Table 1. An overview of topics discussed in this article.

Infection Pathways
  Physical
  In-person
  Secondhand via Infected Device
  Found
  Gift
  Infected from Manufacture
  Lent
  Returned
  Used
  Technological
  Remote or In-network
  Direct Compromise
  Eavesdropping
  Man-in-the-Middle
  Social Engineering

Human Assets
  The Biosphere
  Emotional Well-being
  Financial Well-being
  Personal Data
  Physical Well-being
  Relationships
  Societal Well-being

Defensive Goals
  Device Privacy
  Device Availability
  Device Operability
  Command Authenticity
  Execution Integrity
  Data Privacy
  Data Integrity
  Data Availability
  Environment Integrity
  Activity Pattern Privacy
  Presence Privacy
  Occupant Identities
  Sensed Data Privacy
  Sensor Validity
  Sensor Availability

Device Risk Axes
  Potential Exposure to Attack
  Communication Capabilities
  Communication Behavior
  The Cloud
  Software Updates
  Configuration Defaults, User Interfaces, and Users
  Sensors
  Actuators
  Power
  Connectedness
  Storage and Computation

The home is filled with a diverse range
of technologies with varying levels of
security, hybrid communication structures, and no centralized security management system. From a human perspective, the home contains private and
semi-private spaces shared by children,
parents, siblings, elderly, roommates,
and guests. Interpersonal dynamics,
varying levels of security expertise, and
different social and technical preferences all contribute to complicating the
home technology security landscape. In
order to effectively create and evaluate
defenses, it is important to first understand the threat landscape.
Attack Scenarios. One unique aspect
of the new home technology space is
the vast array of attacks that it enables—
many of which differ in effect from Web
or desktop attacks. The increasing presence of electronics in the home—
controlling our houses and coordinating
our lives—provides unique opportunities for the technically savvy criminal.
Table 2 breaks down attacks into three tiers: low-level mechanisms,
intermediate goals, and high-level goals. The low-level mechanisms listed in
Table 1—such as denial-of-service attacks, tampering with logs, or eavesdropping
on network traffic—will be familiar to anyone who has experience with computer
security. However, the additional focus on sensors and actuators is something
that is not generally encountered with traditional computing devices.
Similarly, the high-level goals behind the attacks (blackmail, extortion, theft,
and vandalism, among others) are the same motivations that one encounters
with all criminal activities. Arguably, the most novel aspects of attacks on
the home ecosystem are the intermediate goals: the ways in which the unique
capabilities of devices or the assets to which they have access enable criminal
opportunities.
Attack targets. For many types of
attacks, an adversary could either attempt to target a particular person of
interest or simply take advantage of
known hardware and software flaws to
indiscriminately attack any vulnerable
victim. Attacks on a designated person
require that the adversary identify useful exploits for the target’s particular
technology configuration. On the other
hand, for attacks on “low-hanging” targets—attacks of exploitative opportunity—the adversary need only focus on
a known exploit and locate victims who
are vulnerable to that exploit.
The physical and the electronic. At a
high level, it is interesting that the presence of actuators and sensors in the new
home environment allows interactions
between the physical and electronic
states of devices. It is possible to perform electronic attacks with physical
consequences, but it is also possible to
perform physical attacks with electronic
consequences, or attacks that have both
physical and electronic components.
As an example of a physical attack that
has electronic (then physical) consequences, an adversary might apply a
bright, directed light source to an external light sensor in order to trick outdoor
flood lighting into turning off. Similarly,
one can imagine an attack where physically tricking a system sensor causes the
system to enter a fail-safe mode that is
more easily compromised via electronic
attack.
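
The flood-lighting case above is a sensor-validity problem: the controller acts on a single reading that anyone standing outside can influence. The following is an added example, not code from the article, of a controller that cross-checks the light sensor against the clock and against the previous reading, and keeps the lights on when they disagree so that the fallback state is not the weaker one. The thresholds, the fixed night window, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Assumed illustration values, not taken from the article.
DAY_LUX = 400.0        # at or above this the sensor is reporting daylight
MAX_RISE_LUX = 150.0   # largest plausible dark-to-bright rise between samples 60 s apart
NIGHT_START, NIGHT_END = time(21, 0), time(5, 0)  # fixed window; a real controller would use sunrise/sunset

@dataclass
class Decision:
    lights_on: bool
    alert: Optional[str]

def is_night(ts: datetime) -> bool:
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END

def decide(ts: datetime, lux: float, prev_lux: Optional[float]) -> Decision:
    """Floodlight decision for one sample, treating the light sensor as untrusted input."""
    if lux < DAY_LUX:
        return Decision(True, None)            # dark: lights on
    if is_night(ts):
        # Clock and sensor disagree: keep the lights on rather than trust the sensor.
        return Decision(True, "daylight reading inside night window")
    if prev_lux is not None and prev_lux < DAY_LUX and lux - prev_lux > MAX_RISE_LUX:
        # Dawn is gradual; a one-minute jump from dark to bright looks like a directed light.
        return Decision(True, "abrupt dark-to-bright jump")
    return Decision(False, None)               # plausible daylight: lights off

def replay(samples):
    """Run decide() over (timestamp, lux) pairs in order."""
    prev, out = None, []
    for ts, lux in samples:
        out.append(decide(ts, lux, prev))
        prev = lux
    return out

# Constructed samples, one reading per line.
SAMPLES = [
    (datetime(2024, 1, 10, 23, 0), 2.0),
    (datetime(2024, 1, 10, 23, 1), 900.0),   # bright light aimed at the sensor at night
    (datetime(2024, 1, 11, 7, 30), 300.0),
    (datetime(2024, 1, 11, 7, 31), 420.0),   # gradual dawn
    (datetime(2024, 1, 11, 19, 0), 5.0),
    (datetime(2024, 1, 11, 19, 1), 800.0),   # sudden jump at dusk, outside the night window
]

if __name__ == "__main__":
    for (ts, lux), d in zip(SAMPLES, replay(SAMPLES)):
        print(ts, lux, d)
```

The two alerts correspond to the two checks: the first catches a daylight reading while the clock says night, the second catches a spoof attempted outside that window.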
Infection Pathways. The challenges
of the home environment—such as its