Enhancing privacy in smart home devices

Smart home devices connected to the internet can add efficiencies and convenience to daily life, and there is a growing field of them available for consumers. But what if the software applications used to operate these devices store and share private information inappropriately or are vulnerable to hacking?

To assess the security of the code that runs various smart home applications, Toronto Metropolitan University (TMU) computer science professor Manar Alalfi and her research team have developed a new suite of software tools. These tools, such as Taint-Things and FlowsMiner, can be used to detect what professor Alalfi describes as the potential for information leakage, where a system that is designed to keep data private nonetheless has the potential to share data in an unauthorized way. 

“The main idea is that we analyze the code to see if there is any point in a program that receives and then shares sensitive information outside of the application environment,” she said. 

Professor Alalfi describes this occurrence as a tainted flow: data gathered at point A that should remain at point A but is passed along to point B as part of the app’s information flow. For example, say there is an app that you use to lock and unlock your door. Typically, you would want the door’s status – especially if it’s unlocked – to remain private, but an information leak along the data flow could compromise that information. 

To find these leaks, her team uses their software tools in two ways. One is analyzing the code to identify security vulnerabilities. The team’s other approach is to act as hackers and inject vulnerabilities into benign apps to evaluate the effectiveness and performance of existing tools to find vulnerabilities. They’ve measured their tools for effectiveness and performance in leak detection and found that the Taint-Things tool produced more accurate results than other currently available tools. Their research also detected security issues in the code of some smart home device apps.

Professor Alalfi notes these vulnerabilities can result from bad coding practices and a lack of regulatory security standards for Internet of Things (IoT) devices. The team has published their research results and made the software tools freely available on the website of professor Alalfi’s lab, Creative Research in Security and Software Engineering Technology (CRESSET).

Professor Alalfi’s ongoing research examines security and privacy issues in IoT applications. Additional software vulnerability work includes examining Android-based automotive applications and blockchain applications. 

We analyze the code to see if there is any point in a program that receives and then shares sensitive information outside of the application environment.

Read “An Automated Approach for Privacy Leakage Identification in IoT Apps (external link, opens in new window) ” by professor Alalfi and former TMU graduate student Bara’ Nazzal in IEEE Access to learn more. 

Learn more about Taint-Things, FlowsMiner and other tools (opens in new window)  developed by professor Alalfi and her team.

Professor Alalfi’s research is supported by the Natural Sciences and Engineering Council of Canada, Mitacs and TMU.