems can defend themselves is through seemingly costly Artificial Intelligence (AI) whereby machines invariably learn how to detect and defend against cyber attacks. One of the ways that businesses will attempt to plug the security gaps in IoT is by hiring additional IT specialists and cybersecurity gurus. Elgazzar et al. (2022) note that the demand for highly skilled specialists to address problems in IoT is likely to exert significant strain on the bottom line. Khan and Salah (2018) highlight that IoT is propped up by a myriad of heterogeneous structures that may ultimately require the development of a standard security protocol, a process that is likely to consume significant time and resources.

Conclusion

In conclusion, data privacy is a problem that IoT as a concept must address to attain widespread acceptability going forward, especially for human users. Moreover, IoT places personal and confidential data in an accessible range for a multitude of parties and can therefore increase the possibility of important data leaking. For a business, data privacy breaches can be grounds for prosecution, especially where the data ought to be protected. Moreover, data privacy breaches can destroy the reputation of the IoT and associated businesses. The possible integration of Blockchain in IoT systems means that some of the cyber security concerns in an IoT system can be adequately covered. An expanded role for smartphones can also contribute to the diminution of some of the mentioned data security and privacy risks.

References

Alenezi, A., Atlam, H., Alsagri, R., Alassafi, M., & Wills, G. (2019). IoT forensics: A state-of-the-art review, challenges and future directions. Proceedings of the 4th International Conference on Complexity, Future Information Systems and Risk. Web.

Avital, M., Dennis, A. R., Rossi, M., Sørensen, C., & French, A. (2019). The transformative effect of the internet of things on business and society. Communications of the Association for Information Systems, 44(1), 129–140. Web.

Balaji, S., Nathani, K., & Santhakumar, R. (2019). IoT technology, applications and challenges: A contemporary survey. Wireless Personal Communications, 108, 363–388. Web.

Chander, B., & Kumaravelan, G. (2020). Internet of things: Foundation. In: Peng, SL., Pal, S., Huang, L. (Eds.), Principles of internet of things (IoT) ecosystem: Insight paradigm (pp. 3-33). Springer.

Elgazzar, K., Khalil, H., Alghamdi, T., Badr, A., Abdelkader, G., Elewah, A., & Buyya, R. (2022). Revisiting the internet of things: New trends, opportunities and grand challenges. Frontiers in the Internet of Things, 1. Web.

Gunathilake, N. A., Al-Dubai, A., & Buchanan, W.J. (2022). Internet of things: Concept, implementation and challenges. In: Dahal, K., Giri, D., Neogy, S., Dutta, S., Kumar, S. (Eds.), Internet of things and its applications (pp. 145-155). Springer.

Khan, M. A., & Salah, K. (2018). IoT security: Review, Blockchain solutions, and open challenges. Future Generation Computer Systems, 82, 395–411. Web.

Mohamed, K. S. (2019). The era of internet of things: Towards a smart world. Springer International Publishing.

Kuzlu, M., Fair, C., & Guler, O. (2021). Role of artificial intelligence in the internet of things (IoT) cybersecurity. Discover Internet of Things, 1(1). Web.

Langkemper, S. (n.d.). The most important security problems with IOT devices. Eurofins. Web.

Liao, B., Ali, Y., Nazir, S., He, L., & Khan, H. U. (2020). Security analysis of IoT devices by using mobile computing: A systematic literature review. IEEE Access, 8, 120331–120350. Web.

Nižetić, S., Šolić, P., López-de-Ipiña González-de-Artaza, D., & Patrono, L. (2020). Internet of Things (IoT): Opportunities, issues and challenges towards a smart and sustainable future. Journal of Cleaner Production, 274, 122877. Web.

Omolara, A. E., Alabdulatif, A., Abiodun, O. I., Alawida, M., Alabdulatif, A., Alshoura, W. H., & Arshad, H. (2022). The internet of things security: A survey encompassing unexplored areas and new insights. Computers & Security, 112, 102494. Web.

Panchiwala, S., & Shah, M. (2020). A comprehensive study on critical security issues and challenges of the IoT world. Journal of Data, Information and Management, 2. Web.

Rejeb, A., Rejeb, K., Zailani, S. H. M., & Abdollahi, A. (2022). Knowledge diffusion of the internet of things (IoT): A main path analysis. Wireless Personal Communications, 126. Web.

Shammar, E. A., & Zahary, A. T. (2019). The internet of things (IoT): A survey of techniques, operating systems, and trends. Library Hi Tech, 38(1), 5–66. Web.

Cite this paper

Premium Papers. (2024, April 3). Privacy in the Internet of Things (IoT). https://premium-papers.com/privacy-in-the-internet-of-things-iot/
