Privacy Engineering in Smart Home (SH) Systems: A Comprehensive Privacy Threat Analysis and Risk Management Approach (2401.09519v1)
Abstract: Trust concerns in Smart Home (SH) systems remain poorly addressed because few studies analyse and evaluate privacy threats in a way that supports effective risk management. Most existing work concentrates on user privacy; device data privacy, and in particular the privacy of device identities, is largely neglected, even though it can significantly affect the overall privacy of the users of an SH system. To this end, this study applies privacy engineering (PE) principles to the SH system, covering both user and device data privacy. We start from a comprehensive reference model for a typical SH system. Following the first step of the LINDDUN PRO methodology, we derive a data flow diagram (DFD) from that reference model to make the system's operations and data movements explicit. We then use the LINDDUN PRO threat model to identify where privacy threats can arise and to perform a privacy threat analysis (PTA). Next, a privacy impact assessment (PIA) prioritises the identified threats by their likelihood of occurrence and the severity of their consequences, which forms the basis for privacy risk management. Finally, we suggest privacy-enhancing technologies (PETs) that can mitigate some of these threats. The study aims to clarify the main privacy threats in SH systems, the risks associated with them, and how privacy controls should be prioritised. The outcomes are expected to benefit SH stakeholders, including vendors, cloud providers, users, researchers, and regulatory bodies in the SH domain.
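The pipeline the abstract describes (a DFD of the smart home, LINDDUN-style threat elicitation per DFD element type, then likelihood-times-impact prioritisation and a PET suggestion per threat category) is illustrated by the following Python script. It is an added example, not code from the paper or from the LINDDUN project: the element-type mapping follows the original LINDDUN mapping table rather than the current LINDDUN PRO tables, and the sample DFD, the data-sensitivity weights, the scoring heuristic, the risk bands and the PET suggestions are all assumed for illustration.

```python
"""Toy LINDDUN-style privacy threat elicitation and risk ranking over a
smart-home DFD. Added illustration, not the paper's own tooling."""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    ENTITY = "entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


ALL = frozenset(Kind)
NOT_ENTITY = frozenset({Kind.PROCESS, Kind.STORE, Kind.FLOW})

# Threat category -> DFD element types it applies to. Assumption: this follows
# the original LINDDUN mapping table; LINDDUN PRO refines it per element type,
# so check it against the current tables on linddun.org before relying on it.
LINDDUN = {
    "Linking": ALL,
    "Identifying": ALL,
    "Non-repudiation": NOT_ENTITY,
    "Detecting": NOT_ENTITY,
    "Data disclosure": NOT_ENTITY,
    "Unawareness": frozenset({Kind.ENTITY}),
    "Non-compliance": NOT_ENTITY,
}

# Illustrative PET per category (assumed, not a prescription).
PETS = {
    "Linking": "rotating / per-context pseudonyms for device and user IDs",
    "Identifying": "pseudonymous device identifiers, no raw MAC or serial",
    "Non-repudiation": "anonymous credentials or deniable authentication",
    "Detecting": "traffic padding and dummy traffic to hide device activity",
    "Data disclosure": "end-to-end encryption and data minimisation",
    "Unawareness": "consent dashboard and transparency notices",
    "Non-compliance": "retention limits and purpose binding in the cloud",
}

# Assumed sensitivity weights (1-5) for the data items in the sample DFD.
SENSITIVITY = {"device_id": 4, "user_id": 4, "sensor_reading": 3,
               "presence": 5, "firmware_version": 1}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    data: tuple = ()                # data items the element handles
    crosses_boundary: bool = False  # flow leaves the home network


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    @property
    def risk(self):
        return self.likelihood * self.impact

    @property
    def level(self):  # assumed risk banding
        return "High" if self.risk >= 15 else "Medium" if self.risk >= 8 else "Low"


def score(el, category):
    """Assumed heuristic: exposure of the element drives likelihood, the most
    sensitive data item it handles drives impact."""
    likelihood = 2
    if el.crosses_boundary:
        likelihood += 2  # reachable from outside the home
    if el.kind is Kind.STORE:
        likelihood += 1  # long-lived aggregation point
    if category in ("Identifying", "Linking") and any(d.endswith("_id") for d in el.data):
        likelihood += 1  # carries a stable identifier (device or user)
    impact = max((SENSITIVITY.get(d, 2) for d in el.data), default=1)
    return min(likelihood, 5), impact


def elicit(dfd):
    """One candidate threat per (element, category) pair permitted by the
    mapping table, scored for the PIA step and ranked by risk."""
    threats = []
    for el in dfd:
        for category, kinds in LINDDUN.items():
            if el.kind in kinds:
                lik, imp = score(el, category)
                threats.append(Threat(el.name, category, lik, imp))
    return sorted(threats, key=lambda t: (-t.risk, t.element, t.category))


def report(threats, level="High"):
    """Threats in the given band, each with the PET suggested for its category."""
    return [(t.element, t.category, t.risk, PETS[t.category])
            for t in threats if t.level == level]


# Constructed sample DFD for a typical smart home (assumed topology).
SAMPLE_DFD = [
    Element("User", Kind.ENTITY, ("user_id",)),
    Element("Smart lock", Kind.PROCESS, ("device_id", "presence")),
    Element("Home hub", Kind.PROCESS, ("device_id", "sensor_reading")),
    Element("Vendor cloud", Kind.PROCESS, ("device_id", "user_id", "sensor_reading")),
    Element("Cloud DB", Kind.STORE, ("device_id", "user_id", "sensor_reading", "presence")),
    Element("lock->hub", Kind.FLOW, ("device_id", "presence")),
    Element("hub->cloud", Kind.FLOW, ("device_id", "user_id", "sensor_reading"), True),
    Element("app->cloud", Kind.FLOW, ("user_id", "firmware_version"), True),
]

if __name__ == "__main__":
    for row in report(elicit(SAMPLE_DFD)):
        print(row)
```

A real PIA would replace the heuristic with the assessment's own likelihood and impact scales and LINDDUN PRO's per-element-type threat trees; the point of the script is that every (element, category) pair is enumerated mechanically, so an identifying or linking threat on a device identifier that leaves the home network cannot be overlooked.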