Link to the Paper: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-he.pdf
Summary:
This paper tries to ascertain what an IoT-connected home of the future might look like, especially in a world that no longer grants privileges by device, as in the past, but instead grants them by capability; i.e., unless you are a teenager you may not unlock the front door. While this paper does a good job of gathering a lot of opinions on how people might feel about different roles getting different capabilities, it seems like the paper had some issues with the generalizability of the study.
What I Liked:
The fact that the study used 425 participants to carry out this survey
The study proves very early on how home IoT devices are inherently different from those that other security models are tailored for, because IoT devices are often shared
The paper suggests a new paradigm for device security tailored specifically to IoT devices, one that is capability based
The paper prepares for insider attacks, which are often overlooked and will play a major role going into the future for people such as domestic abuse survivors when IoT devices are used in the home
The study very clearly focuses on the general population as a whole as opposed to early adopters to prevent biasing the study
What I Didn't Like:
The fact that the study was done online, meaning that it is very hard to verify these people were real and actually put some thought into their responses
I feel like the study's focus on creating some type of default setting is bad because a lot of these permissions really are based on the family
The study referenced that they evaluated future capabilities that were "likely" to be deployed which really doesn't seem sound
The use of free-text responses, which become very hard to evaluate and display in a concise manner
The study does conclude that they do have issues with the ecological validity and generalizability of their data given that their surveys were done online.
New Ideas:
Can we have one device or hub act as the quarterback for authentication for an entire IoT ecosystem?
Why don't all new security features focus on having the hub authenticate the orders from the human? Would this single point create a point of failure?
Devoting feature controls specifically to a cellphone, and then using that as the identifier for a specific user in a world where there are multiple users in the environment
For children who are still developing, will having less access to control the environment around them (i.e., lights or temperature) affect how they grow up?
Repeat the study with real people instead of an online survey
Discussion:
What obstacles does voice-based security need to overcome in order to be implemented in the future?
How do database systems limit capability on a per-user basis and enforce those permissions? Can those be shared with IoT systems?
Does creating security defaults for permissions open IoT companies to any liabilities in the future?
Should we grant general access to anyone for certain cases where people are in close physical proximity to the device, i.e., lights?
What percentage of households are actually moving toward an IoT-type house?