Threat Model and Risk Management for a Smart Home IoT System
Abstract
Rapid growth and technological development have led to what is known as the smart home. IoT technology plays a key role in the development of smart homes, as it provides convenience and contributes to human wellbeing. However, this comes at a price. The incorporation of IoT devices into smart homes and their connection to the Internet have created new security and privacy challenges in terms of the CIA triad (Confidentiality, Integrity, Availability) of the data sensed, collected, and exchanged by the IoT devices. These challenges have opened up many security threats, which make IoT devices inside the smart home insecure and vulnerable to different attack vectors. Thus, it is essential to look at the different possible risk factors to create a complete picture of the level of security of smart homes. In this paper we apply the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege) threat model to smart home IoT devices and identify the potential threats at different layers, namely the IoT device layer, the communication layer and the application layer. Then, the DREAD (Damage potential, Reproducibility, Exploitability, Affected users and Discoverability) risk-rating model is used to assess the threats’ risks. Finally, a risk response for the rated risks and a risk mitigation strategy are presented. The aims of this paper are to better understand the various security threats and to provide a security baseline for improving the security of smart home IoT systems.
DOI: https://doi.org/10.31449/inf.v47i1.4526
This work is licensed under a Creative Commons Attribution 3.0 License.