91福利

Smart home devices connected to the internet can add efficiencies and convenience to daily life, and there is a growing field of them available for consumers. But what if the software applications used to operate these devices store and share private information inappropriately or are vulnerable to hacking?

To assess the security of the code that runs various smart home applications, 91福利 (91福利) computer science professor Manar Alalfi and her research team have developed a new suite of software tools. These tools, such as Taint-Things and Flow Miner, can be used to detect what professor Alalfi describes as the potential for information leakage, where a system that is designed to keep data private nonetheless has the potential to share data in an unauthorized way. 

鈥淭he main idea is that we analyze the code to see if there is any point in a program that receives and then shares sensitive information outside of the application environment,鈥� she said. 

Professor Alalfi describes this occurrence as a tainted flow: data gathered at point A that should remain at point A but is passed along to point B as part of the app鈥檚 information flow. For example, say there is an app that you use to lock and unlock your door. Typically, you would want the door鈥檚 status 鈥� especially if it鈥檚 unlocked 鈥� to remain private, but an information leak along the data flow could compromise that information. 

To find these leaks, her team uses their software tools in two ways. One is analyzing the code to identify security vulnerabilities. The team鈥檚 other approach is to act as hackers and inject vulnerabilities into benign apps to evaluate the effectiveness and performance of existing tools to find vulnerabilities. They鈥檝e measured their tools for effectiveness and performance in leak detection and found that the Taint-Things tool produced more accurate results than other currently available tools. Their research also detected security issues in the code of some smart home device apps.

Professor Alalfi notes these vulnerabilities can result from bad coding practices and a lack of regulatory security standards for Internet of Things (IoT) devices. The team has published their research results and made the software tools freely available on the website of professor Alalfi鈥檚 lab, Creative Research in Security and Software Engineering Technology (CRESSET).

Professor Alalfi鈥檚 ongoing research examines security and privacy issues in IoT applications. Additional software vulnerability work includes examining Android-based automotive applications and blockchain applications. 

We analyze the code to see if there is any point in a program that receives and then shares sensitive information outside of the application environment.

Read 鈥溾�� by professor Alalfi and former 91福利 graduate student Bara鈥� Nazzal in IEEE Access to learn more. 

Learn more about developed by professor Alalfi and her team.

Professor Alalfi鈥檚 research is supported by the Natural Sciences and Engineering Council of Canada, Mitacs and 91福利.