2021 IEEE 5th International Conference on Cryptography, Security and Privacy

A Study on Privacy Issues in Internet of Things (IoT)

Naqliyah Zainuddin Maslina Daud Sabariah Ahmad
Info. Security Mgmt Cyber Security Proactive Info. Security Mgmt Mayasarah Maslizan
CyberSecurity Malaysia CyberSecurity Malaysia CyberSecurity Malaysia Info. Security Mgmt
Cyberjaya, Malaysia Cyberjaya, Malaysia Cyberjaya, Malaysia CyberSecurity Malaysia
naqliyah@cybersecurity.my maslina@cybersecurity.my sabariah@cybersecurity.my Cyberjaya, Malaysia
mayasarah@cybersecurity.my
2021 IEEE 5th International Conference on Cryptography, Security and Privacy (CSP) | 978-1-7281-8621-4/21/$31.00 ©2021 IEEE | DOI: 10.1109/CSP51677.2021.9357592

Syafiqa Anneisa Leng Abdullah

Info. Security Mgmt
CyberSecurity Malaysia
Cyberjaya, Malaysia
anneisa@cybersecurity.my

Abstract—Internet of Things (IoT) is an interconnected

wireless network where smart nodes (IoT devices) interact with In order for users to enjoy the provided services thru various
each other in order to exchange data through the communicating applications of IoT, they have to access these services, provide
medium. IoT have rapidly increased in popularity, demand, and and exchange a lot of personal information in an open, unsafe
commercial availability within the past several years. Various IoT and interconnected environment. Due to the pervasive nature of
applications generate a huge amount of data from different types IoT enabled smart services and the limitless opportunities that
of resources, including smart cities, manufacturing industries, this technology provides, apart from security, privacy becomes
health institutions, and governments. Due to the pervasive nature
another key concern for the users of these smart offerings [3].
of IoT and the limitless opportunities that this technology
provides, security and privacy becomes two key concerns for the
users of these smart offerings. Most of the privacy threats [4] defined users’ privacy as the right of what, how, to what
disclosing the private information to unwanted party and gives extent and with whom their information will be shared with
rise to serious implications in various IoT application. Thus, this others. In order to come out with a privacy safeguard
paper will analyze existing literature related to various privacy framework, [5] has classified privacy concerns based on data
threats in IoT, privacy issues in different applications of IoT and
activities to unauthorized collection, unauthorized use,
present summary of the study.
unauthorized sharing, unauthorized access, insecure
Keywords—Internet of Things, IoT, privacy threat, privacy transmission and insecure storage. The collection of massive
issues, privacy challenges, smart homes, smart medical, smart city amounts of available data and powerful analytic tools that
transfer meaningless data to information lead to raise an
individual’s concern about the privacy [6]. [7] highlighted that
the perspective of the usefulness of the IoT is dependent on how
I. INTRODUCTION well it can respect the privacy choices of people. Privacy is an
This IoT consists of various devices that generate, process, important issue in IoT application on account of the ubiquitous
and exchange vast amounts of critical data as well as privacy- character of the IoT environment.
sensitive information. The natural characteristic of IoT
environment is the prevalence of devices, sensors, readers, and
applications which have the potential to collect a multiplicity of Thus, this paper will analyze existing literature related to
data types of individuals as they move through such various privacy threats in IoT (section II), privacy issues in
environments [1]. These devices offer various advantages, different applications of IoT and summary of the study (Section
including reduced energy consumption, more effective health III).
management, and better living spaces that react adaptively to fit II. COMMON PRIVACY THREATS IN IOT ECOSYSTEM
users’ lifestyles.
In a typical IoT ecosystem, all smart devices and people are
IoT involvement in our daily lives is witnessing drastic interconnected at any time and any place. However, most of
growth and development which can be noticed in IoT these devices connected to the internet are not equipped with
applications such as smart cities, smart cars, smart homes, and efficient security mechanisms and are vulnerable to various
various automation. Each ‘thing’ in the term ‘Internet of Things’ privacy and security threats [8].
refers to a device, and there are many types of connectable
devices, from cameras, scales, sensors, and home management [9] emphasized that privacy in the IoT is the threefold
systems, all the way to heart monitoring implants to cars or guarantee to the data subject for (i) awareness of privacy risks
sensors monitoring livestock [2]. imposed by smart things and services surrounding the data
subject, (ii) individual control over the collection and processing

978-1-7281-8621-4/21/$31.00 ©2021 IEEE 96

Authorized licensed use limited to: Somaiya University. Downloaded on April 04,2025 at 06:16:13 UTC from IEEE Xplore. Restrictions apply.
of personal information by the surrounding smart things, (iii) D. Jurisdiction Risk
awareness and control of subsequent use and dissemination of In IoT, cloud application often involves outsourcing to
personal information by those entities to any entity outside the multiple parties (and sub-parties) who operate in multiple
subject’s personal control sphere. jurisdictions, frequently without full transparency to the user of
the cloud service [22]. Besides, cloud computing also often
Next sub-sections briefly discuss the privacy threats such as
implies data transfer to, and backup in, many places [13].
eavesdropping, data leakage, impersonation, data tampering
[10], [3], [11], [12] and jurisdiction risks [13]. Some personal data elements are considered more sensitive
than others, although the definition of what is considered
A. Data Leakage sensitive personal information may vary depending upon
In IoT ecosystem, objects such as smart devices are tightly jurisdictions and even on particular regulations [23]. Even if the
coupled with human beings, since they are involved in too many same information is involved, there may be different data
systems around us such as cars, homes, and hospitals to provide protection requirements in different contexts due to factors
infinite services and solutions. including location and trust in the entities collecting and
[14] defined eavesdropping as an attack that threatened the processing it [23]. [24] emphasized that, the concerns of cloud
privacy when an intruder intercepting, reading, and modifying customers over sensitive data is often overlooked and
messages for further investigation. In eavesdropping, intruder underestimated as cloud providers continue to transfer data to
may only listen to the information while it is being transmitted other jurisdictions.
between the two nodes over the network. In this attack, Thus, this situation may threatened the privacy of the data
information remains the same but its privacy compromises [15]. due to improper use or disclosure of personal information that is
Threats posed by eavesdropping may significantly increase stored and accessible in multiple locations, by multiple parties
when packets convey access control information (e.g., object and across multiple jurisdictions.
identifier, object configuration, and shared key) [14].
In IoT, devices are connected with each other in order to III. PRIVACY ISSUES IN SMART THINGS
communicate and exchange data. The amount of data generated As discussed in previous section, smart things containing
by these connected devices has witnessed a massive growth and numerous internet connected devices raises substantial privacy
may include sensitive and private information. Hence, IoT issues. The following sub-sections will discuss on privacy issues
devices may leak private user data, both from the cloud (where in various IoT applications.
data is stored) and between the devices themselves.
A. Smart Home
In this regard, protecting privacy of these data is a key issue Smart home devices are hardware units typically comprising
because unauthorized devices handling can lead to leakage sensors, actuators, gateways, and smart objects. The connected
threatening of information [16]. [17] highlighted that data home may contain sensitive data (e.g. personal photos, videos,
leakage may take place during data storage, data transmission and digital diaries), and devices such as IP cameras that may be
and data sharing, which may lead to serious issues beyond remotely activated and accessible from anywhere.
financial loss for the providers of a particular IoT services.
In a smart home [15], windows, home ventilations, doors,
B. Impersonation lightings, air conditioning, refrigerators, washing machine, oven
According to [12], an impersonation attack is an attack in etc. can be manipulated by remote platforms or programs.
which an adversary is disguised as a legitimate party in a system Residents also can interact with IoT devices and manage their
or communications protocol. An adversary could try to smart home through different platforms such as PCs, smart
impersonate and act on behalf of a legitimate user [18] by phones, and tablets.
gaining access to users’ credentials or to any other information
that provide access to the IoT resources. [25] highlighted that smart homes expose the residents to
privacy risks as personal information becomes remotely
Impersonation threatened the privacy of the data when the accessible in new ways. [26] added that a passive network
attacker tries to fake the identity of a trusted individual to gain observer can infer sensitive information about consumers from
access to some sensitive data [19]. the network behaviour of their smart home devices, even when
C. Data Tampering those devices use encryption. Besides, [27] emphasized that an
Integrity of the data collected from smart devices must be attacker can illegally obtain unencrypted information generated
protected to prevent it from being tampered by unauthorized by a smart home using wireless data intercept tools.
parties. Data tampering and manipulation is an insidious threat B. Smart Meter
that not only affects data privacy but, if left undetected, could A smart grid is a system built on advanced ICT based
have imputable consequences to brand reputation, national infrastructures that manages electricity in a sustainable, reliable,
security or public health [20]. and economic manner [28]. Smart meter is one of the key
For example in smart meter application, a user might want devices that enable the smart grid concept by monitoring a
to pay less than the amount of power user used, so user is likely household’s electricity consumption and reporting it to the
to tamper the data [21]. utility provider i.e., the entity that sells energy to customers, or
to the distribution system operator, i.e., the entity that operates
and manages the grid, with high accuracy and at a much faster
pace compared to traditional meters [29].

97
Authorized licensed use limited to: Somaiya University. Downloaded on April 04,2025 at 06:16:13 UTC from IEEE Xplore. Restrictions apply.
 However, according to [30] the smart meter’s ability to [28] also gave an example how a vehicle’s license plate can
monitor a user’s electricity consumption in almost real-time be connected to the vehicle owner’s identity where the trajectory
entails serious implications about consumer privacy. This is of a vehicle can easily be traced even if all communications
supported by [29] where power consumption profiles may reveal between the vehicle and infrastructure are encrypted and each
sensitive information on the state of their businesses to their device is authenticated by others. [28] added that this is against
competitors. Not only to businesses, living pattern of individuals the common notion of privacy, which includes the right of
will also be observed by perpetrators that can pose serious people to lead their lives in a manner that is reasonably secluded
threats when they should or should not be at home at a certain from public scrutiny, whether such scrutiny comes from a
time. Such important privacy concerns in the use of smart meters neighbour’s prying eyes, an investigator’s eavesdropping ears,
has raised significant public attention and they have been highly or a news photographer’s intrusive camera.
debated in the media and by politicians, and, if not properly
addressed, they could represent a major roadblock for this multi- E. Cloud
billion dollar industry [30]. Cloud-based services are often considered as the essential
infrastructure in IoT ecosystem as it offers support for data
C. Smart Medical storage, data processing, and data sharing [33]. As IoT
Health and wellness is one of the most promising application applications allow data to be locally stored on IoT objects or
areas of IoT technology. Recently, there have been an increasing remotely on the cloud depending on their storage capabilities,
number of attacks where the victims have been hospitals or protecting the data at rest is of paramount importance in
health institutions. IoT in healthcare provides an environment preserving its integrity [34].
where a patient’s vital parameters get transmitted by medical
devices onto secure cloud based platforms where it is stored, If the data integrity of a single IoT application at rest has
been compromised, then there is a huge risk of dealing with
aggregated and analyzed [15].
cascading effects on the privacy of the data [35]. For example,
Smart medical devices are attractive targets for [35] stated that a thermostat deployed in a smart home relies
cybercriminals as the devices often employ weak security heavily on a smoke detector’s data to shut a heating system
measures, causes security compromise that lead to privacy down in case of danger. However, access of the smoke
breaches and safety threats in the real world. Types of attacks on detector’s data by unauthorised parties may put the entire smart
medical devices includes eavesdropping in which privacy of the home at risk.
patient is leaked, integrity error in which the medical
information is being altered, and availability issues which As a summary, Table 1 shows the mapping of privacy threats
in various IoT applications based on discussion in the reviewed
include battery draining attacks [8].
papers.
In IoT, Radio Frequency Identification (RFID) plays a lead TABLE I. PRIVACY ISSUES IN IOT APPLICATION
role because it identifies any number of objects simultaneously
[1]. RFID setup consists of several RFID tags and one or more IoT
RFID readers. [31] discussed that privacy threats brought by Privacy Threat Applications Discussion on Privacy Issues
RFID in smart medical devices where criminals can identify Smart Grids Power consumption profiles may
RFID tags in wearable monitoring devices so as to locate and [29] reveal sensitive information about
track patients, or illegally collect and utilize patients' health data the state of their businesses to
their competitors.
for analysis and mining. It is important for entities that have been Smart Homes Private data becomes accessible
using RFID to protect information related to the RFID tags used. [25] without the householders’
The protection should consider not only while using the tags, but awareness.
Smart Home A passive network observer can
also after using them, as discarded RFID may carry a lot of [26] infer sensitive information about
private information of hospitals or patients, which can be easily consumers from the network
collected by others [31]. behaviors of their smart home
devices, even when those devices
D. Smart City use encryption.
Smart • pairing and discovery
A smart city is an interconnected entity of IoT and intelligent Data Leakage
Home[36] protocols that leak
systems to provide quality services to its citizens in various information about devices
in the home;
sectors such as public safety, healthcare, transportation and • insecure communication
energy [5]. Smart city applications benefit people and the city in leaking sensitive
a variety of aspects such as energy, environment, industry, information about the home
and the residents;
living, and services. • vulnerabilities in the
devices that can allow an
Despite the benefits a smart city offer to its population, a attacker to remotely spy on
smart city is vulnerable to privacy leakage and information residents or disrupt their
lives.
inferring by outside attackers, due to on how private information
Smart Discarded RFID may carry a lot of
is collected, transmitted, and processed. [32] highlighted that Medical private information of hospitals or
the disclosed privacy in a smart city may contain a user’s [31] patients, which can be easily
collected by others.
identity and location in transportation, health condition in
Eavesdropping Smart Homes Eavesdrop on the wireless
healthcare, lifestyle inferred from intelligent surveillance, smart [25] transmission of sensors and detect
energy, home and community, and so on.

98
Authorized licensed use limited to: Somaiya University. Downloaded on April 04,2025 at 06:16:13 UTC from IEEE Xplore. Restrictions apply.
 IoT IoT
Privacy Threat Applications Discussion on Privacy Issues Privacy Threat Applications Discussion on Privacy Issues

activities such as showering, • meeting an organization’s

toileting, and sleeping. transparency obligations
Smart Criminals can identify RFID tags with regard to its privacy
Medical in wearable monitoring devices so and data protection
[31] as to locate and track patients, or practices, when often the
illegally collect and utilize full knowledge of how and
patients' health data for analysis where data is stored,
and mining. processed and shared can
Smart Cities Users (especially adolescents and be obscured in the Cloud
[28] the elderly) are not familiar with environment.
privacy issues, and they become
perfect targets for attackers when
they interact with many smart
cities’ services through their IV. CONCLUSION
smartphones, tablets, and
computers, revealing personal IoT has gained significant attention over the last decade.
data such as gender, age, and With the increase number of interconnected devices and the
location. growth of IoT, privacy aspect of IoT systems have become a
Smart Homes Malicious actor may remotely
[25] take over control of the home challenge and an important part of IoT systems apart from
devices using them to hack the security.
household or as a platform to
launch attacks to other domains, This study presents literature review conducted on existing
e.g., to overload the energy grid.
Impersonation
works on privacy related issues in the context of IoT application.
Smart Toys Third party advertisers can infer a
[37] great amount of information about The findings of this paper have provided an initial finding for us
a child based on their location and to continue our research and development in privacy initiatives
other context information,
collecting detailed behavioral
related to smart things in IoT environment.
profiles that may be used for
unknown or unwanted purposes.
Besides, we hope that this study will assist researchers,
Data Tampering Smart City • malicious attackers may policymakers, and device manufacturers to consider privacy by
Applications generate false data to design approach in offering solutions that contributes to the
[32] manipulate sensing results
such that services,
growing interests in the privacy implications of IoT devices.
decisions, and control in a
smart city are influenced REFERENCES
and not “intelligent”
enough; [1] A. S. Kumar, S. Brittoraj, and M. Rajesh, “Implementation of RFID with
• malicious attackers could Internet of Things,” no. 1, pp. 193–197, 2019.
also launch denial-of- [2] T. Anscombe, “IoT AND PRIVACY BY DESIGN IN THE SMART.”
service attacks, disrupting
[3] P. Podder, “Review on the Security Threats of Internet of Things,” vol.
the sensing, transmission,
and control to degrade the 176, no. 41, pp. 37–45, 2020.
quality of intelligent [4] C. Kalloniatis and Æ. E. Kavakli, “Addressing privacy requirements in
services in a smart city; system design : The PriS method Addressing privacy requirements in
• information collected and system design : the PriS method,” no. September, 2008.
managed by smart home
applications may pave the [5] A. A. Alghanim and A. S. City, “Privacy Analysis of Smart City
way to disclosing Healthcare Services,” pp. 0–4, 2017.
residences’ highly privacy- [6] B. Alsamani and H. Lahza, “A Taxonomy of IoT : Security and Privacy
sensitive lifestyle and even Threats,” pp. 72–77, 2018.
cause economic loss;
• attackers could still infer [7] L. Tawalbeh, F. Muheidat, M. Tawalbeh, and M. Quwaider, “applied
and violate privacy in many sciences IoT Privacy and Security : Challenges and Solutions,” pp. 1–17,
other ways, such as side 2020.
channel attack and cold [8] M. A. Razzaq, M. A. Qureshi, and S. Ullah, “Security Issues in the
boot attack.
Internet of Things ( IoT ): A Comprehensive Study,” vol. 8, no. 6, 2017.
Jurisdiction Cloud • increased risk of improper
Risk [13] use and disclosure of [9] J. H. Ziegeldorf, O. G. Morchon, and K. Wehrle, “Privacy in the Internet
personal information that is of Things : threats and challenges REFERENCE MODEL FOR THE,” no.
stored and accessible in June 2013, pp. 2728–2742, 2014.
multiple locations, by
[10] N. Waheed, X. He, M. Ikram, M. Usman, S. S. Hashmi, and M. Usman,
multiple parties, across
multiple jurisdictions;
“1 Security and Privacy in IoT Using Machine Learning and Blockchain:
• risk of disclosure to foreign Threats and Countermeasures,” vol. 53, no. 3, 2020.
law enforcement or [11] E. Luo, Z. A. Bhuiyan, G. Wang, A. Rahman, J. Wu, and M.
regulatory authorities Atiquzzaman, “PrivacyProtector : Privacy-Protected Patient Data
created by storage and Collection in IoT-Based Healthcare Systems,” no. February, pp. 163–168,
processing of data outside 2018.
of the home country of
individuals from whom the [12] M. E. Aminanto, R. Choi, H. C. Tanuwidjaja, P. D. Yoo, S. Member, and
information was collected; K. Kim, “Deep Abstraction and Weighted Feature Selection for Wi-Fi
• compliance with an Impersonation Detection,” vol. 13, no. 3, pp. 621–636, 2020.
organization’s data
[13] P. D. Flaherty and G. Ruscio, “• STORMY WEATHER :
retention and destruction
obligations; and,
JURISDICTION OVER PRIVACY AND DATA PROTECTION IN
THE CLOUD — PART 2 •,” vol. 13, no. 10, 2013.

99
Authorized licensed use limited to: Somaiya University. Downloaded on April 04,2025 at 06:16:13 UTC from IEEE Xplore. Restrictions apply.
[14] H. A. Abdul-ghani, “A Comprehensive Study of Security and Privacy [26] N. Apthorpe, D. Reisman, and N. Feamster, “Closing the Blinds : Four
Guidelines , Threats , and Countermeasures : An IoT Perspective,” 2019. Strategies for Protecting Smart Home Privacy from Network Observers.”
[15] S. E. E. Profile, “Internet of Things ( IoT ): Security and Privacy Threats,” [27] P. Biocco and P. Hines, “A Study of Privacy Policies across Smart Home
no. June, 2016. Companies.”
[16] D. K. Alferidah and N. Z. Jhanjhi, “A Review on Security and Privacy [28] R. Khatoun and S. Zeadally, “Cybersecurity and Privacy Solutions in
Issues and Challenges in Internet of Things,” vol. 20, no. 4, pp. 263–285, Smart Cities,” no. March, pp. 51–59, 2017.
2020. [29] G. Giaconi and G. Deniz, “Smart Meter Data Privacy,” pp. 1–36.
[17] Y. Lu, S. Member, and X. Huang, “Blockchain and Federated Learning [30] G. Giaconi, G. Deniz, and H. V. Poor, “Privacy-Aware Smart Metering :
for Privacy-Preserved Data Sharing in Industrial IoT,” vol. 16, no. 6, pp. Progress and Challenges,” no. January 2019, 2018.
4177–4186, 2020.
[31] D. He, R. Ye, S. Chan, M. Guizani, and Y. Xu, “Privacy in the Internet of
[18] D. Geneiatakis, I. Kounelis, R. Neisse, I. Nai-fovino, G. Steri, and G. Things for Smart Healthcare,” no. April, pp. 38–44, 2018.
Baldini, “Security and Privacy Issues for an IoT based Smart Home,” pp.
[32] K. Zhang, J. Ni, K. Yang, X. Liang, J. Ren, and X. S. Shen, “Security and
1292–1297, 2017.
Privacy in Smart City Applications : Challenges and Solutions,” no.
[19] B. K. Mohanta, U. Satapathy, S. S. Panda, and D. Jena, “A Novel January, pp. 122–129, 2017.
Approach to Solve Security and Privacy Issues for IoT Applications using
[33] J. Singh, T. Pasquier, J. Bacon, H. Ko, and D. Eyers, “Twenty security
Blockchain,” pp. 394–399, 2019.
considerations for cloud-supported Internet of Things,” no. 1, pp. 1–16.
[20] D. Kanngiesser, “These are the seven deadly sins of data tampering.”
[34] H. A. Abdulghani, N. A. Nijdam, and A. Collen, “SS symmetry A Study
[Online]. Available: https://www.techradar.com/news/these-are-the-
on Security and Privacy Guidelines , Countermeasures , Threats : IoT
seven-deadly-sins-of-data-tampering. [Accessed: 19-Nov-2020].
Data at Rest Perspective,” pp. 1–36, 2019.
[21] C. H. Lee and K. Kim, “Implementation of IoT System using BlockChain
[35] A. Mosenia, S. Member, and N. K. Jha, “A Comprehensive Study of
with Authentication and Data Protection,” pp. 936–940, 2018.
Security of Internet-of-Things,” vol. 5, no. 4, 2017.
[22] D. Patrick, “Abstra ct:,” pp. 1–16, 2012.
[36] E. Zeng et al., “End User Security and Privacy Concerns with Smart
[23] S. Pearson, “Privacy , Security and Trust in Cloud Computing Privacy , Homes This paper is included in the Proceedings of the End User Security
Security and Trust in Cloud Computing,” 2012. & Privacy Concerns with Smart Homes,” no. Soups, 2017.
[24] D. Kolevski and K. Michael, “Cloud Computing Data Breaches A socio- [37] P. C. K. Hung, M. Fantinato, and L. Rafferty, “A STUDY OF PRIVACY
technical review of literature,” pp. 1486–1495, 2015. REQUIREMENTS FOR SMART TOYS,” 2016.
[25] J. Bugeja, A. Jacobsson, and P. Davidsson, “On Privacy and Security
Challenges in Smart Connected Homes,” 2016.

100
Authorized licensed use limited to: Somaiya University. Downloaded on April 04,2025 at 06:16:13 UTC from IEEE Xplore. Restrictions apply.