In the future home, we have some great examples of devices and technologies that can make our lives easier. However, can a smart home be attacked in the same way than a non-smart one?
For example, “smart plugs” or “active plugs” can be used to remotely control domestic heating using a smartphone or tablet. But the flipside is that we may expose ourselves to more possible criminal activity by unknowingly making data available or even giving attackers control of our home.
In this article we’ll look at a variety of different crimes or attacks involving the future home. As you read through them, think about what they might have in common, how they might be categorised and what the consequences might be.
Smart meters and smart grids
Smart meters are increasingly being used in a domestic setting. They aim to help consumers make the most efficient use of their electricity, by showing which devices use the most power. At the supplier level, the data from smart meters helps them to plan for high levels of activity and smooth out the stresses on the grid at these times. But this data, if it is intercepted, can be very revealing about a consumer’s personal habits and routines, leading to the possibility that an attacker can find out whether or not the house is occupied based on electricity usage patterns.
Until recently the idea of a cyber attack on a smart grid was theoretical, a possibility that had been identified by security researchers. In December 2015 a large area of Ukraine experienced a power outage leading to over 100 cities being plunged into blackout for several hours, with services only resumed after the operators were able to return to manual mode. Three different distribution companies were attacked, with over 225,000 consumers affected. The attack had been meticulously planned over several months, with very detailed reconnaissance, and different attack profiles to match the different defences of the three target companies: spear phishing emails, malware, even a denial-of-service attack on the company’s call centres to deny customers access to report the outages. There is a link to a detailed report from the US Department of Homeland Security below.
Of course, crime has been around for much longer than computer systems and burglary does not need to be a sophisticated cyber-attack. Examples can be as simple as the opportunistic thief looking for an unlocked house or car, walking in and stealing high-value items, or gaining access to a property by pretending to have a right to access (via a fake identification for example). More high-value burglaries will involve observing the targets for a period of time to identify patterns in occupation and find the right time to break in.
Big data refers to collections of structured or unstructured data across many different datasets: Big Data Analytics is the analysis of these collections to identify trends and patterns. Companies use this type of analysis to target adverts, and criminal investigators make use of big data analytics to help to map out crime reports, to identify areas more likely to experience crime. In this sense big data is seen as a weapon for reducing crime and financial fraud, by predicting attacks based on analysis of large quantities of data. However, the availability of this data can lead to further concerns about privacy: although data should be anonymous, the combination of different datasets can lead to sufficient information being available to identify individuals, giving potential attackers information about shopping preferences, sleeping patterns, holiday destinations etc.
What sort of threats?
These examples are all quite diverse, but can be compared together in terms of the type of threat they represent: for example, a fake user identity may be used (spoofing) to gain access to a house, using a simple fake id or by pretending to be the authorised user of a smart meter; breaches of privacy or leaking of data can occur with big data or smart devices; the attack on the smart grid coordinated a number of threats including denial of service, escalating privileges and identify spoofing. In the next section we’ll look in more detail at this idea of threat modelling.
© Newcastle University