978-1-7281-0108-8/19/$31.00 ©2019 IEEE
Internet of Things (IoT): Security and Privacy Threats
Eman Shaikh, Iman Mohiuddin, Ayisha Manzoor
Department of Computer Engineering and Science
Prince Mohammad Bin Fahd University
Al-Khobar, Kingdom of Saudi Arabia
e-mail: {emanshaikh26, iman28198, ayishamazoor18}@gmail.com
Abstract— Internet of Things (IoT) is used for
providing connectivity amongst numerous devices. It is a
system in which objects embedded with a detector
technology interact with other objects through a wireless
communication medium to exchange and transfer
information without human interaction. These devices are
prone to attacks due to the simple and open
nature of their networks. Therefore, privacy and security
are the biggest concerns in this technology. Addressing the
security and privacy threats to IoT is crucial to promoting
the development of IoT. The goal of the paper is to put
forward the different security and privacy concerns that
an IoT environment is facing and the existing mechanisms
used for its protection. The paper mainly focuses on the
IoT privacy and security features such as the IAS-octave
security requirements, security and privacy threats and
the solutions that need to be maintained to avoid these
security and privacy threats.
Keywords - Privacy, security, RFID, WSN, IoT, CSP,
ISP, sensor, security requirements, attacks, threats,
challenges
I. INTRODUCTION
The Internet of Things plays a major role in every
individual’s day-to-day life. It is a service that allows person-
to-object, object-to-object or object-to-objects transmissions.
The applications of IoT are used in many fields such as
environmental monitoring, home automation, transportation,
medical and healthcare systems, etc. The evolution of IoT is
one of the essential and striking developments of the recent
period. Technologies like WSN and RFID tags are
evolving with increasing development in the scope of Internet
technologies [1]. The combination of these two technologies
creates direct communication over the Internet. Consequently,
there has been a drastic number of possible attacks and
dangers against the security and privacy of a smart thing.
These security and privacy requirements are not yet widely
known, and without proper protection IoT devices are more
likely to be used and attacked for malicious purposes [2].
Therefore, it is important to understand the threats, challenges,
and solutions for both security and privacy.
II. SECURITY AND PRIVACY: A PROBLEMATIC SCENARIO
A. Potential Attackers and their Motivations
IoT based systems manage a large amount of information
that can be used for various services, thus making the IoT
paradigm an interesting target for a multitude of attackers,
such as occasional hackers, hacktivists, cybercriminals, etc.
Potential attackers may be interested in stealing sensitive
information such as location data, credit card numbers,
passwords of financial accounts, etc. by hacking into IoT
devices. Furthermore, they may even try to compromise IoT
components, such as edge nodes, so as to launch attacks
against a third-party entity. Moreover, technology and
machines have been growing rapidly, leading to threats and
privacy issues. Smart devices communicate and exchange
data with each other within a network. If any device gets
corrupted, the whole infrastructure is at risk. Thus, security and
privacy have been of great importance in recent years [1].
There is also a need to establish some security requirements
because, for instance, if a machine is hacked, production
can be at stake along with the crucial data involved.
B. Definition of Security in the Scope of IoT
Table 1 summarizes the IAS-octave security requirements.
The key difference between a security thing and a security
attack is that a security thing is a thing which meets all of the
IAS-octave security requirements, whereas a security attack is
an attack which tends to threaten at least one of the IAS-
octave security requirements [1].
TABLE 1. DEFINITION OF EACH IAS-OCTAVE SECURITY REQUIREMENT

Requirement     | Definition                                                                         | Abbreviation
Confidentiality | Ensuring that only authorized users access the information                         | C
Integrity       | Ensuring completeness, accuracy, and absence of unauthorized data manipulation     | I
Availability    | Ensuring that all system services are available, when requested by an authorized user | A
Accountability  | An ability of a system to hold users responsible for their actions                 | AC
Auditability    | An ability of a system to conduct persistent monitoring of all actions             | AU
Trustworthiness | An ability of a system to verify identity and establish trust in a third party     | TW
An ability of a
system to confirm