Browse Prior Art Database

System and Method for Escalating Authentication Requirements for Cloud-accessible Devices

IP.com Disclosure Number: IPCOM000234129D
Publication Date: 2014-Jan-13
Document File: 2 page(s) / 31K

Publishing Venue

The IP.com Prior Art Database

Abstract

The "internet of things" is leading to a great number of household devices becoming available for control via cloud services (For example: remotely controllable thermostats like the Nest, remotely accessible deadbolts, security systems, cameras, garage doors, etc). This remote accessibility provides great convenience to consumers who can now set their home temperature via their smartphone while at work, open the garage door or deadbolt for a locked out spouse, etc. However these services all have a common weakness: if the consumer's service account is compromised, an attacker can perform arbitrary actions with the device. This new overlap between the digital and physical worlds demands a greater degree of defense in the digital domain to protect ourselves in the physical one.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 43% of the total text.

Page 01 of 2

System and Method for Escalating Authentication Requirements for Cloud -accessible Devices

The "internet of things" is leading to a great number of household devices becoming available for control via cloud services (For example: remotely controllable thermostats like the Nest, remotely accessible deadbolts, security systems, cameras, garage doors, etc). This remote accessibility provides great convenience to consumers who can now set their home temperature via their smartphone while at work, open the garage door or deadbolt for a locked out spouse, etc. However, these services all have a common weakness: If the consumer's service account is compromised, an attacker can perform arbitrary actions with the device.

This new overlap between the digital and physical worlds demands a greater degree of defense in the digital domain to protect users in the physical one.

Potential exploits could range from opening doors and disabling security systems and allowing physical access to personal property, to seemingly minor changes such as raising or lowering the house temperature (a potentially dangerous situation for pets or the elderly). A massive, coordinate exploit of cloud-based services could be used in a distributed attack on the energy grid.

It is clear that additional security is needed to protect these cloud services in order to mitigate the risk of such exposures. However, the appeal of these services for consumers is the ease of use. Therefore the traditional solution of adding multi-factor authentication (such as RSA IDs) is not viable because requiring a complex multi-factor authentication process every time a customer wants to raise their thermostat setting by 3 degrees would significantly hamper the adoption of such services. Therefore, a more sophisticated approach is required.

Existing companies have attempted to use single factor authentication (e.g. a physical key or biometrics) to authenticate users, however, these solutions tend to have higher capital costs and are not easily extendible or modifiable.

Proposed is a permissive system in which actions are evaluated to determine risk based on several dimensions:


1) What is the risk of allowing this action (raising the temperature 3 degrees carries little risk even if performed by an attacker, but raising it 20 degrees could cause significant damage)


2) Does this action fit into the historical pattern of activity for this consumer (what are the traditional temperature ranges preferred by the consumer, given the current weather conditions at their house and current time of day)


3) Does this action fit with the geographical location of the user? E.g. If the user is away on business, he or she is unlikely to be disabling the security system or using egregious amounts of air conditioning in the summer

Based on the evaluated risk of permitting the action and likelihood it is being undertaken by an authorized user, the system will determine what level of authentication to require....