Professional Documents
Culture Documents
This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
ABSTRACT The advent of the Internet of Things (IoT) and Artificial Intelligence (AI) have led to
the rising popularity of Smart Home Automation (SHAuto). SHAuto uses a variety of interconnected
smart devices to provide life-enhancing services such as smart energy control, smart entertainment,
smart healthcare, and so on. If these devices are compromised, sensitive data may be disclosed and the
compromised devices or other connected devices may be maliciously controlled, threatening the privacy and
safety of home occupants. Therefore, controlling access to devices in SHAuto is of paramount importance.
However, due to the characteristics of the SHAuto environment, this has become a challenging issue. As a
first step towards addressing this challenging issue, this paper provides a comprehensive problem analysis
of SHAuto. The problem analysis consists of two parts. The first part is an in-depth analysis of various
SHAuto use case scenarios covering three aspects, i.e., device control modes, automation modes, and
device communications. This analysis has led to the formulation of a generic model for SHAuto. Based
on this model, the second part analyses potential vulnerabilities and threats in relation to authorisation. The
comprehensive problem analysis has led to a hypothesis that access to the devices can be controlled by
governing device communications and the specification of a set of requirements for the design of secure and
usable communication-based access control solutions for SHAuto environments.
INDEX TERMS Access control, Authorisation, Internet of Things (IoT), Smart Home Automation
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
device may not only pose threats to the home occupants’ analysis identified framework design flaws in two domains:
security and privacy but also cause physical harm to the the SmartThings permission/capability model and the event
occupants, putting their safety at risk. While security is subsystem. The authors also demonstrated how these design
essential to safeguarding an SHAuto system, safety is equally flaws can be exploited by attackers to steal lock pin-codes,
paramount. Ensuring the security of an SHAuto system is disable a vacation mode SmartApp, and cause fake fire
vital to guarantee its overall safety. In essence, security is alarms.
about keeping the system safe, and safety is about keeping the Geneiatakis et al. [16] conducted a security and privacy
occupants safe. It is, therefore, crucial to restrict how devices threat analysis on a smart home architecture, with a focus
can be accessed and controlled to preserve security and safety on the interactions among various off-the-shelf IoT devices.
in an SHAuto environment. This is where access control However, the architecture only considered scenarios where
comes into play. Access control encompasses authentication the IoT devices, organised in islands, were connected to a
and authorisation. hub, and were not directly accessed by other devices. Ali et
Authorisation is about granting or denying access privi- al. [17] used different scenarios to investigate security attacks
leges on system resources to subjects [5, 6]. While efforts which violate the security goals including confidentiality,
have been made to improve authorisation in SHAuto en- integrity, availability and so on. Ray and Bagwari [18] pre-
vironments, to the best of our knowledge, there is only a sented a set of security threats in existing IoT communication
limited amount of work (e.g., [7–13]) that has taken into protocols (e.g., Bluetooth, ZigBee, WiFi, LoRaWAN) and
account device-to-device communications. As a first step proposed a secure and cost-effective communication pro-
towards achieving secure and usable communication-based tocol with desirable attributes for smart homes. In a more
authorisation in SHAuto environments, in this paper, we have recent study, Girish et al. [19] conducted an analysis of
conducted an in-depth problem analysis of SHAuto, focusing local network communications involving a broad spectrum
on device-to-device communications. More specifically, the of consumer smart IoT devices and mobile apps. The study
contributions of this paper are summarised as follows. identified security and privacy threats associated with local
network traffic in smart homes. In another study, Li et al. [20]
• A comprehensive use-case analysis of SHAuto covering introduced ZPA, a system designed to investigate privacy
three aspects: device control modes, automation modes, and security issues in ZigBee-based smart home networks,
and communications among entities. The entities refer utilising ZigBee-encrypted traffic. ZPA employs state-of-the-
to a set of interconnected devices, services, and applica- art machine-learning models to identify smart home devices’
tions (apps) that collectively offer SHAuto services. type and status that could potentially leak users’ private
• The formulation of a generic SHAuto model which information.
captures different SHAuto use-case scenarios. Meng et al. [21] surveyed security challenges in smart
• A threat analysis that identifies potential vulnerabilities homes based on different attacking interfaces such as the
and authorisation-related threats in an SHAuto environ- physical layer, network layer, mobile applications, access
ment. control, and voice user interface. They also discussed the
• The specification of a set of functional, security, us- existing proposed countermeasures to these challenges. [22]
ability, and performance requirements for the design performed a threat analysis on the smart home ecosystem
of secure, usable, and efficient communication-based using the STRIDE (Spoofing, Tampering, Repudiation, In-
access control solutions for SHAuto environments. The formation Disclosure, Denial of Service and Elevation of
specification of the requirements has taken into account Privilege) threat analysis method and Microsoft’s threat mod-
the characteristics of SHAuto and the findings from the eling tool. The analysis focused on threats in relation to
problem analysis conducted above. the physical components of the ecosystem and information
transmitted between these components.
The rest of the paper is structured as follows. Section Different from the reviewed work discussed above, the
II reviews the existing security analyses of smart homes. risk analysis conducted on a smart home automation system
Section III describes the characteristics, architecture, and in [23] took into account the human factor. This analysis
communication model of SHAuto. Section IV presents the encompassed six components of the system: connected sen-
analysis of the SHAuto scenarios. Section V describes the sors/devices, in-house gateway, cloud server, API, mobile
generic SHAuto model. Section VI performs the threat anal- device, and smartphone apps. Each of these components
ysis based on the model. Section VII specifies the set of was analysed to identify vulnerabilities and threats related
requirements. Finally, Section VIII concludes the paper. to hardware, software, information, network communication,
and human aspects. Similar to [23], the study conducted by
II. RELATED WORK [24] took into account human-related attacks such as social
In recent years, several studies have examined security risks engineering attacks. This study explored security challenges
in smart homes. In a study conducted by Fernandes et al. in smart homes based on the four IoT layers, i.e., application
[14], an empirical security analysis was performed on Sam- layer, perception layer, physical layer, and network layer.
sung SmartThings [15], a popular smart home platform. The Many of the reviewed work focused on specific aspects,
2 VOLUME 15, 2022
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
such as established smart home platforms ([14]), specific does not apply to an SHAuto system with only a single
device interaction scenarios ([16]), particular smart home occupant. In addition, the requirements may change from
applications ([17]), IoT communication protocols ([18, 20]), time to time due to context changes, e.g., a device relocation
and the local home network ([19]). In contrast, broader may cause a change in the role of the device, hence changing
aspects were explored in the studies ([21–24]), encompass- the requirements under which it can be accessed.
ing different IoT layers and the human factor. However,
threats associated with authorisation were not extensively Different access purposes: In an SHAuto system, a device
investigated in these studies. Unlike the reviewed work, may be accessed for data access, for controlling other de-
our analysis took a comprehensive approach to investigating vices, or for both of these purposes.
authorisation-related threats. We formulated a generic model
of smart home automation that encompasses a wide range of Due to the diversified access requirements and the dynamic
use case scenarios, including device control modes, automa- nature of SHAuto, SHAuto should support fine-grained and
tion modes, and device communications. context-aware access control that makes access decisions
based on device context. With the increased granularity and
III. SHAUTO CHARACTERISTICS, ARCHITECTURE AND the incorporation of device context into decision making,
COMMUNICATION MODEL managing authorisation in an SHAuto environment has be-
This section presents the characteristics, architecture and come complex and challenging. Unlike industrial IoT appli-
communication model of SHAuto. cations where access control is often managed by dedicated
security professionals, in SHAuto, access control adminis-
A. THE CHARACTERISTICS tration generally relies on homeowners who typically lack
SHAuto has a number of characteristics which make govern- security knowledge or expertise, and/or may not spend time
ing access to devices a challenging issue. These characteris- to configure the system or specify access policies or assign
tics include device heterogeneity, dynamic nature of SHAuto, access privileges adequately [25]. For example, assigning
varying access requirements, and access purposes. privileges for every single device can be a complex and
time-consuming process, requiring excessive user effort. The
Device heterogeneity: Smart devices may come from dif- process is also prone to human errors. All these factors
ferent vendors and have different functionalities, energy can prevent homeowners from implementing access control
capacities, processing and communication capabilities. For properly. Additionally, in a broader sense, human users’
example, in an SHAuto system, some devices support cook- decisions to grant permissions to technology elements (e.g.,
ing functions while others support lighting control, and so on. apps) or adopt these elements may also be affected by their
From a security perspective, devices can differ in sensitivity risk perception [27, 28], which could be influenced by the
levels. For instance, devices that produce health-related data ease or difficulty of retrieving relevant concerns for the
and/or perform safety-critical operations typically have a decisions [29].
higher sensitivity level. In addition, some devices may have
shared ownership [25]. For instance, in homes with multiple B. THE ARCHITECTURE
occupancies, a single occupant may own a subset of devices The SHAuto architecture used in our problem analysis is
and some devices may be owned by multiple occupants. derived based on the architectures of both the IoT and
Smart Home published by previous studies [30–42]. The
Dynamic system: An SHAuto system is typically a dynamic architecture, as shown in FIGURE 1, consists of four layers:
system where context changes are expected. New devices device layer, gateway later, cloud layer, and application layer.
may be added by the homeowners gradually and obsolete
devices may be removed when no longer needed. Addition- Device layer: This layer is also referred to as the object layer
ally, devices may be added to or removed from the system [32], the perception layer [39–42], or the physical layer [38],
in an ad hoc manner. They may also be powered off or in the literature. Its main tasks are to collect data and receive
disconnected from the home network from time to time [26]. commands [33]. These tasks are accomplished by a myriad
Furthermore, devices may experience a context change, e.g., of interconnected smart devices, including smart appliances
a device relocation. and IoT devices equipped with communication and sensing
and/or actuating capabilities [34, 35, 43]. As described in
Varying and changing access requirements: Depending on Section III-A, these devices can be heterogenous in terms of
various factors, access requirements may vary across differ- functionalities, processing and communication capabilities,
ent SHAuto systems and these requirements may change. For and so on.
example, SHAuto systems may differ in terms of household
sizes, the number of devices, and so on, thus imposing Gateway layer: This layer is responsible for mediating
different access requirements. For example, in an SHAuto communications between heterogeneous SHAuto devices. It
system with multiple occupants, access to devices could also serves as a gateway between a smart home and the cloud.
be based on device ownership. However, this requirement The gateway function is typically provided by connecting the
VOLUME 15, 2022 3
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
A. DEVICE CONTROL MODES that more steps are involved in this mode in comparison to
A device control mode determines how a device is, or should the manual control mode. The steps are: (1) a motion sensor
be, controlled. As discussed in Section III-C, there are two detects a motion in the room (an event); (2) the motion sensor
types of events, user-generated events and sensor-generated (an event producer) sends a message containing some sensed
events. Accordingly, device controls can also be classified data to a smart lighting control service (an event consumer);
into two modes, a manual mode and an automatic (auto) (3) the lighting control service (an event producer) processes
mode. A device controlled via a user-generated event is said the message and makes a decision to switch on the light
to be in the manual mode, whereas a device controlled via a bulb (an event); (4) the service sends a message containing
sensor-generated event is in the auto mode. a switch-on command to the light bulb (an event consumer);
(5) the light bulb switches itself on (an action) in response to
1) Manual Control Mode the command.
In the manual control mode, device control actions are trig- 2 4
1 3 5
gered by user-generated events. Current SHAuto platforms
generally allow users to control home devices via input "motion detected" "ON"
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
temperature) of physical objects (e.g., a room in the house) connected devices, i.e., a temperature sensor and a smart fan.
and transforms them into digital data. It could also be an The workflow involves five steps: (1) the temperature sensor
entity that monitors devices and detects changes of state in sends room temperature data to the gateway; (2) the gateway
devices. Sensors are data producers. relays the data to the cloud; (3) a cloud service, which is
the Controller, processes the data and executes automation
Controller: An entity that enables automated controls of rules; (4) the cloud service sends the gateway a switch-on
smart devices. It has the capability of processing automa- command; (5) the gateway relays the command to the fan.
tions, i.e., it is capable of making automated SHAuto deci-
sions based on sensor data to determine how a device should
operate in response to the data. It could be a device pro- Cloud 3
grammed to make decisions for specific device operations, or
software such as an app or a service. The apps and services
can range from simple automation rules to complex services 2 4
(e.g., home climate control service). Controllers are typically 1 5
both data consumers and command producers.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
accordingly [57]. AI-powered devices can collect data via sensor; each of these two components (camera and sensor)
their interactions with other devices, the underlying environ- has a sensing capability. An example of the latter is a smart
ment, and the users, and make automated decisions based camera that, in addition to the camera function, can also make
on the collected data. We call this on-device automation automated decisions.
processing device-managed automation.
1) Automation Roles
From the scenarios discussed above, we can make two
observations. Firstly, an SHAuto Entity may operate across SHAuto Entities with different automation roles may com-
different layers of the SHAuto architecture. For example, a municate with one another. In the following, these commu-
Controller may reside in the cloud layer (in cloud-managed nications are explained using five scenarios. The commu-
automation), the gateway layer (in gateway-managed au- nication involving the User role is straightforward and has
tomation), or the device layer (in device-managed automa- already been discussed in Section IV-A1, hence is excluded
tion). Secondly, an SHAuto Entity (e.g., an AI-powered from discussion.
device) can take on more than one automation role. For
example, the air conditioner presented in Section IV-B2 has a: Scenario-1: Sensor, Controller and Actuator
the Sensor, Controller and Actuator automation roles. To This scenario describes communications involving three
capture such a device, we derive four automation roles from Simple Entities (a Sensor, a Controller, and an Actuator).
the original ones described in Section IV-A. These roles are: These inter-entity communications are of two types: (i) data
SensorActuator, ControllerActuator, SensorController, and communication between the Sensor and the Controller and
SensorControllerActuator. (ii) command communication between the Controller and the
Actuator, as shown in FIGURE 6. An example use case is
SensorActuator: An entity with sensing and actuating ca- an air conditioning service (Controller) that receives room
pabilities. Such an entity is usually an Actuator which is also temperature data from a temperature sensor (Sensor), and
a Sensor, and is capable of detecting a change in its state. sends a command to switch a smart air conditioner (Actuator)
on when the temperature exceeds a threshold.
ControllerActuator: An entity with automation processing
and actuating capabilities. Such an entity can make au- data command
Sensor Controller Actuator
tomated decisions based on sensor data and actuate itself
accordingly.
An inter-entity communication
SensorController: An entity with sensing and automation
processing capabilities. Such an entity makes an automated FIGURE 6: Communications in Scenario-1
decision based on self-generated data and issues a command
to the corresponding Actuator.
b: Scenario-2: SensorActuator and Controller
SensorControllerActuator: An entity with sensing, au- This scenario describes communications between a Compos-
tomation processing, and actuating capabilities. Such an ite Entity (e.g., a SensorActuator) and a Simple Entity (e.g.,
entity is typically a self-contained device which can operate a Controller). There are two types of such communications
independently. This type of device makes an automated in this scenario, data and command communications, as
decision based on data generated by its on-device Sensor, depicted in FIGURE 7. An example use case is a door lock
and actuates itself accordingly. service (Controller) that receives the state of a smart lock
from the smart lock (SensorActuator) and sends a command
C. SHAUTO ENTITY COMMUNICATIONS to the smart lock to lock itself after the smart lock is left
unlocked for 30 seconds.
There are a number of potential communication scenar-
ios among SHAuto Entities, depending on their automation data
roles, communication levels, and communication patterns. SensorActuator Controller
For clarity, we first create a classification of SHAuto command
Entities prior to discussing the scenarios. Based on their
automation roles, SHAuto Entities can be classified into two An inter-entity communication
generic types, Simple Entities and Composite Entities. A
Simple Entity is defined as an entity having only a single FIGURE 7: Communications in Scenario-2
component (a Sensor, a Controller, or an Actuator) with a
specific capability. A Composite Entity refers to an entity
made up of more than one component. Such an entity may c: Scenario-3: Sensor and ControllerActuator
have components with the same or different capabilities. An This scenario describes communications involving a Sim-
example of the former is a smart camera with a motion ple Entity (e.g., a Sensor) and a Composite Entity (e.g., a
VOLUME 15, 2022 7
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
ControllerActuator). As illustrated in FIGURE 8, there is an if the person is a child, makes a decision, and sends a lock
inter-entity data communication between the Sensor and the command to the smart door lock to lock itself.
ControllerActuator, and an intra-entity command communi-
cation within the ControllerActuator. An example use case data command
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
An example of a component-to-component communica- communication patterns. In this work, we expand this con-
tion taking place between two Composite Entities (the smart cept of interactions in two ways. Firstly, in addition to the in-
fridge d1 and a device d2 ) is shown in FIGURE 12. In teractions between devices, we also consider the interactions
addition to the components described above, the fridge d1 between other SHAuto Entities such as services and apps
also has a smart interior camera s2 which keeps track of as well as their interactions with the devices. Secondly, we
what is in the fridge and makes this information accessible also consider the many-to-many communication pattern. This
to devices which need it. d2 has two Controllers, c2 and expansion results in four communication patterns of SHAuto
c3 , running on it. c3 is a grocery shopping service which Entities: one-to-one, many-to-one, one-to-many, and many-
automatically orders groceries based on available items in the to-many. In the following, we use a smart air conditioning
fridge as well as users’ consumption and purchasing habits. use case to describe each of these patterns.
To perform automated ordering, c3 needs to know what items
are left in the fridge and it obtains this information from the a: Scenario-9: One-to-one Communications
smart interior camera s2 of the fridge. In this scenario, an SHAuto Entity or component sends data
or a command to another SHAuto Entity or component. For
Device d2 Device d1 example, as shown in FIGURE 14, a temperature sensor
sends room temperature data to an air conditioning service,
Controller c2 Controller c1 Actuator a1 which, in turn, issues a command to a smart air conditioner
to switch itself on when the room temperature exceeds a
data
Controller c3 Sensor s2 Sensor s1 threshold.
data command
Device d1
Controller c1 Actuator a1
Temperature sensor data
data
Sensor s1 Sensor s2 Device d3
An inter-entity communication
A data/command communication
FIGURE 13: An example of entity-to-component communi-
cation FIGURE 15: An example of many-to-one communication
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
which, an air conditioning service commands two smart air A. MESSAGING PATTERN
conditioners. We have chosen Publish/Subscribe (PubSub) [64] as the
underlying messaging pattern for the G-SHAuto model. In
Temperature sensor Air conditioning service Smart air conditioner a PubSub system, clients, i.e., publishers and subscribers,
exchange messages through a central message broker. Sub-
data command
scribers register their interest in receiving messages through
subscriptions, and only receive messages, generated and sent
by the publishers that match their registered interest [64]. The
Smart air conditioner matching of messages with relevant subscribers is done by
command
the broker by using a filtering approach. Topic-based filtering
and content-based filtering are among the most widely used
approaches [64].
In the topic-based filtering approach, subscribers receive
A data/command communication all the messages published to the topics to which they sub-
FIGURE 16: An example of one-to-many communication scribe. As shown in FIGURE 19, topics serve as logical
channels between publishers and subscribers. In the content-
based filtering approach, subscribers receive messages if the
content of the messages matches the constraints defined by
d: Scenario-12: Many-to-many Communications
the subscribers during their subscriptions [65].
In this scenario, multiple SHAuto Entities and/or components
The G-SHAuto model adopts the topic-based PubSub mes-
provide data and/or commands to multiple SHAuto Entities
saging pattern for the following reasons:
and/or components. An example of this scenario, as shown
in FIGURE 17, is that two temperature sensors provide • The messaging pattern provides asynchronous, loosely-
temperature data to two services, an air conditioning service coupled, and many-to-many communications between
and an early fire detection service. message producers (publishers) and message consumers
(subscribers) [66, 67], making it suitable for SHAuto
communications. PubSub has been used in considerable
Temperature sensor Air conditioning service Smart air conditioner
data
smart home applications, which not only include estab-
command lished IoT platforms such as AWS IoT and IBM Watson
IoT, but also research projects (e.g., [68–74]).
data
• The messaging pattern supports an event-driven com-
Temperature sensor data Early fire detection munication model [64, 75, 76], which is commonly seen
service
in SHAuto.
• In addition to one-to-one communications, topic-based
PubSub also supports topic-based group communi-
data
cations, thus enabling one-to-many, many-to-one and
many-to-many communication patterns described in
A data/command communication
Section IV-C3. The support for group communications
FIGURE 17: An example of many-to-many communication is particularly useful in SHAuto scenarios where a
publisher sends an identical piece of data/command
to multiple subscribers. Without PubSub, the publisher
V. A GENERIC MODEL OF SHAUTO would have to send the data/command separately and re-
Based on the use case analysis in the previous section, we spectively to each of the subscribers. With PubSub, the
have formulated a generic model for SHAuto (hereinafter publisher would only need to publish the data/command
referred to as the G-SHAuto model). The G-SHAuto model once to a topic and the data/command will be delivered
captures the different SHAuto use case scenarios presented to all the subscribers by the broker, thus reducing the
above, in a communication view called the PubSub Space. number of messages to be transmitted by the publisher.
The PubSub Space represents a logical space where hetero- • PubSub supports persistent sessions [64]. Take the Mes-
geneous SHAuto Entities can communicate with one another, sage Queuing Telemetry Transport (MQTT) protocol
regardless of the layer they reside in the SHAuto architecture. [77], a lightweight PubSub protocol, for example. In
FIGURE 18 depicts the G-SHAuto model, how SHAuto a persistent session, the broker stores subscription in-
Entities are represented in the PubSub Space and how they formation even if the subscriber is offline, and delivers
communicate among themselves in the PubSub Space. A undelivered messages to the subscriber as soon as it has
detailed description of the model including its messaging pat- reconnected [78].
tern and elements and the aforementioned communications is • PubSub protocols such as MQTT allow publishers to
provided below. mark a message published to a topic to be retained by
10 VOLUME 15, 2022
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
Application Layer
s1 SE1 4a
t1
CCE1
Cloud Layer CCE2 7a t2 4b
c1
5a
SE2
Gateway Layer 2a
9b
s2 SE3
8b
Device Layer t3 t4
s3
8a
9a 2b
s4 SE4 CE1 5b
8b 7b
3b
1b
9b
c2 CE2
1a t5
t6
c3 3a 6a
CCE3 6b
CCE4 t7
10a 10b
c4
CCE5
Legend:
ard
Topic1 forw The G-SHAuto model has three types of elements, PubSub
subscr
publish ibe
Publisher2 Subscriber2 Entities, a Broker and Topics.
...
forward
...
...
subs
publish
Topicn cribe PubSub Entities: PubSub Entities are PubSub clients made
Publishern Subscribern
forward up of SHAuto Entities that communicate with one another
in the PubSub Space to provide SHAuto. For the sake of
FIGURE 19: Topic-based PubSub architecture simplicity, PubSub Entities are hereinafter referred to as
entities. Entities include devices, device components, au-
tomation rules or services, and end-user apps provided by
the broker [67]. In MQTT, such a message is known as the SHAuto platform or third parties. To capture the different
a retained message, and will be sent by the broker to any communication levels as described in Section IV-C2, entities
new subscribers immediately upon their subscription to are categorised into three types: SE (Simple Entity), CE
the topic to which the message was published. This can (Composite Entity), and CCE (Component within a Com-
be very useful in the SHAuto context where devices may posite Entity). A Composite Entity may communicate in the
join or leave (or switch-on or switch-off) dynamically. PubSub Space as a single entity or multiple entities. In the
For example, a smart door lock publishes its status former case, the Composite Entity (e.g., c2 in FIGURE 18)
only when changed. With the retained message, a new is represented by an CE (e.g., CE1 in FIGURE 18). In the
subscriber will automatically receive the latest status of latter case, the Composite Entity (e.g., c1 in FIGURE 18)
the smart door lock upon subscription, without the need is represented by multiple CCEs (e.g., CCE1 and CCE2 in
to wait for the next status change. FIGURE 18). In other words, an CE represents a Composite
VOLUME 15, 2022 11
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
Entity in the PubSub Space, while an CCE represents a t6 for example. In this communication, CCE3 has the data
component within a Composite Entity in the PubSub Space. producer communication role and may assume the Sensor au-
Entities can be both publisher (i.e., data or command tomation role. On the other hand, CE1 has the data consumer
producer) and subscriber (i.e., data or command consumer), communication role and may assume the ControllerActuator
that is to say, the communication role of an entity may differ automation role.
across automation tasks. An example of such an entity is The inter-entity communications shown in TABLE 1 cover
a smart fridge which participates in two automation tasks, different SHAuto scenarios discussed in Section IV. The
ice dispensing and recipe generation. In the former case, the scenarios include:
smart fridge is an Actuator which dispenses ice in response • Communications involving different device control
to a command received from a smart door lock with a camera modes:
when the door lock detects the homeowner has arrived. In the
-- Manual control (e.g., command flows 4a and 4b via
communication with the door lock, the fridge is the command
t1 ) and
consumer. On the other hand, in the latter case, the fridge is a
-- Auto control (e.g., all communication flows except
Sensor which sends the information about ingredients stored
for command flows 4a and 4b).
in the fridge to a smart cooker which then generates recipes
• Communications involving different automation modes:
based on the information received. In the communication
with the cooker, the fridge is a data producer. In addition, -- Cloud-managed automation (e.g., the control of
an entity (e.g., the smart lighting control service described CCE5 by CCE2 via t2 ),
in Section IV-A2) may have more than one communication -- Gateway-managed automation (e.g., the control of
role in an automation task, but can only take on one com- CE1 by SE2 via t4 ), and
munication role in a communication, either a data/command -- Device-managed automation (e.g., the control of
producer or a data/command consumer. CCE5 by CCE4 via t7 ).
• Communications involving different communication
Topics: A topic is a logical channel between a pair, or a patterns:
group, of data producer(s) and data consumer(s) or command -- One-to-one (e.g., SE1 to SE3 via t1 ),
producer(s) and command consumer(s). Topics can be dy- -- Many-to-one (e.g., SE2 and CCE2 to CCE5 via t2 ),
namically created when an entity publishes or subscribes to -- One-to-many (e.g., CCE3 to CCE4 and CE1 via t6 ),
them, without any initialisation beforehand (as supported by and
MQTT [77, 79]). -- Many-to-many (e.g., SE4 and CE2 to SE2 to CCE4 via
t3 ).
Broker: A PubSub broker, though not explicitly shown in
FIGURE 18, acts as a central server, to which all entities are TABLE 1: Inter-entity communications in SHAuto
connected, to enable message transmission between entities Inter-entity Description Example Communica-
via topics. Depending on the automation modes described in Communi- tion Flow
Section IV-B, the Broker could be cloud-hosted or locally- cation
CE and CE A communication between Data flows 1a and 1b via
hosted on a machine (usually an SHAuto gateway) within two CEs topic t5
the home. CE and SE A communication between Command flows 2a and 2b
an CE and an SE via topic t4
C. COMMUNICATIONS AMONG PUBSUB ENTITIES CE and CCE A communication between Data flows 3a and 3b via
an CE and an CCE topic t6
The G-SHAuto model involves two forms of communi- SE and SE A communication between Command flows 4a and 4b
cations, namely, inter-entity communications and Entity- two SEs via topic t1
Broker communications. SE and CCE A communication between Command flows 5a and 5b
an SE and an CCE via topic t2
CCE and A communication between
1) Inter-entity Communications CCE two CCEs. There are two
To facilitate SHAuto, entities communicate with one an- types of this communica-
tion: Local CCE and CCE
other by exchanging messages and each such message con- and Global CCE and CCE
tains data or commands. These communications are called Local CCE A communication between Data flows 6a and 6b via
inter-entity communications and can be categorised into six and CCE two CCEs of the same topic t6
Composite Entity
groups: CE and CE, CE and SE, CE and CCE, SE and Global CCE A communication between Command flows 7a and 7b
SE, SE and CCE, and CCE and CCE. These inter-entity and CCE two CCEs of different via topic t2
communications are summarised in Table 1. Each group of Composite Entities
communication is provided with an example composed of
communication flows depicted in FIGURE 18. It is worth
noting that in each inter-entity communication, an entity 2) Entity-Broker Communications
takes on one automation role and one communication role. The Broker mediates the inter-entity communications de-
Take the communication between CCE3 and CE1 via topic scribed above. This results in four types of Entity-Broker
12 VOLUME 15, 2022
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
communications: Subscribe, Publish, Forward, and Unsub- we identify and discuss these opportunities (vulnerabilities
scribe. and authorisation threats) as well as the impacts they may
impose.
Subscribe: A Subscribe communication involves an entity
subscribing to the topic(s) to request messages, containing A. VULNERABILITIES
data or commands, that it is interested in receiving. For Vulnerabilities are known as the weaknesses in a system that
example, a smart air conditioner subscribes to a topic to an attacker could exploit to cause harmful impacts on the
receive control commands from other entities. In a Subscribe system [80]. In the G-SHAuto model, vulnerabilities can be
communication, an entity sends a Subscribe request in the classified into two categories: unconstrained communications
form of a message to the Broker. We refer to this message within the PubSub Space and overprivileged entities.
as a Subscribe message. A Subscribe message contains
information about a subscription such as the identifier of the 1) Unconstrained communications within the PubSub Space
topic(s) of interest. Interconnected entities, with heterogeneous functionalities,
communication capabilities, providers, and so on, can freely
Publish: A Publish communication involves an entity pub- communicate with one another through publishing or sub-
lishing a message, containing data or commands, to which scribing to topics to provide SHAuto. This promises en-
other entities might be subscribing. As can be seen from hanced convenience and comfort to home occupants. How-
the examples illustrated in FIGURE 18, each of the inter- ever, a single compromised entity may potentially compro-
entity communications is enabled through two sequential mise the entire SHAuto system. For example, an entity could
communications involving the Broker; the first being the leverage the group-based communication of PubSub to con-
Publish communication. In a Publish communication, an trol numerous other entities by publishing a single command
entity publishes a message to a topic managed by the to a topic that they have all subscribed to, without having
Broker. We call this message an inbound Publish message to compromise every single one of them. For instance, in
(hereinafter referred to as Publish message for simplicity). a one-to-many communication scenario illustrated in 16, a
This message serves as a Publish request and may include the compromised smart air conditioning service could potentially
identifier of the topic that it will be published to and a control manipulate all smart air conditioners subscribed to it by
command (e.g., on/off) or sensor data (e.g., room temperature issuing a single command.
reading). An example of Publish communication is captured
by the data flow 1a in FIGURE 18. 2) Overprivileged Entities
An overprivileged entity can access more data than it needs
Forward: A Forward communication involves the Broker or control more devices than it should. Overprivileges can
forwarding a message published by a publisher to a sub- be attributed to the following features offered by SHAuto
scriber. This is the subsequent communication that completes platforms.
an inter-entity communication after a Publish communi-
cation. A Forward communication is established by the • The support for automation rule customisation and man-
Broker in response to the receipt of a Publish message agement of devices and device communications through
from a publisher. The Broker then relays the message as end-user applications: This provides homeowners with
an outbound Publish message to every single subscriber of control over their SHAuto system but may also intro-
the topic to which the message was published. We name duce risks (e.g., misconfigurations) due to human error,
the outbound Publish message the Forward message. An negligence, or a lack of knowledge in IT or security as
example of Forward communication is exhibited by the data described in Section III-A. For example, the homeowner
flow 1b in FIGURE 18. may unintentionally grant a device more permissions
than it requires, causing the device to be overprivileged.
Unsubscribe: An Unsubscribe communication involves a • The support for third-party app development and in-
subscriber unsubscribing to remove a request for messages. tegration (see Section III-B): These apps enrich the
To unsubscribe from messages, a subscriber sends an Unsub- SHAuto experience but may be overprivileged [14].
scribe request to the Broker to stop receiving any subsequent
messages published to a particular topic. An Unsubscribe B. THREATS
request is sent in the form of an Unsubscribe message and Entities have access to an SHAuto system, and they may
it includes the identifier of the topic. be malicious, curious or compromised. These entities may
misuse their access privilege, intentionally or unintention-
VI. THREAT ANALYSIS ally, by exploiting the aforementioned vulnerabilities. We
While SHAuto has the potential to offer numerous benefits, call the misuse of access privilege an authorisation threat.
it also provides opportunities for attacks. External and inter- Authorisation threats can be classified into two classes: (1)
nal parties may take advantage of the interconnected smart privilege escalation and (2) privilege blocking. These threats
devices to illegitimately automate a home. In the following, are discussed below and summarised in FIGURE 20.
VOLUME 15, 2022 13
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
1) Privilege Escalation victim and one intermediary. In the first stage, an actor
Privilege escalation refers to the act of gaining privileges publishes data to a topic subscribed to by an intermediary.
beyond what is intended for an entity. This threat can happen In the second stage, the intermediary publishes a command,
in entity control and command/data access. in response to the received data, to a topic subscribed to
by the victim. The publication by the actor is illegitimate
a: Privilege Escalation in Entity Control as it allows the actor to indirectly control the victim which
Privilege escalation in entity control refers to an event where the actor should not gain control over. The publication by
an entity takes control of other entities which it should not the intermediary is legitimate if performed in response to a
have control over. The entities involved in this threat can be legitimate publication; however, if carried out as a result of
classified into two types: actor and victim. An actor is an an illegitimate publication as described in the first stage, it
entity which causes the threat. A victim, on the other hand, is will lead to an indirect control threat. An example of indirect
an entity being controlled as a result of the threat. A victim is control threats involves a motion detector within a room (i.e.,
usually an entity with actuating capability (e.g., an Actuator, an actor) illegitimately sending a data item to a home security
a SensorActuator, or a ControllerActuator). This threat can service (i.e., an intermediary), which then issues a command
take two forms, direct control and indirect control. to either lock or unlock the main door of the house (i.e., a
A direct control threat refers to a circumstance in which an victim). An illegitimate publication by an actor can occur in
actor directly controls the victim(s). It can be caused by an the inter-entity communication below:
illegitimate publication by an actor. Such a publication occurs
if an actor publishes a command or data to a topic subscribed (COM3) An entity publishing data to a Controller.
to by the victim(s), causing the victim(s) to act following the
received command/data. For example, a smart coffee maker b: Privilege Escalation in Command/Data Access
illegitimately publishes a command to a topic subscribed Privilege escalation in command/data access arises when an
to by a burglar alarm, a device it should not control, in entity consumes commands or data which are not intended
an attempt to deactivate it. An illegitimate publication can for it. This threat may occur as a result of an illegitimate
happen in any of the following inter-entity communications: subscription or an unconstrained message forwarding. An
illegitimate subscription occurs when an entity subscribes to
(COM1) An entity publishing a command to an Actuator or a topic to which it should not have access. An example is a
a SensorActuator. coffee maker illegitimately subscribing to a topic to read the
(COM2) An entity publishing data to a ControllerActuator. status of the main door of the house (e.g., On or Off) which
is not intended for it. An unconstrained message forwarding,
The threats of indirect control refer to situations in which on the other hand, happens when the Broker broadcasts
actors indirectly control victims through intermediaries. In- a message, which contains data or a command, to all the
termediaries are Controllers which are authorised to con- subscribers of the topic to which the message was published,
trol the victims. An indirect control threat happens in two irrespective of the fact that only a subset of these subscribers
stages: (1) an illegitimate publication by an actor and (2) should receive the message. For example, the Broker might
publication(s) by one or more intermediaries. For simplicity, broadcast a "switch-on" command to all smart light bulbs in
the stages are explained using a case involving only one the house, irrespective of the fact that only the light bulbs in
14 VOLUME 15, 2022
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
the kitchen are intended to receive it. A privilege escalation from such control commands, rendering it inoperable when
in command/data access can happen in any of the following occupants are away from home.
inter-entity communications:
Device misoperation: This occurs when a device fails to
(COM4) An Actuator or a SensorActuator consuming a operate as intended. Device misoperation can be of two types:
command published by a command producer. internal misoperation and external misoperation. The former
(COM5) A ControllerActuator, a Controller, a Sensor, a means a misoperation posed by an entity (i.e., the device
SensorController, or a SensorControllerActuator itself), whereas, the latter refers to a device misoperation
consuming a command published by a command posed by other entities. An internal misoperation of a device
producer. may result from a privilege escalation that occurs in (COM4)
(COM6) A ControllerActuator or a SensorControllerActua- or (COM6). On the other hand, an external misoperation
tor consuming data published by a data producer. of a device could be caused by a privilege escalation that
(COM7) A Controller or a SensorController consuming data happens in (COM1) to (COM3), or (COM7). Misoperations
published by a data producer. of devices, which perform critical SHAuto functions, could
(COM8) A Sensor, an Actuator, or a SensorActuator con- be disastrous. They may cause device or property damage,
suming data published by a data producer. putting residents’ lives at risk. An example of malicious con-
trol of devices, e.g., kitchen appliances, by a compromised
entity has been discussed in Section I.
The illegitimate publications and subscriptions discussed
above may be performed intentionally by a curious, mali- Service disruption: This is an interruption in the delivery
cious or compromised entity, or unintentionally as the result of SHAuto services. It can result from an event of operation
of device permission misconfigurations by their owners and obstruction or device misoperation. Multiple occurrences of
so on. such an event may potentially result in a whole SHAuto
system disruption.
2) Privilege Blocking
Privilege blocking is the act of blocking legitimate access Disclosure of information: It refers to the dissemination of
to rightful resources [81]. In SHAuto, privilege blocking information to any parties who are not authorised to access
occurs when the legitimate consumption of commands/data that information. It can result from a privilege escalation
by entities is prevented. in command/data access that happens in any of the inter-
A privilege-blocking threat may occur as a result of an communications described in (COM4) to (COM8). For ex-
illegitimate subscription cancellation. Such a cancellation ample, a compromised entity might be used to subscribe to
happens when a legitimate subscriber unsubscribes itself data published by entities (e.g., smart door lock) that are not
from a topic illegitimately, stopping itself from receiving intended for it, with the aim of learning about the current
commands or data intended for it. This action, which may state of the smart home, such as whether the house is locked
be performed intentionally or unintentionally by entities, can or unlocked and if the occupants are home or away. This
result in an availability violation in which commands/data information could then be used in facilitating home intrusion
are made unavailable to legitimate subscribers. For example, and burglary.
a compromised smoke detection service might unsubscribe
itself from receiving data from smoke detectors, preventing Impact on efficiency: The threat actions of illegitimate topic
itself from sending alerts to the homeowner’s smartphone. subscription and unconstrained message forwarding may
impact the efficiency of an SHAuto system. For example,
C. IMPACTS OF THREATS an illegitimate topic subscription, which is performed by an
The authorisation threats discussed above could cause one or entity unintentionally, could lead to additional overhead in
more adverse impacts on a SHAuto system. These threats not the entity in processing unwanted messages. The situation
only impact the security and safety of an SHAuto system but is even worse if the entity is a resource-constrained device.
also its efficiency. Below, impacts that have the potential to Additionally, the threat actions can lead to a rise in the
cause safety concerns are discussed before other impacts as volume of communications, putting an additional burden
they have the highest severity (e.g., endangering occupants’ on the Broker. This extra burden may cause the reduced
lives). performance of the messaging system in SHAuto.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
evolves. Additionally, by ensuring that access delays are kept Machinery, Mar. 2018, pp. 43–53. [Online]. Available:
as short as possible, the solution can provide efficient access http://doi.org/10.1145/3180457.3180464
control, which is critical for ensuring safety and security in [8] A. L. Marra, F. Martinelli, P. Mori, and A. Saracino,
SHAuto environments. An example use case is a smart oven “Implementing Usage Control in Internet of Things: A
and a smart camera that collectively provide a child safety Smart Home Use Case,” in 2017 IEEE Trustcom/Big-
service. The camera detects if a child is approaching the oven DataSE/ICESS, Aug. 2017, pp. 1056–1063, iSSN:
without the presence of an adult. When the detection hap- 2324-9013.
pens, the camera communicates the information to the oven [9] A. La Marra, F. Martinelli, P. Mori, A. Rizos, and
so that the oven can lock its door to prevent the child from A. Saracino, “Improving MQTT by Inclusion of Usage
opening the door. To protect children from severe injury, it is Control,” in Security, Privacy, and Anonymity in Com-
critical that the access delay imposed on the communication putation, Communication, and Storage, ser. Lecture
between the camera and the oven can be minimised. Notes in Computer Science, G. Wang, M. Atiquzzaman,
In our future work, we will employ the specified require- Z. Yan, and K.-K. R. Choo, Eds. Cham: Springer
ments to design a secure and usable communication-based International Publishing, 2017, pp. 545–560.
access control solution for SHAuto environments. In addi- [10] T. Dimitrakos, T. Dilshener, A. Kravtsov, A. La Marra,
tion, we will draw insights from related white papers (e.g., F. Martinelli, A. Rizos, A. Rosetti, and A. Saracino,
[82]) to refine our requirements comprehensively. Finally, we “Trust Aware Continuous Authorization for Zero Trust
will evaluate our solution in terms of security and usability. in Consumer Internet of Things,” in 2020 IEEE 19th In-
ternational Conference on Trust, Security and Privacy
REFERENCES in Computing and Communications (TrustCom), Dec.
[1] “What is the Internet of Things (IoT)?” [Online]. 2020, pp. 1801–1812, iSSN: 2324-9013.
Available: https://aws.amazon.com/what-is/iot/ [11] Y. J. Jia, Q. A. Chen, S. Wang, A. Rahmati,
[2] R. Ross, V. Pillitteri, and K. Dempsey, “Assessing E. Fernandes, Z. M. Mao, and A. Prakash,
Enhanced Security Requirements for Controlled “ContexIoT: Towards Providing Contextual Integrity
Unclassified Information,” National Institute of to Appified IoT Platforms,” in Proceedings
Standards and Technology, Tech. Rep. NIST 2017 Network and Distributed System Security
Special Publication (SP) 800-172A, Mar. 2022. Symposium. San Diego, CA: Internet Society, 2017.
[Online]. Available: https://csrc.nist.gov/publications/ [Online]. Available: https://www.ndss-symposium.
detail/sp/800-172a/final org/ndss2017/ndss-2017-programme/
[3] V. H. Bhide and S. Wagh, “i-learning IoT: An intelligent contexlot-towards-providing-contextual-integrity-appified-iot-pl
self learning system for home automation using IoT,” in [12] Y. Tian, N. Zhang, Y.-H. Lin, X. Wang,
2015 International Conference on Communications and B. Ur, X. Guo, and P. Tague, “Smar-
Signal Processing (ICCSP), Apr. 2015, pp. 1763–1767. tAuth: User-Centered Authorization for the
[4] M. O’Neill, “The Internet of Things: do more Internet of Things,” 2017, pp. 361–378. [On-
devices mean more risks?” Computer Fraud & line]. Available: https://www.usenix.org/conference/
Security, vol. 2014, no. 1, pp. 16–17, Jan. 2014. usenixsecurity17/technical-sessions/presentation/tian
[Online]. Available: https://www.sciencedirect.com/ [13] A. Rahmati, E. Fernandes, K. Eykholt, and A. Prakash,
science/article/pii/S1361372314700089 “Tyche: A Risk-Based Permission Model for Smart
[5] V. Hu, D. Ferraiolo, and R. Kuhn, “Assessment Homes,” in 2018 IEEE Cybersecurity Development
of Access Control Systems,” National Institute of (SecDev), Sep. 2018, pp. 29–36.
Standards and Technology, Tech. Rep. NIST Internal [14] E. Fernandes, J. Jung, and A. Prakash, “Security Anal-
or Interagency Report (NISTIR) 7316, Sep. 2006. ysis of Emerging Smart Home Applications,” in 2016
[Online]. Available: https://csrc.nist.gov/publications/ IEEE Symposium on Security and Privacy (SP), May
detail/nistir/7316/final 2016, pp. 636–654, iSSN: 2375-1207.
[6] V. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, [15] Samsung, “Samsung SmartThings - For Your
K. Sandlin, R. Miller, and K. Scarfone, “Guide Connected Smart Home.” [Online]. Available:
to Attribute Based Access Control (ABAC) Definition https://www.samsung.com/uk/smartthings/
and Considerations,” National Institute of Standards [16] D. Geneiatakis, I. Kounelis, R. Neisse, I. Nai-Fovino,
and Technology, Tech. Rep. NIST Special Publication G. Steri, and G. Baldini, “Security and privacy is-
(SP) 800-162, Aug. 2019. [Online]. Available: https: sues for an IoT based smart home,” in 2017 40th
//csrc.nist.gov/publications/detail/sp/800-162/final International Convention on Information and Commu-
[7] B. Bezawada, K. Haefner, and I. Ray, “Securing nication Technology, Electronics and Microelectronics
Home IoT Environments with Attribute-Based Access (MIPRO), May 2017, pp. 1292–1297.
Control,” in Proceedings of the Third ACM Workshop [17] W. Ali, G. Dustgeer, M. Awais, and M. A. Shah,
on Attribute-Based Access Control, ser. ABAC’18. “IoT based smart home: Security challenges, security
New York, NY, USA: Association for Computing requirements and solutions,” in 2017 23rd International
VOLUME 15, 2022 17
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
Conference on Automation and Computing (ICAC), Chin, “Identifying factors influencing consumers’
Sep. 2017, pp. 1–6. intent to install mobile applications,” International
[18] A. K. Ray and A. Bagwari, “Study of smart home com- Journal of Information Management, vol. 36,
munication protocol’s and security & privacy aspects,” no. 3, pp. 441–450, Jun. 2016. [Online]. Avail-
in 2017 7th International Conference on Communica- able: https://www.sciencedirect.com/science/article/pii/
tion Systems and Network Technologies (CSNT), Nov. S0268401215301122
2017, pp. 240–245. [28] G. C.-C. Shen, “Users’ adoption of mobile
[19] A. Girish, T. Hu, V. Prakash, D. J. Dubois, applications: Product type and message framing’s
S. Matic, D. Y. Huang, S. Egelman, J. Reardon, moderating effect,” Journal of Business Research,
J. Tapiador, D. Choffnes, and N. Vallina-Rodriguez, vol. 68, no. 11, pp. 2317–2321, Nov. 2015.
“In the Room Where It Happens: Characterizing [Online]. Available: https://www.sciencedirect.com/
Local Communication and Threats in Smart Homes,” science/article/pii/S0148296315002465
in Proceedings of the 2023 ACM on Internet [29] S. W. Tay, P. S. Teh, and S. J. Payne, “Reasoning
Measurement Conference, ser. IMC ’23. New York, about privacy in mobile application install decisions:
NY, USA: Association for Computing Machinery, Risk perception and framing,” International Journal of
Oct. 2023, pp. 437–456. [Online]. Available: Human-Computer Studies, vol. 145, p. 102517, Jan.
https://dl.acm.org/doi/10.1145/3618257.3624830 2021. [Online]. Available: https://www.sciencedirect.
[20] R. Li, W. Zhang, L. Wu, Y. Tang, and X. Xie, “ZPA: com/science/article/pii/S1071581920301191
A Smart Home Privacy Analysis System Based on [30] A. Abdullah, H. Kaur, and R. Biswas, “Universal Lay-
ZigBee Encrypted Traffic,” Wireless Communications ers of IoT Architecture and Its Security Analysis,” in
and Mobile Computing, vol. 2023, p. e6731783, Jan. New Paradigm in Decision Science and Management,
2023, publisher: Hindawi. [Online]. Available: https: ser. Advances in Intelligent Systems and Computing,
//www.hindawi.com/journals/wcmc/2023/6731783/ S. Patnaik, A. W. H. Ip, M. Tavana, and V. Jain, Eds.
[21] Y. Meng, W. Zhang, H. Zhu, and X. S. Shen, “Se- Singapore: Springer, 2020, pp. 293–302.
curing Consumer IoT in the Smart Home: Architec- [31] P. Agarwal and M. Alam, “Investigating IoT Middle-
ture, Challenges, and Countermeasures,” IEEE Wireless ware Platforms for Smart Application Development,”
Communications, vol. 25, no. 6, pp. 53–59, Dec. 2018, in Smart Cities—Opportunities and Challenges, ser.
conference Name: IEEE Wireless Communications. Lecture Notes in Civil Engineering, S. Ahmed, S. M.
[22] G. Kavallieratos, V. Gkioulos, and S. K. Katsikas, Abbas, and H. Zia, Eds. Singapore: Springer, 2020,
“Threat Analysis in Dynamic Environments: The Case pp. 231–244.
of the Smart Home,” in 2019 15th International Con- [32] A. Alshehri and R. Sandhu, “Access Control Models for
ference on Distributed Computing in Sensor Systems Cloud-Enabled Internet of Things: A Proposed Archi-
(DCOSS), May 2019, pp. 234–240, iSSN: 2325-2944. tecture and Research Agenda,” in 2016 IEEE 2nd In-
[23] A. Jacobsson, M. Boldt, and B. Carlsson, “On the ternational Conference on Collaboration and Internet
Risk Exposure of Smart Home Automation Systems,” Computing (CIC), Nov. 2016, pp. 530–538.
in 2014 International Conference on Future Internet of [33] K. Bing, L. Fu, Y. Zhuo, and L. Yanlei, “Design of an
Things and Cloud, Aug. 2014, pp. 183–190. Internet of Things-based smart home system,” in 2011
[24] H. Touqeer, S. Zaman, R. Amin, M. Hussain, 2nd International Conference on Intelligent Control
F. Al-Turjman, and M. Bilal, “Smart home security: and Information Processing, vol. 2, Jul. 2011, pp. 921–
challenges, issues and solutions at different IoT layers,” 924.
The Journal of Supercomputing, vol. 77, no. 12, [34] C. S. C. Council, “Cloud Customer Architecture
pp. 14 053–14 089, Dec. 2021. [Online]. Available: for IoT.” Cloud Standards Customer Council,
https://doi.org/10.1007/s11227-021-03825-1 2016. [Online]. Available: https://www.omg.org/cloud/
[25] T. H.-J. Kim, L. Bauer, J. Newsome, A. Perrig, and deliverables/cloud-customer-architecture-for-iot.htm
J. Walker, “Access right assignment mechanisms for [35] S. EL Jaouhari, E. Jose Palacios-Garcia, A. Anvari-
secure home networks,” Journal of Communications Moghaddam, and A. Bouabdallah, “Integrated
and Networks, vol. 13, no. 2, pp. 175–186, Apr. 2011, Management of Energy, Wellbeing and Health in
conference Name: Journal of Communications and Net- the Next Generation of Smart Homes,” Sensors,
works. vol. 19, no. 3, p. 481, Jan. 2019, number: 3 Publisher:
[26] M. Funk, L.-L. Chen, S.-W. Yang, and Y.-K. Chen, Multidisciplinary Digital Publishing Institute. [Online].
“Addressing the Need to Capture Scenarios, Intentions Available: https://www.mdpi.com/1424-8220/19/3/481
and Preferences: Interactive Intentional Programming [36] M. A. Jabraeil Jamali, B. Bahrami, A. Heidari, P. Al-
in the Smart Home,” International Journal of Design, lahverdizadeh, and F. Norouzi, “IoT Architecture,” in
vol. 12(1), 2018. [Online]. Available: http://www. Towards the Internet of Things: Architectures, Security,
ijdesign.org/index.php/IJDesign/article/view/2995 and Applications, ser. EAI/Springer Innovations in
[27] M. A. Harris, R. Brookshire, and A. G. Communication and Computing, M. A. Jabraeil Jamali,
18 VOLUME 15, 2022
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
B. Bahrami, A. Heidari, P. Allahverdizadeh, and [46] “AWS IoT for the Connected Home.” [On-
F. Norouzi, Eds. Cham: Springer International line]. Available: https://aws.amazon.com/iot/solutions/
Publishing, 2020, pp. 9–31. [Online]. Available: connected-home/
https://doi.org/10.1007/978-3-030-18468-1_2 [47] “IBM Watson IoT Platform.” [On-
[37] N. M. Kumar and P. K. Mallick, “The Internet line]. Available: https://internetofthings.ibmcloud.com/
of Things: Insights into the building blocks, internetofthings.ibmcloud.com
component interactions, and architecture layers,” [48] E. Fernandes, A. Rahmati, J. Jung, and A. Prakash,
Procedia Computer Science, vol. 132, pp. 109–117, Jan. “Security Implications of Permission Models in Smart-
2018. [Online]. Available: https://www.sciencedirect. Home Application Frameworks,” IEEE Security & Pri-
com/science/article/pii/S1877050918309049 vacy, vol. 15, no. 2, pp. 24–30, Mar. 2017, conference
[38] G. Mokhtari, A. Anvari-Moghaddam, and Q. Zhang, “A Name: IEEE Security & Privacy.
New Layered Architecture for Future Big Data-Driven [49] Z. Chen, F. Zeng, T. Lu, and W. Shu, “Multi-Platform
Smart Homes,” IEEE Access, vol. 7, pp. 19 002–19 012, Application Interaction Extraction for IoT Devices,” in
2019, conference Name: IEEE Access. 2019 IEEE 25th International Conference on Parallel
[39] J. C. Sapalo Sicato, P. K. Sharma, V. Loia, and Distributed Systems (ICPADS), Dec. 2019, pp.
and J. H. Park, “VPNFilter Malware Analysis 990–995, iSSN: 1521-9097.
on Cyber Threat in Smart Home Network,” [50] “IFTTT.” [Online]. Available: https://ifttt.com/
Applied Sciences, vol. 9, no. 13, p. 2763, [51] “What is IFTTT?” [Online]. Available: https://ifttt.
Jan. 2019, number: 13 Publisher: Multidisciplinary com/explore/new_to_ifttt
Digital Publishing Institute. [Online]. Available: [52] “IFTTT Smart Home.” [Online]. Available: https:
https://www.mdpi.com/2076-3417/9/13/2763 //ifttt.com/solutions/smart_home
[40] S. M. Tahsien, H. Karimipour, and P. Spachos, [53] S. P. R. Asaithambi, S. Venkatraman, and
“Machine learning based solutions for security of R. Venkatraman, “Big Data and Personalisation for
Internet of Things (IoT): A survey,” Journal of Network Non-Intrusive Smart Home Automation,” Big Data
and Computer Applications, vol. 161, p. 102630, Jul. and Cognitive Computing, vol. 5, no. 1, p. 6,
2020. [Online]. Available: https://www.sciencedirect. Mar. 2021, number: 1 Publisher: Multidisciplinary
com/science/article/pii/S1084804520301041 Digital Publishing Institute. [Online]. Available:
[41] M. Wu, T.-J. Lu, F.-Y. Ling, J. Sun, and H.-Y. Du, https://www.mdpi.com/2504-2289/5/1/6
“Research on the architecture of Internet of Things,” [54] B. Ur, E. McManus, M. Pak Yong Ho, and M. L.
in 2010 3rd International Conference on Advanced Littman, “Practical trigger-action programming in
Computer Theory and Engineering(ICACTE), vol. 5, the smart home,” in Proceedings of the SIGCHI
Aug. 2010, pp. V5–484–V5–487, iSSN: 2154-7505. Conference on Human Factors in Computing Systems,
[42] Q. Zhu, R. Wang, Q. Chen, Y. Liu, and W. Qin, “IOT ser. CHI ’14. New York, NY, USA: Association
Gateway: Bridging Wireless Sensor Networks into In- for Computing Machinery, Apr. 2014, pp. 803–812.
ternet of Things,” in 2010 IEEE/IFIP International [Online]. Available: http://doi.org/10.1145/2556288.
Conference on Embedded and Ubiquitous Computing, 2557420
Dec. 2010, pp. 347–352. [55] HomeSeer, “Home Controller Systems For Every
[43] A. Banerjee, F. Sufyanf, M. S. Nayel, and S. Sagar, Need & Budget | HomeSeer.” [Online]. Available:
“Centralized framework for controlling heterogeneous https://homeseer.com/home-controllers/
appliances in a smart home environment,” in 2018 In- [56] W. A. Jabbar, T. K. Kian, R. M. Ramli, S. N. Zubir,
ternational Conference on Information and Computer N. S. M. Zamrizaman, M. Balfaqih, V. Shepelev, and
Technologies (ICICT), Mar. 2018, pp. 78–82. S. Alharbi, “Design and Fabrication of Smart Home
[44] W. Zhou, Y. Jia, Y. Yao, L. Zhu, L. Guan, With Internet of Things Enabled Automation System,”
Y. Mao, P. Liu, and Y. Zhang, “Discovering IEEE Access, vol. 7, pp. 144 059–144 074, 2019, con-
and Understanding the Security Hazards in the ference Name: IEEE Access.
Interactions between IoT Devices, Mobile Apps, [57] LG, “LG Unveils New Framework for advancing
and Clouds on Smart Home Platforms,” 2019, pp. AI Technology at CES 2020,” Jan. 2020.
1133–1150. [Online]. Available: https://www.usenix. [Online]. Available: https://thinq.developer.lge.com/en/
org/conference/usenixsecurity19/presentation/zhou news/news-list/7-jan-2020-article-ces-keynote/
[45] T. T. Doan, R. Safavi-Naini, S. Li, S. Avizheh, M. V. [58] S. Maxim, “Local control made easy
K., and P. W. L. Fong, “Towards a Resilient Smart with Ezlo Hubs,” Mar. 2021. [On-
Home,” in Proceedings of the 2018 Workshop on line]. Available: https://getvera.com/blogs/our-blog/
IoT Security and Privacy, ser. IoT S&P ’18. local-control-made-easy-with-ezlo-hubs
New York, NY, USA: Association for Computing [59] D. Meyer, J. Haase, M. Eckert, and B. Klauer, “A
Machinery, Aug. 2018, pp. 15–21. [Online]. Available: threat-model for building and home automation,” in
http://doi.org/10.1145/3229565.3229570 2016 IEEE 14th International Conference on Industrial
VOLUME 15, 2022 19
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
Informatics (INDIN), Jul. 2016, pp. 860–866, iSSN: Trends in Electronics, Information & Communication
2378-363X. Technology (RTEICT), May 2017, pp. 2043–2045.
[60] openHAB, “empowering the smart home.” [Online]. [71] Z. Li, Y. Xiao, S. Liang, and S. Wang, “Design of
Available: https://www.openhab.org/ Smart Home Management System based on MQTT and
[61] E.-M. Schomakers, H. Biermann, and M. Ziefle, FBP,” in 2018 Chinese Automation Congress (CAC),
“Users’ Preferences for Smart Home Automation Nov. 2018, pp. 3086–3091.
– Investigating Aspects of Privacy and Trust,” [72] S.-M. Kim, H.-S. Choi, and W.-S. Rhee, “IoT home
Telematics and Informatics, vol. 64, p. 101689, Nov. gateway for auto-configuration and management of
2021. [Online]. Available: https://www.sciencedirect. MQTT devices,” in 2015 IEEE Conference on Wireless
com/science/article/pii/S0736585321001283 Sensors (ICWiSe), Aug. 2015, pp. 12–17.
[62] S. AlJanah, N. Zhang, and S. W. Tay, “A Survey on [73] Y. Upadhyay, A. Borole, and D. Dileepan, “MQTT
Smart Home Authentication: Toward Secure, Multi- based secured home automation system,” in 2016 Sym-
Level and Interaction-Based Identification,” IEEE Ac- posium on Colossal Data Analysis and Networking
cess, vol. 9, pp. 130 914–130 927, 2021, conference (CDAN), Mar. 2016, pp. 1–4.
Name: IEEE Access. [74] F. Ozturk and A. M. Ozdemir, “Content-Based Publish/-
[63] S. AlJanah, N. Zhang, and S. W. Tay, “A Multifactor Subscribe Communication Model between IoT Devices
Multilevel and Interaction Based (M2I) Authentication in Smart City Environment,” in 2019 7th International
Framework for Internet of Things (IoT) Applications,” Istanbul Smart Grids and Cities Congress and Fair
IEEE Access, vol. 10, pp. 47 965–47 996, 2022, confer- (ICSG), Apr. 2019, pp. 189–193.
ence Name: IEEE Access. [75] T. R. Sheltami, A. A. Al-Roubaiey, and A. S. H.
[64] P. T. Eugster, P. A. Felber, R. Guerraoui, and A.-M. Mahmoud, “A survey on developing publish/subscribe
Kermarrec, “The many faces of publish/subscribe,” middleware over wireless sensor/actuator networks,”
ACM Computing Surveys, vol. 35, no. 2, pp. 114–131, Wireless Networks, vol. 22, no. 6, pp. 2049–2070,
Jun. 2003. [Online]. Available: http://doi.org/10.1145/ Aug. 2016. [Online]. Available: https://doi.org/10.
857076.857078 1007/s11276-015-1075-0
[65] Y. Tian, B. Song, and E.-N. Huh, “A Parameterized [76] S. Oh, J.-H. Kim, and G. Fox, “Real-
Privacy-Aware Pub-sub System in Smart Work,” in time performance analysis for publish/subscribe
Security Technology, ser. Communications in Computer systems,” Future Generation Computer Systems,
and Information Science, T.-h. Kim, H. Adeli, W.-c. vol. 26, no. 3, pp. 318–323, Mar. 2010.
Fang, J. G. Villalba, K. P. Arnett, and M. K. Khan, Eds. [Online]. Available: https://www.sciencedirect.com/
Berlin, Heidelberg: Springer, 2011, pp. 204–214. science/article/pii/S0167739X09001344
[66] S. Khare, H. Sun, K. Zhang, J. Gascon-Samson, [77] A. Banks, E. Briggs, K. Borgendale, and R. Gupta,
A. Gokhale, X. Koutsoukos, and H. Abdelaziz, “Scal- “MQTT Version 5.0,” Mar. 2019. [Online].
able Edge Computing for Low Latency Data Dissem- Available: https://docs.oasis-open.org/mqtt/mqtt/v5.0/
ination in Topic-Based Publish/Subscribe,” in 2018 os/mqtt-v5.0-os.html
IEEE/ACM Symposium on Edge Computing (SEC), Oct. [78] “Persistent Session and Queuing Messages
2018, pp. 214–227. - MQTT Essentials: Part 7,” Feb. 2015.
[67] D. Happ, N. Karowski, T. Menzel, V. Handziski, [Online]. Available: https://www.hivemq.com/blog/
and A. Wolisz, “Meeting IoT platform requirements mqtt-essentials-part-7-persistent-session-queuing-messages/
with open pub/sub solutions,” Annals of Telecommu- [79] “MQTT Topics, Wildcards, & Best Practices
nications, vol. 72, no. 1, pp. 41–52, 2017. [Online]. - MQTT Essentials: Part 5,” Aug. 2019.
Available: https://doi.org/10.1007/s12243-016-0537-4 [Online]. Available: https://www.hivemq.com/blog/
[68] D. J. Cook, A. S. Crandall, B. L. Thomas, and N. C. Kr- mqtt-essentials-part-5-mqtt-topics-best-practices/
ishnan, “CASAS: A Smart Home in a Box,” Computer, [80] M. Jouini, L. B. A. Rabai, and A. B. Aissa, “Classi-
vol. 46, no. 7, pp. 62–69, Jul. 2013, conference Name: fication of Security Threats in Information Systems,”
Computer. Procedia Computer Science, vol. 32, pp. 489–496, Jan.
[69] R. Kishore Kodali, S. C. Rajanarayanan, L. Bop- 2014. [Online]. Available: https://www.sciencedirect.
pana, S. Sharma, and A. Kumar, “Low Cost Smart com/science/article/pii/S1877050914006528
Home Automation System using Smart Phone,” in 2019 [81] V. Hu, R. Kuhn, and D. Yaga, “Verification and Test
IEEE R10 Humanitarian Technology Conference (R10- Methods for Access Control Policies/Models,” NIST
HTC)(47129), Nov. 2019, pp. 120–125, iSSN: 2572- Special Publication, vol. 800, p. 192, Jun. 2017.
7621. [Online]. Available: https://csrc.nist.gov/publications/
[70] J. Prabaharan, A. Swamy, A. Sharma, K. N. Bharath, detail/sp/800-192/final
P. R. Mundra, and K. J. Mohammed, “Wireless home [82] S. Hanna, S. Kumar, and D. Weber, “IIC Endpoint Se-
automation and security system using MQTT protocol,” curity Best Practices,” Industrial Internet Consortium,
in 2017 2nd IEEE International Conference on Recent 2018.
20 VOLUME 15, 2022
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3359442
S. W. Tay et al.: Problem Analysis of Smart Home Automation: Toward Secure and Usable Communication-based Authorisation
Siok Wah Tay received the B.Sc. degree in security technology from
Multimedia University, Malaysia, the M.Sc. degree in human–computer
interaction from the University of Bath, UK, and the Ph.D. degree in
computer science from the University of Manchester, UK. She is a fellow of
the Higher Education Academy (FHEA), UK. Her research interests include
IoT security, human–computer interaction, usable security, and applied AI.
Ning Zhang received the B.Sc. degree (Hons.) from Dalian Maritime
University, China, and the Ph.D. degree from the University of Kent, U.K.,
both in electronics engineering.
Since 2000, she has been with the Department of Computer Science, the
University of Manchester, U.K., where she is currently a Senior Lecturer.
Her research interests include security in networked and distributed systems,
applied cryptography, data privacy, trust, and digital right managements.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4