This is a lightly edited transcript (in three parts) of a docent lecture given by Andreas Jacobsson, IOTAP, Malmö University.
That was the introduction to the area of the Internet of Things and security and privacy in general. I will now shift the focus to some examples of the research results that I’ve contributed over the years. And I will begin by some studies we have done on privacy and security in smart homes.
What is a smart home?
A smart home is a home that’s connected to the Internet and thus uses IoT technology. A smart home allows for remote control, often through a smartphone or some other handheld computing device. In a smart home, you are able to acquire and apply knowledge about the home and its inhabitants in order to improve their experience in the home environment. Whereas this can seem rather novel, it’s actually not. The first smart home came already back in 1969. It was offered by the department store Neiman Marcus and was called the Honeywell Kitchen Computer; it weighed 45 kilos and you could basically do two things with it: add recipes and store recipes.
Smart home industries
These are some examples of actors on the smart home market, which attracts a lot of attention from both commercial actors but also from standardization organizations and governmental institutions, as well as — probably the most important group — the end users. The global smart home market was valued to 9.8 billion U.S. dollars in 2015 and it’s expected to grow to 43 billion dollars in 2020. This is a complex, dynamic, scalable ecosystem, characterized by fierce competition, which leads to the observation that not much time and effort is generally spent on security.
Why study security and privacy?
Why should one study security and privacy in this context?
1. Massive amounts of data. It’s all about the information that is generated in the smart home and distributed to third parties outside of the smart home. Smart homes can collect massive amounts of data, some of which can be really sensitive for instance in terms of behavioral patterns. In the home, that’s where you do the things you do when nobody’s watching, but if the machines are watching, maybe the home is not really the home anymore? But also information about your location, the residents location, where are they (or rather where are they not!), health and medical status. A few years back, there were many examples of people who had integrated smart security cameras in their homes but unfortunately had the “bad luck” to have their video clips ended up for public this display on the world wide web.
2. The information and distribution process in the smart home is typically done out of the control for the users. This too is an example of where much of the things are done without user awareness or control.
3. Just as all other things that can be found on the Internet, smart home systems can be manipulated, hijacked or attacked, impacting not only the personal but also the private, and not only the digital but also the offline lives of users. In essence, to me, this is why this area is so interesting to study. Here we have a scenario where the digital threats don’t remain digital, they come to life and impact your physical surrounding.
A state-of-the-art study on security and privacy in smart homes
Enforcing security has in a number of papers been identified as one of the main barriers for realizing the vision of smart homes. That means that a lot of effort should be put into studying security and privacy in this context. In the research that I’m currently involved in, we are doing state-of-the-art surveys.
This is one example (above) of a state-of-the-art study on security and privacy in smart homes that was reported in an article published early this year, but the study was done in the beginning of 2015. These contributions are basically all the high-quality contributions from academic perspectives on security and privacy that could be found.
You can see that most of the contributions have focused on security issues, security solutions and to some extent on privacy issues and privacy solutions. Only three of them, a small amount in my opinion, has focused on risk analysis. While this may not be surprising, it’s still a bit strange because when you want to analyze and define a comprehensive security strategy for some digital assets that you want to protect, this must be something that follows a risk analysis. Because in the risk analysis, you define what you want to protect and what level of importance it has. This information is crucial if you’re going to make a resource efficient yet sustainable information security strategy.
On the last row in the table above is how we position a risk analysis methodology that we developed and applied on a smart home automation system. Here you can see that we focused on risk analysis but also on stating the problems in connection to security and privacy. This was an empirical evaluation and a scenario-based study.
A risk analysis study applied on a smart home automation system
The risk analysis study we did was on a smart home automation system intended for a more efficient use of energy. This system enabled end-users to both monitor their energy consumption and remotely control the electronic devices that were connected to the system in the buildings and homes that were in question.
Based on the main observations from the state-of-the-art study, we applied a risk analysis approach that was a modified version of the well-known Information Security Risk Analysis (ISRA). It was modified in the sense that we made a classification of the system that we reviewed along the lines of Information System Science perspectives. The whole point of the ISRA is to evaluate a system’s ability to meet the basic goals of security, or rather the “CIA” — Confidentiality, Integrity and Availability — of security. In the risk analysis approach, we made a review of the technical documentation of the system as well as the system architecture. We had group interviews with the system developers and the domain experts in two sessions. We identified 32 risks that were then analyzed and evaluated. Of those, 19 were classified as moderate and 4 as high; the remaining were considered low.
A compilation of the main results
In the table, you can see that the most severe risks were related to human use (poor “security hygiene”, as we call it; that is, when you are sloppy with password selection and you have a lot of gullible users around you). We found that human users constitute the main risk sources with implications primarily to confidentiality and user privacy.
Software related risks were also severe, especially those found in the software that was included in the in-house gateways, the mobile apps and the APIs used. They brought on implications to system confidentiality, integrity and availability.
Information related risks were mainly connected to security procedures such as authentication and acts of control processes that were placed on the cloud server of the system, and that impaired primarily implications to availability of user and home data, rendering in the long run that the smart home could be exposed to a denial of service attack.
Main observations from the study
The smart home market is an area with a lot of different stakeholders. When this is the case, it’s always very difficult to analyze the risk exposure. Things are connected to each other in ways that are difficult to analyze.
The most sensitive part we found was information registry about users energy consumption. This might seem harmless, but if you associate this information with other types of information, you can draw conclusions about the inhabitants’ daily life: Where they are, where they are not, how they live, when they get back, when they leave, etc. From this point of view, both user privacy and home security is at risk.
We could also confirm that the general system constraints in these types of systems is the limited computing capacity for, for instance, encryption. When thinking about security design for such a system, we could conclude that it was primarily important to be particularly conscious about authentication and access control procedures.
A reflection: We evaluated security based on a risk analysis on a system that was almost already in place. Ideally, security should not be handled that way. It should be integrated in the very design or the development phase of the system. And this is not a new insight. This has been a challenge to researchers within this area for many years. We’ve talked about security in design and the difficulties in actually adding security. There have been many papers that have pointed in this direction but very few have been able to back their statements up with empirical data.
Andreas Jacobsson leads the IOTAP project Intelligent Support for Privacy Management in Smart Homes (iSMASH).