Smart Solution, Poor Protection: An Empirical Study of Security and Privacy Issues in Developing and Deploying Smart Home Devices

The concept of Smart Home drives the upgrade of home devices from traditional mode to an Internet-connected version. Instead of developing the smart devices from scratch, manufacturers often utilize existing smart home solutions released by large IT companies (e.g., Amazon, Google) to help build the smart home network. A smart home solution provides components such as software development kit (SDK) and relevant management system to boost the development and deployment of smart home devices. Nonetheless, the participating of third-party SDKs and management systems complicates the workflow of such devices. If not meticulously assessed, the complex workflow often leads to the violation of privacy and security to both the consumer and the manufacturer. In this paper, we illustrate how the security and privacy of smart home devices are affected by JoyLink, a widely used smart home solution. We demonstrate a concrete analysis combined with network traffic interception, source code audit, and binary code reverse engineering to evince that the design of smart home solution is error-prone. We argue that if the security and privacy issues are not considered, devices using the solution are inevitably vulnerable and thus the privacy and security of smart home are seriously threatened.