Denys Poshyvanyk likens the state of smart-home devices today to the “Wild West, ” a chaotic situation that contributes to concerns of security and trust among users and potential customers.
“We’re talking about literally billions of devices,” he said. “There are all these different vendors. And all these different vendors have their own operating systems. They have their own development processes. They have their own certification processes.”
Adwait Nadkarni says the human element adds another layer of complexity to the situation.
“We don’t really understand how consumers automate their homes,” he said. “We don’t understand what people want to do with the devices they have. We don’t even understand what the most common smart-home devices are.”
Nadkarni and Poshyvanyk are professors in William & Mary’s Department of Computer Science. They recently received funding from the National Science Foundation to bring law and order — or at least greater security — to the Wild West of home automation.
“Our hope is that eventually that our work will lead to more practical systems — systems that will prevent the threats that you actually see in the wild. That will then lead to an increase in consumer confidence,” Nadkarni said. “But that’s not something that we can have right now.”
The goal of Nadkarni and Poshyvanyk is to bring their expertise as computer scientists to collect and analyze data on how people are using the cyber-physical devices that comprise what has become known as Internet of Things.
Home automation may not exactly be in its infancy, but it may be helpful to think of it as being in a precocious toddlerhood. Nadkarni says most consumers of smart-home devices begin with single items — a video doorbell, a smart lock, a security camera.
“But true home automation goes a little beyond that,” he explained. “Now, you have people configuring these devices to work together. Let’s say you want to use a security camera, but you don’t want to be monitored when you’re home. So, you turn the camera on when you leave and off when you’re home. That can be automated.”
And your security camera can be linked — through automation — to your smart speaker, your smart phone, and so on. Nadkarni explained that software that comes with most modern smart-home devices allows the user to self-configure the automation.
“Most modern platforms such as Nest allow you to essentially just configure such automation,” he said. “Using trigger-action programs, you just have to say that if this particular thing happens, then let that thing happen.”
A previous survey conducted by Nadkarni and Poshyvanyk revealed that most smart-device users want to automate their homes, and seem to want to take the DIY route to automation. Homeowners may download automation apps offered by non-vendors, but both Nadkarni and Poshyvanyk believe that users may prefer the routines that they can configure for themselves, over those imagined by third-party developers (i.e., “IoT apps”).
“Our intuition is that people aren’t using these IoT apps, which is why we need to study these user-driven routines created by users in order to truly understand what’s happening,” Nadkarni said.
Poshyvanyk says the first step in the project is to collect data. Then he and Nadkarni will mine the raw data and test cases, that is, scenarios of home automation that security analysts could use to test existing security systems for both normal security weakness as well as stress testing for extreme cases.
“The beauty of this project is that we’re trying to combine ideas from two fields, security and software engineering,” Poshyvanyk said. “We’re obviously relying on security, domain knowledge and expertise to work with the data. But we’re also relying on some of the techniques from software engineering and natural language processing to be able to use this data.”
The researchers have already determined that users tend to automate their devices using similar routines — and they say they will be careful to use terminology understandable to people who are comfortable smart phone users, but not computer science professionals.
“So they don’t really have to attempt to understand our terminology, they can just express what automation they want in their own terms,” Nadkarni said.
The team, which will include graduate and undergraduate William & Mary students, will take that user-generated automation data and write code to model programmable routines from those natural language specifications.
“Even if we collect data from hundreds of users, we will not be able to collect all possible combinations of routines that users may come up with in the real world,” Poshyvanyk explained. “So this is where the beauty of statistical language models comes in.”
The researchers understand that today’s wild west of smart-home devices contains a population of outlaws. Nadkarni and Poshyvanyk published a paper a couple of years ago outlining their white-hat hacking of a Nest camera through another device on the same automation director. So how worried should a homeowner be about security of their smart-home devices?
“It’s an interesting question,” Nadkarni said. “I think ‘extremely’ and ‘not at all.’”
He went on to say that the Wild West of smart homes contains some stalwart characters in the form of reputable vendors that follow best practices in terms of the security of their devices. But not all of those vendors follow best practices — and your security chain is only as strong as its weakest link.
“So there’s a little caveat there,” Nadkarni said. “Even if you’re doing everything right, and the vendors doing everything right, as long as you’re integrated into a system that isn’t reliable, you still can have problems. And so that’s what this project is about as well, because we’re studying home automation holistically, and not piece by piece.”
Joseph McClain, Research Writer