Building Smart Homes, Securely

From fridges that help fill out your shopping list to advanced thermostats that can save you a cool chunk of change, internet-connected “smart home” devices are making life easier—but are they also making it simpler for cybercriminals?

To help bolt that door, researchers from seven academic institutions, including the University of Maryland, will collaborate to increase the security and privacy of “internet of things” (IoT) devices used in smart homes. The five-year program is funded by a $10 million award from the National Science Foundation (NSF) announced today.

The project, “Security and Privacy in the Lifecycle of IoT for Consumer Environments (SPLICE),” comes as households expand their reliance on smart products ranging from lighting and security systems to baby monitors. These devices can share information with each other as well as communicate with services across the internet.

The SPLICE team includes UMD Computer Science Assistant Professor Michelle Mazurek as a principal investigator, along with researchers from Dartmouth College, Johns Hopkins University, Morgan State University, Tufts University, the University of Illinois at Urbana-Champaign and the University of Michigan.

Technology in the average home today is radically different from that of a decade ago and is likely to change even more rapidly in coming years, said David Kotz, a professor of computer science at Dartmouth and the lead principal investigator for the project.

“Home is a place where people need to feel safe from prying eyes,” he said. “SPLICE will address the challenges required for the vision of smart homes to be realized safely and successfully.”

The shift toward smart devices and systems in residences offers benefits that include increased energy efficiency and personalized services. Through faulty configuration or poor design, however, these items can increase the risk of harm to people and property. Since many homes are complex environments in which residents, landlords and guests have different privacy needs, researchers will consider the interests of all property owners and users.

Mazurek will focus on developing tools that move away from the failed “notice and consent” model of privacy management, when a consumer is forced to agree to a seemingly endless list of terms and conditions written in legal language in order to gain access to a device or service. Mazurek and her collaborators want to shift the privacy burden away from consumers, who are ill-equipped to manage an increase in the number of devices and decisions.

“We don’t think people who buy smart devices should be asked to make more and more decisions about privacy on those devices,” said Mazurek, who also holds a joint appointment in the University of Maryland Institute for Advanced Computer Studies. “We’re looking at ways to provide tools to consumer advocacy organizations and journalists that will enable them to evaluate the privacy of devices and provide trustworthy information to the general public.”

For example, consumers should know what information is shared between their devices and the corporations that manufacture them, Mazurek said. They should also know how that information is collected, stored, aggregated and sold to data brokers.

“We want to make it easy for consumers to be smart about privacy and make informed decisions about which device to choose, but we also think our tools will motivate companies to make products that respect consumer privacy as well,” Mazurek added.

This new project will build on Mazurek’s previous research into privacy considerations for Android apps and devices and her investigations into how security experts perform their work.

The SPLICE team also plans to:

• Develop the first-ever toolkit to discover, identify and locate cooperative and non-cooperative smart devices within a home’s wireless network—giving residents a complete understanding of their home’s technological environment; and
• Identify privacy issues in smart homes that must be addressed to advance consumer trust—informing the development of best-practice principles for smart homes; and
• Develop programs for students, junior researchers and community members with the aim of encouraging more people from underrepresented groups to pursue careers in computing. (More than half of the SPLICE principal investigators are from underrepresented groups in computing.)

“Cybersecurity is one of the most significant economic and national security challenges facing our nation today,” said Nina Amla, lead program director of NSF’s Secure and Trustworthy Cyberspace program. “NSF's investments in foundational research will transform our capacity to secure personal privacy, financial assets and national interests.”

This release was adapted from a text from Dartmouth University.