Jointly Achieving Smart Homes Security and Privacy Through Bidirectional Trust

Abstract

The increasing complexity of the smart home ecosystem necessitates effective solutions to pressing security and privacy challenges. Typically, authentication and authorization processes establish system security (i.e., system-to-user trust). Once approved, users are primarily concerned about privacy protection (i.e., user-to-system trust) when utilizing system services that require sensitive data for their functionality. We define "user-to-system trust" as the user's confidence in data privacy protection. To establish bidirectional trust, this study enhances the Authentication Enabled Attribute-Based Access Control (AeABAC) model for user privacy protection. While traditional AeABAC focuses on system-to-user trust (authentication and authorization), it lacks mechanisms to address user-to-system trust, leaving users vulnerable to privacy risks such as opaque data handling, insufficient consent frameworks, and unmitigated disclosure risks. This study enhances the AeABAC model by integrating a risk-based privacy approach to address these gaps. The proposed Risk-Based Privacy Approach for the AeABAC model aims to build user confidence by identifying relevant privacy profile information within the smart home environment. It conducts privacy risk assessments by evaluating the likelihood of data disclosure and examining the potential harm (disclosure impact) users may face if their data is exposed. Ultimately, this approach safeguards users' privacy by offering transparent and informative protections regarding data collection and disclosure. The key findings demonstrate that the RBP-AeABAC model enables role-specific privacy decisions (e.g., stricter controls for children), and balances usability and security through dynamic consent mechanisms. Use-case scenarios validate its practicality in real-world smart home ecosystems.