nology will interact. For example, a nanny cam would allow an adversary to spy
on children; a networked storage server
might hold backups of tax records or
other financial data; and an electronically controlled door lock might allow full
access to a home, whereas an electronic
garage door opener would only allow
access to the garage. While one cannot
always anticipate how a device might be
repurposed, it is important to consider
future usage scenarios.
Sensors. If a device has sensors that
record data then it might be a target of
increased interest. The value of a sensor depends upon how much interest
the raw or mined data holds for the adversary: for example, microphones and
cameras have obvious value for voyeurs,
blackmailers, or even private investigators or industrial spies; accelerometers
might indicate whether or not a person
is awake; and devices with GPS or Wi-Fi
can be used to track an individual.
Actuators. A device holds increased
value for an adversary if it can be used
to effect changes in the physical world,
since cyber-physical systems are both
more efficient and less risky to use than
physically traveling to a home. Cyber-
physical effects of interest might in-
clude: locking or unlocking doors, cut-
ting off electricity or water, changing
thermostat temperatures, controlling
lights, and turning appliances such as
fireplaces on or off.
tying things together
We tie together our framework with
an example of how one might use it to
analyze or compare the potential risks
posed by different technology designs.
We present a conceptual investigation
of three technologies: a mobile webcam
toy, a wireless scale, and a siren for a
home security system. These technologies are not meant to be specific products, but rather amalgamations of products or exemplars of product categories.
They represent a range of target audiences, technical capabilities, and application scenarios.
˲ Mobile webcam toy. Consider a
mobile robotic webcam designed as a
telecommunications toy for children.
The toy can be used to drive around the
house, chat with a friend, or communicate with a parent away on business. The
toy broadcasts an ad hoc Wi-Fi wireless
network to which a client computer can
connect to view the webcam or drive the
robot; alternatively, port forwarding can
table 3. an approximate risk evaluation of the three example technologies via potential exposure to attack and attractiveness
of the attack target. the cells are color-coded to indicate the approximate severity of the concern: dark orange (serious),
light orange (moderate), and light blue (minor).
Mobile Webcam toy Wireless scale
Communication
Capabilities
Long-range (internet),
short-range (Wi-Fi),
uSB (physical)
Long-range (internet),
short-range (Wi-Fi),
uSB (physical)
Communication
Behavior
Communication with
external server;
Low inter-home mobility;
Accepts incoming
connections
software
updates
Manual
via uSB
Configuration Defaults,
user interfaces, and users
global default password;
Minimal ui inputs1;
Minimal notification of
connection (Led);
Children admins
Market share
Marginal
With external server;
Low inter-home
mobility; Rejects
incoming
connections
no
no default data protection;
Minimal ui inputs1; no visual cue
when data is accessed;
Adult admin
Marginal
security siren
Short-range
(Z-wave)
1. Configured with PC via uSB. 2. Programmed over short-wave.
Low inter-home mobility;
Highly connected to other
automation devices
no
Manual reset required to join
automation network; no ui inputs2;
no ui feedback; Adult admins
Marginal
