its security efforts on the webcam toy over the wireless scale; nevertheless, given the scale’s potential effects on emotional well-being, eating, or exercise activities, the integrity of sensor readings might become a security priority if the product were being marketed toward users with eating disorders (Table 4).

Security siren. Finally, we turn to the security siren. Table 4 suggests the primary security goals for the siren are related to device operability and command authenticity. If an attacker can disable the siren, then the attacker might be able to enter a home without alerting those nearby, thereby rendering the short-term benefits of the home alarm system ineffective; the home security system might still automatically call the police, but the police will not arrive immediately. Since the market share is listed as small in Table 3, the likelihood of an attacker choosing to target this system today seems small; however, the market share may increase over time. Having identified device operability as a particularly pertinent security goal, the device manufacturer can once again implement techniques to harden the device. For example, the device could issue a distinctive alert if a denial-of-service attack renders the siren unavailable to the rest of the home automation network. The continuous sounding of an alarm could also cause a service interruption by tempting the user into turning off or ignoring the system; therefore, it is also important for the manufacturer to deploy defenses such as transmitting logs and incident reports to a monitoring agency.
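
One way the siren-side hardening described above could work, as an added example (not code from the article or from any product): the siren accepts only HMAC-authenticated keep-alives from the hub, enters a distinct state when none arrive in time, and queues incidents for the monitoring agency. The frame layout, key, timeout, and all names are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real credential
TIMEOUT_S = 30                 # assumed: max silence before the link-lost alert

def make_keepalive(key: bytes, counter: int) -> bytes:
    """Hub side: 8-byte big-endian counter followed by HMAC-SHA256 over it."""
    body = struct.pack(">Q", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SirenWatchdog:
    """Siren side: tracks the last authentic keep-alive and records incidents."""

    def __init__(self, key: bytes, now: float):
        self.key = key
        self.last_counter = -1
        self.last_seen = now
        self.incidents = []  # (time, message) queue for the monitoring agency

    def receive(self, frame: bytes, now: float) -> bool:
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(frame) != 40 or not hmac.compare_digest(tag, expected):
            self.incidents.append((now, "rejected: bad MAC"))
            return False
        (counter,) = struct.unpack(">Q", body)
        if counter <= self.last_counter:  # captured frame sent again
            self.incidents.append((now, "rejected: replayed counter"))
            return False
        # Only authentic, fresh frames reset the timer, so a flood of
        # forged or replayed traffic cannot keep the watchdog quiet.
        self.last_counter, self.last_seen = counter, now
        return True

    def state(self, now: float) -> str:
        """'ISOLATED' is the cue to sound the distinctive link-lost alert."""
        if now - self.last_seen > TIMEOUT_S:
            if not self.incidents or self.incidents[-1][1] != "link lost":
                self.incidents.append((now, "link lost"))
            return "ISOLATED"
        return "OK"

def demo():
    dog = SirenWatchdog(KEY, now=0.0)
    results = [dog.receive(make_keepalive(KEY, 1), now=10.0),       # authentic
               dog.receive(make_keepalive(KEY, 1), now=12.0),       # replay
               dog.receive(make_keepalive(b"wrong", 2), now=14.0)]  # forged
    return results, dog.state(20.0), dog.state(45.0), dog.incidents
```
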

Stepping back. As these examples illustrate, our framework can guide the analysis of potential security risks with technologies in the home. Devices in the home will likely incorporate varying degrees of security defenses, due in part to oversights by designers and developers, but also due to the costs associated with implementing security measures. By methodically evaluating a device’s potential exposure to attack and its attractiveness to adversaries (Table 3), as well as the potential impacts on security goals and human assets if the device is compromised (Table 4), one can assess the degree to which security might be important for a given device, as well as which security goals are the most important to address. This information can help developers focus their energies on the most significant risks of a design and help consumer advocacy groups direct their attention toward the computer security properties of the most concerning home technologies.

Conclusion

Our homes are increasingly becoming hubs for technologies with a wide variety of capabilities. While it would be ideal to strive for “perfect” security on all consumer devices, the reality is that resources such as time and money constrain these efforts. In the coming years, it will become increasingly important to improve the efficacy, interoperability, and usability of computer security solutions for the home. It remains to be seen what such a security solution would look like. It might take the form of a centralized security console that displays and controls device permissions and traffic [28]. The security system could incorporate trusted hardware, network intrusion detection systems, tiered security [6, 20], or cryptographic trust evidence of past transactions or device state.

We need a strategy for how to secure devices in the home. We need to understand the potential risks: risks that are a function of a device’s potential exposure to attack, its attractiveness as an attack target, and the potential impacts on human assets if the device is compromised. In this article, we explored the landscape of technological attacks on the home and provided a strategy for thinking about security in the home. In particular, we have identified human

Table 4. An approximate risk evaluation of the three example technologies considering how human assets might be impacted if defensive goals are not met. The cells are color-coded to indicate the approximate severity of the concern: dark orange (serious), light orange (moderate), and light blue (minor).

| | Mobile webcam toy | Wireless scale | Security siren |
|---|---|---|---|
| Device privacy | Device is interesting target | Device is not sensitive; not a theft target | Device is interesting target, may indicate affluent household |
| Device operability | Replaceable but not cheap; non-essential device | Replaceable but not cheap; non-essential device | Replaceable; destruction would disable security siren |
| Device availability | Non-essential | Non-essential | If unavailable weakens home security |
| Command authenticity | Potential minor property damage; could send spam or launch similar attacks | Could send spam or launch similar attacks | Continuous alarm an annoyance, could cause user to disable or ignore alarm |
| Data privacy | Videos of household, including children | Weights are private; online account credentials | N/A—does not store data |
| Data integrity | Could add disturbing images or sounds into stream | Inaccurate weights could cause shame, affect eating and exercise | N/A—does not store data |
| Data availability | Non-essential | Non-essential | N/A—does not store data |