heterogeneous topology and the idiosyncrasies of its occupants—help enable novel or complex infection pathways. Mobile devices, infrastructure electronics, cyber-physical systems, guest devices, and machines brought home from work all commingle in one hodgepodge environment, increasing the exposure to compromise. Understanding the potential infection pathways—particularly nontraditional pathways—that malware might follow to compromise a device helps us understand its exposure to risk, which we use later in our characterization of device risk. The Infection Pathways column of Table 1 provides an overview of the kinds of pathways that malware can take to infect a device in the home.
Entry points. There are a number of entry points an adversary could use to attack home technologies. Electronically, a device on the home network might be compromised by a direct attack from a device external to the home, or compromised by an infected device within the home (whether stationary, mobile, or belonging to a guest). If a device is mobile and connects to an infected network, it might become infected. Physically, a device might be infected by a manual interface such as USB or CD. 5, 9 Alternative physical attack vectors include: receiving an infected device as a gift; purchasing a used, compromised device from a source such as eBay or Craigslist; purchasing a “new” device that has previously been purchased, infected, then returned; or purchasing a device that was infected during its manufacture. 11 Additionally, an adversary has a number of opportunities to socially engineer a user into installing malware, such as via app stores. 15, 21 As another vector, an adversary could take advantage of the increasing number of “prosumers”—consumers who jailbreak their devices or perform similar automated modifications—whose devices allow behaviors that go beyond the capabilities expected by the manufacturer’s typical APIs and might not receive security software updates.
Stepping back. As this survey of the attack scenarios and infection pathways shows, the risks with computer security vulnerabilities in home technologies are quite varied and, in some cases, significant. Here, we present a framework for more methodically identifying and prioritizing the security risks within the home.
Human Assets and Security Goals
To design a system for defending home technologies, it is necessary to understand the human assets that are at stake and the desired security goals. We present a casual taxonomy of goals for protecting human assets in the home (also shown in the Defensive Goals column in Table 1). The general goals of confidentiality, integrity, authenticity, and availability are familiar security concepts; we frame the goals for defending the home slightly differently in order to highlight the domain in which they are applied and the unusual consequences of security failures. This taxonomy is meant to approach security and privacy goals from a variety of perspectives, and as such its items are not mutually exclusive.
Security failures can result in a variety of kinds of harm to users. It is common to consider harm to users in terms of financial assets; it is less typical to consider damaging users by, for example, wasting their time or causing them stress. We suggest considering the potential negative impact of attacks on the following assets (in the Human Assets column in Table 1): emotional well-being, financial well-being, personal data, physical well-being, and relationships. In addition to considering the assets of individuals, it can be beneficial to consider the broader assets of societal well-being and impact on the biosphere. The list is derived in part from Value Sensitive Design 12—an area of human-computer interaction that focuses on what different individuals value—and in part from the discussion sections of papers on emerging technologies. 5, 7, 16
Table 2. An overview of the structure of attacks to the home ecosystem.

Low-level Mechanism Examples: Altering logs; Altering or destroying data; DoS attacks; Using actuators; Viewing data; Viewing or altering traffic; Viewing sensors.

Intermediate Goals: Accessing financial data; Causing device damage; Causing environment damage; Causing physical harm; Enabling physical entry; Gathering incriminating data; Misinformation; Planting fake evidence; Viewing private data.

High-level Goals: Blackmail; Espionage; Exposure; Extortion; Framing; Fraud; Kidnapping; Physical theft; Resource theft; Stalking; Terrorism; Vandalism; Voyeurism.
January 2013 | Vol. 56 | No. 1 | Communications of the ACM 97