Threat model and risk management for a smart home IoT system

Abstract

The rapid growth and technology development have led to what is known as a smart home. IoT technology play a key role in the development of smart homes as it provides convenience and contribute to the human wellbeing. However, this comes with a price. The incorporation of IoT devices into smart homes and their connection to the Internet have created new security and privacy challenges in terms of the CIA triad (Confidentiality, Integrity, Availability) of the data sensed, collected, and exchanged by the IoT devices. These challenges have opened many security threats which make IoT devices inside smart home insecure and vulnerable to different vector attacks. Thus, it is essential to look at different possible risk factors to create a complete picture of the level of the security of smart homes. In this paper we apply STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevating of privilege) threat model to the smart home IoT devices and identify the potential threats at different layers namely: IoT device layer, communication layer and application layer. Then, a risk rating security threats model DREAD ( D amage potential, R eproducibility, E xploitability, A ffected Users and D iscoverability) is used to assess the threats’ risks. Finally, a risk response for the rated risks and a risk mitigation strategy is presented. The aims of this paper are to understand better the various security threats and provide a security baseline to improve the security of smart home IoT systems.