A Review of Security and Privacy Concerns in the Internet of Things (IoT)


Introduction
Current technology trends aim to "connect the unconnected," which means every object that can be connected will be connected in the upcoming years. The IoT is the network of physical objects containing sensors and processing power embedded in devices to connect end-users to wide-area networks for transmission [1]. It can be seen everywhere around us, including automobiles, public lights, domestic appliances, health-care systems, and personal digital assistants like Google Home. For example, IoT gateways allow fast and easy access to the IoT world, and they are compatible with IoT servers (Microsoft Azure, Amazon AWS, IBM Cloud, Google Cloud, etc.) and customized servers that support MQTT. Globally, IoT devices are attached to the Internet and communicate information through embedded sensors and software [2]. These devices minimize human effort, make life easier, and maximize resource utilization. They help humans make better decisions that raise the user's standard of living [3]. The idea of connecting unconnected devices is almost 188 years old. It was introduced in 1832 when the first electromagnetic telegraph was invented. At that time, the idea was translated into the terms "Embedded Internet" or "Pervasive Computing," and the first-ever connected device was a Coca-Cola vending machine [4].
Today's term "The Internet of Things (IoT)" was first introduced by Kevin Ashton in 1999 to advance communication and facilitate human interaction in a virtual environment. According to a survey, the number of connected devices touches the figure of 50 billion by the end of 2020 and will grow to 14.7 billion by 2023 [5]. Nowadays, IoT technology is primarily seen in industries and commercial sectors. The interconnected intelligent gadgets vary from simple wearable and household devices to large machines. These objects contain chips that are used to inspect and pursue the facts. It is predicted that the IoT market will touch the figure of 5.8 billion by the end of 2020, which is 21% higher than in 2019. This technology is used in intelligent projects, i.e., smart cities, smart farming, smart homes, and health-care systems. According to Grand View Research, the small patient market generates around $1.8 billion by the end of 2026 [6].
The significance and contribution of this research on IoT security and privacy are the well-being of humanity according to people's likes, needs, wishes, and desires without any explicit instruction to IoT devices. These devices also serve the community by aiding in surgery, weather forecasting, animal identification, and automobile tracking.
The rapid growth of intelligent devices made IoT a growing technology, so it is essential to understand the privacy and security challenges. It is necessary to understand and address these issues for the sake of humans, who benefit when these security and privacy threats in IoT are handled. This systematic literature review (SLR) provides significant guidelines for IoT security and privacy issues. In this study, 170 research articles have been used as a reference to conduct the survey for security and privacy issues in IoT.

Literature Review
Tremendous work and effort have been made recently to cope with safety and confidentiality problems in IoT. Many reports and surveys are published to address IoT security-related issues and challenges. Yang et al.'s survey presents the safety and personal issues with solutions directly related to low-end systems [7]. Different authors briefly discuss the IoT security-based issues and challenges for networks, devices, and systems [2]. Weber and Gopi and Rao's surveys discuss the challenges and issues concerned with security in four steps: (1) limitations of IoT devices like battery life extension, (2) lightweight computation, (3) classification of security attacks, and (4) control access mechanisms and architecture [8,9]. The discussion is also available on different IoT architecture layers (presentation, network, transport, and application).
Weber's survey discusses security and privacy challenges, and researchers also present a security framework for IoT-based devices [8]. IoT devices are gaining fame globally and involve other innovative technologies widely used across the world to transport goods from region to region. This technology is visibly becoming familiar. The low-end devices contain different sensing gadgets, have the capacity to interconnect with other similar gadgets, and can transmit facts or information. The main challenge of IoT devices is related to privacy and security. The administration of that extensive data so that machines process it reliably and securely is a real problem. These IoT devices also present challenges for individuals' protection, safety, and confidentiality. In this research article, the authors discuss the growing requirement of this technology for appropriate regulatory and technicalities to heal the gap between automated surveillance by IoT-based devices and the official rights of people unaware of their safety and confidentiality risk. Aleisa and Renaud identify the issues and challenges related to IoT privacy, its principles, threats, and proposed solutions [10].
Tewari and Gupta presented another survey of security-related problems in IoT devices. This article analyzes IoT devices' layered architecture and highlights new security issues. They discussed the cross-layer heterogeneous integration problems and provided tools and techniques for research in IoT [11]. The comparison of different studies in various aspects (simulation tools, mechanisms, IoT devices security, and privacy) was made by Noor and Hassan in 2019. It explores the current IoT security mechanisms such as authentication, security encryption, trust management, and emerging technologies to secure IoT devices [12].
Further, a study is presented on personal and safety-related problems identified by the experts in IoT devices and highlights how privacy is different from the other fields. It contains facts belonging to IoT specialists who tried to perceive safety and confidentiality problems and proposed new security protocols for efficient security and privacy mechanisms (SPMs) [13]. Almost all connected devices have high risks and threats and can be hacked.
The objective behind this malicious act may differ depending upon the intruder's intention. There are mainly two types of threats, i.e., natural threats and human threats. The data can be protected from natural hazards, but devices may be physically damaged and not be restored. Moreover, many researchers have made tremendous efforts to protect IoT devices from human-generated threats and attacks. Table 1 shows the comparison of different types of attacks in IoT.
Cybersecurity threats can be categorized into two main types based on their objectives. In the first type, the intruder intends to knock out the targeted device completely. In the second type, the attacker aims to get admin privileges or unauthorized access privileges to targeted devices. Divergent methods are utilized to gain unauthorized access, i.e., malware, denial of service, SQL injection, and cybercriminal. With the advancement of technologies, these cyberattacks are also getting advanced. Cyberattacks pull the attention of researchers [2,7,9,13,18,30] to address these issues, but still, these issues need to be addressed.

A mobile code-driven trust mechanism for detecting internal attacks in sensor node-powered IoT [25] | Internal attacks | 03 2019 | Introduced the energy-efficient mobile code-driven trust mechanism (MCTM) to identify and handle malicious forwarding attacks, like a black and grey hole.
Analytical model for Sybil attack phases in the IoT [26] | Sybil attacks | 03 2019 | Sybil attacks from the IoT perspective comprehensively. Introduced and implemented an algorithm based on K-means clustering.
RAV: relay aided vectorised secure transmission in physical layer security for the IoT under active attacks [27] | Active attacks | 05 2019 | Introduced a transmission scheme for IoT networks to secure downlink communication.
An efficient collision power attack on AES encryption in edge computing [28] | Power analysis attack | 04 2019 | Discussed three AES implementations in edge computing. Introduced a new type of collision attack for masked linear layers and masked S-boxes.
IoT-FBAC: function-based access control scheme using identity-based encryption in IoT [29] | Access control | 06 2019 | They have proposed a new scheme to control access to IoT devices. They named it the function-based access control scheme.
A real-time intrusion detection system for wormhole attacks in the RPL-based IoT [30] | Wormhole attack | 09 2019 | Proposed a system to detect wormhole attacks. This intrusion detection system runs on Contiki OS and Cooja simulator.
Detection of multiple-mix-attack malicious nodes using perceptron-based trust in IoT networks [31] | Malicious node | 03 2019 | We mainly discussed three attacks: replay, tamper, and drop. Suggest an approach of perceptron detection (PD) to identify malicious nodes.
Averaged dependence estimators for DoS attack detection in IoT networks [32] | DoS attacks | 06 2020 | They have proposed a framework for DoS detection. Experimentally tested this framework with an actual IoT attack.
Deep recurrent neural network for IoT intrusion detection system [33] | Intrusion detection system | 03 2020 | Proposed an automatic intrusion detection system to implement fog computing security against cyberattacks.
With the growth of connected devices, problems and challenges are also increasing rigorously. Many new and emerging technologies are integrated with IoT to overcome these issues, i.e., fog computing, artificial intelligence, and blockchain. These advanced technologies are also used in collaboration with IoT to solve security and privacy issues. These technologies, especially blockchain, are gaining the attention of researchers and playing the role of a trusted third party. The blockchain can protect IoT devices, security, and safety-critical data. Integrating blockchain with IoT technology can provide an effective solution for security- and privacy-related issues and the challenges of IoT gadgets. Many researchers [3,8,15,20,28,34,37,39,43] also address the collaboration of these technologies and provide a robust solution. Table 2 presents some work done by researchers in recent years to address IoT security threats and attacks.
IoT applications are used globally to facilitate users, but there are still issues with security and privacy. Many researchers have discussed significant guidelines and solutions to cater to these issues. Table 3 shows the comparison of cyberattacks in IoT applications.
Another study is conducted by Sengupta et al. about the industrial IoT issues. It classifies the security and privacy attacks on their destructibility that explains to provide a blockchain-based solution [74]. Further, Wang et al. and Weber have discussed blockchain technology and explored some features such as access management, decentralization, asymmetric encryption, and smart contracts [75,76]. Khan and Salah discussed the layered architecture networking, management, and communication protocols [77]. Another study conducted by Qian et al. explores layer-based architecture security and privacy problems for IoT [78]. The proposed security mechanisms eliminate the need for a third party to protect IoT terminal devices [79]. The security mechanism using blockchain technology's decentralization feature in two conditions has been discussed in the remote cloud, network terminal, and devices [80,81]. Bitcoin currency is a modern and visibly growing blockchain-based technology [82,83]. IoT devices are progressively inclined to assault and cannot ensure themselves [84]. Besides that, it cannot be handled after the execution of the blockchain [85]. The solution for blockchain to eliminate safety is to use confidential transmission of the facts and figures [86][87][88].

Review Methodology
The study is grounded in an SLR on IoT security and privacy issues by analyzing a significant data stream of substantial literature. There are three classified phases: planning, conducting, and reporting the review. Figure 1 describes the classified phases for this study.
3.1. Phase 1: Planning the Review. To conduct SLR on security and privacy issues in IoT, we followed the methodology proposed by Kitchenham [89]. The main work is divided into three steps: planning, conducting, and reporting the reviews. 4 shows a list of general questions to measure the quality of selected papers by using two scales for the quality assessment checklist: yes = 1 and no = 0.
3.1.3. Identification of the Need for Review. The main objective of this study is to closely analyze the existing literature on IoT security, privacy, and threats to IoT systems. The study highlights significant research findings in the field of IoT security. The other purpose of this study is to emphasize utilizing emerging technologies for better solutions.

Inclusion/Exclusion Criteria. The criteria of inclusion and exclusion of papers are decided based on the significance of the literature. Initially, 500 papers were downloaded in IoT security and privacy. After the slight screening, 345 articles were filtered according to their duplication and irrelevance. The best 245 articles were identified in the next round by carefully reading their titles, abstracts, and introductions. Finally, we read full papers to further categorize them according to work needs, and 176 were selected to answer the questions related to our research problem. Figure 2 shows the inclusion and exclusion criteria for the selection of papers. The research questions for this study are described below.
RQ1: How has IoT evolved drastically in the modern era?
RQ2: What types of challenges and issues of IoT systems are essential to be addressed?
RQ3: Why do IoT security and privacy challenges need to be reported?
RQ4: How the security and privacy challenges are classified?
RQ5: How can emergent technologies resolve these issues in IoT applications?
3.1.6. Bibliographic Database. We use some digital libraries to search for the required material: Academia, Science Direct, Google Scholar, Google Search, Springer, IEEE Xplore, and Research Gate to conduct this survey. These automated libraries comprise literature linked to the discipline of security and IoT. In this research article, the studies are limited to research journals and conference papers published between 2003 and 2021. Figure 3 describes the detailed information of the digital libraries used for this article.
We classified the papers based on the discussed attacks. Only 1% of the articles addressed access-level attacks, 16% described cryptanalysis attacks, and 10% discussed network-based security issues. The percentage of other attacks is presented in Figure 4.

Phase 2: Conducting the Review. Figure 5 shows the three subphases for the review: (i) study selection, (ii) data extraction and quality assessment, and (iii) data extraction and synthesis.
The umbrella terms such as security, privacy, low-ended devices, and small automatic and fully automated devices are identified to determine the search engine. In the end, the Boolean operators "OR" and "AND" combine the various keywords and create different combinations for searching terms related to research questions. Some examples of keywords and operators to extract data are given:
(i) Security "OR" privacy issues "OR" security "OR" privacy challenges "OR" problems

Reference paper | Cited by | Year | Objectives
Cyberentity security in the IoT [69] | 111 | 2013 | The cyberentity domains in the U2IoT. Cybersecurity requirements, security attacks, and system vulnerabilities in the context of the cyberentities in the U2IoT.
Cybersecurity and the IoT: vulnerabilities, threats, intruders, and attacks [70] | 221 | 2015 | Cybersecurity attacks. Identification and vulnerabilities of threats. Malicious attacks.
Defense against black holes and selective forwarding attacks for medical WSNs in the IoT [71] | 43 | 2016 | Issues in wireless routing. Cyberattacks on IoT devices, especially black holes, and selective forwarding (SF) attacks.
Intrusion detection system to detect sinkhole attack on RPL protocol in the IoT [72] | 76 | 2017 | Identify the sinkhole attack in the network. Introduced an intrusion detection system (IDS) based on RPL as a routing protocol.
Cybersecurity threats to IoT applications and service domains [73] | 30 | 2017 | Discussed IoT applications and also presented significant cybersecurity challenges and issues.

Gartner, it is predicted that the IoT market will touch the figure of 5.8 billion by the end of 2020, which is 21% higher than in 2019 [6]. According to a current report for the year 2018-2023 that Cisco IBSG conducts, the number of connected devices was 6.1 billion in 2018 and will grow to 14.7 billion by 2023. The growth of IoT devices is shown in Figure 6.

RQ2: What Types of Challenges and Issues of IoT Systems Are Essential to be Addressed? Nowadays, the rapid growth of intelligent devices made IoT a growing technology. It is essential to understand all challenges and deal with issues related to these devices; the advancement and maintainability of IoT devices make these systems complex to manage. The system cannot prevail due to IoT issues such as outdated software and hardware, compatibility issues, security issues, cloud attacks, modifications, difficulties related to passwords, low-ended worms, facts related to security, and confidential provocations. Further, IoT discrepancies may also occur due to untrustworthy communication, problems finding the device's effectiveness, automation systems for data management, limited IoT device management, low power network support, IoT operating systems, and processor-related issues [77,90].

RQ3: Why Do IoT Security and Privacy Challenges Need to Be Reported? Advancements in technology in recent years have introduced various types of IoT devices. These devices are connected to many networks and to each other, making them vulnerable and easy to attack. To mitigate the vulnerabilities of the devices that share sensitive information/data, it is essential to identify all possible attacks to make countermeasures or defense strategies. Figure 7 shows the different issues and challenges in IoT devices.

RQ4: How the Security and Privacy Challenges Are Classified? The security threats in IoT are classified into various types like physical attacks, network attacks, software-based attacks, data attacks, side-channel attacks, cryptanalysis attacks, access-level attacks, and strategy-level attacks. Figure 8 shows the classification of IoT security attacks.
(1) Physical Attack. In physical attacks, direct physical access to the devices is required. Physical attacks utilize the hardware components of IoT devices [70,91]. Based on interaction with the targeted systems, the physical attack is classified into three categories, i.e., invasive attacks, noninvasive attacks, and semi-invasive attacks [92,93].
Invasive attacks: the category of attacks in which the attacker needs to approach the chips or detach the targeted devices physically is known as invasive attacks. High skills and specialized tools are required to launch invasive physical attacks, depending on the type of attack to be established and the IoT device [92].
Noninvasive attacks: in this category of physical attacks, the attacker approaches the targeted devices using the device's input interface. These attacks harm the targeted IoT devices without physical damage.
Semi-invasive attacks: in this category of physical attacks, the attacker approaches the targeted IoT devices without interacting with internal structures and wires.
Jamming attacks: these attacks are designed to block IoT network wireless communication channels by employing malicious nodes that generate noise signals [94]. Other categories known as reactive jamming attacks generate the interfering signals only when the transmission channels communicate [95].
Object replication: in this type of attack, the intruder injects a duplicate node into the IoT network to alter its function. The objective of object replication attacks is to steal the information and authentication credentials by introducing a replicated malicious node [96,97].
Malicious node injection attacks: in malicious node injection attacks, attackers physically inject a malicious node between two or more existing nodes of an IoT network. The term "man in the middle attacks" can also be referred to as "malicious node injection attacks" [91,98].
Sleep denial attack: these attacks affect the sleep mode and keep the device awake to increase the battery consumption and affect IoT devices. In some cases, these attacks transfer unauthenticated packets; the decoding of these transmitted packets causes wastage of battery. The intruder observes the IoT networks to determine when to reseal the packet [99,100].
Tampering attacks: the main objective behind node tampering attacks is to access the IoT device to alter other communication layers' functions or steal data like cryptographic keys [101,102].
Permanent denial of service (PDoS): permanent denial-of-service (PDoS) attacks, also known as phlashing, damage the device so severely that it requires replacement or reinstallation of hardware. BrickerBot, coded to exploit hard-coded passwords in IoT devices and cause a permanent denial of service, is one such example of malware that could be used to disable critical equipment on a factory floor, wastewater treatment plant, or an electrical substation [103].
Fake node injection: fake node injection attacks are among the most damaging attacks for IoT devices. Attackers insert a malicious node or generate a false identity with the help of a fake node to access the IoT network, so that incorrect information flows to all the nodes in the network [104]. These attacks also lead to poor performance by consuming whole IoT system resources. In worse cases, false node injection attacks can destroy the entire IoT network or help the attacker take complete control of the IoT network [105].
Hardware Trojan: in HT, attackers physically insert a malicious circuit or modify an existing circuit in IoT devices to alter the circuit's operation [107]. The primary purpose behind Trojan attacks is to bypass the authentication and access control mechanisms, steal information, or seriously damage the chips [106].
Outage attack: outage attacks prevent remote IoT devices from completing their routine task. In worse cases, these attacks turn off IoT devices. Outage attacks may launch a sleep denial attack and drain the battery to shut down the remote IoT device [108]. An example of these attacks is Stuxnet, inserted in Iran's nuclear process control program. Due to the Stuxnet attack, the system cannot detect emergency conditions. Therefore, it does not turn off [109].
Tag cloning: the tag cloning attacks scan the RFID tags from the targeted device into the attacker's defined RFID tag, providing access to confidential information about individuals. The tag cloning attacks can cause financial loss and damage the manufacturer's image in the market [110]. Tag cloning attacks are launched to access highly confidential data such as bank account information [111].
Radio frequency interference attacks: in RF interference attacks, powerful radio frequency signals are utilized to disrupt RFID communication between IoT devices. Attackers use radio frequency signals to generate solid interfering signals, known as radio jamming attacks [96,112].

A detailed comparison of physical attacks in IoT devices has been summarized in Table 5.
(2) Network Attacks. The network attacks are classified into the following subtypes.
Sinkhole attack: to launch sinkhole attacks, intruders inject a malicious node that presents itself to other IoT network nodes as the best shortest channel for communication. This malicious node collects and "sinks" all of the information packets which flow on the targeted IoT network. Therefore, this malicious node is called a "sinkhole," and these attacks are named "sinkhole attacks" [113]. These attacks reduce the performance of targeted networks because the whole traffic of the IoT network flows towards the sinkhole. Still, this malicious node does not drop even a single message packet; these attacks also harm other performance-related attributes like efficiency and reliability of communication and disrupt the network protocols, especially the RPL protocol of IoT networks [114,115].
Wormhole attack: in wormhole attacks, the attackers generate private channels between two or more nodes of an IoT network by controlling these nodes or injecting malicious code into the network to alter the transmission path. The attackers receive the transmitted information and send only selected packets to the destination. Wormhole attacks are launched to damage network topologies and disturb network traffic [116][117][118].
Sybil attack: in Sybil attacks, attackers generate multiple fake identities by injecting a malicious node that pretends to be multiple ordinary users. A single user or attacker launches divergent identities by utilizing a single platform. Fake profiles on social media sites like Twitter, Facebook, or Instagram also fall into Sybil attacks [119]. They also can be launched to attack routing algorithms [14].
Selective forwarding: in selective forwarding attacks, the attacker launches a malicious node placed on the route between the source and a destination node. It acts like a black hole that receives all the message packets flowing on the IoT network, but in the case of selective forwarding, the malicious node sends only particular message packets to the destination and drops the remaining message packets. Selective forwarding attacks can filter all types of traffic [120,121].
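A detection-side view of the selective forwarding behaviour described above, as an added example that is not from the reviewed papers: a watchdog neighbour compares the packets handed to each relay with the packets it overhears the relay retransmit, per traffic kind. The record layout, node names, thresholds, and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict


def build_sample_log():
    """Return constructed watchdog observations (not captured traffic).

    Each record is (relay, packet_id, traffic_kind, event): "rx" means the
    packet was handed to the relay, "fwd" means a neighbour overheard the
    relay retransmitting it.
    """
    behaviour = {
        "n1": lambda i, kind: False,             # honest relay
        "n2": lambda i, kind: True,              # drops every packet
        "n3": lambda i, kind: kind == "sensor",  # drops one traffic kind only
        "n4": lambda i, kind: i == 9,            # a single benign loss
    }
    log, pid = [], 0
    for relay, drops in behaviour.items():
        for i in range(20):
            kind = "sensor" if i % 2 == 0 else "control"
            pid += 1
            log.append((relay, pid, kind, "rx"))
            if not drops(i, kind):
                log.append((relay, pid, kind, "fwd"))
    # n5 has relayed one packet so far: too little evidence to judge.
    log += [("n5", pid + 1, "sensor", "rx"), ("n5", pid + 1, "sensor", "fwd")]
    return log


def forwarding_stats(log):
    """Map relay -> {traffic_kind: (forwarded, received)}."""
    rx, fwd = defaultdict(set), defaultdict(set)
    for relay, pid, kind, event in log:
        if event == "rx":
            rx[(relay, kind)].add(pid)
        elif event == "fwd":
            fwd[(relay, kind)].add(pid)
    stats = defaultdict(dict)
    for (relay, kind), received in rx.items():
        # Count only forwards that match a packet the relay was given.
        forwarded = len(received & fwd[(relay, kind)])
        stats[relay][kind] = (forwarded, len(received))
    return dict(stats)


def classify(stats, min_ratio=0.8, min_samples=5):
    """Label each relay from its per-kind forwarding ratios."""
    verdicts = {}
    for relay, per_kind in stats.items():
        total_fwd = sum(f for f, _ in per_kind.values())
        total_rx = sum(n for _, n in per_kind.values())
        if total_rx < min_samples:
            verdicts[relay] = "insufficient-data"
            continue
        if total_fwd == 0:
            verdicts[relay] = "black-hole"
            continue
        judged = [k for k, (_, n) in per_kind.items() if n >= min_samples]
        starved = sorted(k for k in judged
                         if per_kind[k][0] / per_kind[k][1] < min_ratio)
        if not starved:
            verdicts[relay] = "ok"
        elif len(starved) == len(judged):
            # Uniform loss: could be a grey hole or simply a bad link.
            verdicts[relay] = "grey-hole-or-bad-link"
        else:
            # Loss concentrated on some traffic kinds is the selective pattern.
            verdicts[relay] = "selective-forwarding:" + ",".join(starved)
    return verdicts


if __name__ == "__main__":
    for relay, verdict in sorted(classify(forwarding_stats(build_sample_log())).items()):
        print(relay, verdict)
```

Judging each traffic kind separately is what separates a relay that filters one kind of packet from a lossy link, whose drops are spread across all kinds.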
Traffic analysis attack: in traffic analysis attacks, the attackers launch a malicious node to observe the daily traffic routines and collect the routing information. The encryption of message packets is not enough to protect the IoT network from traffic analysis attacks. The greater the distance from the root node, the less information is collected [122].
Man in the middle attack: in man in the middle attacks, attackers launch a malicious node between two nodes to intercept the two nodes' communication without their permission. The concept of man in the middle attacks is similar to the middle person who intercepts the communication between two persons by opening the letters before handing them over to the original recipient. IoT devices can launch these attacks by implementing various SSL hijacking, session hijackings, DNS spoofing, or sidejacking [111,123].
Routing information attack: routing information attacks are launched to redirect, spoof, misdirect, and drop the information packets. These attacks are projected to alter the way of message routing [104]. The altering attacks also fall in this category, launched to modify the routing information. Network partitioning, routing loop, rushing, and replay routing information are also subtypes of routing information attacks [120].
RFID spoofing: in RFID unauthorized access, attackers read the information of RFID tags without user permission. RFID systems do not have robust mechanisms to protect IoT devices because RFID tags are readable to everyone [124].
RFID unauthorized access: in RFID unauthorized access, attackers read the information of RFID tags without user permission. RFID systems do not have robust mechanisms to protect IoT devices because RFID tags are readable to everyone [124].
Replay attack: in replay attacks, an attacker receives, stores, intercepts the message packet, replays or resends it, and presents it as its own packet. Intruders gain the trust of the targeted IoT node by sending a message packet. Once attackers develop confidence, they access specific information such as packets received by the sensors or message packets sent to a cloud-based server [125]. The replay attacks are deceptive attacks that decrease network performance because they utilize network resources like bandwidth and are launched against protocols used for authentication [126].
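A receiver-side check that rejects the resent packets described in the replay attack entry, as an added example that is not taken from the reviewed papers. The frame layout (4-byte device id, 8-byte counter, payload, 32-byte HMAC-SHA256 tag), the names `seal` and `Receiver`, and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">IQ")   # assumed layout: device id, message counter
TAG_LEN = 32                    # HMAC-SHA256 output size in bytes


def seal(key, device_id, counter, payload):
    """Sender side: authenticate the header and payload together."""
    body = HEADER.pack(device_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if it is authentic and newer than the last one."""

    def __init__(self, keys):
        self.keys = dict(keys)   # device id -> shared key
        self.last_counter = {}   # device id -> highest counter accepted

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return (False, "malformed")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            return (False, "unknown-device")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison; verify before touching replay state so a
        # forged frame cannot advance the stored counter.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad-tag")
        if counter <= self.last_counter.get(device_id, -1):
            return (False, "replay")
        self.last_counter[device_id] = counter
        return (True, body[HEADER.size:])


def demo():
    """Run a constructed exchange and return the receiver's decisions."""
    key = bytes(range(32))                      # constructed sample key
    rx = Receiver({7: key})
    first = seal(key, 7, 1, b"temp=21.5")
    # Captured frame with the counter field rewritten but the old tag kept.
    bumped = HEADER.pack(7, 2) + first[HEADER.size:]
    return [
        rx.accept(first),                       # fresh frame
        rx.accept(first),                       # same bytes sent again
        rx.accept(bumped),                      # counter edited in transit
        rx.accept(seal(key, 7, 2, b"temp=21.7")),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the counter is covered by the tag, a stored frame can neither be resent unchanged nor have its counter raised to look fresh.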
DoS/DDoS attack: DoS attacks also affect network communication.DoS attacks are launched to affect data transmission between nodes by jamming the radio signals or injecting the fake malicious node on the IoT network [104].
A detailed comparison of network attacks in IoT devices has been summarized in Table 6.
(3) Software Attacks.Software attacks are malicious programs or codes that are put down purposefully to damage, harm, or gain unauthorized access to someone's device.
Operating system attacks: operating systems have to run many services and many open ports; by using these open ports, attackers installed malicious programs to alter the functions and steal the data or information.
Viruses: it is a computer program that can make copies by replicating itself and can infect other devices by transmitting via transferring infected files through wire or wireless networks, USBs, or different such types of portable devices.Due to limited memory and storage space and lack of update mechanisms, it is challenging to secure IoT gadgets from viruses, so they quickly become victims of attackers.Mirai, SILEX, Stuxnet, and BrickerBot are some types of viruses created to attack IoT devices [112].CIH is a virus that attacks BIOS, and due to the CIH Virus attack, IoT devices are unable to boot [130].
Worms: a worm is a virus that can replicate itself but cannot alter the system's files or functions.Worms continuously repeat themselves to create copies and fill the entire disk and memory space, so worms slow down or crash IoT devices.UbootKit is a worm that infects divergent types of IoT devices and affects the bootloader of IoT gadgets.This worm can transfer from one device to another and fully control these devices [130].Linux bricking worm can disable the infected IoT device [131].Silex is another worm that overwrites IoT devices' storage disks [132].BrickerBot is a worm that destroys or bricks the infected IoT devices [133].
Trojan horse: Trojans are malicious programs that seem harmless to the user and are downloaded and installed into the device by tricking them.After activation, it harms the user's devices by stealing data, deleting user files, or spreading viruses, worms, or other malicious applications.Hackers can control IoT devices through Trojan attacks or capture username, passwords, screenshots, bank details, and account information [134].Hackers use Zeus Game over Trojan to attack IoT devices to access bank account details [135].
Phishing attacks: in phishing attacks, the malicious program is usually intruded on by a fraud communication that appears to come from reliable sources.Phishing attacks' objective is to steal information like the device's password or username or activate a malicious application into an IoT device [91,136].
Backdoor attacks: back door is a malicious and complex code that can bypass authentication processes to remotely access system resources.The operating systems for IoT devices like RTOS or Contiki have back doors that can be used to gain unauthorized access [137].This type of attack has been designed to hack an IoT system by breaking its security mechanisms such as cryptography and authentication using different techniques.
Brute force search attacks: brute force search attacks are programs that use divergent techniques to hack and break IoT applications' security mechanisms [138].
A detailed comparison of operating system attacks in IoT devices has been summarized in Table 7.
(4) Web Attacks. IoT web applications have numerous weaknesses due to poor coding. Hackers use these weaknesses to access these IoT web applications' databases or servers containing sensitive personal or financial information. In some cases, the IoT web applications are linked with other infected applications, due to which these software applications become vulnerable to different attacks [112]. The standard web application attacks are the following.
DDoS attacks: in DDoS attacks, hackers block the system or network resources. The most common example of a DDoS attack in IoT is denial of access to a resource by flooding it with too many requests [23,139].
Exploitation of a misconfiguration: security misconfiguration is improper configuration settings or mistakes in the configuration which cause misuse of data, privileges, and passwords. Poorly configured IoT applications lead to security- and privacy-related issues. In many IoT devices, the poor configuration, default settings, or technical issues of databases, operating systems, and other such components give rise to many security problems.
Malicious code injection: malicious code injection is when attackers attempt to control IoT devices or IoT networks by physically introducing malicious code into the device or IoT network nodes. The main goal of injecting this code is to steal data and bypass the access controls [91,112,140].
SQL injection attacks: SQL injection attacks are a subcategory of injection attacks. In these attacks, attackers inject malicious SQL queries to access a database server and retrieve information that is otherwise inaccessible to them [141].
Path-based DoS attacks: in these attacks, attackers target end-to-end communication over multihop paths by flooding them with data packets. Path-based DoS attacks can be launched quickly and affect or destroy a very large portion of IoT networks, usually wireless sensor-based networks. They harm IoT networks by sending too many legitimate packets and engaging the whole network's resources toward the desired device [142,143].
Malware is an abbreviation of malicious software intentionally designed to damage computers and IoT devices to steal personal data, bypass access controls, and harm computers and IoT devices without the user's permission. Aidra, Mirai, and Bashlite are IoT malware families that scan machines for open ports to gain access [144].
Spyware: malicious hackers attack IoT devices by using spyware. Spyware applications are malicious software that collect information about users' activities without their knowledge instead of physically damaging IoT devices. Some IoT spyware like Duqu is designed to monitor users' web browsing habits [145]. IoT spyware can record videos and send them to intruders through emails. sKyWiper is another example of spyware. This spyware can record microphone signals or communication and send them to intruders through a Bluetooth connection [134].
Reprogram attack: in reprogramming attacks, intruders attack IoT devices by using weakly protected programming code; attackers modify or reprogram the code to control IoT devices or, in some cases, they hijack the code to contain the entire IoT network. IoT devices can easily be reprogrammed remotely by modifying network programming systems [146].
A detailed comparison of web application attacks in IoT devices has been summarized in Table 8.
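The SQL injection item above can be made concrete with a small IoT telemetry lookup, shown first in its weak form and then hardened. This is an added example, not code from the reviewed papers; the table, column names, and sample rows are constructed assumptions.

```python
import sqlite3


def make_db():
    """In-memory telemetry store with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (device_id TEXT, owner TEXT, value REAL)")
    db.executemany(
        "INSERT INTO readings VALUES (?, ?, ?)",
        [("thermo-1", "alice", 21.5),
         ("thermo-2", "alice", 19.0),
         ("lock-7", "bob", 1.0)],
    )
    return db


def readings_vulnerable(db, owner, device_id):
    # Weak form: request values are concatenated into the SQL text, so a
    # quote character in device_id changes the structure of the query.
    sql = ("SELECT device_id, value FROM readings "
           "WHERE owner = '" + owner + "' AND device_id = '" + device_id + "'")
    return db.execute(sql).fetchall()


def readings_hardened(db, owner, device_id):
    # Hardened form: placeholders keep the values as data; the query text
    # is fixed and the owner filter can no longer be bypassed.
    sql = ("SELECT device_id, value FROM readings "
           "WHERE owner = ? AND device_id = ?")
    return db.execute(sql, (owner, device_id)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing a quote
    print("vulnerable:", readings_vulnerable(db, "alice", crafted))
    print("hardened:  ", readings_hardened(db, "alice", crafted))
```

With the crafted input, the weak query returns every owner's rows, while the parameterized query returns none.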
(5) Firmware Attacks. New vulnerabilities are designed to attack the Internet every day, so installing new security patches and updating the firmware in IoT devices are very important. The diverse variety of IoT devices cannot update their systems regularly.
Control hijacking: in this type of attack, intruders modify code to hijack the IoT system's control and affect the control flow. These attacks include format string vulnerabilities, buffer overflow attacks, and integer overflow attacks [147].
Reverse engineering: in reverse engineering attacks, intruders damage embedded IoT devices and generate serious issues by analyzing IoT software such as firmware. Attackers look for input parsing errors in the program's code, and then, the attacker advertises his skills to resolve the issue and gets access to the device's sensitive data [148,149].
Eavesdropping: eavesdropping attacks are passive attacks in which attackers take advantage of poorly secured network transmission and steal information during transmission from IoT devices. In other words, intruders secretly hear or read the victim's conversation. Eavesdropping attacks are hard to detect because they do not affect the IoT network's normal working [70,150].
A detailed comparison of firmware attacks in IoT devices has been summarized in Table 9.
(6) Side-Channel Attacks. Side-channel attacks are the most severe hardware-based IoT attacks. IoT devices are more vulnerable to these attacks due to limited resources like battery power, storage, and processing power, the open doors for side-channel attacks, and the problematic detection of these malicious programs [151,152].
Timing attacks: timing attacks are launched by implementing timing variations such as overclocking, which is frequently utilized to inject malicious nodes or other IoT gadgets' faults to leak sensitive information [107]. These attacks can measure the time an application takes to finish specific tasks and then utilize it to steal sensitive data like bank account numbers, PIN codes, passwords, and cryptographic keys. The purpose behind side-channel timing attacks is to extract the key of encryption algorithms [93,153].
Power analysis attacks: in power analysis, attackers closely measure the power consumed by various cryptographic hardware components of IoT devices and then analyze electric current change to extract the confidential information stored in devices. Power analysis attacks are further classified into three subcategories, i.e., simple power analysis attacks (SPA), differential power analysis attacks (DPA), and correlation power analysis attacks (CPA), which are described below [20,93,107,154].
Fault analysis attacks: in fault analysis attacks, the attacker introduces a crypto node with a fault and then analyzes the difference between correct and faulty text to extract the cryptographic key value. To launch this attack, the intruder requires special knowledge about the design of the hardware devices. To inject the fault, attackers use various techniques like voltage glitching, tampering with the clock pin, EM disturbances, and laser glitching [65,154,155].
Electromagnetic attacks: attackers capture and analyze electromagnetic radiation to extract sensitive personal information from IoT devices' hardware components like display screens. In some cases, attackers place a microantenna closer to the integrated circuit (IC) to capture electromagnetic signals. These electromagnetic attacks are used in military operations [93,107,156].
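The timing item above says the time an application takes to finish a task can leak PINs or keys. The added example below (not from the reviewed papers) models run time as the number of bytes a comparison examines, so the leak is visible deterministically; the stored PIN and guesses are constructed values.

```python
import hmac

# Constructed sample values for illustration only.
STORED_PIN = b"4921"
GUESSES = [b"0000", b"4000", b"4900", b"4920", b"4921"]


def early_exit_compare(secret: bytes, guess: bytes):
    """Weak form: returns at the first mismatching byte.

    Returns (equal, bytes_examined); bytes_examined stands in for run time.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def fixed_work_compare(secret: bytes, guess: bytes):
    """Hardened form: examines every byte and decides only at the end."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g  # accumulate differences without branching on them
    return diff == 0, examined


def work_profile(compare, secret, guesses):
    """Work done per guess; a flat profile reveals nothing about the prefix."""
    return [compare(secret, g)[1] for g in guesses]


def verify_pin(stored: bytes, supplied: bytes) -> bool:
    # In real code use the standard library's constant-time comparison.
    return hmac.compare_digest(stored, supplied)


if __name__ == "__main__":
    print("early exit:", work_profile(early_exit_compare, STORED_PIN, GUESSES))
    print("fixed work:", work_profile(fixed_work_compare, STORED_PIN, GUESSES))
```

The early-exit profile grows with the length of the correct prefix, which is the signal a timing measurement recovers; the fixed-work profile is flat.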
Cryptanalysis attacks: the ciphertext-only attacks are launched to access encrypted information or ciphertext only; these attacks cannot let the attacker get the corresponding plaintext. The main challenge in these attacks is to convert the ciphertext into plaintext, which determines these attacks' success in IoT systems [157].
Known-plaintext attacks: in known-plaintext attacks, the attacker's main challenge is to extract the plaintext from the crypto text with some known plaintext, which is a small portion of this crypto text. To guess the remaining part of the crypto text, attackers may implement various methods like detecting the encryption key, or different shortcut techniques can also be applied [157].
Chosen-plaintext: in chosen-plaintext attacks, attackers access the encryption devices to extract the algorithm that encrypted the plaintext. The attacker then utilizes this encryption algorithm to determine the encryption key by converting various time-divergent chosen plaintexts into crypto text and then analyzing and comparing the resultant crypto text, through which the attacker generates the encryption key of an IoT-based cryptosystem [157,158].
Chosen-ciphertext attacks: in chosen-ciphertext attacks, attackers attempt to get temporary access to the decryption mechanisms by converting the chosen ciphertext into plaintext and then using this plaintext to decrypt the subsequent ciphertext. Chosen-ciphertext attacks are related to decryption mechanisms in IoT systems [158].
(7) Access-Level Attacks. The IoT system contains limited resources and infrastructure, making them more vulnerable
Active attacks: in active attacks, attackers read and attempt to modify the IoT-based system's message packets or hardware. These vigorous attacks affect the working of IoT networks. They can disrupt routing protocols by altering routing information [159]. The primary purpose is to insert errors or noise signals in message transmission [113,160].
Masquerade attacks: in masquerade attacks, the attacker presents itself as another authenticated or real user and transmits data on the IoT network by using this fake identity [159].
Modification of message: in modification attacks, attackers tamper with the message packets; they modify data, change the sequence of message packets, or cause delays in the delivery of the targeted message packets [159].
Repudiation: in repudiation attacks, attackers successfully send or, in some cases, receive a message and afterward deny having received or sent any such message [159].
Replay: in replay attacks, intruders read a message, modify it, and send it to the original recipient without their knowledge [126].
Denial of service attacks: in denial of service attacks, attackers make too many requests for resources to decrease IoT networks' performance [104].
(8) Passive Attacks. In passive attacks, the attacker accesses the message or steals the information stored in an IoT system and utilizes this data but does not modify the stolen content. These attacks do not damage the targeted IoT systems but affect confidentiality. The main objective behind passive attacks is to steal secret sensitive information like bank account numbers, PIN codes, and passwords. In passive attacks, intruders observe circumstances and can switch from passive to active attacks [113,160,161].
Traffic analysis attacks: in a traffic analysis, the attacker secretly observes and stores information about the IoT network. They record properties of the transmitted message packets, like length, size, or sequence, which may help the attacker guess the conversation's nature [122].
Privacy attacks: in this type of attack, the intruder observes and records confidential, sensitive information and publicly leaks this information later. These attacks are known as the "release of message content" [162].
(9) Strategy Attacks. To target IoT devices, attackers utilize different techniques that extract confidential information for an attacker. These techniques implement various strategies to inject malicious code, malicious nodes, or errors in IoT devices. Some require physical interaction and damage the hardware devices, while others can be implemented remotely.
Logical attacks: in logical attacks, attackers remotely access the IoT devices to launch the bug without physically damaging the device. In other words, the attacks in which attackers logically access the IoT devices by utilizing communication channels are named "logical attacks" [163].
Physical attacks: to launch physical attacks, attackers need to physically approach the targeted IoT device. These attacks also severely damage and modify the settings and configuration of the target IoT device. Tampering attacks and malicious node injection are examples of physical attacks [164,165].
(10) Adversary-/Location-Based Attacks. An attacker can be an insider who understands the targeted IoT system or resides inside the boundary of the targeted IoT network, or it can be an outsider without any knowledge about the system who launches the attack from anywhere; therefore, based on adversary location, IoT attacks are classified into two main types, i.e., internal attacks or external attacks.
Internal attacks: an insider who has access to the device injects the malicious code or nodes in the IoT network. In these attacks, attackers belong to the same IoT network; they have deep knowledge about the implemented software technology, hardware devices, and complete IoT infrastructure [166]. These attacks are divided into four categories, i.e., unintentional actors, technology perception actors, compromised actors, and emotional attackers. These attacks affect the network layer and physical layer [167].
External attacks: in external attacks, an outsider remotely accesses the IoT network to inject an error or bug. Attackers launch these attacks from anywhere or can utilize any other public network. Attackers have almost zero or very little knowledge about the implemented technology and architecture of the targeted IoT system [168,169].
(11) Host-Based Attacks. In host-based attacks, attackers target IoT devices' operating systems to extract cryptographic keys and other confidential information. Host-based attacks are launched by attacking host systems of IoT devices. These attacks are classified into three types, i.e., user-compromised attacks, software-compromised attacks, and hardware-compromised attacks.
User-compromised attacks: user-compromised attacks are launched to extract confidential data from IoT devices such as passwords, keys, and bank account details. In some cases, attackers launch these attacks to read or even hear users' conversations [119].
Software-compromised attacks: software-compromised attacks are launched to exhaust IoT systems by overflowing the resource buffers. One example of a software-compromised attack is suddenly running down the battery of battery-operated IoT devices [168].
Hardware-compromised attacks: in hardware-compromised attacks, attackers tamper with the hardware of IoT systems to steal data or inject bugs and malicious nodes. To launch these attacks, attackers need to physically access the IoT devices [119].
3.3.5. RQ5: How the Advanced Technologies Resolve These Security and Privacy Issues? Undoubtedly, putting all the things on IoT gives us many intelligent devices to enhance digitalization. But still, there are many security and privacy issues in the IoT that can be solved by integrating some advanced technologies to become more secure.
The blockchain technique can ensure the security of IoT that got compromised. A blockchain is a decentralized approach that makes an immutable database. The following features make it more trustworthy while discussing security. The miners timestamp a chain of blocks and perform validation. Blockchain uses a powerful hashing technique, SHA-256, for the authenticity and integrity of data. Digital signatures are implemented for verification. All the changes are made by verifying other blocks, i.e., having the valid node address. Putting data into or retrieving data from a partnership does not involve any third party, which gains global trust. The connectivity of IoT with so many other devices makes it easy to attack. Blockchain is considered to get IoT out of vulnerability.
Especially in IoT, it becomes difficult to detect any countermeasures with the growing threats and their complexity level when numerous devices are attached [170]. Artificial intelligence (AI) could play a valuable role here; the concept is that a system or machine is trained by giving it some data. The given data makes a cognitive memory, and the system becomes artificially intelligent for the desired scenarios [171].
Artificial intelligence is followed by machine learning and deep learning algorithms that make machines artificially intelligent and efficient to make intelligent decisions [172,173]. While discussing the IoT, an artificially intelligent system that uses an algorithm and machine/deep learning for processing the data can be trained to detect any threat and perform specific actions [174,175].

Conclusion
This study emphasizes IoT systems' major security concerns to let the users know about the risks associated with these gadgets. For better understanding, IoT threats have been classified into different categories. Further, a detailed comparison of each class is provided.
The attacks launched by injecting malicious nodes to steal information packets and reduce the network's performance are classified as network attacks. To target both security and privacy simultaneously, attackers launch side-channel attacks. In cryptanalysis attacks, the attacker accesses the decryption key to convert ciphertext into plaintext. In access-level attacks, attackers take advantage of the limited resources to steal or alter the information. In active attacks, attackers read and modify the message packets, while in passive attacks, attackers can read the message but do not make any modifications. In strategy-level attacks, attackers implement various strategies to inject malicious code into the IoT devices. Some attacks require physical interaction and damage the hardware devices, so they are called physical attacks, while others can be implemented remotely; therefore, they are called logical attacks. An attacker can be an insider who understands the targeted IoT system or can be an outsider without any knowledge about the system; therefore, IoT attacks are classified into internal or external attacks based on adversary location. In hardware-compromised attacks, the attacker tampers with hardware to steal data. Software attacks are the injection of malicious programs purposefully to gain unauthorized access to the device. Due to poor coding, hackers access these IoT web applications, databases, or servers. Attacks launched due to a lack of firmware updates are called firmware attacks.
Further, we have classified these categories into subcategories. More than 75 IoT security threats are discussed in this systematic literature review to help manufacturers to secure IoT systems. In this modern era, new emerging technologies like blockchain, artificial intelligence, machine learning, and other advanced technologies (fog and cloud computing) are integrated with IoT technology to resolve security and privacy challenges. These emerging technologies, especially blockchain technology, can provide a better and more cost-efficient solution for IoT security issues. In the end, we sum up this review paper by suggesting some future research ideas in IoT security, which still need researchers' attention.

3.1.1. Study Selection. This step describes the criteria to select material by studying the abstract, introduction, and conclusion sections of different research papers. Only those research articles are selected that fulfill the following requirements:
(i) Written in the English language
(ii) Describe the security challenges of IoT devices
(iii) Discuss the emerging technology-based solutions to IoT devices' security and privacy issues
(iv) Provide information about IoT devices
(v) Provide information about IoT threats
(vi) Present techniques to solve the problems of IoT devices
(vii) Published between 2003 and March 2021
Further, some absolute principles are excluded:
(i) Papers are not written in the English language
(ii) Papers related to IoT devices and applications were issued before 2003
(iii) Papers do not relate to IoT devices
(iv) Papers with less than four pages
(v) Papers that do not report any empirical study and solution
(vi) Papers without significant opinions and viewpoints
(vii) Irrelevant theses

3.1.5. Specifying the Research Questions. The research questions are made based on the existing research studies. The significant articles and in-depth knowledge motivate us to create questions.

Figure 2: Flow diagram for the inclusion and exclusion criteria.

Figure 3: Databases used to search research papers.

Figure 5: Phases for conducting the review.
Figure 6: Growth in IoT

3.4. Future Research Directions. Future directions provide the door for researchers to continue research in this significant area.
(1) There is a need to develop a standard platform to share IoT-based research datasets
(2) Keeping in mind the limited resources of IoT devices is the cost-efficient way to resolve IoT systems' security issues
(3) There is a need to develop a cost-efficient blockchain-based solution to resolve IoT systems' security issues
(4) There is a need to develop the most efficient artificial intelligence-based solution to resolve IoT systems' security issues
(5) Secure the data stored in a remotely located publicly accessible IoT system under the control of attackers
(6) Implementing emerging technologies can resolve maximum security issues of IoT systems

Table 1: Comparison of security and privacy attacks in IoT.

Table 2: IoT security threats and attacks.

3.1.2. Data Extraction and Quality Assessment. To perform the quality assessment of this article, both qualitative and quantitative methods are used. There is no restriction in terms of experimental design. A quality assessment study checklist ensures the data extraction fulfills the quality criteria. Table

Table 3: Comparison of cyberattacks in IoT applications.

Table 4: Quality assessment of the survey.

Table 5: Comparison of physical attacks in IoT.

Table 6: Comparison of network attacks in IoT.

Table 7: Comparison of operating system attacks in IoT.

Table 8: Comparison of web application attacks in IoT.

Table 9: Comparison of firmware attacks in IoT.