VPNFilter Malware Analysis on Cyber Threat in Smart Home Network

Abstract
Recently, the development of smart home technologies has played a crucial role in enabling a range of real-life smart applications. They help improve the quality of life through systems designed to enhance the convenience, comfort, entertainment, health, and security of householders. Malware attacks on smart home devices, however, are increasing in frequency and volume. As people seek to improve and optimize comfort in their home while minimizing their daily home responsibilities, they become attractive targets for malware attacks, and attacks on smart home devices have emerged accordingly. The goals of this paper are to analyze the different aspects of cyber-physical threats on the smart home from a security perspective, discuss the types of attacks including advanced cyber-attacks and cyber-physical system attacks, and evaluate the impact on a smart home system in daily life. We propose a taxonomy focusing on cyber threat attacks that can have a potential impact on a smart home system and identify some key issues about VPNFilter malware, which constitutes a large-scale Internet of Things (IoT)-based botnet infection. We also discuss the defense mechanism against this threat and list the most affected routers. The specific objective of this paper is to provide efficient task management and knowledge related to the VPNFilter malware attack.


Introduction
In the near future, it is estimated that millions of people around the world will live in smart homes; therefore, home security and comfort should be improved using this technology. A smart home is a home based on the integration of electronic devices connected to each other via the internet, Wi-Fi, Bluetooth, and so on. For example, we can control many things such as lighting, temperature, or the operation of appliances with an integrated system. Technology has radically changed the way people relate to their environment, thanks to the internet. Nowadays, it is possible to get in touch with friends and family instantly from anywhere in the world, find the route to an unknown destination in a snap, and also facilitate day-to-day operations inside the home thanks to the smart home based on internet of things (IoT) technology. With the increasing variety and upgrading of technology, criminal practices have evolved: people have come to use the internet and various technological tools in malicious ways.
Nowadays, cybercrimes can victimize a large company or an ordinary person. Recently, a new piece of malware was found on many different routers. Known as VPNFilter, it is considered a sophisticated malware variant that mostly targets networking devices from a wide range of manufacturers [1]. This malware can collect confidential information that passes through an infected router, allowing attackers to gain control of Wi-Fi routers directly and obtain sensitive personal data. The malware infects routers to manipulate sites visited by users on the same network; because the threat acts at the source of the internet connection, it need not directly affect the victim's smartphone or computer. The main contributions of this survey paper are as follows: we show the known and current VPNFilter malware attacks that can be launched on smart home devices such as the Wi-Fi router, and we demonstrate the maximum security risk introduced by VPNFilter, which can affect the operation of multifunction devices such as smart TVs, smart locks, and so on.

Motivation
Living in a smart home environment is known to provide a number of benefits and comforts. The IoT technologies adopted in a smart home consist of communication technologies together with automatic control technology and sensor technology. Figure 1 shows the smart home architecture featuring the smart home devices connected with applications, allowing users to communicate directly with home appliances via mobile phones. The aim of smart home technology is to make life more convenient and efficient, save energy, and much more. At the same time, a significant risk to security and privacy is introduced. Since this malware is critical, we need to understand how these devices are being exploited. Smart home devices can be directly compromised by attackers, undermining the privacy and security of the users [2]. Due to the lack of sufficient protection, attackers can easily obtain sensitive information from users. Moreover, many developments in the existing frameworks of smart applications give rise to vulnerabilities that can then be exploited by attackers to launch various attacks [3,4]. The motivation of this research is the ever-growing number of malware threats to cyber-security; therefore, it is important to understand the different types of malware, their impact, and the detection techniques in the smart home.

Research Methodology
The IoT is also known as the internet of objects, capable of connecting actuators, things, sensors, and many other smart technologies, thus enabling communication between devices. It is typically connected to cloud services. The IoT system can be a heterogeneous environment that allows different physical devices to interact with both users and other devices, be they hardware or offered services. IoT conveys different meanings to different people. Therefore, we use a research methodology that evaluates the overall body of work on malware in the smart home and answers three main questions:
• Can a smart home be hacked? Every device connected to any other network, without exception, can be compromised. For this question, the answer is yes. The smart home system is not totally safe, and there are several examples of smart devices affected by malware attacks.

• How can smart home cyber-security be compromised by an attacker? In a smart home, every device, or anything with the smallest piece of firmware and networking capability, can be compromised. We could be forgiven for assuming strong built-in security and for presuming that a successful attack is only possible for highly determined cybercriminals; it is not just about one hacker trying to target your camera to watch you making lunch. This is far from the truth, however. Vulnerabilities and exploits are much more common than we can imagine.

• What is the impact of different attacks against smart home occupants? As we know, the typical smart home system is configured for energy efficiency, convenience, and security. Therefore, we should keep in mind that cyber-security attacks cause serious disruption, leading to adverse experiences in users' daily lives, ranging from inconvenience to loss of time and intense frustration due to goal blockage.
In this research paper, we discuss how to handle a device that may be infected, as well as techniques for defending against malware. Table 1 presents the contribution of this survey in relation to existing surveys. The rest of this paper is organized as follows: Section 2 describes the taxonomy of malware in the smart home network; Section 3 discusses VPNFilter malware in the smart home network; Section 4 describes the impact on the smart home network, including physical, cyber-security, and daily life impacts; Section 5 discusses the open issues, challenges, and proposed solutions; Section 6 presents the conclusions. We expect our discussion to help readers gain an overall understanding of the studies related to these issues. Table 1. Contribution of our survey in relation to existing surveys.

Taxonomy of Malware in the Smart Home Network
Through the emerging growth of the internet and technology, various aspects of our lives are becoming simpler and smarter day by day, connected through the internet of things and smart home technology. As a consequence, today's home is considered a smart home if it is connected to a communication network using the internet. The resident of the home can monitor, program, and control all smart home appliances from a remote location, as illustrated in the smart home architecture of Figure 1.
At first glance, every smart home device makes our life easier, and automation can make our routine more comfortable and our home safer. At the same time, however, all these devices may introduce a huge threat if they are hit by a cyber-attack such as a virus, malicious attack, web attack, and much more. Many attacks have been carried out in wireless sensor networks, such as denial of service, wormhole, and sinkhole attacks. Security for controlling the smart home area network depends on four main properties: integrity, authentication, confidentiality, and availability [10]. We are constantly generating data, receiving information, and communicating in real time with our devices and each other, anytime and from anywhere.
We should regard internet of things security as unique in many aspects and as giving rise to challenges distinct from the security assurance of other computing devices such as laptops, servers, mobile devices, smart devices, and much more [11,12]. As such, we have developed three taxonomies of security attack criteria for the smart home, shown in Figure 2. The first taxonomy introduces a series of four layers in the smart home system, wherein each layer can be attacked and must be protected for the sake of the entire network, not only the specific technology but the entire system. Based on this taxonomy, we systematically analyzed the privacy issues and security threats along all layers of the smart home system. The second taxonomy refers to attacks based on the smart home central hub, and the last taxonomy describes attacks based on the smart home's physical security.

Attacks Based on the Smart Home Architecture
The smart home system is known as a control system that, through the internet, can integrate security protection, automatic control of equipment, domestic communication, and so on. The proposed smart home architecture has 4 layers.

Application Layer
This layer is used in both lower and upper models because of its significance, as it interacts with the user and user applications. The communication system is involved in this application layer. The application layer should be considered one of the social divisions of IoT, realizing extensive intellectualization and combining with industry demand [13,14]. A set of different applications is implemented by this layer. The same application layer is used to process and manage data coming from the middleware layer, which can provide quality of service to the end user in the smart home [15]. The main problem of the application layer normally occurs in the handling of sensitive data, i.e., malicious attacks that modify data or secure permanent permission and access to data [16]. Attackers normally exploit vulnerabilities to allow malicious code to attack the systems, gain access to sensitive data, and modify the system.

• Code injection attack: This type of attack depends on injecting data into web applications so that malicious data are interpreted and executed in an unexpected way by exploiting program errors [17]. It can be used for various purposes.
• Buffer overflow attack: A buffer, whose memory is allocated by a program, is an area of temporary storage for handling a surplus of data. A buffer overflow attack occurs when a program is deliberately made to write more data than the buffer can hold, causing the extra data to overflow and enabling the exploitation of program vulnerabilities. As an example, WellinTech KingView 6.53 HistorySvr, an industrial automation software package, was affected by a heap buffer overflow vulnerability [18].
• Data manipulation attack: Also known as a manipulation code attack, this involves gaining illegal access by violating user privacy. The data manipulation attack usually exploits design flaws in the permission model [19].
• Authentication attack: Authentication, the process of confirming the identity or truth of an object, plays an important role in the protection of IoT security and privacy. This kind of attack is a way of discovering and exploiting security holes in the authentication of web applications.

Network Layer
A network consists of a set of computers or other interconnected devices sharing resources, information, and services. This layer, which is responsible for connecting the IoT infrastructure [15], collects data from the lower (perception) layer and transmits the communication up to the upper layer of the smart home architecture. The communication medium may be wireless or wired, and the technologies used include Bluetooth, ZigBee, 3G, WiFi, and others [20,21]. Diverse types of attacks occur at the network layer, typically affecting information sharing among network devices. They can be classified as passive attacks, such as traffic analysis, monitoring, and eavesdropping, or as active attacks, such as routing attacks, denial of service, node malfunction, and much more.

• Denial of service attack: In this type of attack, a hacker denies service to authorized users or creates delays by consuming resources, generating a large amount of data. This classification presents the impact of DoS on the victim's network or bandwidth resources. In such attacks, the attacker aims to consume the victim's limited available resources [17].
• Sybil attack: In this kind of attack, a single attacker can take over the network by presenting multiple identities to the victim's node, which causes the victim's node to perform multiple operations, thus defeating the purpose of redundancy [22,23].
• Sinkhole attack: A compromised node attracts the flow of data from nearby nodes to the attacker [23][24][25]. The system is tricked into thinking that the data have reached their destination [24]. In a wireless sensor network, the attacker can use the malicious node to attract network traffic, after which the sensor data can be manipulated arbitrarily.
• Man-in-the-middle (MITM) attack: The attacker gains access to the communication between victim nodes, as well as the trust of the two nodes, and obtains information from the different nodes [26][27][28].

Middleware Layer
This provides enterprise activation and integration required to connect engagement systems. The middleware layer obtains from the network layer data that links together the system to the database and the cloud and also performs processing and data storage [19]. The security of the database and cloud is considered the main problem in the middleware layer, which greatly affects the quality of service at the application layer.

• Flooding attack: This type of attack is a form of denial of service attack wherein a network or a service becomes so weighed down with packets initiating incomplete connection requests that it can no longer process genuine connection requests. Attackers can attack the service to degrade the quality of service [29].
• Cloud malware attack: An attacker launching this type of attack tries to inject a malicious service into the cloud: the attacker creates its own malicious service implementation module and tries to add it to the cloud system. If the attacker succeeds, the cloud automatically redirects the requests of valid users to the attacker's code, which then starts to execute.
• SQL injection attack: In this type of attack, attackers use crafted SQL statements to read, write, and delete data when a web application is vulnerable to SQL injection. Pages then show outcomes that differ from the actual information on the network.
• Signature wrapping attack: Cloud systems use XML signatures to ensure service integrity. Attackers can modify the communication between nodes on this layer by eavesdropping on and rewriting messages without invalidating the signature [30].
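As an added example (not from the paper), the SQL injection case above in the form of a vulnerable lookup beside its parameterized replacement, using Python's sqlite3 with a constructed in-memory table of smart-home users; the table, names and data are assumptions for illustration:

```python
import sqlite3


def make_db():
    """Create an in-memory table of smart-home users (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String-concatenated query: attacker-controlled input becomes part of the SQL."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the input is always treated as a value, never as SQL."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a normal name and a hostile one, return the four results."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # classic tautology; turns the WHERE clause into "always true"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),    # every row leaks
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),  # no row matches the literal string
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized version needs no escaping logic of its own: the driver passes the value to the engine separately from the statement text, so the quote characters in the hostile input never reach the SQL parser as syntax.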

Perception Layer
This is considered the level closest to the environment; it is responsible for collecting data, converting this information into digital signals, and identifying objects [31]. An attacker can directly access the attributes of devices in this layer through physical attacks such as tag cloning and forgery, and can easily spy on the communication between its nodes. The main technologies of this layer consist of various sensor nodes, cameras, actuators, RFID readers, mobile phones, tablets, GPS, and others that communicate in the smart home. The technologies of the perception layer are usually constrained by energy and computing resources [32]. Sensor devices may operate in a hostile environment and can also be destroyed easily. Malicious attacks on sensors and on identification technology are among the main challenges for the perception layer, since they interfere with data collection [33]. Attacks on the perception layer generally aim at disrupting communication and data collection, which has a direct effect on the efficiency of the entire system.
• Spoofing attack: The attacker sends packets across the network using many different fake source addresses. By amplifying the attack, the attacker disguises a tag as a valid tag, which gains the same permissions and services as the valid tag [34]. Spoofing attacks may lead to packet loss in the transmission process [35].

• Sleep deprivation attack: The perception layer is limited by the battery power of the node. To prolong battery life, the device must sleep when not in operation. This type of attack attempts to subvert this process by constantly contacting the network devices and sending them information [36].
• Radio frequency jamming attack: This attack targets one of the key technologies of this layer, which consists of sensor nodes, cameras, actuators, tags / RFID readers, cell phones, tablets, GPS, and others that communicate in the smart home. The attacker can disrupt the data collection process at the perception layer.

Attacks Based on the Smart Home Central Hub
We know that the internet of things has made it easier than ever to set up a smart home that allows easy remote control of lights, thermostats, doors, and other devices using a smartphone and an application. It also makes monitoring your smart home from anywhere simple. A smart security system is highly customizable and is available as a full-blown setup or a do-it-yourself kit, which can include professional monitoring and installation.
IoT devices within smart homes are vulnerable to a wide range of device attacks. They interact with the internet and the physical world, enabling intelligent interaction between the surroundings and the physical world, but giving rise to cyber-security risks.

• Threats in a smart home have negative impacts by exploiting security weaknesses in a system [37]. Different active threats, such as man-in-the-middle attacks, spoofing attacks, Sybil attacks, denial of service and malicious inputs, as well as passive attacks, can affect the internet of things system within the smart home. Since the objective of the system is to allow users access anytime, anywhere, attack vectors or surfaces also become accessible to intruders [38,39]. Therefore, potential threats in which an intruder gains access to these devices are becoming more likely. Smart home devices are usually connected over the wireless network, and an attacker can expose private information from the communication channel by eavesdropping. Securing the smart home system is a challenging and complex task.
• Software attack: Software attacks are considered the main source of security vulnerabilities in any network system. Such attacks exploit deployment vulnerabilities in the router through its communication interface. This type of malware includes viruses, denial of service, worms, and the VPNFilter attack, which allows injecting malicious code into the system.
• Denial of service attack: A very common kind of attack used by attackers to disrupt an entire network and the router. The attacker uses multiple series of requests to flood the router with message requests using internet control message protocol (ICMP) packets.
• Packet mistreating attack: This type of attack is similar to a denial of service attack. Packet mistreating injects packets with malicious code to disrupt and confuse networks; the injected packets cause the router to mistreat packets within the network, so that the routing process can no longer handle the number of packets accumulating in the routing table.

• VPNFilter attack: The VPNFilter attack is a common malware attack on routers wherein false routing information is introduced by compromising the smart home system.
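An added example, not from the paper, of detection logic for the ICMP flood described above: a sliding-window counter of echo requests per source address, run over constructed firewall-style log lines. The log format, the addresses and the threshold are assumptions chosen for illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> ICMP src=<ip> dst=<ip> type=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) type=(?P<type>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "type": int(m.group("type")),
    }


def detect_icmp_flood(lines, window_s=1.0, threshold=50):
    """Return {source_ip: time_of_first_alert} for sources that send more than
    `threshold` ICMP echo requests (type 8) inside any `window_s`-second window."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["type"] != 8:  # only echo requests count toward the flood
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # drop timestamps that fell out of the window relative to this event
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def sample_log():
    """Constructed sample: a benign host pinging once per second, the router's
    echo replies, and one host sending 200 echo requests in two seconds."""
    base = datetime(2018, 5, 23, 10, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ICMP src=192.168.1.20 dst=192.168.1.1 type=8")
        lines.append(f"{t.isoformat()} ICMP src=192.168.1.1 dst=192.168.1.20 type=0")
    for i in range(200):
        t = base + timedelta(milliseconds=10 * i)
        lines.append(f"{t.isoformat()} ICMP src=192.168.1.55 dst=192.168.1.1 type=8")
    lines.append("not a log line at all")  # exercises the None branch of parse_line
    return lines


if __name__ == "__main__":
    for src, when in detect_icmp_flood(sample_log()).items():
        print(f"ICMP flood from {src}, first exceeded threshold at {when.isoformat()}")
```

The window is evaluated per source, so a handful of legitimate monitoring pings never accumulate, while the flooding host trips the alert on its 51st request, half a second into the burst; the threshold and window are the knobs to tune against a home network's normal ping rate.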

Physical Attack
Physical attacks interfere with the hardware components, and they are usually harder to carry out because they require expensive equipment.

• Voltage supply attack: A powerful active type of attack that modifies the execution flow of a device by disrupting its power supply.
• Tampering attack: This type of attack is launched when the attacker is physically close to the network device and breaks into the hardware without any permission.

VPNFilter Malware in the Smart Home Network
Nowadays, the smart home has become very popular thanks to this technology. Note, however, that owners of smart homes face a high probability of hacking, malware attacks, and privacy intrusion by people with malicious intent. Many smart home platforms rely on the home internet gateway to reach the cloud in order to function. In the event that attackers successfully compromise the internet gateway, they may gain complete control of all household devices connected to the platform. Stamm et al. [40] suggested that an attack can be initiated when the client accesses an infected website, which automatically executes a Java applet on the client device. This script fingerprints the home internet router's internal IP addresses and establishes a reverse socket connection between the client and the attacker, wherein the client's IP address provides insight into the internal addressing scheme.
Having complete information about the router, the attacker takes advantage of the fact that most homeowners do not change the manufacturer-set default password and attempts a login using the default vendor credentials. Upon successful login, the attacker modifies essential configuration settings and gains complete access to the home internet gateway. In this mode of threat, no particular weakness of the home network is exploited. Relying solely on blocking all unwanted inbound connections therefore creates a false sense of security: a homeowner may accidentally and unknowingly run an attack script on internal devices, which in turn provides open access to the entire internal network. The attacker can then control all outbound connections and the home router administration.
Recently, researchers from Cisco Talos reported a grave security threat to home internet gateways: a large-scale, advanced persistent threat to SOHO routers known as VPNFilter [41].
Specially engineered to attack routers, this malware can intercept the user's internet traffic and manipulate the pages visited by the user. It can steal typed passwords, including those entered on bank sites, or create fake copies of a page so that the victim does not know they are being attacked. This malware has a powerful destructive capability that can leave the infected device unusable, and it can be triggered on individual victim machines. It can also switch off internet access for thousands of victims connected within the network worldwide [42]. Once installed in the router, this malware can stop the router from working, collect information from the systems that communicate through the network, and block network traffic.

VPNFilter Attack Vulnerability
Analyses of the malware revealed a modular, multi-stage malware with the ability to manage data collection activities and to disable devices completely, which can be used for distributed denial of service attacks. Router platforms belonging to Linksys, TP-Link, QNAP, Netgear, and MikroTik implement home networks on internet gateways, making them more susceptible to the VPNFilter malware attack. This malware is also regarded as three-stage, since it infects the device responsible for distributing the internet indoors, and it can interfere with the navigation of all connected devices [43]. Figure 3 illustrates the malware penetration stages.
• Stage 1. Penetration: the malware attempts to download a picture from either Photobucket or ToKnowAll, from which it extracts the IP address of the stage 2 server hidden in the image's EXIF metadata. The goal of this stage is to survive a reboot and to determine the IP address of the stage 2 server. The core malware code stays in the infected system and does not disappear, even if the device is restarted [27].
• Stage 2. Filtration: the malware proceeds to download a non-persistent module from the attacker's server. This module operates through a local working directory and communicates with the command and control (C&C) server to execute commands; in particular, it can collect data and run commands on the infected unit. It can also render the device unusable by overwriting a section of the device's firmware and rebooting.
• Stage 3. Deployment: the installation of non-persistent modules extends the functionality of the malware: a packet sniffer that intercepts traffic and tries to extract HTTP authentication strings, and a communication plugin that enables remote communication over the Tor anonymity network. These modules work as stage 2 plug-ins and spy on traffic routed through the device [16].
Researchers estimate that VPNFilter has infected 500,000 routers across 54 nations since 2016. Common household routers make up a significant portion of these compromised devices [44]. No vulnerability specific to the initial infection vector has been identified, but many of the infected routers were either old or left unpatched, with generally known vulnerabilities that can be exploited; they also carried known open source vulnerabilities and often shipped with default login credentials.
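As an added illustration (not part of the paper, nor any Cisco Talos tooling) of what the stage 3 sniffer is positioned to harvest, the following Python audit parses captured HTTP requests and reports any HTTP Basic credentials that cross the gateway in cleartext, so a defender can find the devices on the home network that still authenticate over plain HTTP and move them to TLS. The captures, hosts and credentials are constructed sample data; the password itself is never printed, only its length:

```python
import base64
import binascii


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, headers dict, body).
    Header names are lower-cased so lookups are case-insensitive, as HTTP requires."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def basic_credentials(headers):
    """Return (user, password) if the Authorization header carries HTTP Basic
    credentials, else None. Malformed base64 is treated as 'no credentials'."""
    auth = headers.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_captures(captures):
    """Report every request in which a credential was sent in the clear.
    Anything in a plain HTTP capture is by definition readable by a sniffer
    on the path, so each finding is a device to migrate to HTTPS."""
    findings = []
    for raw in captures:
        request_line, headers, _ = parse_request(raw)
        creds = basic_credentials(headers)
        if creds is None:
            continue
        user, password = creds
        findings.append({
            "host": headers.get("host", "?"),
            "request": request_line,
            "user": user,
            "password_len": len(password),  # length only; never log the secret itself
        })
    return findings


# Constructed sample captures (addresses, paths and credentials are invented).
SAMPLE_CAPTURES = [
    # a camera's admin page fetched with HTTP Basic auth; token decodes to admin:admin
    "GET /admin/status.cgi HTTP/1.1\r\nHost: 192.168.1.30\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\nUser-Agent: curl/7.58.0\r\n\r\n",
    # a plain page with no credentials at all
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.40\r\n\r\n",
    # a bearer token: also exposed in cleartext, but not Basic auth, so not decoded here
    "GET /api/v1/state HTTP/1.1\r\nHost: hub.local\r\nAuthorization: Bearer eyJhbGci\r\n\r\n",
]


if __name__ == "__main__":
    for f in audit_captures(SAMPLE_CAPTURES):
        print(f"{f['host']}: user '{f['user']}' sent a {f['password_len']}-char password "
              f"in the clear ({f['request']})")
```

Running the audit against real traffic means feeding it requests reassembled from a packet capture taken on the LAN side of the gateway; the point of the exercise is that a compromised router sees exactly the same bytes, so every finding is a credential the stage 3 module could have collected.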

Affected Vendors
When the campaign was first reported, only Linksys, Netgear, TP-Link, and MikroTik devices were believed to be targeted, but the list of affected models has since grown. Figure 4 shows most of the devices known to be affected by this malware, and Table 2 summarizes the features of the specific router models and compares them.

Impact on the Smart Home Network
Everyday objects, wearables, houses, and entire cities are increasingly equipped with smart home technology, yet these connected, ubiquitous systems are not always recognizable as such. Ubiquity leads to increasingly complex systems, and complexity is hard to secure because even the most diligent developers make mistakes; many vulnerabilities and weaknesses are only discovered once the systems are deployed and communicating with one another. With respect to the cyber impact on smart homes, Coppolino et al. [53] characterize a cyber-physical attack as a security breach in cyberspace that negatively affects the physical space. As Figure 5 illustrates, such a breach results in a loss of physical privacy and in prevented, delayed, or unauthorized actuation.

Figure 5. Impact of the smart home system.

Physical Impact
• Delayed actuation: Isaac et al. [54] demonstrated a sinkhole attack on a smart home ZigBee network, in which a rogue node advertises itself to the ZigBee controller as a favorable route. The result is delayed actuation: the rogue node alters or drops the data forwarded from the ZigBee sensors.

• Breach of physical privacy: the privacy of a household's occupants, at a given moment or over long periods, can be invaded by eavesdropping on data in transit [55]. Veracode, a security solutions provider, described an attack that seized the Wink Relay touch controller and switched on its microphone to record background audio covertly. This privacy violation, using audio as the means of breaching physical privacy, exploited a software vulnerability in the Android Debug Bridge (ADB), which was subsequently patched in an update [56]. Many smart home devices ship from their manufacturers with poor security in place, and this lack of security exposes many avenues for violating physical privacy. Search engines such as shodan.io index devices connected to the internet and let users search for vulnerable ones. An attacker using such a search engine may locate an insecure open port and record the header or banner information of any device; this data may include the device's type and model, its manufacturer, and the installed software version. According to Lin et al. [2], a shodan.io query such as "has_screenshot:true port:554" returned an exhaustive list of camera devices together with their IP addresses, the screenshots captured from them, and their geographic location.
With the help of such search engines, an attacker can gain access to surveillance cameras installed both inside and outside a home, giving them complete visibility into the victim's daily routine in the smart home environment. There have even been concerns about attackers gaining access to baby monitors and covertly spying on children [57][58][59].

• Prevented actuation: this was demonstrated by disabling the vacation mode of devices [60]. Users enable this mode when they are away for an extended period so that the home appears occupied to a would-be burglar. An attacker who controls the user's smartphone can interfere with this mode and disable the actuation the users expect while they are away from home.

Cyber Impact
Recent research shows that cyber threats have evolved and grown considerably, with traditional threats expanding to new arenas such as mobile devices, cloud computing, and social media [61,62]. This territory is inevitably expanding to smart home technologies as well.
• Confidentiality: the most common techniques for keeping user data confidential are data encryption and access control. One reported incident involved a snooping attack in which the attacker obtained the PIN code of a door lock through a battery-monitor smart application [63]. The application exploited an over-privilege weakness in Samsung's smart home platform to read the PIN code in plain text and send it out via SMS. Unlawful access to such data can lead to unauthorized physical actuation. Access control safeguards user data by defining which users may access which system resources. Because smart home and embedded devices have limited resources, however, heavyweight encryption is often impractical on them, and access control on its own provides inadequate protection.
• Integrity: since smart devices are vulnerable, they need a security mechanism that protects them if data is modified or stolen, which may otherwise cause the server to malfunction during data transmission [64]. Data is especially vulnerable while it is being accessed over a wireless network. The objective of data integrity is to ensure the trustworthiness and consistency of data across its lifecycle: data should not be altered or modified in any way between source and destination by an unauthorized entity. Tampering with data integrity is the route attackers most often choose to execute a cyber-physical actuation attack, and security in many smart homes has likely been breached in this way, causing unauthorized manipulation of data. There have been reported incidents in which digital photo frames caused malware infections.
Another large-scale phishing attack was discovered in 2014 [65,66] in which the phishing messages carried the source addresses of household appliances such as internet-connected refrigerators, which were being used as messaging proxies to relay the phishing emails. Spoofing the source IP address to evade detection is a common practice among attackers.
• Availability: quality of service (QoS) is maintained by securing information resources so that services remain continuous. To deny service and make resources unavailable, attackers launch jamming attacks and distributed denial of service (DDoS) attacks against their victims. In smart homes that operate wirelessly over Wi-Fi, an attacker who has gained access to the home network can flood it with traffic aimed at smart devices such as surveillance cameras, so that they can no longer transmit data or receive commands [67]. Loukas et al. [68] described jamming attacks against ZigBee on IEEE 802.15.4, comprising wideband and pulse jamming.

Daily Life Impact
Intrusion in smart home security has grave implications on the household's domestic life. A successful attack on a smart home will have a profound impact on domestic life with direct consequences that lead to damages in terms of health, financial loss, and safety. It will also result in an emotional cascading impact severely impacting the occupant's physical and psychological well-being.
Having examined how different kinds of cyber-attacks and physical attacks affect smart home technology, we can see that cyber-attacks affect daily life directly. There is therefore a need to develop processes and systems that support the victims of such attacks. With the internet of things, the network has spread beyond the computer and the mobile phone; this trend is here to stay and is changing our lives, and connectivity has gone beyond its usual limits to be installed physically in our homes. In the aging societies of developed countries, e-health and telehealth will most likely be the most important feature of smart homes and the factor that drives their development and market demand.

Open Issues and Challenges
The growth of IoT devices in smart home environments has raised the security risks, and the threats to a smart home's inhabitants have been seen to increase. To explain these risks, we have considered a scenario built on our taxonomy of malware in the smart home network and have discussed the detection and mitigation of VPNFilter malware. The scale of cyber-attacks is steadily growing. If the entire smart home system is compromised, attackers will be able to steal personal or sensitive information, invade the privacy of the inhabitants, take control of the smart home system, and even monitor the residents inside their home. The rapid growth of smart home technologies gives rise to several issues and challenges in the local environment:
• Privacy: privacy in smart home devices is one of the biggest challenges. If the software or hardware of a smart home appliance is manipulated without authorization, confidential information may leak. In the case of VPNFilter, for example, the intruder reprograms the router so that the packets it routes are delivered not only to their intended servers but also to the attacker. This raises major societal concerns about privacy and data storage, and it makes the smart home a target for attackers who see it as a way to capture sensitive information about individuals, making them easy targets for identity theft, phishing, or fraud [69].
• Vulnerability: a vulnerability is a weakness in the system that allows an attacker to gain unauthorized access to data and execute commands, as VPNFilter does; similar weaknesses underlie the DoS attacks described in [70]. A smart home system is built on two main components, software and hardware, and both quite often have design flaws.
Software vulnerabilities that malware exploits can be found in the application software and in the operating system of the devices; hardware vulnerabilities, for example in a router, are hard to identify and fix [71]. Several technical vulnerabilities have been found to stem from human weaknesses.

• Software exploitation: for the smart home system and the devices in it, we must consider infection by malicious software such as VPNFilter as well as attacks such as DoS and DDoS. Smart home devices are designed to operate autonomously, which leads adversaries to search for software vulnerabilities that they can exploit to gain access to where the system's private information is stored [72]. Such devices are now the target of many attacks, and the traffic they generate once compromised serves to run VPNFilter operations and DoS attacks. For example, DDoS attacks have been launched from IoT devices against DNS servers to paralyze internet access [73].

• Cost of a smart home: cost is one of the biggest challenges to consider in a smart home environment under cyber-security attack. An attack raises the cost to users in terms of their affected well-being and their compromised devices, adding the psychological impact on the user's health to the cost of replacing infected devices. Manufacturers bear a cost impact as well: to assure customers that their products are safe and secure to use, they must invest in developing devices with robust security measures [74,75].

Proposed Solution
The Intrusion Detection System (IDS) proposed by Abhiroop et al. analyzes packets and detects DDoS attacks in SDN switches, using machine learning to predict the incoming traffic on the network [76]. Their IDS categorizes network traffic and can be integrated into an IoT network. Work on anomaly detection with deep learning [77] likewise exists, but none of these efforts focus on an Intrusion Detection and Prevention System (IDPS) for protecting the edge router of a smart home. We therefore propose a solution that handles not only VPNFilter but also other kinds of attack, such as DoS and DDoS, at the edge router. Specifically, we design a machine-learning-based IDPS framework for a secure smart home system, presented in this section.
Considering the malware challenges discussed above, in addition to the other cyber threats, we believe that in future smart homes threats such as VPNFilter can endanger the life of the inhabitants. If devices are infected, the following steps defend against this malware: first, reset the router to its factory settings (a reboot alone removes only the non-persistent stages 2 and 3, since stage 1 survives a restart); then upgrade the router's firmware from the manufacturer's website, since outdated firmware is one of the critical weak points of smart home devices; finally, disable remote management and change the router's login name and password, because many devices ship with a default password.
Smart home technology is applied in many fields. We therefore propose a framework, illustrated in Figure 6, for handling VPNFilter malware in a smart home security system. It combines a network-based intrusion detection system (IDS), which monitors traffic for attacks, with an intrusion prevention system (IPS) that secures the smart home, and it uses a machine learning algorithm to detect abnormal behavior and attacks as early as possible and mitigate them appropriately. Our proposal secures the core aspects of the smart home architecture by catching anomalies; we therefore propose an IDPS based on a machine learning algorithm to predict and detect them.
• Intrusion detection system: an IDS is a device or software application that automates the monitoring of events on the network, or of activity on a system, for signs of malicious activity and analyzes them for security problems; when a network attack is detected, security has to be raised [78]. The IDS detects possible intrusions, especially malware attacks on the network such as VPNFilter, DoS, and DDoS, and helps network operators take appropriate action before an attack takes hold on the system.

• Intrusion prevention system: unlike an IDS, which only observes traffic, an IPS sits inline on the traffic path and can actively block or drop what it identifies as an intrusion. Once the IDS identifies suspicious traffic, it alerts the IPS, which enforces the response. The IPS matches traffic against a preexisting signature database and can also be programmed to detect attacks from traffic and behavioral anomalies.
IDPS combines the two, intrusion detection and intrusion prevention, into a more robust mechanism. The key components of the IDPS framework are the following:
• Data collection: collecting data is one of the most important steps in designing a machine learning system; it is the process of gathering and measuring information from countless sources across the network. Data gathered within the network system captures a record of past events, such as a hacker sending a malware packet, and data analysis can then find recurring patterns with machine learning algorithms once the data are organized as a dataset, for example in the form of knowledge discovery databases (KDD), CSV files, and similar formats.
• Data processing: preprocessing is a data mining technique that transforms raw data into an understandable format before it is fed to the algorithm. The preprocessing phase starts as soon as data is collected from the network.

• Machine learning algorithm: the algorithms fall into three types: (a) supervised learning, in which all data are labeled and the algorithm learns to predict the output from the input; (b) unsupervised learning, in which the data are unlabeled and the algorithm learns the inherent structure of the input; and (c) semi-supervised learning, which combines the two and in which most of the data are unlabeled.
The machine learning algorithm is used to predict potentially malicious hosts and malicious connections, as illustrated in Figure 7. Prediction is the machine learning task whose results drive the IDPS controller: they allow security rules to be set that protect the potentially vulnerable host and restrict access by possible intruders, blocking the entire subnet if it is under attack and letting traffic flow normally if it is not. The pipeline has five stages. First, data intake, the data generation phase, loads the dataset from files into the device's memory. Second, data transformation takes the records from the data intake and normalizes and transforms them into a form suitable for the algorithm. Third, feature extraction derives the important and relevant information from the dataset. Fourth, model deployment applies the ML technique: this stage defines the number of iterations, and its results reveal whether the situation is normal or the device is under attack. Last, the model is trained on the training dataset with the selected algorithm. Machine learning techniques are used in the anomaly IDPS by training a specific model, which improves the effectiveness of distinguishing intrusions from normal activity.
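As an added example (not the paper's own implementation, and assuming no machine-learning library), the following Python code runs the five stages above end to end: intake of per-flow summaries, z-score transformation, feature extraction, training of a Gaussian naive Bayes classifier, and deployment of the trained model, followed by the controller rule of Figure 7 that blocks a source /24 once half of its flows are flagged. The flow records, both the labelled training set and the live set, are constructed for the example rather than captured; the flood flows also illustrate the DDoS pattern described under Availability above (a very high packet rate made of tiny packets), so the block serves both passages.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed flow summaries (not captured traffic), in the shape a gateway
# NetFlow/IPFIX exporter or the IDS sensor of Figure 6 could deliver.
TRAINING_CSV = """\
src,dst,dport,bytes,pkts,duration_s,label
192.168.1.10,93.184.216.34,443,52000,60,12.0,normal
192.168.1.11,93.184.216.34,443,8000,20,4.0,normal
192.168.1.12,198.51.100.7,8883,120000,150,30.0,normal
192.168.1.13,198.51.100.9,123,1500,10,2.0,normal
192.168.1.10,203.0.113.20,443,30000,40,10.0,normal
192.168.1.14,198.51.100.7,1883,4000,8,1.0,normal
198.51.100.200,192.168.1.1,80,120000,2000,1.0,attack
198.51.100.201,192.168.1.1,80,174000,3000,1.5,attack
198.51.100.202,192.168.1.1,80,93000,1500,0.5,attack
198.51.100.203,192.168.1.1,80,244000,4000,2.0,attack
198.51.100.204,192.168.1.1,80,59000,1000,0.4,attack
198.51.100.205,192.168.1.1,80,300000,5000,2.5,attack
"""
LIVE_CSV = """\
src,dst,dport,bytes,pkts,duration_s
192.168.1.10,93.184.216.34,443,20000,30,6.0
192.168.1.15,198.51.100.7,8883,6000,12,3.0
203.0.113.50,192.168.1.1,80,150000,2500,1.2
203.0.113.51,192.168.1.1,80,210000,3500,1.8
"""

def data_intake(csv_text):
    """Stage 1, data intake: load flow records into memory."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def extract_features(rec):
    """Stage 3, feature extraction: log bytes, log packets, packets/s, bytes/packet.
    A flood stands out as a very high packet rate made of tiny packets."""
    b, p = float(rec["bytes"]), float(rec["pkts"])
    d = max(float(rec["duration_s"]), 1e-3)
    return [math.log1p(b), math.log1p(p), p / d, b / max(p, 1.0)]

def column_stats(X):
    """Per-feature mean and population variance over the rows of X."""
    n, k = len(X), len(X[0])
    mean = [sum(r[j] for r in X) / n for j in range(k)]
    var = [sum((r[j] - mean[j]) ** 2 for r in X) / n for j in range(k)]
    return mean, var

def fit_scaler(X):
    """Stage 2, data transformation: z-score parameters learned on the training data."""
    mean, var = column_stats(X)
    return mean, [math.sqrt(v) if v > 0 else 1.0 for v in var]

def scale(x, scaler):
    return [(v - m) / s for v, m, s in zip(x, scaler[0], scaler[1])]

class GaussianNB:
    """Supervised classifier: a Gaussian per class and feature, weighted by the class prior."""
    def fit(self, X, y):
        self.params = {}
        for label in sorted(set(y)):
            rows = [x for x, lab in zip(X, y) if lab == label]
            mean, var = column_stats(rows)
            prior = math.log(len(rows) / len(X))
            self.params[label] = (prior, mean, [v + 1e-6 for v in var])  # variance floor
        return self

    def predict(self, x):
        def log_posterior(label):
            prior, mean, var = self.params[label]
            return prior + sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
                               for xi, m, v in zip(x, mean, var))
        return max(self.params, key=log_posterior)

def train(csv_text):
    """Stage 5, model training: fit the scaler and the classifier on labelled flows."""
    recs = data_intake(csv_text)
    raw = [extract_features(r) for r in recs]
    scaler = fit_scaler(raw)
    model = GaussianNB().fit([scale(x, scaler) for x in raw], [r["label"] for r in recs])
    return model, scaler

def classify(model, scaler, csv_text):
    """Stage 4, model deployment: (src, 'normal' | 'attack') for each live flow."""
    return [(r["src"], model.predict(scale(extract_features(r), scaler)))
            for r in data_intake(csv_text)]

def controller_rules(verdicts, block_ratio=0.5):
    """IDPS controller of Figure 7: block a source /24 once block_ratio of its flows are flagged."""
    seen, flagged = defaultdict(int), defaultdict(int)
    for src, verdict in verdicts:
        subnet = ".".join(src.split(".")[:3]) + ".0/24"
        seen[subnet] += 1
        flagged[subnet] += verdict == "attack"
    return {s: "block" if flagged[s] / seen[s] >= block_ratio else "allow" for s in seen}

if __name__ == "__main__":
    model, scaler = train(TRAINING_CSV)
    verdicts = classify(model, scaler, LIVE_CSV)
    print(verdicts, controller_rules(verdicts))
```

The scaler is fitted on the training data only and reused unchanged at deployment, which is what keeps the live-flow features comparable with the ones the model learned from; the variance floor in `fit` prevents a feature that is constant within one class (bytes per packet in a SYN flood, for instance) from turning the likelihood into a division by zero.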

Conclusions
In this paper, we have described cyber-attacks on smart home devices, for which the number of reported malicious attacks continues to increase; cyber-security experts and researchers routinely uncover vulnerabilities exploited by cyber threats that could compromise consumer privacy, safety, and security. Because smart home devices can be compromised by malware, we discussed different types of malware attack, surveyed cyber threats in the smart home environment, and presented a taxonomy that categorizes threats to the system. We also discussed smart home technologies, which present both opportunities and security risks, and then examined VPNFilter malware in a smart home in detail. IoT-based smart homes are considered highly vulnerable to a range of cyber security threats; if a smart home is compromised, personal information and privacy are at risk, so appropriate measures should be taken to make smart homes more secure and suitable to live in. Finally, we described the impact on a smart home network, discussed open issues and challenges in detail, and proposed solutions.