The Digital Harms of Smart Home Devices - A Systematic Literature Review


Computers in Human Behavior 145 (2023) 107770


The digital harms of smart home devices: A systematic literature review


David Buil-Gil a,*, Steven Kemp b, Stefanie Kuenzel c, Lynne Coventry d, Sameh Zakhary e, Daniel Tilley f, James Nicholson g

a Department of Criminology, University of Manchester, UK
b Department of Public Law, University of Girona, Spain
c Department of Electronic Engineering, Royal Holloway University of London, UK
d Division of Cybersecurity, Abertay University, UK
e Zakhary IT Services Limited, UK
f Daniel Tilley Analytic Solutions Limited, UK
g Department of Computer and Information Sciences, Northumbria University, UK

ARTICLE INFO

Keywords: Internet of things; Cybercrime; Hacking; Privacy; Smart readers; Security

ABSTRACT

The connection of home electronic devices to the internet allows remote control of physical devices and involves the collection of large volumes of data. With the increase in the uptake of Internet-of-Things home devices, it becomes critical to understand the digital harms of smart homes. We present a systematic literature review on the security and privacy harms of smart homes. PRISMA methodology is used to systematically review 63 studies published between January 2011 and October 2021; and a review of known cases is undertaken to illustrate the literature review findings with real-world scenarios. Published literature identifies that smart homes may pose threats to confidentiality (unwanted release of information), authentication (sensing information being falsified) and unauthorised access to system controls. Most existing studies focus on privacy intrusions as a prevalent form of harm against smart homes. Other types of harms that are less common in the literature include hacking, malware and DoS attacks. Digital harms, and data associated with these harms, may vary extensively across smart devices. Most studies propose technical measures to mitigate digital harms, while fewer consider social prevention mechanisms. We also identify salient gaps in research, and argue that these should be addressed in future crossdisciplinary research initiatives.

1. Introduction

The connection of electronic devices to the internet allows remote control of physical devices and involves remote collection and sharing of large volumes of data. “Internet-of-Things” (IoT) is the term used to refer to physical objects embedded with sensors and software that connect them to other devices and systems over the internet (Atzori et al., 2010; Weber, 2010). Since the early 1980s, when a group of researchers from Carnegie Mellon University connected a Coca-Cola vending machine to the internet for the first time, the IoT paradigm has expanded to encompass many different types of physical devices, including corporate security systems, connected cars, electrical grids, military equipment, and home appliances. The connection of home electronic devices and attributes to the internet is known as “smart home” (Lutolf, 1992). Smart homes may incorporate remote-controlled lighting, heating and water consumption, smart meters and internet-connected home security systems, as well as other home devices such as televisions, door locks, remote baby or pet control systems, refrigerators, or voice control devices (e.g., Google Home, Amazon Alexa). Almost any home electrical appliance can be connected to the internet, and multiple interconnected devices form smart home ecosystems. Smart home technologies are used not only to activate and deactivate appliances, but also to monitor the activities of households and automate certain aspects of everyday life (Ricquebourg et al., 2006). The use of IoT home devices is increasingly widespread: in the UK, a survey conducted by techUK and GfK in 2021 showed that 58% of respondents owned a smart TV, 39% smart speakers, 24% smart fitness and activity trackers and 15% smart thermostats (techUK, 2021). In March 2022, 51% of all meter readers in the UK were smart or advanced meters (BEIS, 2022).

While smart homes present many opportunities for users and may improve energy efficiency (Corbett, 2013), they also pose challenges to the security and privacy of users (Ali et al., 2017; Komninos et al., 2014).

* Corresponding author. 4.44 Williamson Building, Department of Criminology, University of Manchester, Oxford Road, Manchester, M13 9PL, UK.
E-mail address: [email protected] (D. Buil-Gil).

https://doi.org/10.1016/j.chb.2023.107770
Received 30 August 2022; Received in revised form 18 February 2023; Accepted 27 March 2023
Available online 28 March 2023
0747-5632/© 2023 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

With the increase in the uptake of IoT home devices, it becomes critical to understand the digital harms that can be associated with smart homes. The main challenge of smart homes is related to the large amount of security-critical and privacy-sensitive data they record from users (Dorri et al., 2017). Lin and Bergmann (2016) argue that smart homes may pose threats to confidentiality (i.e., unwanted release of sensitive information), authentication (i.e., control or sensing information being falsified) and access (i.e., unauthorised access to system controls). For instance, confidentiality breaches may lead to an unwanted release of information about electricity usage that may inform potential offenders about the times when a house is not occupied (Blythe & Johnson, 2021; Hodges, 2021). Confidentiality breaches may also lead to a loss of sensitive medical data or other types of sensitive information, that can be used by offenders to hold data to ransom (Tzezana, 2016). An authentication threat may exist, for example, if an automated fire control system is tampered with to activate the emergency alarm system and unlock all doors, thus enabling anyone to access the building (Jacobsson et al., 2016). Unauthorised access to smart home control systems may enable the activation of webcams and voice control devices, or control of home appliances such as ovens or electric stoves, thus making the entire smart home ecosystem insecure. Smart homes may also enable new forms of cyberstalking and exacerbate power asymmetries between household members (Nicholls et al., 2020).

For all these reasons, it becomes crucial to fully understand the digital harms of smart homes, in terms of threats to privacy and security. A growing body of research has begun to speculate about the security and privacy challenges of IoT home devices, and record data about digital harms known to public authorities and users’ perceptions and experiences. The field is now at a point where these unique studies can be synthesised to create a comprehensive review of the digital harms of smart homes, which may serve to further inform policy and sociotechnical solutions to mitigate them. This article presents a systematic review of the literature using observational, experimental, documental, or case study research methods to analyse the security and privacy harms of smart home applications and technologies. Previously, Marikyan et al. (2019) conducted a systematic review of studies published between 2002 and 2017 to explore the definitions, services and functions of smart homes and the main motivations for smart home adoption. They highlighted that one of the main barriers to the adoption of smart devices was the high perceptions of privacy and security risks among users. Blythe and Johnson (2021) conducted a systematic review of articles published between 2007 and 2017 to analyse crimes facilitated by consumer IoT. Other systematic reviews have also synthesised the literature about the security challenges of smart cities (Laufs et al., 2020) and applications of smart homes to monitor the well-being of older adults (Demiris & Hensel, 2008). Our research builds on and expands previous literature reviews about the privacy and security harms of smart homes. More specifically, the aims and expected contribution of this article are:

• Classify the digital harms of smart homes;
• Identify smart home devices and attributes that pose digital harms; and
• Explore policy and sociotechnical approaches to mitigate the digital harms of smart homes.

To our knowledge, this is the first systematic review of the literature to specifically focus on the digital harms of smart homes. Importantly, the use of smart home appliances has increased rapidly since the last systematic review of crimes facilitated by consumer IoT, which was conducted in 2017 (Blythe & Johnson, 2021), and many new digital harms may have emerged since then. For instance, according to estimates by techUK (2021), the ownership of smart speakers increased by 81% between 2017 and 2021, and this increase was larger than 75% in the case of smart doorbells, 50% in smart lighting, 49% in smart TVs and 47% in smart thermostats. Gaining a better understanding of the digital harms of smart homes is essential to design technical, social and socio-technical mechanisms to protect the data and prevent the harms specific to each device, user and context.

Moreover, synthesising existing evidence on the digital harms of smart devices is essential to further contribute to the development of theoretical frameworks aimed at explaining the adoption and implementation of IoT technologies. The theoretical and conceptual model developed by Nord et al. (2019), for instance, argues that the adoption and implementation of IoT devices is dependent upon the links between the priorities of stakeholders, the networks of devices and applications, the privacy and security challenges of devices, and people’s trust in IoT. Our systematic review presents key information to better understand the privacy, security and trust challenges of IoT devices in home settings, thus contributing to the growing theoretical base on IoT adoption and implementation.

This article is structured as follows: Section 2 presents an overarching description of recent developments in smart home ecosystems. Section 3 describes the methodology of the systematic review, including the search strategy, selection of studies, and data extraction. Section 4 presents the results, and Section 5 presents the discussion and final conclusions.

2. Smart home: opportunities and digital harms

Marikyan et al. (2019) identified four broad areas in which smart home devices can provide benefits for users: health-related benefits (e.g., detection of dangerous events), environmental benefits (e.g., reduction in electricity consumption), financial benefits (e.g., cheaper virtual visits), and psychological wellbeing and social inclusion (e.g., virtual interaction and entertainment). These benefits coincide with the most relevant benefits found by Sovacool and Furszyfer Del Rio (2020) in their study using expert interviews, though these authors also highlight the relevance of “convenience and controllability” provided by smart homes (see also Lee et al., 2017). However, in addition to the potential benefits, it is also key to understand the risks and barriers of smart home technologies.

There are multiple ways consumer IoT can be exploited for crime (Blythe & Johnson, 2021), and it is easy to find examples of attacks involving smart home devices. Possibly the most famous of these is the Mirai botnet, which exploits poor security in IoT devices and has been used in numerous disruptive Distributed Denial-of-Service (DDoS) attacks around the world (Krebs, 2017). The authors of the initial attacks in 2016 published the source code for Mirai, meaning it was reused and sold as a DDoS-for-hire service. In 2017, the developers of the Mirai malware were also found guilty of infecting IoT devices and home routers to create another botnet that was used in a click-fraud scam to generate illicit advertising revenue (US Department of Justice, 2017). Other well-known attacks have involved the hacking of home cameras that are used for security and baby monitoring, thereby allowing private videos to be freely viewed online (BBC, 2013). Relatedly, research has highlighted the role of smart home devices in domestic abuse (Nicholls et al., 2020).

Outlining just a few examples of attacks that have used smart home devices provides an insight into the wide range of potential harms from these technologies. This has not gone unnoticed by government agencies. For instance, in the UK, the Product Security and Telecommunications Infrastructure (PSTI) Bill was recently processed by the legislator, with the department behind the bill stating that its objective is to protect against “the harms enabled through insecure consumer connectable products” (DCMS, 2021a). This legislation links closely to the concept of safety by design that was explicitly noted in the UK Government Online Harms White Paper from 2019 (DCMS, 2019) and to the definition of “online harms” in the government’s draft Online Safety Bill: “user generated content or behaviour that is illegal or could cause significant physical or psychological harm to a person” (DCMS, 2021b). However, this official definition may not cover the first two examples
of botnet-based attacks described above, since these do not necessarily cause physical or psychological harm to a person. Thus, to fully understand the digital harms related to smart home devices, a more tailored definition and classification is necessary. Unfortunately, despite the clear policy interest in harms from smart home devices (Piasecki et al., 2021), an agreed-upon taxonomy does not exist. This is problematic because to prevent digital harms we first need to understand how these might arise. Establishing and prioritising policy responses necessitate a comprehensive assessment of potential harms (Agrafiotis et al., 2018).

To this end, we have adapted classifications of online harms by McGuire and Dowling (2013), Wall (2001), and Lin and Bergmann (2016) in accordance with the nature, objective, and method of online harm, respectively (Table 1). Firstly, with regard to the nature of harm, this is divided into cyber-dependent harms that can only occur online, such as DDoS attacks, and cyber-enabled harms that can also take place offline but are increased in scope by the internet, for example, fraud or stalking. In the second place, the objective of the harm is more akin to a legal categorisation. It includes (a) ‘cyber-trespass’ when invisible boundaries are crossed, such as hacking a computer system, (b) ‘cyber-deception and theft’, for example, the myriad of possible frauds committed over the internet, (c) ‘cyber-porn and obscenity’, which can sometimes not necessarily be illegal, and (d) ‘cyber-violence’, which involve injurious or hurtful behaviour such as stalking. Finally, we adapt a classification of the method used to bring about the harm (Lin & Bergmann, 2016). This can be achieved by the unwanted release of information (confidentiality), falsification of control or sensing information (authentication), or unauthorised access to system controls (access). We will apply this classification to record information about digital harms from articles included in the systematic literature review.

Table 1
Proposed classifications of online harms.

| Classification | Definition | Examples |
|---|---|---|
| According to nature of harm. Adaptation of classification by McGuire and Dowling (2013) | | |
| Cyber-dependent harm | Harms that can only be committed through the internet and do not have an equivalent offline mode | Malware, DoS, hacking |
| Cyber-enabled harm | Harms that have an offline equivalent mode but have increased in reach and impact due to the internet | Fraud, stalking, grooming |
| According to objective of harm. Adaptation of classification by Wall (2001) | | |
| Cyber-trespass | Crossing of invisible boundaries of ownership online | Hacking, access to private/confidential data |
| Cyber-deception and theft | Harmful or criminal acquisitions that occur online | Fraud, identity theft, digital piracy |
| Cyber-porn and obscenity | Deviant content related with sex and pornography | Pornography, sexual services, online child sexual exploitation |
| Cyber-violence | Injurious, hurtful or dangerous materials | Stalking, harassment, terrorism |
| According to method of harm. Adaptation of classification by Lin and Bergmann (2016) | | |
| Confidentiality | Unwanted release of sensitive information | Release of information about electricity usage, explicit photos |
| Authentication | Control or sensing information being falsified | False data injection, system tampered with to unlock doors |
| Access | Unauthorised access to system controls | Activation of web cam, control of voice assisted device |

3. Methodology

This article takes a two-fold methodological approach to synthesising the recent literature about the digital harms related to smart homes. First, we systematically review all relevant studies published between January 2011 and October 2021. By systematically reviewing the literature we aimed to classify the digital harms related to smart homes, identify the smart home devices and attributes that pose digital harms, and explore potential policy and sociotechnical approaches to mitigate digital harms. We have restricted our search to studies published since 2011 due to the rapid technological development of smart technologies and to facilitate the search. Second, where possible, we illustrate the findings of the literature review with real-world cases.

We conduct the systematic literature review using a-priori criteria to search, select and extract data from studies. The systematic review protocol follows the Preferred Reporting Items for Systematic reviews and Meta-Analyses for Protocols 2015 (PRISMA), which is a widely used checklist to facilitate the design of robust protocols for systematic reviews (Mohler et al., 2015). The following sections explain the systematic review protocol in detail.

3.1. Search strategy

We have selected articles that use observational, experimental, documental, or case study research methods to analyse the security and privacy harms of smart homes. Thus, we do not include theoretical or technical notes or reviews of the literature. We have included peer-reviewed studies published in English. Since this article is particularly interested in smart homes, we have excluded all studies that analyse related technologies in settings that are not solely residential (e.g., IoT for cities, business, healthcare or any other context). We have also excluded those studies that explore smart homes but do not consider their digital harms, either privacy- or security-related.

The search for published studies was conducted in October 2021. The following databases were used to search for published articles: Web of Science and Scopus. Both databases provide access to multiple multidisciplinary and regional citation indices. Web of Science covers more than 182 million records in engineering, social sciences, natural sciences, biomedical sciences and arts and humanities, with its strongest coverage in engineering, computer science and natural sciences. It covers several databases such as the Web of Science Core Collections, BIOSIS, SciELO and Data Citation Index. Scopus includes more than 77 million items from more than 5000 publishers in many different fields, including computing, information sciences, law, human society and engineering. Major publishers included in the Web of Science database include Springer, Nature, Wiley, IEEE, Elsevier and ACM. Thus, Web of Science and Scopus include many other digital libraries, such as IEEE Xplore and ACM Digital Library.

The search strategy used the following search terms in titles, abstracts, keywords and subject headings:

(((SMART) OR (IOT) OR (INTERNET OF THINGS) OR (AUTOMAT) OR (VIRTUAL)) AND ((HOME) OR (HOUSE) OR (DOMESTIC) OR (RESIDEN)) OR (DOMOTICS)) AND ((SECUR) OR (PRIVA) OR (CRIM) OR (HACK) OR (ATTACK) OR (INCIDENT) OR (BREACH) OR (LEAK) OR (HARM) OR (THEFT))

Some terms were truncated to include all related terms. For example, “AUTOMAT” includes automation, automated and automating, “HACK” includes hack, hacking and hacker, and “SECUR” includes “secure”, “security” and “cybersecurity”. The search strategy was agreed among all co-authors after consulting several practitioners working in public and private sector organisations.

3.2. Selection of studies

All 3147 identified citations were imported into a database. Duplicated citations were removed. Two researchers then screened the titles and abstracts of all articles against our inclusion criteria, namely: (a)
main focus is on smart home appliances or attributes, (b) explores privacy and/or security harms, (c) uses data recorded from observation, case studies, documents or experiments, either quantitative or qualitative, and (d) is available in English. In order to ensure consistency among data collectors, we then selected random samples of 100 citations and shared them with five additional researchers, who also screened the titles and abstracts against our inclusion criteria. Interrater reliability scores were then calculated, showing moderate-strong levels of agreement for criteria (a) (% agreement = 84.4, Cohen’s κ = 0.67, p-value <0.001) and (b) (% agreement = 83.8, Cohen’s κ = 0.68, p-value <0.001), and moderate levels of agreement for criteria (c) (% agreement = 80.0, Cohen’s κ = 0.50, p-value <0.001) and (d) (% agreement = 97.0, Cohen’s κ = 0.53, p-value <0.001). The interrater reliability was moderate-strong for the overall inclusion of studies (% agreement = 89.0, Cohen’s κ = 0.68, p-value <0.001). Disagreements were resolved through consensus between the two primary judges, and all studies that did not meet one or more criteria were removed from our review.

The PRISMA flowchart in Fig. 1 shows the process of selection of studies. The main reason for excluding articles was that the primary focus of the study was not on smart homes. In total, 1977 studies did not meet this criterion, amongst which many of them were studies with a focus on smart cities, smart farms or smart automobiles. 1402 studies were not selected for failing to meet the criterion of studying harms. Many of those, for instance, focused on the energy efficiency, regulatory requirements, military applications or security perceptions related to IoT devices in home settings or elsewhere. 533 studies did not use data obtained from observational, case, documental or experimental studies (e.g., literature reviews, technical reviews, theoretical pieces). We also excluded 111 studies that either were not available in English or not available at all.

While interrater reliability indices show a moderate-strong degree of inter-judge reliability, the volume of selected studies was still too large for an exhaustive review of studies (k = 625). We thus considered a fifth inclusion criterion that reduced the number of selected studies: (e) analyses of real-world harms on real-world smart home appliances or attributes, thus excluding both laboratory experiments that do not attack real-world devices and computer simulations not based on real-world data. 588 studies were removed for this reason. Finally, 67 studies met the inclusion criteria and were subject to an in-depth review. After reviewing the content of selected articles, 4 studies were excluded from the analysis due to failing to meet at least one of our main selection criteria (i.e., 2 did not study digital harms, and 2 did not analyse data obtained from observational, case, documental or experimental studies). 63 studies were included in the literature review. A short description of each study is included in Table 2, including a unique identification number for each study, which will be used to refer to it in text.

Fig. 1. PRISMA flowchart in the selection of studies.

3.3. Data extraction

Two researchers then reviewed all selected articles and extracted data from them using a standardised form. Aside from information about the year of publication, type of publication, authors, and name of the journal or conference proceedings, which was downloaded automatically from the databases, we recorded detailed information from each article and coded the data into the following categories: (a) design of the study, (b) main aims, (c) type of data analysed, (d) research field, (e) country of authors, (f) country and agency that provided funding, (g) country where data was recorded, (h) smart devices analysed, (i) digital harms identified (by harm type, and according to the categorisation presented in Table 1), (j) type of data that pose a threat or vulnerability, (k) policy or sociotechnical recommendation to mitigate harms, (l) focus of recommendation, and (m) other relevant findings.

For each of these variables, we coded articles according to predefined categories and free-text descriptions with detailed information. For example, to code the design of the study, we distinguished between descriptive, correlational, experimental, meta-analysis, and other types of studies, and then coded all details about the design of each research. Similarly, to study the focus of the recommendation, we distinguished between studies that propose harm prevention or reduction measures focused on the perpetrator, target (e.g., smart device, data), user, or guardian (e.g., third parties that can protect the target or user, such as manufacturers that monitor emerging harms, family members) (Leukfeldt & Yar, 2016), as well as details about the specific recommendation proposed. We also counted the number of citations of each article according to Google Scholar on April 20, 2022. We will present descriptive statistics and tables for each variable.

3.4. Exemplar cases

In order to further illustrate some of the main findings from the systematic literature review, we accessed detailed information from real-world recorded cases and will present anonymised descriptions. More specifically, we obtained details from real cases reported to different police forces in the UK, organisational data breaches sentenced in court in the US and recorded in the Privacy Rights Clearinghouse (PRC) website (https://privacyrights.org/data-breaches), anonymised online reports to websites such as BitcoinAbuse (https://www.bitcoinabuse.com/), and media reports. We purposively and non-randomly select cases to illustrate common themes that arise from the systematic literature review. All accounts of real cases will be anonymised and described in general terms to preserve confidentiality.

4. Results

In Section 4.1 we present details about selected studies, including the research field and country of authors, organisations that provide funding, design of the study, aims, and type of data analysed. In Section 4.2 we describe the main types of harms identified and classify them. Finally, in Section 4.3 we summarise the approaches recommended to mitigate the digital harms of smart devices.

4.1. Description of selected studies

Amongst the 63 selected studies, 21 (33.3%) of them were published in journals and 42 (66.7%) in conference proceedings. The main journals were IEEE Access (3), Computers and Security (2), IEEE Internet of Things Journal (2) and Sensors (2); while only two conference proceedings were represented more than once (i.e., 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, and 30th USENIX Security Symposium). IEEE was the most frequent publisher both for journal articles and conference proceedings (7 and 22, respectively), followed by Elsevier (4) and MDPI (3) for journal articles, and Springer (8) and ACM (7) for conference proceedings.

As shown in Fig. 2, there is an increase in the frequency of selected studies over time, with 2021 and 2020 being the years with the largest number of articles (16). We note however that data was recorded in October 2021, which in turn means 2021 was the year with the largest ratio of articles per month.

While selected studies included researchers from across 23 countries,¹ three countries were represented in the majority of studies: USA (25, 39.7%), China (12, 19.0%) and UK (9, 14.3%), as shown in Fig. 3(a). 13 studies involved authors from across multiple countries. Similarly, as shown in Fig. 3(b), amongst those studies that acknowledge a source of funding (43 out of 63), the main countries (or group of countries) that provide funding for research are USA (17, 39.5%), China (11, 25.6%), European Union (4, 9.3%) and UK (3, 7.0%). The most frequently mentioned funding entities were the USA National Science Foundation (10, 23.3%), Chinese National Natural Science Foundation (5, 11.6%), Chinese National Key Research and Development Program (4, 9.3%), and UK Engineering and Physical Sciences Research Council (3, 7.0%). 24 studies mentioned more than one funding source, and 7 of them obtained funding from more than one country. Aside from national research councils, some studies also acknowledged receiving internal funding from universities, and in some cases from private organisations such as Ericsson, Intel and Schneider. We also recorded information about the places where data were originally recorded, noticing that most of them recorded data in USA (21), UK (9), China (7) and Australia (5). One study analysed data recorded in 5 different countries [28].

¹ Studies in the sample included researchers from Australia, Brazil, Canada, China, Finland, Germany, Israel, Italy, Japan, Kazakhstan, Norway, Pakistan, Poland, Portugal, Qatar, Saudi Arabia, South Korea, Singapore, Spain, Sweden, Taiwan, UK and USA.

Regarding the research fields of the authors (compiled from affiliations to university departments and research centres, and authors’ bios included in publications), as shown in Fig. 4, most authors were affiliated to computer science (39, 61.9%) or computer engineering (28, 44.4%) departments or centres, and fewer to electrical engineering (15, 23.8%). Only 4 studies involved researchers from health disciplines and 1 from social sciences and humanities. We also noted an overall lack of interdisciplinary work, with very few studies involving researchers from different technical disciplines, and not a single study involving researchers from both technical and health or social sciences.

The majority of studies (52, 82.5%) were described as experimental or quasi-experimental by design (i.e., introducing a change, such as exploiting a vulnerability or applying software updates, to experimental groups, such as smart devices or smart home ecosystems, to identify effects in the outcome variables). For instance, [1] tests a spoofing countermeasure for voice assistant systems (e.g., Google Home, Amazon Alexa) against a set of voice spoofing attacks, including synthetic voice attacks and cloned replay attacks; [33] evaluates the effectiveness of a context-aware security framework based on Markov processes to detect malicious actions in smart homes; [48] rates the security level of IoT devices through penetration testing tools; and [50] eavesdrops wireless smart camera traffic to identify the presence of people in the house. Fewer studies were identified as descriptive by design (22, 35.0%). Some examples include [28], [29] and [36], which used honeypots to capture active malware targeting smart homes, thus allowing researchers to examine the characteristics of identified malware; and [39], which used semi-structured interviews with developers to gain a better understanding of privacy issues of aged care monitoring devices. 11 studies combined descriptive and experimental designs. No study followed correlational or meta-analytical designs. The information about the methodological design of studies was recorded from their methods’ descriptions, regardless of the overall quality of the design of the study

(e.g., sample sizes, randomisation processes, significance tests). We return to this point in the Discussion section.

The majority of studies recorded primary quantitative data (52, 82.5%), such as the volume and characteristics of metadata of encrypted packets sent from smart devices [4], data sent from smart devices to web browser extensions [14], sensor device events [33], or surveys to older adults [63]. Primary qualitative data, including open code of smart apps [7], interviews with engineering researchers [58], and interviews and workshops with survivors of intimate partner violence and support workers [34], was recorded in 15 studies (23.8%). Finally, 8 studies analysed secondary quantitative data, including existing datasets of voice spoofing attacks [1] and real-world cyber-attacks and traffic data [18]. [34] analysed secondary qualitative data from discussions in domestic abuse forums. 11 studies analysed both quantitative and qualitative data.

Regarding the aims of studies, most of them aimed to study the vulnerabilities of specific smart home devices (34, 54.0%), followed by designing and/or evaluating technology solutions to reduce the digital harms of smart homes (33, 52.4%), and studying vulnerabilities of smart home ecosystems beyond specific devices (27, 42.9%). 27 studies aimed to identify vulnerabilities of smart homes and develop technology solutions. As an example, [20] designed and evaluated a network-based monitoring platform to identify security threats against smart devices, and [23] executed attacks against smart speakers to infer voice commands and then proposed a differential privacy approach to protect such data.

We also recorded data about the number of citations of studies, showing a mean of 18.44 (min = 0, max = 122, median = 8). [41] was the study with the largest number of citations, 122, followed by [59] (114 citations) and [63] (112 citations).

Table 2
Summary description of primary studies included in the systematic review.

No. | Paper | Topic of study
1 | Javed et al. (2021) | Spoofing countermeasures against voice assistants
2 | Anthi et al. (2021) | Adversarial Machine Learning against Intrusion Detection Systems
3 | OConnor et al. (2021) | Protecting companion apps against man-in-the-middle attacks
4 | Yu et al. (2021) | Sensitive information in the metadata of encrypted packets
5 | Tran et al. (2021) | Voice replay and injection attacks against voice assistants
6 | Wang, Li et al. (2021a, b) | Decision tree models to detect attacks against smart devices
7 | Li et al. (2021) | Automation of privacy policy statements for smart home apps
8 | Tushir et al. (2021) | Impact of DoS attacks on smart devices connected to WiFi
9 | AlOtaibi and Lombardi (2021) | Sound- and network-based attacks against Amazon Echo
10 | Yamauchi et al. (2021) | Machine learning to detect anomalous behaviour
11 | Aafer et al. (2021) | Technical vulnerabilities of Android Smart TV
12 | Wan et al. (2021) | Automation of security assessment of IoT messaging protocols
13 | Wan et al. (2021) | Unveiling of smart devices from network data
14 | Rauti et al. (2021) | Man-in-the-browser attacks to intercept/modify data
15 | Heartfield et al. (2021) | Self-configurable automated intrusion detection system
16 | Choi et al. (2021) | Older adults’ experiences with smart devices
17 | Cultice et al. (2020) | Machine learning to detect anomalous data
18 | Alsheakh and Bhattacharjee (2020) | Automated quantification of security of smart devices
19 | Gassais et al. (2020) | Self-configurable automated intrusion detection system
20 | Peng and Wang (2020) | Network-based monitoring platform to identify security threats
21 | Xiao et al. (2020) | Authentication framework to protect devices from attacks related to open ports and over-privilege
22 | Salomons et al. (2020) | Hardware and control model to protect data in water meters
23 | Wang et al. (2020) | Inferred voice commands against voice assistants
24 | Sikder et al. (2020) | Access control system for multiple users and devices
25 | Li et al. (2020) | Identification of user behaviour from traffic data of cameras
26 | Zainab et al. (2020) | Machine learning to identify spam in smart devices
27 | Bugeja et al. (2020) | Smart devices’ software vulnerabilities to DoS attacks
28 | Vidal-González et al. (2020) | Malware attacks against smart homes
29 | Bistarelli et al. (2020) | Malware attacks against smart homes
30 | Hariri et al. (2020) | Man-in-the-middle attack to exploit the heartbeat of devices
31 | Skowron et al. (2020) | Machine Learning to identify devices and users’ activities
32 | Javed and Rajabi (2020) | AI-based solution for malicious traffic detection
33 | Sikder et al. (2019) | Markov Chain Machine Learning to detect malicious activity
34 | Leitão (2019) | Smart devices as attack vectors for intimate partner violence
35 | Kennedy et al. (2019) | Voice command fingerprinting attacks against home speakers
36 | Martin et al. (2019) | Malware against Raspberry Pi smart devices
37 | Ullrich et al. (2019) | Vulnerabilities of the firmware of robot vacuum cleaners
38 | Zhang et al. (2019) | Blockchain-based security protocol to protect IoT networks
39 | Alkhatib et al. (2019) | Developers’ insights into the privacy of elderly monitoring devices
40 | Mahadewa et al. (2018) | Integrated perspective to identify vulnerabilities of smart homes
41 | Zhang et al. (2018) | Identification of malicious smart home apps
42 | Jia et al. (2018) | Graph-based mechanism to identify vulnerabilities of smart homes
43 | Anthi et al. (2018) | Security of adaptive IoT hub for smart home ecosystems
44 | Isawa et al. (2018) | Disassembly-code-based similarity between IoT malware
45 | Bhatt and Morais (2018) | Anomaly detection system for smart homes
46 | Do et al. (2018) | Adversarial models to identify vulnerabilities of smart devices
47 | Bordel et al. (2018) | Large datasets reduction for smart home security systems
48 | Sivanathan et al. (2018) | Penetration testing to assess the security of consumer IoT devices
49 | Lally and Sgandurra (2018) | Framework to evaluate vulnerabilities of smart devices
50 | Ji et al. (2018) | Eavesdropping of smart wireless cameras
51 | Mashima et al. (2018) | Estimation of sensitive information from energy usage data
52 | Teng et al. (2017) | Over-the-air firmware update system for routers and gateways
53 | Fan et al. (2017) | Obfuscation of reactive power demand of smart meters
54 | Lyu et al. (2017) | Capacity of consumer IoT devices to participate in DDoS attacks
55 | Sivanathan et al. (2017) | Flow-based network monitoring to identify attacks
56 | Han and Park (2017) | Push button configuration to detect unintended paired devices
57 | Capellupo et al. (2017) | Identification of security vulnerabilities of smart devices
58 | Birchley et al. (2017) | Ethical issues of smart health devices
59 | Copos et al. (2016) | Network traffic analysis to infer sensitive household information
60 | Min and Varadharajan (2016) | Feature-distributed malware to compromise internet services of IoT
61 | de Morais et al. (2014) | Active in-database processing to protect data of ambient-assisted living (AAL)
62 | Matern et al. (2013) | Detection of events in AAL using sensor data
63 | Boise et al. (2013) | Older adults’ experiences with unobtrusive home monitoring


Fig. 2. Studies included in systematic review by year of publication.

Fig. 3. Main countries of authors and funding bodies of studies included in systematic review.

Fig. 4. Research field of researchers included in systematic review.

Fig. 5. Digital harms (by type of incident) of smart homes.


Table 3
Examples of digital harms identified in literature review and exemplar cases.

Type of harm | From literature review | From exemplar cases
Privacy intrusion | Breaches of smart water meters reveal home activities [22] | Smart doorbell camera invades neighbour’s privacy (UK court case, footnote 2)
Privacy intrusion | Uncontrolled/unauthorised access to private data recorded by aged care monitoring devices [39] | App companion of smart sex toy records private moments without consent of the user (USA court case, footnote 3)
Hacking | Voice replay and voice injection attacks on voice assistants [5] | Smart TV hacked to access victim’s personal details (UK police report)
Hacking | False data injection on smart devices [26] | Smart camera and baby monitor feeds from 700 households were hacked and published online (USA court case, footnote 4)
Malware | 652,881 interactions with botnets targeting IoT devices [28] | Mirai malware disables CCTV, routers, and other devices (USA court case, footnote 5)
Malware | 8713 IoT malware samples [44] | Botnet targeting smart home devices and requesting ransom (Bitcoinabuse report)
DoS/DDoS | Semantic DoS attacks on five smart home devices [27] | Devices infected with Mirai malware to carry out DDoS attacks (USA court case, footnote 6)
DoS/DDoS | DoS attacks on seven routers [52] | DDoS attacks on gaming networks (USA and Finland court cases, footnotes 7 and 8)
Stalking | Controlling partner activities through smart cameras, thermostats, TVs and locks [34] | Control of ex-partner’s activities through Amazon Alexa (UK police report)
Stalking | Inferring activity of household members from smart thermostat and air detector [59] | App companion of ELAN smart home system used to control ex-partner activities (UK police report)

Footnotes:
2 https://www.judiciary.uk/wp-content/uploads/2021/10/Fairhurst-v-Woodard-Judgment-1.pdf.
3 https://www.courthousenews.com/wp-content/uploads/2018/01/Lovense.pdf.
4 https://www.ftc.gov/system/files/documents/cases/140207trendnetdo.pdf.
5 https://www.justice.gov/usao-nj/press-release/file/1017616/download.
6 https://www.justice.gov/usao-nj/press-release/file/1017616/download.
7 https://www.justice.gov/usao-ndil/file/900826/download.
8 https://www.kaleva.fi/17-vuotias-tuomittiin-murtautumisesta-yli-50-000-p/1842675.

Table 4
Classification of digital harms identified in systematic review.

4.2. Classifying the digital harms of smart homes

Firstly, we classified the digital harms identified in each study according to the type of incident, including cybercrimes listed by the UK Crime Prosecution Service (n.d.) (e.g., hacking, malware, DoS, stalking) and privacy intrusions more generally. As shown in Fig. 5, privacy intrusions were the most common type of harm identified (31, 72.1%), followed by hacking (29, 67.4%), malware (22, 51.2%), DoS/DDoS (21, 48.8%) and stalking (3, 7.0%). Most studies identified different types of harms. Moreover, certain incidents can comprise different harms simultaneously. Examples of these types of harms, both obtained from the systematic literature review and our exemplar cases, are presented in Table 3.

One study identified a different type of harm that did not fall within the previous categories: traditional access control mechanisms in smart homes consider one unique type of trusted user (in binary terms: control or absence of control), which may lead to certain users being granted an undesired full access control to all devices in the smart home ecosystem [24]. In turn, the authors propose a platform to manage access rights for multiple devices and users.

Secondly, we classify the harms of smart homes according to the taxonomies presented by McGuire and Dowling (2013), Wall (2001), and Lin and Bergmann (2016), which had been previously explained in Section 2. Table 4 summarises the frequencies of studies that identified digital harms according to these three classifications. As before, most studies identified several types of harms and thus are counted in various categories. Based on McGuire and Dowling (2013), the majority of studies identified cyber-dependent harms (58, 92.1%) – that is, incidents that can only take place online and do not have an equivalent offline mode. Only 8 studies identified cyber-enabled harms. Based on Wall (2001), 59 out of 63 studies (93.7%) focused on cyber-trespass (i.e., crossing online boundaries of ownership), while 9 studies identified harms related to cyber-deception (i.e., harmful acquisitions that occur online, such as identity theft or fraud). Only 3 studies identified cyber-violence and 2 cyber-porn/obscenity. Finally, according to the classification proposed by Lin and Bergmann (2016), 41 studies (65.1%) identified confidentiality, 41 (65.1%) access, and 24 (38.1%) authentication harms.

As shown in Table 4, most studies focused on harms at the intersection of cyber-dependent, trespass, and access (38, 60.3%). For example, [21] identify harms related to the penetration of smart devices through exploiting open ports and over-privilege of companion apps, and [36] explore malware used to access Raspberry Pi IoT devices with weak credentials. 34 studies (54.0%) focused on harms at the intersection of cyber-dependent, trespass and confidentiality. For example, [59] applies network traffic analysis of data recorded by smart thermostats and air quality detectors to infer sensitive information about events occurring in a property, and [53] analyses reactive power data from smart meters to infer appliance usage information.

These types of harms have also been identified in our exemplar cases. For instance, in 2014, footage from 17 properties in the North East of England was hacked and live-streamed on a Russian website (UK police
report), which aligns with the cyber-dependent, trespass, and confidentiality grouping. Similarly, in 2020 there was a Class Action Complaint against Ring LLC in the USA arguing that weak software security of smart cameras and doorbells allowed hackers to gain access to the control of these devices (footnote 9), which would be an example of cyber-dependent, trespass and access harm. An example of a cyber-dependent, trespass and authentication harm is identified in [26], which reports false data injections in smart home devices.

While these are the main types of harms identified in the systematic literature review, real-world examples of harms of smart devices exist for all groups in the taxonomy. For instance, a UK celebrity is currently facing trial for posting CCTV feeds of himself having sex with his ex-partner on various porn websites (UK police report), which would fall within a cyber-dependent, porn and confidentiality group. An example of a cyber-dependent and cyber-enabled, access and violence incident was seen in the hacking of Ring smart cameras and doorbells in 2020, which enabled perpetrators to threaten and racially abuse victims. And an example of cyber-enabled, violence and confidentiality harm can be found in a UK police report of someone who stalked his ex-partner through the app companion of an ELAN smart home system (UK police report).

Footnote:
9 https://www.classaction.org/media/lemay-et-al-v-ring-llc.pdf.

4.3. Identifying smart home devices that may pose digital harms

We also recorded information about the types of devices associated with digital harms, and visualised results in Fig. 6. The most referenced devices in our systematic review were security and surveillance systems (21, 33%), followed by lighting systems and smart bulbs (18, 28.6%) and voice control devices (15, 23.8%). For instance, [25] identifies user behaviour from traffic data of smart cameras, and [42] apply graph-based mechanisms to analyse traffic between Google Home smart speaker and TP-LINK light bulbs and identify vulnerabilities. Before, we had seen several exemplar cases of harms related to security systems, such as the UK court case that concluded smart doorbell cameras invade neighbour’s privacy, and the USA court case about home CCTV disabled by Mirai malware. Other types of devices that were less commonly referenced included temperature and ventilation devices (12, 19.0%), companion apps and browsers (12, 19.0%), and occupancy-aware control systems (10, 15.9%), amongst others.

It is important to bear in mind, however, that while the smart devices shown here may have been selected due to their actual digital harms or vulnerabilities, their selection may also be driven by the different uptake of devices in home settings, and even by researchers’ preferences or the ease with which appliances can be studied. A report published by YouGov (2020) showed that the most common type of smart device in UK households are smart meters (18% at the time of the study), followed by smart speakers (11%), thermostats (6%), lighting (5%) and security systems (3%). Another survey published by techUK (2021), which did not include smart meters, showed that 58% of respondents own smart TVs, 39% smart speakers, 24% smart fitness, 15% smart thermostats and 12% smart lighting. We thus find no direct correspondence between the most common types of devices identified in our review and the uptake of smart home devices, which shows that the usage of smart meters and smart TVs, for example, is more widespread than that of security and lighting systems. There is no data available to understand which types of devices are more commonly affected by digital harms in the real-world.

Further, we recorded data about the digital harms identified for different types of smart home devices (see Table 5) and the types of data that pose digital harms in each case (Table 6). The studies included in the systematic review identified that DoS/DDoS and privacy intrusions are more common in the case of security and surveillance systems, while hacking is more commonly identified for lighting systems and voice control devices. For instance, [30] disabled smart security systems through man-in-the-middle DoS attacks, [25] accessed private traffic data from cameras via WiFi sniffing, and [46] applied adversarial models to obtain information about household members and their routine activities from messages between smart lighting devices. DoS/DDoS attacks are also the most commonly identified type of harm in the case of WiFi and entertainment devices, while hacking is more common in the case of temperature and ventilation systems, smart home apps and browsers, smart plugs and smart kitchen appliances. Privacy intrusions are the most common type of harm for automation of elderly/sick and smart grids and meters.

Regarding the type of data that may pose vulnerabilities, network traffic data was the most mentioned in our selection of studies (24, 38.1%), followed by energy usage data (13, 20.6%), written communications (10, 15.9%), audio (9, 14.3%), image (7, 11.1%) and video (7, 11.1%). These, nonetheless, appear to vary between devices, with network traffic data being the main type of data mentioned in the cases of security systems, lighting, temperature and ventilation, occupancy-aware control, smart plugs, automation for elderly and sick, and entertainment; audio data in the case of voice control devices; and energy usage data in the case of smart grids and readers and smart kitchens. To mention some examples, [50] analysed the eavesdropping of network traffic data from wireless cameras to identify the presence of people in the house, and [55] studied malware used to access network traffic at flow-level granularity from a variety of security, lighting and occupancy-aware devices. Other types of data not covered in Table 6 included network system information, such as access points, IP addresses, and log-in credentials. We also note that, in the case of cleaning robots, no specific type of vulnerable data was identified, but [37] analysed their insecure firmware more generally.

4.4. Approaches to mitigate digital harms of smart homes

Finally, we also recorded data about the recommendations mentioned in each study to mitigate the digital harms of smart devices. 56 studies (88.9%) included explicit recommendations to mitigate digital harms. As shown in Fig. 7(a), the vast majority of studies focused on technical improvements (55, 87.3%), while fewer mentioned prevention based on education (10, 15.9%) and change in policy (2, 3.2%). No study mentioned other forms of prevention, such as prevention based on control over victims or perpetrators.

Studies that focus on technical improvements, however, take highly dissimilar approaches. To mention a few examples, a variety of approaches are proposed to better identify malicious intrusions, including decision tree models [6], deep learning models that learn from time-series data [5, 26], machine learning trained from datasets of users with similar characteristics [10], automated intrusion detection systems that adapt to new threats [15, 19], and distance-based verification procedures to identify unintended pairing of IoT devices [56]. Others focus on improving the technical specification of traffic packets to better conceal their content: [59] propose making randomly occurring deceptive connections, [4, 25] replaying fake packages and flows at random times, [31] appending randomised amounts of bytes to each connection, [23] applying differential privacy to better conceal packets, and [30] adding information about the last message sent in each packet, so devices can easily identify if a device has been corrupted. Other technical recommendations include over-the-air firmware update systems to quickly address vulnerabilities of devices [52], not allowing individual devices to freely connect themselves to the network (only through a control hub) [14], and hardware and privacy moderation algorithms to protect data [22].

Several studies also mention the need to provide training and education for users, for example, in [14], “users should be encouraged to educate themselves on the aspects of cybersecurity to increase their ability to identify and respond to cybersecurity risks within smart homes” (p. 735), with a particular focus on those with cognitive impairment and deficits in [63], social workers in [34], and developers
in [39]. [27] propose more stringent regulations and certification programmes.

Most studies focus their recommendations on smart devices (54, 85.7%), while the proportion of studies that propose recommendations focused on the potential guardians (12, 19.0%), users (6, 9.5%) and perpetrators (1, 1.6%) is relatively small (Fig. 7(b)). For instance, [34] focuses on the training of social workers to better assist victims of domestic abuse, and [28] argues developers and vendors should undertake ongoing threat assessments to improve the technical specifications of devices. Others propose more imaginative solutions, such as encouraging users to place moving objects (e.g., a clock) in front of smart cameras to continuously trigger the system and prevent offenders from detecting when users are not at home [25]. [34] propose multi-factor authentication systems to prevent household members from stalking each other through companion apps.

Fig. 6. Smart devices that may pose harms identified in systematic review.

Table 5
Digital harms identified for each smart home device.

5. Discussion and conclusions

The use of smart home devices is growing rapidly across the globe. Between 2017 and 2021, the use of devices such as smart thermostats, smart TVs, and smart lighting increased by over 50% in the UK, and smart doorbells and smart speakers by over 75% (techUK, 2021). Similar trends are seen in the US, where over 65% of residents own smart devices (Harvey, 2022). With the rapid uptake of smart technologies at home, it becomes vital for developers and vendors, as well as users and policymakers, to fully understand their benefits as well as their potential risks and barriers.

While there is a growing body of academic research exploring the potential harms of smart devices, there is still an overall lack of information about the nature and extent of these harms, and no public records offer insights into this. We argue that the field is now at a point
where unique studies can be synthesised to obtain a comprehensive overview of the digital harms of smart devices. Thus, this article has presented a first-of-its-kind systematic review of the privacy- and security-related harms of smart home technologies. Following the PRISMA protocol in two widely used academic databases, seven researchers selected 63 studies that met a set of inclusion criteria and extracted information from them. This systematic review offers an overview of smart home devices and attributes that may pose digital harms, classifies these digital harms, and summarises approaches to mitigate them. This review thus contributes to the growing theoretical body aimed at better understanding the adoption and implementation of IoT technologies (Nord et al., 2019). Only by synthesising existing evidence on the digital harms of smart homes can we understand the privacy and security challenges for the adoption of such technologies, and in turn develop mechanisms to mitigate such harms and enhance a safe implementation of IoT devices in home settings. Importantly, this review of the literature not only allows for a better understanding of the digital harms of smart homes, but also identifies relevant gaps in evidence and suggests directions for future research (see Table 7).

Table 6
Type of data that may pose vulnerabilities for each smart home device.

Fig. 7. Recommendations to mitigate digital harms of smart devices.

Our review identified that the majority of existing studies focus on privacy intrusions as a prevalent form of harm against smart homes. Privacy intrusions can take the form of non-criminal (e.g., uncontrolled access by medical practitioners and carers to private data recorded in care monitoring devices; Alkhatib et al., 2019) as well as criminal
behaviour (e.g., when information obtained from smart homes is subsequently used to control household members or target houses for burglary; Hodges, 2021), which in turn affects the types of actions companies and law enforcement should put in place to prevent and respond to them. Other factors that influence the private and public responses to digital harms include the type of device and data linked to each harm, and the nature of the harm itself. This is the reason why in this study we recorded information not only about the most prevalent harm types, but also classified these harms and the variety of harm-affected devices.

Other types of harms that are less common in the literature include hacking, malware and DoS/DDoS attacks targeting a variety of home devices. Some of these types of attacks were also recorded in Blythe and Johnson (2021). Fewer articles studied stalking incidents, and one of them, Sikder et al. (2020), found that the way in which access control settings in smart homes are designed leads to users being granted undesired full access control to all smart home ecosystems (e.g., AirBnB guests). While the differences in the prevalence of the types of harms identified in this systematic review may indeed reflect real-world patterns, the frequencies observed here are likely affected by the overall interests of researchers and funders, and that it is easier or more convenient to study some harm types over others. Thus, while this systematic review provides valuable information about the types of harms that researchers have so far identified, it is necessary for researchers and public authorities to work collaboratively on new ways to more accurately estimate the extent and nature of digital harms – this is identified as an important gap in research. Some consider that creating public-private partnerships for data sharing and evidence-based prevention in the context of smart homes is essential to further understand their benefits and harms, and in turn put measures in place for prevention (Buil-Gil et al., 2022).

Moreover, in order to better understand these harms and derive effective prevention mechanisms, either technical, social, or socio-technical, we argue that it is important to classify them according to their nature, methods and objectives. Our study shows how previous

Table 7
Main gaps in research and directions for future research.

Gaps in research | Research questions
Better measurement of the nature and extent of digital harms of smart homes | Do digital harms considered in the literature reflect real-world incidents? How can we better estimate the nature and extent of digital harms of smart homes?
Digital harms at the intersection of cyber-enabled and deception | What is the nature and extent of cyber-enabled and deception-related digital harms of smart homes?
Digital harms at the intersection of cyber-enabled and porn and obscenity | What is the nature and extent of cyber-enabled and obscenity-related digital harms of smart homes?
Social prevention mechanisms (e.g., education, control, policy) against digital harms of smart homes | What are the most relevant social factors that explain the digital harms of smart homes? How can we better design social and socio-technical approaches to prevent the digital harms of smart homes?
Prevention mechanisms focused on the user, perpetrator or guardian | What is the role of the user, perpetrator and guardian in the digital harms of smart homes? How can we better design prevention mechanisms focused on the user, perpetrator or guardian?

known cases, but we have also seen examples of other types of harms that are either less commonly identified or fully neglected in existing research. While our systematic review is important to gain a better understanding of the nature of the harms of smart devices, it also identifies gaps in research that should be better addressed in the future. For instance, we found research gaps regarding harms at the intersection of cyber-enabled and deception, and cyber-enabled and pornography, which nonetheless do exist in the real-world (e.g., data retrieved from smart homes being used for identity theft or to assist fraud, or the dissemination of sexually explicit images of children obtained from monitoring devices).

Another key finding of this systematic review is that digital harms, and data associated with these harms, may vary extensively across smart home devices (Marikyan et al., 2019). For instance, according to data extracted from this review, while harms associated with security and surveillance systems have been mainly linked to DoS attacks and privacy intrusions arising from insufficient protection of network traffic data, voice control devices (e.g., Google Home, Amazon Alexa) are more commonly associated with the hacking of audio data. And while lighting control systems are commonly linked with the hacking of network traffic data, smart grids/meters are mainly linked to privacy intrusions of energy usage. This type of information may indeed be essential to propose and design better prevention mechanisms that adapt to the types of data vulnerabilities and harms of each specific device, user and context. In a similar vein, these findings can help inform policy and legislation such as the UK PSTI Bill.

The vast majority of studies included in our systematic review propose explicit measures to mitigate the digital harms identified. Most of these recommendations focus on technical improvements with different aims, mostly related to improving intrusion detection systems, data protection and concealment mechanisms, and software updates. Fewer mentioned hardware improvements. Previous studies also found that most studies focus on the technical prevention of harms (Blythe & Johnson, 2021). While we found a considerable proportion of studies proposing technical recommendations for harm prevention, very few articles mentioned social prevention mechanisms such as improving the education of users or developers, and only two articles described the need for policy changes. Relatedly, most of these recommendations focused on the target, with fewer considering harm reduction and prevention from the perspective of the guardian, user or perpetrator (Leukfeldt & Yar, 2016). This article thus identifies another important gap in research: the need to consider and evaluate the effectiveness of social and socio-technical prevention approaches that focus on the guardian, user and perpetrator. The main gaps in research identified in this study, and directions for future research, are presented in Table 7.

Some of these gaps in research could, and perhaps should, be addressed through cross-disciplinary initiatives involving researchers from different fields. We have observed an overall lack of multidisciplinary work in this domain, with not a single study involving researchers from across both technical and health or social sciences disciplines. For instance, our review found evidence that while crossing physical and political boundaries does not appear to be an issue for collaborative work (i.e., 13 studies involved authors from multiple countries), crossing disciplinary boundaries appears much more challenging for researchers interested in the study of smart homes. This is likely to be the primary driver for some of the research gaps identified, including the lack of research about cyber-enabled harms, and incidents related to deception, violence and pornography, and the main focus on solely technical prevention mechanisms to improve the protection of
classifications of online harms can be applied to better understand the smart devices. We argue that enhancing cross-disciplinary work in this
harms of smart homes (Lin & Bergmann, 2016; McGuire & Dowling, domain is not only important to better address the wider variety of
2013; Wall, 2001). We found that harms identified in extant academic harms that affect devices, and the wider possibilities of harm reduction
literature tend to cluster on incidents at the intersection of strategies, but to better research them. While most studies in our sys­
cyber-dependent, access and trespass, and cyber-dependent, confiden­ tematic review were described as experimental or quasi-experimental by
tiality and trespass. We have seen several examples of harms with these design, few of them consider the selection of randomised control and
characteristics, as presented in the academic literature as well as in trial groups, which is considered a fundamental requirement for

experimental designs in many disciplines. Similarly, very few studies in our review apply mixed-methods (i.e., combining quantitative and qualitative data analysis) to better understand the harms of smart homes, and not a single study applies meta-analytical designs to compare findings presented in multiple studies. Few studies considered the experiences of victims in the assessment and response to the security and privacy threats of smart homes (Leitão, 2019). As has been noted regarding the study of wearable technology (Ferreira et al., 2021), research in the field of smart homes will undoubtedly benefit from further enhancing principles of cross-disciplinarity and considering the voices of everyone involved in the design, development, and use of smart home technologies.

6. Limitations

This study, however, is not free from limitations. First, we considered two academic databases to search for academic articles for our systematic review (Web of Science and Scopus). While these are two of the most widely used databases of academic literature, not all articles are included in them, and thus we may have missed some important contributions in the field. Second, we only considered articles published between 2011 and 2021, and our study may have missed important contributions published both before and after this time period. Relatedly, the ever-changing nature of smart homes and their associated harms may mean that some of the findings identified here may vary extensively in the next few years. Third, while the process followed to select articles for our review is based on a widely adopted protocol for systematic reviews, and we considered interrater reliability criteria to ensure consistency across judges, we cannot rule out the possibility that some other relevant articles should have also been included in the study. Fourth, the exemplar cases used to illustrate our main findings were selected using non-probability purposive sampling and may not be representative of the most common types of harms occurring in the real-world. And fifth, as described in previous sections, while the digital harms identified in this review may reflect real-world patterns, these may also be driven by the overall methodological approaches and areas of interests of researchers and funders.

CRediT author statement

David Buil-Gil: Conceptualization; Methodology; Software; Formal analysis; Writing - Original Draft, Steven Kemp: Methodology; Formal analysis; Writing - Original Draft, Stefanie Kuenzel: Conceptualization; Methodology; Validation; Writing - Review & Editing, Lynne Coventry: Conceptualization; Methodology; Validation; Writing - Review & Editing, Sameh Zakhary: Conceptualization; Methodology; Validation; Writing - Review & Editing, Daniel Tilley: Conceptualization; Methodology; Validation; Writing - Review & Editing, James Nicholson: Conceptualization; Methodology; Validation; Writing - Review & Editing; Project administration.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

No data was used for the research described in the article.

Acknowledgment

This work, as part of the PrivIoT project, has been supported by the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, which has been funded by the UK EPSRC under grant number EP/S035362/1.

References

techUK. (2021). The state of the connected home 2021: A year like no other. https://spark.adobe.com/page/LCRPh1X14fjDM/. (Accessed 11 August 2021).
Aafer, Y., You, W., Sun, Y., Shi, Y., Zhang, X., & Yin, H. (2021). Android SmartTVs vulnerability discovery via log-guided fuzzing. In 30th USENIX security symposium (pp. 2759–2776). USENIX.
Agrafiotis, I., Nurse, J. R. C., Goldsmith, M., Creese, S., & Upton, D. (2018). A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity, 4(1), Article tyy006.
Ali, W., Dustgeer, G., Awais, M., & Shah, M. A. (2017). IoT based smart home: Security challenges, security requirements and solutions. In 23rd international conference on automation and computing (pp. 1–6). IEEE.
Alkhatib, S., Waycott, J., & Buchanan, G. (2019). Privacy in aged care monitoring devices (ACMD): The developers’ perspective. In E. Cummings, M. Merolli, & L. K. Schaper (Eds.), Digital health: Changing the way healthcare is conceptualised and delivered (pp. 7–12). Amsterdam: IOS Press.
AlOtaibi, N., & Lombardi, F. (2021). Privacy and security evaluation of Amazon Echo voice assistant. In International conference of women in data science at taif university (Vol. 2021, pp. 1–6). IEEE.
Alsheakh, H., & Bhattacharjee, S. (2020). Towards a unified trust framework for detecting IoT device attacks in smart homes. In IEEE 17th international conference on mobile ad hoc and sensor systems (pp. 613–621). IEEE.
Anthi, E., Ahmad, S., Rana, O., Theodorakopoulos, G., & Burnap, P. (2018). EclipseIoT: A secure and adaptive hub for the internet of things. Computers & Security, 78, 477–490.
Anthi, E., Williams, L., Javed, A., & Burnap, P. (2021). Hardening machine learning denial of service (DoS) defences against adversarial attacks in IoT smart home networks. Computers & Security, 108, Article 102352.
Atzori, L., Iera, A., & Morabito, G. (2010). The internet of things: A survey. Computer Networks, 54(15), 2787–2805.
BEIS. (2022). Smart meters in great britain, quarterly update March 2022. Available from: https://www.gov.uk/government/statistics/smart-meters-in-great-britain-quarterly-update-march-2022 (Accessed 10 August 2022).
Bhatt, P., & Morais, A. (2018). Hads: Hybrid anomaly detection system for IoT environments. In 2018 international conference on internet of Things, embedded systems and communications (pp. 191–196). IEEE.
Birchley, G., Huxtable, R., Murtagh, M., Meulen, R., Flach, P., & Gooberman-Hill, R. (2017). Smart homes, private homes? An empirical study of technology researchers’ perceptions of ethical issues in developing smart-home health technologies. BMC Medical Ethics, 18(23), 1–13.
Bistarelli, S., Bosimini, E., & Santini, F. (2020). A report on the security of home connections with IoT and docker honeypots. In M. Loreti, & L. Spalazzi (Eds.), Proceedings of the fourth Italian conference on cyber security (pp. 60–70). CEUR.
Blythe, J. M., & Johnson, S. D. (2021). A systematic review of crime facilitated by the consumer Internet of Things. Security Journal, 34, 97–125.
Boise, L., Wild, K., Mattek, N., Ruhl, M., Dodge, H. H., & Kaye, J. (2013). Willingness of older adults to share data and privacy concerns after exposure to unobtrusive in-home monitoring. Gerontechnology, 11(3), 428–435.
Bordel, B., Alcarria, R., Robles, T., & Sánchez-Picot, Á. (2018). Stochastic and information theory techniques to reduce large datasets and detect cyberattacks in ambient intelligence environments. IEEE Access, 6, 34896–34910.
Bugeja, J., Jacobsson, A., & Spalazzese, R. (2020). On the analysis of semantic denial-of-service attacks affecting smart living devices. In K. Arai, S. Kapoor, & R. Bhatia (Eds.), Intelligent computing: Proceedings of the 2020 computing conference (Vol. 2, pp. 427–444). Cham: Springer.
Capellupo, M., Liranzo, J., Bhuiyan, M. Z. A., Hayajneh, T., & Wang, G. (2017). Security and attack vector analysis of IoT devices. In G. Wang, M. Atiquzzaman, Z. Yan, & K. R. Choo (Eds.), Security, privacy and anonymity in computation, communication, and storage: SpaCCS 2017 international workshops (pp. 593–606). Cham: Springer.
Choi, Y. K., Thompson, H. J., & Demiris, G. (2021). Internet-of-things smart home technology to support aging-in-place: Older adults’ perceptions and attitudes. Journal of Gerontological Nursing, 47(4), 15–21.
Copos, B., Levitt, K., Bishop, M., & Rowe, J. (2016). Is anybody home? Inferring activity from smart home network traffic. In IEEE security and privacy workshops (Vol. 2016, pp. 245–251). IEEE.
Corbett, J. (2013). Using information systems to improve energy efficiency: Do smart meters make a difference? Information Systems Frontiers, 15, 747–760.
Buil-Gil, D., Nicholson, J., & Kemp, S. (2022). Smart (and safe) homes – public-private partnerships to mitigate the digital harms of smart home devices. Policy@Manchester blog. Available from: https://blog.policy.manchester.ac.uk/posts/2022/03/smart-and-safe-homes-public-private-partnerships-to-mitigate-the-digital-harms-of-smart-home-devices/. (Accessed 6 August 2022).
Crime Prosecution Service (n.d.). Cyber/online crime. Available from: https://www.cps.gov.uk/crime-info/cyber-online-crime (Accessed 29 July 2022).
Cultice, T., Ionel, D., & Thapliyal, H. (2020). Smart home sensor anomaly detection using convolutional autoencoder neural network. In IEEE international Symposium on smart electronic systems (Vol. 2020, pp. 67–70). IEEE.
DCMS. (2019). Online harms white paper. https://www.gov.uk/government/consultations/online-harms-white-paper. (Accessed 2 August 2022).
BBC. (2013). Trendnet ruling heralds crackdown on insecure home webcams. Available from: https://www.bbc.com/news/technology-23971118 (Accessed 2 August 2022).
DCMS. (2021). Product Security and Telecommunications Infrastructure (PSTI) Bill: Factsheets. Available from: https://www.gov.uk/government/collections/the-product-security-and-telecommunications-infrastructure-psti-bill-factsheets. (Accessed 2 August 2022).
DCMS. (2021). Draft Online Safety Bill. Available from: https://www.gov.uk/government/publications/draft-online-safety-bill. (Accessed 2 August 2022).
Demiris, G., & Hensel, B. K. (2008). Technologies for an aging society: A systematic review of “smart home” applications. Yearbook of Medical Informatics, 17(1), 33–40.
Do, Q., Martini, B., & Choo, K. R. (2018). Cyber-physical systems information gathering: A smart home case study. Computer Networks, 138, 1–12.
Dorri, A., Kanhere, S. S., Jurdak, R., & Gauravaram, P. (2017). Blockchain for IoT security and privacy: The case study of a smart home. In IEEE international conference on pervasive computing and communications workshops (pp. 618–623). IEEE.
Fan, J., Li, Q., & Cao, G. (2017). Privacy disclosure through smart meters: Reactive power based attack and defense. In 47th annual IEEE/IFIP international conference on dependable systems and networks (pp. 13–24). IEEE.
Ferreira, J. J., Fernandes, C. I., Rammal, H. G., & Veiga, P. M. (2021). Wearable technology and consumer interaction: A systematic review and research agenda. Computers in Human Behavior, 118, Article 106710.
Gassais, R., Ezzati-Jivan, N., Fernandez, J. M., Aloise, D., & Dagenais, M. R. (2020). Multi-level host-based intrusion detection system for Internet of things. Journal of Cloud Computing, 9, 62.
Han, J., & Park, T. (2017). Security-enhanced push button configuration for home smart control. Sensors, 17(6), 1–18.
Hariri, A., Giannelos, N., & Arief, B. (2020). Selective forwarding attack on IoT home security kits. In S. Katsikas, F. Cuppens, N. Cuppens, C. Lambrinoudakis, C. Kalloniatis, J. Mylopoulos, A. Antón, S. Gritzalis, F. Pallas, J. Pohle, A. Sasse, W. Meng, S. Furnell, & J. Garcia-Alfaro (Eds.), Computer security: ESORICS 2019 international workshops, CyberICPS, SECPRE, SPOSE, and ADIoT (pp. 360–373). Cham: Springer.
Harvey, A. (2022). American home tech spending survey (Vol. 2022). Safewise. Available from: https://www.safewise.com/blog/smart-home-tech-spending/ (Accessed 5 August 2022).
Heartfield, R., Loukas, G., Bezemskij, A., & Panaousis, E. (2021). Self-configurable cyber-physical intrusion detection for smart homes using reinforcement learning. IEEE Transactions on Information Forensics and Security, 16, 1720–1735.
Hodges, D. (2021). Cyber-enabled burglary of smart homes. Computers & Security, 110, Article 102418.
Isawa, R., Ban, T., Tie, Y., Yoshioka, K., & Inoue, D. (2018). Evaluating disassembly-code based similarity between IoT malware samples. In 13th asia joint conference on information security (pp. 89–94). IEEE.
Jacobsson, A., Bold, M., & Carlsson, B. (2016). A risk analysis of a smart home automation system. Future Generation Computer Systems, 56, 719–733.
Javed, A., Malik, K. M., Irtaza, A., & Malik, H. (2021). Towards protecting cyber-physical and IoT systems from single- and multi-order voice spoofing attacks. Applied Acoustics, 183, Article 108283.
Javed, Y., & Rajabi, N. (2020). Multi-layer perceptron artificial neural network based IoT botnet traffic classification. In K. Arai, R. Bhatia, & S. Kapoor (Eds.), Proceedings of the future of technologies conference (FTC) 2019 (Vol. 1, pp. 973–984). Cham: Springer.
Jia, Y., Xiao, Y., Yu, J., Cheng, X., Liang, Z., & Wan, Z. (2018). A novel graph-based mechanism for identifying traffic vulnerabilities in smart home IoT. In IEEE INFOCOM 2018: IEEE conference on computer communications (pp. 1493–1501). IEEE.
Ji, W., Cheng, Y., Xu, W., & Zhou, X. (2018). User presence inference via encrypted traffic of wireless camera in smart homes (Vol. 2018, pp. 1–10). Security and Communication Networks.
Kennedy, S., Li, H., Wang, C., Liu, H., Wang, B., & Sun, W. (2019). I can hear your Alexa: Voice command fingerprinting on smart home speakers. In IEEE conference on communications and network security (Vol. 2019, pp. 232–240). IEEE.
Komninos, N., Philippou, E., & Pitsillides, A. (2014). Survey in smart grid and smart home security: Issues, challenges and countermeasures. IEEE Communications Surveys & Tutorials, 16(4), 1933–1954.
Krebs, B. (2017). Who is anna-senpai, the Mirai worm author?. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/. (Accessed 30 July 2022).
Lally, G., & Sgandurra, D. (2018). Towards a framework for testing the security of IoT devices consistently. In A. Saracino, & P. Mori (Eds.), Emerging technologies for authorization and authentication: First international workshop, ETAA 2018 (pp. 88–102). Cham: Springer.
Laufs, J., Borrion, H., & Bradford, B. (2020). Security and the smart city: A systematic review. Sustainable Cities and Society, 55, Article 102023.
Lee, B., Kwon, O., Lee, I., & Kim, J. (2017). Companionship with smart home devices: The impact of social connectedness and interaction types on perceived social support and companionship in smart homes. Computers in Human Behavior, 75, 922–934.
Leitão, R. (2019). Anticipating smart home security and privacy threats with survivors of intimate partner abuse. In Proceedings of the 2019 on designing interactive systems conference (pp. 527–539). New York: ACM.
Leukfeldt, E. R., & Yar, M. (2016). Applying routine activity theory to cybercrime: A theoretical and empirical analysis. Deviant Behavior, 37(3), 263–280.
Li, J., Li, Z., Tyson, G., & Xie, G. (2020). Your privilege gives your privacy away: An analysis of a home security camera service. In IEEE conference on computer communications (pp. 387–396). IEEE.
Lin, H., & Bergmann, N. W. (2016). IoT privacy and security challenges for smart home environments. Information, 7, 44.
Li, Y., Zhang, Y., Zhu, H., & Du, S. (2021). Toward automatically generating privacy policy for smart home apps. In IEEE conference on computer communications workshops (pp. 1–7). IEEE.
Lutolf, R. (1992). Smart Home concept and the integration of energy meters into a home based system. In Seventh international conference on metering apparatus and tariffs for electricity supply (pp. 277–278). IEEE.
Lyu, M., Sherratt, D., Sivanathan, A., Gharakheili, H., Radford, A., & Sivaraman, V. (2017). In WiSec ’17: Proceedings of the 10th ACM conference on security and privacy in wireless and mobile networks (pp. 46–51). New York: ACM.
Mahadewa, K. T., Wang, K., Bai, G., Shi, L., Dong, J. S., & Liang, Z. (2018). HOMESCAN: Scrutinizing implementations of smart home integrations. In 2018 23rd international conference on engineering of complex computer systems (pp. 21–30). IEEE.
Marikyan, D., Papagiannidis, S., & Alamanos, E. (2019). A systematic review of the smart home literature: A user perspective. Technological Forecasting and Social Change, 138, 139–154.
Martin, E. D., Kargaard, J., & Sutherland, I. (2019). Raspberry Pi malware: An analysis of cyberattacks towards IoT devices. In 10th international conference on dependable systems, services and technologies (pp. 161–166). IEEE.
Mashima, D., Serikova, A., Cheng, Y., & Chen, B. (2018). Towards quantitative evaluation of privacy protection schemes for electricity usage data sharing. ICT Express, 4(1), 35–41.
Matern, D., Condurache, A., & Mertins, A. (2013). Adaptive and automated ambiance surveillance and event detection for Ambient Assisted Living. In 35th annual international conference of the IEEE engineering in medicine and biology society (pp. 7318–7321). IEEE.
McGuire, M., & Dowling, S. (2013). Cyber crime: A review of the evidence. Home office research report (Vol. 75). London: Home Office.
Min, B., & Varadharajan, V. (2016). Design and evaluation of feature distributed malware attacks against the Internet of Things (IoT). In 20th international conference on engineering of complex computer systems (pp. 80–89). IEEE.
Mohler, D., Shamseer, L., Clarke, M., Ghersi, D., Liberati, A., Petticrew, M., Shekelle, P., Stewart, L. A., & PRISMA-P Group. (2015). Preferred reporting items for systematic review and meta-analysis protocols (PRISMA-P) 2015 statement. Systematic Reviews, 4, 1.
de Morais, W. O., Lundström, J., & Wickström, N. (2014). Active in-database processing to support ambient assisted living systems. Sensors, 14(8), 14765–14785.
Nicholls, L., Strengers, Y., & Sadowski, J. (2020). Social impacts and control in the smart home. Nature Energy, 5, 180–182.
Nord, J. H., Koohang, A., & Paliszkiewicz, J. (2019). The internet of things: Review and theoretical framework. Expert Systems with Applications, 133(1), 97–108.
Oconnor, T. J., Jessee, D., & Campos, D. (2021). Through the spyglass: Towards IoT companion app man-in-the-middle attacks. In Cset ’21: Cyber security experimentation and test workshop (pp. 58–62). New York: ACM.
Peng, P., & Wang, A. (2020). SmartMon: Misbehavior detection via monitoring smart home automations. In IEEE/ACM symposium on edge computing (pp. 327–333). IEEE.
Piasecki, S., Urquhart, L., & McAuley, P. D. (2021). Defence against the dark artefacts: Smart home cybercrimes and cybersecurity standards. Computer Law & Security Report, 42, Article 105542.
Rauti, S., Laato, S., & Pitkämäki, T. (2021). Man-in-the-browser attacks against IoT devices: A study of smart homes. In A. Abraham, Y. Ohsawa, N. Gandhi, M. A. Jabbar, A. Haqiq, S. McLoone, & B. Isaac (Eds.), Proceedings of the 12th international conference on soft computing and pattern recognition (pp. 727–737). Cham: Springer.
Ricquebourg, V., Menga, D., Durand, D., Marhic, B., Delahoche, L., & Logé, C. (2006). The smart home concept: Our immediate future. In 1st IEEE international conference on E-learning in industrial electronics (pp. 23–28). IEEE.
Salomons, E., Sela, L., & Housh, M. (2020). Hedging for privacy in smart water meters. Water Resources Research, 56(9), Article e2020WR027917.
Sikder, A. K., Babun, L., Aksu, H., & Uluagac, A. S. (2019). Aegis: A context-aware security framework for smart home systems. In Proceedings of the 35th annual computer security applications conference (pp. 28–41). New York: ACM.
Sikder, A. K., Babun, L., Celik, Z. B., Acar, A., Aksu, H., McDaniel, P., Kirda, E., & Uluagac, A. S. (2020). Kratos: Multi-user multi-device-aware access control system for the smart home. In WiSec ’20: Proceedings of the 13th ACM conference on security and privacy in wireless and mobile networks (pp. 1–12). New York: ACM.
Sivanathan, A., Loi, F., Gharakheili, H., & Sivaraman, V. (2018). Experimental evaluation of cybersecurity threats to the smart-home. In IEEE international conference on advanced networks and Telecommunications systems (Vol. 2017, pp. 1–6). IEEE.
Sivanathan, A., Sherratt, D., Gharakheili, H., Sivaraman, V., & Vishwanath, A. (2017). Low-cost flow-based security solutions for smart-home IoT devices. In IEEE international conference on advanced networks and Telecommunications systems (Vol. 2016, pp. 1–6). IEEE.
Skowron, M., Janicki, A., & Mazurczyk, W. (2020). Traffic fingerprinting attacks on Internet of Things using machine learning. IEEE Access, 8, 20386–20400.
Sovacool, B. K., & Furszyfer Del Rio, D. D. (2020). Smart home technologies in europe: A critical review of concepts, benefits, risks and policies. Renewable and Sustainable Energy Reviews, 120, Article 109663.
Teng, C. C., Gong, J. W., Wang, Y. S., Chuang, C. P., & Chen, M. C. (2017). Firmware over the air for home cybersecurity in the Internet of Things. In 19th asia-pacific network operations and management symposium (pp. 123–128). IEEE.
Tran, B., Pan, S., Liang, X., & Zhang, H. (2021). Exploiting physical presence sensing to secure voice assistant systems. In IEEE international conference on communications (pp. 1–6). IEEE.
Tushir, B., Dalal, Y., Dezfouli, B., & Liu, Y. (2021). A quantitative study of DDoS and E-DDoS attacks on WiFi smart home devices. IEEE Internet of Things Journal, 8(8), 6282–6292.
Tzezana, R. (2016). Scenarios for crime and terrorist attacks using the internet of things. European Journal of Forest Research, 4, 18.
Ullrich, F., Classen, J., Eger, J., & Hollick, M. (2019). Vacuums in the cloud: Analyzing security in a hardened IoT ecosystem. In 13th USENIX workshop on offensive technologies. USENIX.
US Department of Justice. (2017). Justice department announces Charges and guilty Pleas in three computer crime cases involving significant cyber attacks. U.S. Attorney’s Office. Available from: https://www.justice.gov/usao-nj/pr/justice-department-announces-charges-and-guilty-pleas-three-computer-crime-cases. (Accessed 2 August 2022).
Vidal-González, S., García-Rodríguez, I., Aláiz-Moretón, H., Benavides-Cuéllar, C., Benítez-Andrades, J. A., García-Ordás, M. T., & Novais, P. (2020). Analyzing IoT-based botnet malware activity with distributed low interaction honeypots. In A. Rocha, H. Adeli, L. P. Reis, S. Costanzo, I. Orovic, & F. Moreira (Eds.), Trends and innovations in information systems and technologies (Vol. 2, pp. 329–338). Cham: Springer.
Wall, D. (2001). Crime and the internet. New York: Routledge.
Wang, Q., Ji, S., Tian, Y., Zhang, X., Zhao, B., Kan, Y., Lin, Z., Lin, C., Deng, S., Liu, A. X., & Beyah, R. (2021). MPInspector: A systematic and automatic approach for evaluating the security of IoT messaging protocols. In 30th USENIX security symposium (pp. 4205–4222). USENIX.
Wang, C., Kennedy, S., Li, H., Hudson, K., Atluri, G., Wei, X., Sun, W., & Wang, B. (2020). Fingerprinting encrypted voice traffic on smart speakers with deep learning. In WiSec ’20: Proceedings of the 13th ACM conference on security and privacy in wireless and mobile networks (pp. 254–265). New York: ACM.
Wang, Y., Li, X., Jia, P., Yang, Y., & Wang, H. (2021). Sensitive instruction detection based on the context of IoT sensors. In 51st annual IEEE/IFIP international conference on dependable systems and networks workshops (pp. 121–128). IEEE.
Wan, Y., Xu, K., Wang, F., & Xue, G. (2021). IoTAthena: Unveiling IoT device activities from network traffic. IEEE Transactions on Wireless Communications, 21(1), 651–664.
Weber, R. H. (2010). Internet of Things – new security and privacy challenges. Computer Law & Security Report, 26(1), 23–30.
Xiao, Y., Jia, Y., Liu, C., Alrawais, A., Rekik, M., & Shan, Z. (2020). HomeShield: A credential-less authentication framework for smart home systems. IEEE Internet of Things Journal, 7(9), 7903–7918.
Yamauchi, M., Ohsita, Y., & Murata, M. (2021). Platform utilizing similar users’ data to detect anomalous operation of home IoT without sharing private information. IEEE Access, 9, 130615–130626.
YouGov. (2020). The dawn of the connected home. https://yougov.co.uk/topics/technology/articles-reports/2020/08/27/smart-speakers-no-longer-just-early-adopters. (Accessed 3 August 2022).
Yu, X., Zhang, Y., Li, X. Y., & Guo, X. (2021). The Truman show: Attack on the privacy of smart home through traffic analysis. In 7th international conference on big data computing and communications (pp. 121–128). IEEE.
Zainab, A., Refaat, S. S., & Bouhali, O. (2020). Ensemble-based spam detection in smart home IoT devices time series data using machine learning techniques. Information, 11(7), 344.
Zhang, B., Li, J., Zheng, X., Ge, J., & Sun, J. (2019). A blockchain-based mobile IOT network interconnection security trusted protocol model. In J. Vaidya, X. Zhang, & J. Li (Eds.), Cyberspace safety and security: 11th international symposium (pp. 372–381). Cham: Springer.
Zhang, W., Meng, Y., Liu, Y., Zhang, X., Zhang, Y., & Zhu, H. (2018). HoMonit: Monitoring smart home apps from encrypted traffic. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security (pp. 1074–1088). New York: ACM.