Smart homes of today—with lights, refrigerators, and Alexa all talking to each other—aren't nearly as smart as they need to be to thwart virtual burglars from breaking in. To address the massive security threat to interconnected devices known as the Internet of Things, or IoT, Johns Hopkins University and six other institutions are embarking on an effort to fortify vulnerable points of entry against hackers.
The five-year program to develop trustworthy devices and best practices and principles is funded by a $10 million grant from the National Science Foundation and has been dubbed SPLICE, the Security and Privacy in the Lifecycle of IoT for Consumer Environments.
As the smart home market expands rapidly into a more than $53 billion worldwide industry by 2022, Johns Hopkins computer scientist Avi Rubin, a co-principal investigator for SPLICE, said the effort is sorely needed because so few industry standards have been established.
"The current state of affairs in smart home security and privacy is dismal," said Rubin, who is also the technical director of the JHU Information Security Institute. "Many smart home IoT devices have been built, sold, and deployed without proper security. These vulnerable systems often present easy targets for malicious attackers who can utilize them as platforms for further intrusion into the home network, for participation in botnets, and for ransomware attacks. An increasing number of home appliances and devices are 'smart,' and the result is a much wider attack surface in the home."
The effort, led by Dartmouth University, comes as the federal government and states grapple with laws to protect consumers by requiring companies to equip devices with security measures. Over the past two years, Rubin testified three times to the Maryland General Assembly about such mandatory security rules. Legislation failed in Maryland, but California and Oregon passed laws requiring IoT manufacturers to build minimum security features into all devices. The federal government is contemplating similar measures.
Ten faculty experts will manage teams conducting research related to security, privacy, sociology, human-computer interface design, wireless networks, radio engineering, and mobile computing. The effort's principle investigator is David Kotz, a computer science professor at Dartmouth University.
"Home is a place where people need to feel safe from prying eyes," Kotz said. "SPLICE will address the challenges required for the vision of smart homes to be realized safely and successfully."
The shift toward smart devices and systems in residences—such as houses, apartments, hotels, and assisted-living facilities—offers benefits such as increased energy efficiency and personalized services. But faulty designs can increase the risks of harm to people and properties. Hackers recently gained entry into home security cameras from a popular consumer brand in four states, according to The New York Times, allowing the hackers to watch the residents, pipe their own music into the home, and even threaten residents through the hardware's speaker.
Since many homes are complex environments in which residents, landlords, and guests have different privacy needs, the research team will consider the interests of all property owners, renters, and users.
The program will develop technology and design principles related to smart homes, including solutions such as:
- The first-ever toolkit to discover, identify, and locate cooperative and non-cooperative smart devices within a home's wireless network, allowing residents to have a complete understanding of their home's technological environment;
- Tools that move away from the failed "notice and consent" model of privacy management, shifting the privacy burden away from end users who are ill-equipped to manage an increase in the number of devices and decisions;
- Identification of privacy issues in smart homes that must be addressed to advance consumer trust – informing the development of best-practice principles for smart homes. The group will also develop programs for students, junior researchers, and community members to encourage more people from underrepresented groups to pursue computing careers.
SPLICE, part of NSF's Secure and Trustworthy Cyberspace Frontiers, will begin Oct. 1.