How a smart vacuum cleaner was hacked to listen to conversations — even without a microphone
As I went about vacuuming the house the other day, I found myself wishing I had one of those smart vacuums that could do all the work for me, buzzing around the house and adapting to objects that invariably make their way to the floor. Resigning myself to my very low-tech vacuum cleaner, I found comfort in one particular aspect: it can’t be hacked.
This article is part of our ongoing series on hacking and IoT. Also in this series:
- Welcome to the Internet of (hackable) Things
- People are hacking diabetes pumps — and that’s both bad and good
“We welcome these devices into our homes, and we don’t think anything about it,” said Nirupam Roy, an assistant professor in the University of Maryland’s Department of Computer Science. “But we have shown that even though these devices don’t have microphones, we can repurpose the systems they use for navigation to spy on conversations and potentially reveal private information.”
Roy and colleagues carried out an ethical hacking experiment in which he hacked a popular vacuum cleaning robot and made it recover speech from its users and television programs playing in the room.
Vacuums and Lidars
Just like self-driving cars, some robot vacuum cleaners use a laser-based navigation system to navigate surroundings. Lidar (Light Detection and Ranging) sends out laser pulses and measures the time they take to return, thus calculating the range (distance) at which objects are. It’s how vacuum robots manage to sweep the house without bumping into everything, and how one day, self-driving cars will be able to safely navigate their surroundings.
By now, the fact that this type of robot can sometimes be hacked shouldn’t come as much of a surprise. If you’ve read our previous articles in the series, you should be familiar with the idea that attackers (and sometimes, the very owners of smart devices) can try to hack these objects. They may not always succeed, especially if the device is well-secured, but it can be a risk.
For starters, smart vacuum cleaners connect through a mobile app, and this is where the first vulnerabilities can occur. A 2017 report showed that hundreds of thousands of vacuum cleaners could be hacked due to an app vulnerability, allowing attackers to spy on the user’s house and even commandeer the device. The vulnerability was since patched, but it was just one of the many vulnerabilities uncovered by researchers.
A 2019 study showed that many vacuum cleaners use unencrypted HTTP protocols to communicate — protocols that can be attacked with relative ease. “Weaknesses and exploits are continuously found in commercially sold products,” the study concluded. Even more secure units, including some featuring better hardware than many smartphones, were not hack-proof.
But the hack carried out by Roy and his colleagues was probably the most spectacular of them all.
From Cold War to hacking IoT
They took inspiration from Cold War technology used for espionage — especially laser microphones. Laser microphones were first developed by Leon Theremin, who nowadays, is probably most famous for his invention of the musical instrument theremin, which is an electronic musical instrument controlled without physical touch. But Theremin the inventor also worked in espionage. Among his inventions was something called The Thing — a covert device that recorded private conversations of the US ambassador in the 1940s and 1950s, and a low-power infrared beam that could detect sound vibrations by analyzing vibrations in glass windows.
In principle, a laser microphone that is inside a room when a conversation is taking place can monitor conversations in response to pressure waves on any object in the room. Windows work best because the smoother the surface is, the better it works (because the laser beam is reflected more accurately). Lidar works with laser, so what if that could be used as a microphone?
To start off, researchers hacked a smart vacuum cleaner to gain access to it and the data it gathers — this was the easy part. The data was sent to their laptops through Wi-Fi, without giving a clue to the user that something was off. The next part was a bit more challenging.
Espionage laser microphones are typically fixed and aimed at a smooth surface, whereas the vacuum cleaner is moving and facing a number of different objects with different surfaces. They had to work with a trash can, a cardboard box, and a take-out container, objects you’d normally expect to find on the floor of a house. The findings were presented at the Sensys conference and can be accessed on the ACM Digital Library.
Deciphering the signals also required a bit of work. However, when the signals were passed through specialized deep training algorithms, they were able to match not just spoken voices, but also television voices with 90% accuracy.
At a time when we’re working from home and often having important meetings via computer, this type of threat is more important than ever. Laser microphones may be a Cold War relic, but IoT Lidar spying is very much an actual concern.
Perhaps even more worrying is that even a less sophisticated attack can tell a lot about your lifestyle by simply looking at your floor.
“This kind of information can tell you about my living style, how many hours I’m working, other things that I am doing. And what we watch on TV can reveal our political orientations. That is crucial for someone who might want to manipulate the political elections or target very specific messages to me,” Roy added in a press release.
Of course, this doesn’t mean we should trash and burn our smart vacuum cleaners. As with pretty much anything in life, there are advantages and risks. For most people (at least for now), the pros vastly outweigh the cons. But as IoT devices will undoubtedly start to play a more and more important role in our life, it’s important to be aware of the potential risks that come along with them.
The post How a smart vacuum cleaner was hacked to listen to conversations — even without a microphone originally appeared on the HLFF SciLogs blog.