Skip to Main Content
You are now in the main content area

Using AI and digital twins to make smart homes more secure

January 30, 2026
A glowing digital illustration of a smart home represented as a cube made of data, connected by bright blue lines to icons of IoT devices such as a phone, car, lock, camera and appliances, symbolizing interconnected smart home technology and data flows

Smart homes use connected devices, such as locks, lights, cameras and smoke detectors, that communicate with each other to automate daily tasks. As more devices are added, the number of possible interactions multiplies, creating new opportunities for software flaws. These vulnerabilities can allow hackers to unlock doors, turn off alarms or spy on residents, and can be extremely difficult to detect.

“The complexity of a modern smart home is staggering,” said Manar Alalfi, director of the Creative Research in Security and Software Engineering Technology (CRESSET) lab and a computer science professor at Toronto Metropolitan University (TMU). “Trying to test this vast and complicated system with traditional or purely random methods is like looking for a needle in a haystack.”

To uncover these risks more effectively, professor Alalfi and computer science PhD candidate Samad Chan developed SmartTinkerer. This novel software system uses artificial intelligence, virtual simulation and automation to find hidden security flaws before they affect real users.

AI keeps smart home apps up-to-date

One major security challenge arises when smart home applications that enable device connectivity update their software. For example, the Samsung SmartThings application recently discontinued its first-generation system built on the Groovy programming language. As a result, security analysis tools developed specifically for that Groovy-based environment became incompatible with the new platform.

This disruption illustrates a critical research problem. “When a core component of a platform changes, it can render years of research tools, datasets and benchmarks obsolete,” professor Alalfi explained.

SmartTinkerer addresses this by using large language models (LLMs) – AI systems adept at understanding and generating text and code – to automatically translate legacy Groovy apps into JavaScript, the language now supported by the Samsung SmartThings app. This automated translation preserves valuable historical datasets for testing and eliminates the time and cost of manual code conversion.

Digital twins for safer testing

Testing for vulnerabilities on physical devices can disrupt daily life or create safety risks. To solve this, SmartTinkerer builds a digital twin: a detailed virtual replica of a smart home that accurately simulates the software behaviour critical for security analysis.

The digital twin provides a stable, controlled testing environment populated with simulated devices that behave like real sensors, switches and appliances. Researchers can safely run smart home apps, trigger device interactions and observe outcomes without any risk to a physical home. Tests can also be repeated under identical conditions, ensuring consistent results and easy verification.

Teaching AI how to find vulnerabilities

Unlike random testing, SmartTinkerer uses reinforcement learning, an AI technique that learns by trial and error. In this system, an AI agent interacts with the digital twin by performing actions, such as unlocking doors or triggering sensors. When an action brings it closer to discovering a vulnerability, the agent receives a reward. Over time, the agent learns the sequences of actions most likely to expose security flaws.

This intelligent approach makes testing both faster and more thorough. In the researchers’ experiments, the reinforcement learning method found vulnerabilities 38 per cent faster on average than random testing and required 64 per cent fewer actions.

“Efficiency is absolutely critical in security testing,” emphasized professor Alalfi. “The faster a vulnerability can be found, the faster it can be patched, and the less time malicious actors have to exploit it.”

What this means for safety, privacy and trust at home

Smart home security directly impacts personal safety, privacy and trust in technology. A compromised smart lock or a disabled smoke detector could have serious real-world consequences. By combining AI-powered code translation, digital twins and intelligent testing, SmartTinkerer helps identify these risks earlier in the product development cycle, before devices reach consumers.

“By making it easier to build more secure systems from the ground up,” professor Alalfi said, “we hope users can embrace smart technology without sacrificing their safety or privacy.”

Looking ahead, professor Alalfi’s team plans to expand SmartTinkerer to support additional smart home platforms and to explore capabilities for real-time threat detection.

To learn more, read “SmartTinkerer: Bridging Smart Home Testing Gaps with LLM, Digital Twin & Reinforcement Learning,” a paper presented at the 2025 IEEE 49th Annual Computers, Software, and Applications Conference (COMPSAC).

Visit the Creative Research in Security and Software Engineering Technology (CRESSET) lab at TMU to learn more about professor Alalfi’s research.

Related links

Enhancing privacy in smart home devices.

Share This
Facebook, opens new window X, opens new window LinkedIn, opens new window Pinterest, opens new window Reddit, opens new window Tumblr, opens new window