Illustration of devices reaching into a home

Credit: Laurent Hrybyk

Securing smart homes

As the market for internet-capable devices expands, a group of researchers is working to establish industry standards for securing these devices to protect consumer privacy

Smart homes of today—with lights, refrigerators, and Alexa all talking to each other—aren't nearly as smart as they need to be to thwart virtual burglars from breaking in. To address the massive security threat to interconnected devices known as the Internet of Things, Johns Hopkins University and six other institutions are embarking this fall on an effort to fortify points of entry against hackers.

Vulnerable to attacks

SPLICE, short for Security and Privacy in the Lifecycle of Internet of Things for Consumer Environments, is a five-year, $10 million program to develop trustworthy devices and best practices and principles.

As the smart home market is expected to expand into a more than $53 billion worldwide industry by 2022, Johns Hopkins computer scientist Avi Rubin, a co-principal investigator for SPLICE, says the effort is sorely needed because so few industry standards have been established.

"The current state of affairs in smart home security and privacy is dismal," Rubin says. "Many smart home Internet of Things devices have been built, sold, and deployed without proper security. These vulnerable systems often present easy targets for malicious attackers who can utilize them as platforms for further intrusion into the home network, for participation in botnets, and for ransomware attacks. An increasing number of home appliances and devices are 'smart,' and the result is a much wider attack surface in the home."

Safer spaces

The effort, led by Dartmouth University and funded by a National Science Foundation grant, comes as the federal government and states grapple with laws to protect consumers by requiring companies to equip devices with security measures. Over the past two years, Rubin testified three times to the Maryland General Assembly about such mandatory security rules. Legislation failed in Maryland, but California and Oregon passed laws requiring Internet of Things manufacturers to build minimum security features into all devices. The federal government is contemplating similar measures.

Ten faculty experts will manage teams conducting research related to security, privacy, sociology, human-computer interface design, wireless networks, radio engineering, and mobile computing.

"Home is a place where people need to feel safe from prying eyes," says principal investigator David Kotz, a computer science professor at Dartmouth University. "SPLICE will address the challenges required for the vision of smart homes to be realized safely and successfully."

Individualized solutions

The shift toward smart devices and systems in residences—such as houses, apartments, hotels, and assisted-living facilities—offers benefits such as increased energy efficiency and personalized services.

Since many homes are complex environments in which residents, landlords, and guests have different privacy needs, the research team will consider the interests of all property owners, renters, and users.

The program will develop technology and design principles related to smart homes, including the first-ever toolkit to discover, identify, and locate cooperative and noncooperative smart devices within a home's wireless network, allowing residents to have a complete understanding of their home's technological environment; tools that move away from the failed "notice and consent" model of privacy management, shifting the privacy burden away from end users who are ill-equipped to manage an increase in the number of devices and decisions; and identification of privacy issues in smart homes that must be addressed to advance consumer trust—informing the development of best-practice principles for smart homes.

The SPLICE team, part of NSF's Secure and Trustworthy Cyberspace Frontiers, will also develop programs for students, junior researchers, and community members to encourage more people from underrepresented groups to pursue computing careers.