Smart Home Internet of Things (SHIoT) provides a rich compendium of innovative, ubiquitous, and interactive services to users using a variety of smart sensors, devices and applications. However, owing to the strongly internet-facing, dynamic, and heterogeneous and low capability nature of these devices, and existence of vulnerabilities in them, in their controlling applications and their configurations, there are security threats in SHIoT that affect the safe and secure functioning of these systems. Moreover, owing to the rich interactions with human users, these systems are more vulnerable to security attacks. On the other hand, because of the complexity of the SHIoT system, it is difficult to effectively determine the security posture. What is lacking is a comprehensive model that would allow the security analysts to capture and analyze the nature of the interactions between the different devices, applications and human users, and the vulnerabilities and misconfigurations in the same in order to understand the weak spots in the SHIoT system and prepare for potential security attacks. Towards this end, we propose a finite state automata (FSA) based framework to build attack models of SHIoT. We present a formalism for such a model and show through several scenarios how the model enables one to obtain a better understanding of the security posture of the system. Furthermore, An FSA based attack model offers more opportunities for tool support for automated analysis using techniques such as model checking.