ADVANCE REQUIREMENT ENGINEERING

Research Paper
Submitted To: Dr Shahid N Bhatti
Abdul Basit Shahzad Enrollment No: 01-241182-002

11/17/2018

.
 Security Requirements and Privacy Issues in Internet of Things

Abdul Basit Shahzad

Department of Computer Science
Bahria University Islamabad

Abstract – There are large number of IoT devices

Now a day’s Internet of Things (IoT) are rapidly
deploying in the real world. This rapid
deployment of IoT devices including smart
watches, sensors and other embedded devices
lead to a serious problem of security and privacy.
Some of these devices are vulnerable to attacks
hence privacy is compromised. Security of the
IoT devices is very critical because it may
physically harm or even take a life of someone.
The purpose of this study is to provide detail
knowledge of challenges of IoT device’s privacy
and the security requirements mixed with quality
attributes, need to be considered at earlier stage
in order to avoid those challenges.
interconnected with the network to provide help
to individuals or large businesses. These devices
are bound to through data to server or made their
data available to their subscribers (users). But
providing this data to user in such a way that
security is not compromised is the main thing
from whom everyone should worry about.
If we take the example of safe home there are
number of devices interconnected in the network.
This network sometimes have one or two devices
for whom not enough security measurements are
taken because of that other devices in the
network may also be compromised.

1 Introduction Water Pump

Internet of Things (IoT) has bombarded at
market in last few years which includes the wide
range of IoT devices and their managing
software built on different architecture and Laptop
separate set of requirements. And while Smart
designing these devices, most of the security Phone
requirements are not in the consideration.
Because of this, many security problems
occurred e.g. compromised anonymity, sensitive
data loss and many other security related issues. Fire Door Lock
Detector

Figure 1: Safe-Home with interconnected IoT

devices.
In the above figure laptop is connected with fire
detector and fire detector connected with door
lock and other devices as well. If the hacker
gains access to the water pump he can eventually
get access to door lock of the home and security
is compromised as whole.
The above mention problem become a
motivation to make the security requirements a
desirable part of the requirement elicitation
process.
2 Literature review
Hewlett-Packard organizes the study [1] on
commercial devices of internet of Things in the
year of 2014. This study states that about 80
percent of commercial IoT devices the privacy of
personal bio-data, also 80 percent of devices
unable to require a secure password to access,
and 70 percent does not have encryption.
In 2003 there was one of the first attacks on the
monitoring components of USA nuclear power
plant [2].
R. H. Weber in his review of computer law and
security [3] explains the legal framework to deals
with security concerns and privacy constraints of
individuals and discuss the legislation of right to
information for everyone.
Research organized on the architecture of some
trusted IoT systems elaborates the security
aspects of the trusted user, perception and agent
modules.
3 Analysis of security
requirements
With the evolution of IoT industry, the
manufacturers are facing number of challenges
with variety of aspects including standardization
of IoT, social and legal aspects of IoT and also
the security and privacy concerns.
Defining the security and privacy requirements
of the IoT system is not the easy task as there are
number of different issues analyzing these
requirements [5]:
➢ Environment change is the key obstacle
while specifying requirements for
security and privacy of IoT devices.
➢ Another challenge is how we can define
that which data is restricted to whom,
when to restrict it and who can access
that data under what specific conditions.
➢ Numbers of technologies are
interconnected to form an IoT system.
When integrating those technologies in
our system there are a lot of risks
associated with them.
To achieve our ultimate goal of gaining security
and privacy requirements we divide these
requirements in number of quality attributes that
can address these requirements at both
architecture and development level.
4 Architecture
This section presents a brief view of overall
architecture of IoT network which help us to
critically evaluate the security concerns and
privacy constraints on the devices connected to
the network.
Four different components coordinate together to
form an IoT system. Now we further explain the
interoperability and services of each component
[6].
i) IoT Device
Any type of device with sensor, operating
system, application software, and an interface for
communication can be considered as IoT device.
These devices collect data from their working
environment and perform some necessary action
needed.
 ii) IoT services
User can access services of IoT from anywhere
they want because most of the services are
hosted at cloud. The role of these services is to
automate the IoT process and making decisions
on the basis of device data.
iii) Bridge
The functionality of the bridge is to provide
gateway between the IoT device and the cloud
service of IoT. Bridges are actually protocols
from which IoT devices and services can
communicate with each other.
iv) Controllers
Controllers are responsible for controlling IoT
devices. Mobile phone or laptops or tablets can
act as controllers of IoT devices that can give
command to IoT devices.
5 Security requirements and
constraints
There are many things that should be considered
while proposing the secure solution for IoT
system.
a) Device Anonymity
Hiding the source of the device or data is the
core concern about security to make secure IoT
system. There should be a service in IoT system
which deals with secrecy of origin of data.
b) Data Safety
Data protection is the most important attribute
while discussing privacy. The information about
person such as e-health care device sending the
critical data of patient’s health to the doctor or
medical specialist should be secure at both nodes
and must not be accessible by unauthorized
persons.
c) Live feed
This attribute ensures that data should be up-to-
date after each message. This is also critical
attribute because system must have known the
current state of every sensor or IoT device.
d) Consistency
Integrity of the system is changed when data loss
occurs in the transmission process or someone
intervenes to change the data after it is
dispatched from device. This will cause a false
alarm or something even more dangerous.
e) Authorization and access control
These two attributes ensure that only
authenticated device access the data authorized
to it. No other data is displayed or accessed by
that IoT device that is not authorized to it.
f) Exception Handling
There must be mechanism defined in the IoT
devices to handle the known exceptions and
should continue to provide their services in
adverse situations. Devices must be robust in
nature to ensure exception handling.
g) Flexibility
The overall IoT system should have bit of
resilience so that when some of the
interconnected devices are under attacked the
security and availability of the other devices
must not be compromised.
h) Tempering
The attacker creates an extra activity which is not
happened actually by gaining unauthorized
access to the data. The purpose behind this is to
create confusion or misleading the stakeholders
of that IoT system by altering the correctness of
the message [7].
To cope with this kind of situation an alteration
detection system is used to protect us from these
kind of attacks [8].
6 Future Directions gaining access to the large industry in near
To protect the IoT system from all kinds of the future.
above discussed security and privacy threats we
need an attack defending mechanism in which all 7 References
the layers of the entire IoT system is covered. [1] “Internet of Things research study,” 2014,
Here is the brief description of an attack accessed on 19-April2014. [URL]:
defending mechanism. https://www8.hp.com/us/en/hp-news/press-
release.html?id=1744676
Threats Precautions Layer
[2] K Poulsen, Slammer Worm and David-Besse
Reprograming Authorization Application Nuclear Plant, 2003.
[3] R. H. Weber. Internet of things - new security
Squeezing Spatial Physical
and privacy challenges. Computer Law &
retreating
Security Review, 2010.
Intrusion Intrusion Transport
Detection [4] L. Wen, X. Li and Z. Xuan. Architecture of
System trusted security system based on IoT. Intelligent
Electromagnetic Shielding Transport Computation Technology and Automation
interference (ICICTA), 2011.
Sink holing [9] Cryptographic Network
routing [5] Davor Svetinovic and Israa Alqassem.
protocol Taxonomy of Security and Privacy Requirements
Crash Error- MAC for the Internet of Things (IoT). Masdar Institute
correcting of Science and Technology Abu Dhabi, UAE.
code
Fabrication Filtering, Network [6] Mahmud Hossain, Maziar Fotouhi, and Ragib
Authentication Hasan. Towards an Analysis of Security Issues,
Challenges. Department of Computer Sciences
University of Alabama at Birmingham.
7 Conclusion [7] A. Zomaya and T. Zia. “Security issues in
Internet of things is mainly influenced by attacks wireless sensor networks.” in Proceedings of the
at various layers of its framework which is one of International Conference on Systems and
the common reasons of small scale development Networks Communications, ICSNC, 2006.
of IoT in industry. Although it is hard to attend
all the security and privacy concerns of an IoT [8] Y. Zhang and W. Lee, “Intrusion detection in
environment by in this paper, I have tried to wireless ad-hoc networks,” in Proceedings of the
survey the most important security concerns 6th annual international conference on Mobile
which includes confidentiality, end-to-end computing and networking. ACM, 2000, pp.
security, authentication and data safety. 275–283.

If these issues are addressed properly in [9] Sengul, Papadimitriou and Fessant.
development process of IoT system then these Cryptographic protocols to fight sinkhole attacks
system can transform the way of business by on tree based routing in WSN. In Secure
Network Protocols, 2009. 5th IEEE Workshop.