Location-Enhanced Information Flow for Home Automations

Authors: McKenna McCall (Colorado State University), Ben Weinshel (Carnegie Mellon University), Kunlin Cai (University of California, Los Angeles), Ying Li (University of California, Los Angeles), Eric Zeng (Georgetown University), Devika Manohar (Carnegie Mellon University), Lujo Bauer (Carnegie Mellon University), Limin Jia (Carnegie Mellon University), Yuan Tian (University of California, Los Angeles)

Volume: 2026
Issue: 1
Pages: 338–365
DOI: https://doi.org/10.56553/popets-2026-0018

Abstract: Smart-home automations enable users to customize smart devices to react automatically to people, the environment, and more. For example, an automation might adjust the lights when people are at home or enable a garage door to open by voice command. While automations offer convenience and accessibility, they can also inadvertently expose users to security and privacy risks, such as leaking sensitive data or allowing untrusted parties to control users' devices. Prior work has shown that information flow analysis is a promising technique for identifying these kinds of risks, hypothesizing that the analysis would be yet more effective if it could differentiate between devices located in different places in the home. We tested this hypothesis by developing a tool that extends prior information flow analysis approaches to account for device location. We conducted an interview study with 22 participants to build a dataset of home automations to establish a ground truth to evaluate the tool. We found that incorporating device location leads to an improved analysis that identifies more of the vulnerabilities users care about (F1 score 0.74) compared to prior work (F1 score 0.29). Our results demonstrate the feasibility of incorporating device location into an information flow analysis and, perhaps more importantly, suggest additional ways to prevent security and privacy risks beyond controlling potentially unsafe information flows.

Keywords: information flow analysis, smart home, home automation, trigger-action programs

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.