Within the phenomenon known as the Internet of Things (IoT), an enormous growth is taking place. IoT systems exist in different ways, ranging from industrial applications to user focused systems. A specific subset of a user-focused IoT system is found as Smart Home environments.
...
Within the phenomenon known as the Internet of Things (IoT), an enormous growth is taking place. IoT systems exist in different ways, ranging from industrial applications to user focused systems. A specific subset of a user-focused IoT system is found as Smart Home environments. At Smart Homes, themultiple Smart Objects or Smart Devices are working together, frequently based on sensor input, to increase the comfort and user experience of the home inhabitant(s) and guest(s). Smart Objects can have automated tasks, home security enabling functions or efficiency improving functionality. Apart from great applications of Smart Home devices, threats from a cyber security perspective are present: cyber risks arise due to a variety of threats on such IoT systems. We show that in the development of new Smart Home products or systems, vendors fail to meet requirements for security and privacy are not met. Comparing the current state of the market, the four most used Smart Home ecosystems (Samsung Smartthings, Apple Homekit, Amazon Echo and IFTTT) are surveyed based on three key focus areas: 1. The regulatory compliance of the systems according to the upcoming General Data Protection Regulation (GDPR). 2. The commercial threats due to data profiling. 3. The risk of data leaks due to insufficient security. This analysis results in four key observations: 1. Security- and Privacy-By-Design is usually not in place due to the fact that the focus lies on launching a product as soon as possible, e.g. due to market competition; 2. Vendors process (meta)data on the vendors locations resulting in data profiling, which can compromise user privacy; 3. Smart Home ecosystems are not ready for the GDPR; 4. A trade off between privacy, security and utility usually results to the detriment of the first two and favors the latter. We propose a new design for a Smart Home ecosystem. In this design, the focus lies at the privacy of the end-user. We design a network for device-fitting encrypted communication between Smart Devices and User Devices and the Privacy Enforcing Arbiter (or Peter). Peter functions like a hub in the network, managing among others all traffic, user privileges and key distribution. With Peter, the centralized cloud party (vendor) for data storage and data analysis is replaced with a decentralized personal storage and computation entity at home. With our network design, we facilitate the use of IoT devices in home in a privacy-friendly way. Within the network, devices are authenticated using PhysicallyUnclonable Function technology and users are authenticated with a Zero Knowledge Proof. We analyze the privacy and security of our proposed network, based on a series of possible cyber attacks and the upcoming GDPR. Furthermore, we analyze the computational complexity and scalability of the network, based on market conform device power.