The goal of this research is to improve the security of smart home hubs by developing a standard against which hubs can be evaluated. This was done by first reviewing existing standards, guides, and collections of best practices. I determined that adapting or extending an existing standard was the best way to proceed. Potential candidates were selected, and after thorough comparison, I chose to extend the OWASP Application Security Verification Standard (ASVS). Extensions were composed of additional security requirements to address smart home hub functionality not covered by the existing requirements of the ASVS. These additional requirements were developed based upon existing best practices and are referred to as the Smart Home Extensions. Where a best practice or guidance did not yet exist for a particular hub functionality, guidance from related fields was adapted. The entire set of Smart Home Extensions were reviewed by industry experts, updated based on feedback, and then sent on for further peer review. Four smart home hubs – VeraLite, Wink, Connect, and SmartThings – were evaluated using the ASVS with the Smart Home Extensions. The evaluation uncovered security vulnerabilities in all four hubs, some previously disclosed by other researchers, and others new. Analysis of the evaluation data suggests that authentication is a common problem area, among others. Based on the performance of the hubs and the data collected, I suggest that the ASVS and Smart Home Extensions can be an effective tool to provide insight into the security posture of smart home hubs.
- smart home,
- internet of things,
- home automation,
- OWASP ASVS,
- application security verification standard,
- smart home extensions
Available at: http://works.bepress.com/steve-christiaens/1/