Smart home IoT devices are becoming increasingly popular. Modern programmable smart home hubs such as SmartThings enable homeowners to manage devices in sophisticated ways to save energy, improve security, and provide conveniences. Unfortunately, many smart home systems contain vulnerabilities, potentially impacting home security and privacy. This paper presents Vigilia, a system that shrinks the attack surface of smart home IoT systems by restricting the network access of devices. As existing smart home systems are closed, we have created an open implementation of a similar programming and configuration model in Vigilia and extended the execution environment to maximally restrict communications by instantiating device-based network permissions. We have implemented and compared Vigilia with forefront IoT-defense systems; our results demonstrate that Vigilia outperforms these systems and incurs negligible overhead.
This content will become publicly available on November 1, 2025
To Share or Not to Share: Feature Analysis of Smart Home Management Systems to Assess Access Control with External Users
In the smart home landscape, there is an increasing trend of homeowners sharing device access outside their homes. This practice presents unique challenges in terms of security and privacy. In this study, we evaluated the co-management features in smart home management systems to investigate 1) how homeowners establish and authenticate shared users’ access, 2) the access control mechanisms, and 3) the management, monitoring, and revocation of access for shared devices. We conducted a systematic feature analysis of 11 Android and iOS mobile applications (“apps”) and 2 open-source platforms designed for smart home management. Our study revealed that most smart home systems adopt a centralized control model which necessitates shared users to utilize the primary app for device access, while providing diverse sharing mechanisms, such as email or phone invitations and unique codes, each presenting distinct security and privacy advantages. Moreover, we discovered a variety of access control options, ranging from full access to granular access control such as time-based restrictions which, while enhancing security and convenience, necessitate careful management to avoid user confusion. Additionally, our findings highlighted the prevalence of comprehensive methods for monitoring shared users’ access, with most systems providing detailed logs for added transparency and security, although there are some restrictions to safeguard homeowner privacy. Based on our findings, we recommend enhanced access control features to improve user experience in shared settings.
- Award ID(s): 2326901
- PAR ID: 10530831
- Publisher / Repository: Future Technologies Conference (FTC 2024)
- Date Published:
- Format(s): Medium: X
- Location: London, United Kingdom
- Sponsoring Org: National Science Foundation
More Like this
- We developed “MiSu”, an Android and iOS app that allows smart home homeowners to share their devices (e.g., Ring doorbell, security alarm, smart door lock, smart light bulb) with people outside of their home to control what, when, and how they can engage with the smart devices. MiSu provides options for fine-grain access control, the ability for guests to control smart homes using their own device and login, and provides homeowners real-time logs where they can view all actions taken by guests invited to interact with their smart homes.
- A key feature of smart home devices is monitoring the environment and recording data. These devices provide security via motion-detection video alerts, cost-savings via thermostat usage history, and peace of mind via functions like auto-locking doors or water leak detectors. At the same time, the sharing of this information in interpersonal relationships---though necessary---is currently accomplished on an all-or-nothing basis. This can easily lead to oversharing in a multi-user environment. Although prior work has studied people's perceptions of information sharing with vendors or ISPs, the sharing of household data among users who interact personally is less well understood. Interpersonal situations make data sharing much more context-based and, thus, more complicated. In this paper, we use themes from the theory of contextual integrity in an online survey (n=1,992) to study how people perceive data sharing with others in smart homes and inform future designs and research. Our results show that data recipients in a smart home can be reduced to three major groups, and data types matter more than device types. We also found that the types of access control desired by users can vary from scenario to scenario. Depending on whom they are sharing data with and about what data, participants expressed varying levels of comfort when presented with different types of access control (e.g., explicit approval versus time-limited access). Taken together, this provides strong evidence that a more dynamic access control system is needed, and we can design it in a more usable way.
- Smart home devices transmit highly sensitive usage information to servers owned by vendors or third-parties as part of their core functionality. Hence, it is necessary to provide users with the context in which their device data is collected and shared, to enable them to weigh the benefits of deploying smart home technology against the resulting loss of privacy. As privacy policies are generally expected to precisely convey this information, we perform a systematic and data-driven analysis of the current state of smart home privacy policies, with a particular focus on three key questions: (1) how hard privacy policies are for consumers to obtain, (2) how existing policies describe the collection and sharing of device data, and (3) how accurate these descriptions are when compared to information derived from alternate sources. Our analysis of 596 smart home vendors, affecting 2,442 smart home devices yields 17 findings that impact millions of users, demonstrate gaps in existing smart home privacy policies, as well as challenges and opportunities for automated analysis.
- User authentication is a critical process in both corporate and home environments due to the ever-growing security and privacy concerns. With the advancement of smart cities and home environments, the concept of user authentication has evolved with a broader implication by not only preventing unauthorized users from accessing confidential information but also providing the opportunities for customized services corresponding to a specific user. Traditional approaches of user authentication either require specialized device installation or inconvenient wearable sensor attachment. This paper supports the extended concept of user authentication with a device-free approach by leveraging the prevalent WiFi signals made available by IoT devices, such as smart refrigerator, smart TV and thermostat, etc. The proposed system utilizes the WiFi signals to capture unique human physiological and behavioral characteristics inherited from their daily activities, including both walking and stationary ones. Particularly, we extract representative features from channel state information (CSI) measurements of WiFi signals, and develop a deep learning based user authentication scheme to accurately identify each individual user. Extensive experiments in two typical indoor environments, a university office and an apartment, are conducted to demonstrate the effectiveness of the proposed authentication system. In particular, our system can achieve over 94% and 91% authentication accuracy with 11 subjects through walking and stationary activities, respectively.