

This content will become publicly available on January 10, 2026

Title: Comparing Smart-Home Devices that Use the Matter Protocol
This paper analyzes Google Home, Apple HomeKit, Samsung SmartThings, and Amazon Alexa platforms, focusing on their integration with the Matter protocol. Matter is a connectivity standard developed by the Connectivity Standards Alliance (CSA) for the smart-home industry. By examining key features and qualitative metrics, this study aims to provide valuable insights for consumers and industry professionals in making informed decisions about smart-home devices. We conducted (from May to August 2024) a comparative analysis to explore how Google Home Nest, Apple HomePod Mini, Samsung SmartThings station, and Amazon Echo Dot platforms leverage the power of Matter to provide seamless and integrated smart-home experiences.
Award ID(s):
1955805
PAR ID:
10618356
Publisher / Repository:
IEEE
ISBN:
979-8-3315-0805-0
Page Range / eLocation ID:
1 to 6
Format(s):
Medium: X
Location:
Las Vegas, NV, USA
Sponsoring Org:
National Science Foundation
More Like this
  1. Typical Internet of Things (IoT) and smart home environments are composed of smart devices that are controlled and orchestrated by applications developed and run in the cloud. Correctness is important for these applications, since they control the home's physical security (i.e. door locks) and systems (i.e. HVAC). Unfortunately, many smart home applications and systems exhibit poor security characteristics and insufficient system support. Instead, they force application developers to reason about a combination of complicated scenarios: asynchronous events and distributed devices. This paper demonstrates that existing cloud-based smart home platforms provide insufficient support for applications to correctly deal with concurrency and data consistency issues. These weaknesses expose platform vulnerabilities that affect system correctness and security (e.g. a smart lock erroneously unlocked). To address this, we present OKAPI, an application-level API that provides strict atomicity and event ordering. We evaluate our work using the Samsung SmartThings smart home devices, hub, and cloud infrastructure. In addition to identifying shortfalls of cloud-based smart home platforms, we propose design guidelines to make application developers oblivious of smart home platforms' consistency and concurrency intricacies.
  2. Fake audio detection is expected to become an important research area in the field of smart speakers such as Google Home, Amazon Echo and chatbots developed for these platforms. This paper presents the replay attack vulnerability of voice-driven interfaces and proposes a countermeasure to detect replay attacks on these platforms. This paper introduces a novel framework to model replay attack distortion, and then uses a non-learning-based method for replay attack detection on smart speakers. The replay attack distortion is modeled as a higher-order nonlinearity in the replay attack audio. Higher-order spectral analysis (HOSA) is used to capture characteristic distortions in the replay audio. The replay attack recordings are successfully injected into the Google Home device via Amazon Alexa using the drop-in conferencing feature. Effectiveness of the proposed HOSA-based scheme is evaluated using original recorded speech as well as the corresponding played-back recording to the Google Home via the Amazon Alexa using the drop-in conferencing feature.
  3. The platformization of households is increasingly possible with the introduction of “intelligent personal assistants” (IPAs) embedded in smart, always-listening speakers and screens, such as Google Home and the Amazon Echo. These devices exemplify Zuboff’s “surveillance capitalism” by commodifying familial and social spaces and funneling data into corporate networks. However, the motivations driving the development of these platforms—and the dataveillance they afford—vary: Amazon appears focused on collecting user data to drive personalized sales across its shopping platform, while Google relies on its vast dataveillance infrastructure to build its AI-driven targeted advertising platform. This paper draws on cross-cultural focus groups regarding IPAs in the Netherlands and the United States. It reveals how respondents in these two countries articulate divergent ways of negotiating the dataveillance affordances and privacy concerns of these IPA platforms. These findings suggest the need for a nuanced approach to combating and limiting the potential harms of these home devices, which may otherwise be seen as equivalents. 
  4. Emerging smart home platforms, which interface with a variety of physical devices and support third-party application development, currently use permission models inspired by smartphone operating systems—the permissions to access operations are separated by the device which performs them instead of their functionality. Unfortunately, this leads to two issues: (1) apps that do not require access to all of the granted device operations have overprivileged access to them, (2) apps might pose a higher risk to users than needed because physical device operations are fundamentally risk-asymmetric — “door.unlock” provides access to burglars, and “door.lock” can potentially lead to getting locked out. Overprivileged apps with access to mixed-risk operations only increase the potential for damage. We present Tyche, a secure development methodology that leverages the risk-asymmetry in physical device operations to limit the risk that apps pose to smart home users, without increasing the user’s decision overhead. Tyche introduces the notion of risk-based permissions for IoT systems. When using risk-based permissions, device operations are grouped into units of similar risk, and users grant apps access to devices at that risk-based granularity. Starting from a set of permissions derived from the popular Samsung SmartThings platform, we conduct a user study involving domain experts and Mechanical Turk users to compute a relative ranking of risks associated with device operations. We find that user assessment of risk closely matches that of domain experts. Using this insight, we define risk-based groupings of device operations, and apply them to existing SmartThings apps. We show that existing apps can reduce access to high-risk operations by 60% while remaining operable.
  5. Many smart home frameworks use applications to automate devices in a smart home. When these applications interact in the same environment, they may cause unintended actions which can lead to a safety violation (e.g., the door is unlocked when the user is not at home). While recent efforts have attempted to address this problem, they do not capture complex app behaviors such as: 1) timed behavior and user inputs (e.g., a door can remain unlocked for a long time because of a lock-door app that locks the door after 𝑥 duration, if 𝑥 is set too large.) and 2) interactions between devices and the environment they implicitly affect (e.g., water sprinklers cannot be turned on if the water supply is off). Hence, prior work leads to many false positives and false negatives. In this paper, we present PSA, a practical framework to identify safety intent violations in a smart home. PSA uses parameterized timed automata (PTA) as an expressive abstraction to model smart apps. To parse these apps into PTA, we define mappings from smart app APIs to equivalent PTA primitives. We also provide toolkits to model devices, environments, and their interactions. We evaluate PSA on 86 apps in the Samsung SmartThings IoT ecosystem. We compare PSA against two state-of-the-art baselines and find: (a) 19 new intent violations and (b) 35% fewer false positives than baselines. 