Your Facebook friends might be getting access to your smart home devices

There is a lot of stuff out there about smart home technology. Cameras, light bulbs, fridges – all connected to the Internet and the home Wi-Fi network. Natural language voice recognition central control units, such as Amazon’s Alexa, Google’s Home and Apple’s HomePod, can control these devices.

Some of these applications use machine learning to analyze and predict user behavior. A thermostat will work out what temperature a homeowner prefers based on previous usage. It will also analyze local weather forecasts to "predict" what temperature it should be set to. My Alexa has had some hard training on music preferences. As is the way with statistics, the larger the data set the more the frequency "reverts to the mean." Alexa knows that music by artists like Neil Diamond and Fleetwood Mac will be acceptable more often than not. When the robots take over, it will not be a violent revolution – but one that takes place to the music of Dire Straits and the Eagles.

The increased availability of smart home services is providing much interest/excitement/concern for security experts in the field of access control. Access control refers to the rules that control "who" is allowed to access "what" IT service. Smart homes are blowing the experts' minds and the rules.

Things used to be simple with IT services. Companies or government organizations ran applications. Specialist IT teams would manage an access control policy based around things like job role or staff seniority. HR systems allow managers to see different information from their team members. This is access control in action.

The home environment is not like this. These strict levels of authority and approval do not apply. There is, of course, approval and authority discussions – lots of them. Debates about whether to turn up the heat, what music to play or how someone is going to get access to the house are part of the rhythm of domestic life. The decision making is more vague, more fluid and based on social arrangements.

Soon, smart home environments will need clear access control. The use case for smart home technology is growing all the time. Medical records will be available to emergency services arriving at someone’s house. Strangers will have access to the home to deliver packages and pick up dogs for walking. It will not be acceptable to allow everyone who comes into the house – children, extended family, occasional guests and builders – the same level of permission to applications. A foundation for these new services needs sorting out now.

One solution to this problem comes from an area that has already developed access control methods that reflect social relationships: social networks. You have probably already experienced this Relationship Based Access Control (known as ReBAC). Facebook depends on mutual agreement between people on the nature of their relationship (you are asked to confirm that someone is a "friend" or "brother"). This then facilitates the access control policy ("let all friends see photos"). The policies and relationships are there. Some security experts are suggesting that this sorts out the problem: base smart home access control on your social network relationships. Social media "friends" would be able to access certain applications, "family" would have access to more services, and spouse/partners could access pretty much everything. Therefore, these agreements and relationships would simply be taken from your Facebook account.

To me, this feels uncomfortable. How would you feel if access control to your smart home was based on your Facebook relationships? My view is that the nature of people’s relationships on social networks can be very different from the levels of trust associated with people in the non-digital world. Many people would not describe all of their online friends as "real" friends. Moreover, public confidence in the security provided by companies like Facebook has significantly decreased due to a number of high-profile data breaches.

Does this lack of trust in social networks (from both data privacy and describing trusted relationships) derail delivering this protocol for smart homes? Not necessarily.

The approach of Relationship Based Access Control most closely mirrors the changing and imprecise nature of social relationships. Basing access to smart home systems on social network systems feels uncomfortable and insecure. It would be possible to fake or falsify friendship requests – or to "spoof" real friends – for the purpose of gaining access to someone’s social network and, therefore, begin gaining access to their home. Many users would recognize this weakness, and as a result, it would not be acceptable (and could potentially damage the uptake of smart home technology).

One way of approaching this problem, then, would be to allow the smart home system to "learn" the correct permissions and relationships of the various users over time. The aim would be to make the smart home more reflective of the actual relationships within the home. It also gives rise to the potential for smart home providers to create social networks that are more reflective of the true nature of people’s relationships.

What do you think?

Tom Gavin
Tom Gavin

Tom Gavin has been Head of Orange Consulting Europe since 2019. Previously he has held roles in sales and management. Tom lives in London and has three daughters. He spends his spare time as a post graduate student at the Computing Department at the University West London and walking his dogs.