Smart Home devices are playing an increasingly important role in our day-to-day lives. Most people will know about the functionality of smart speakers or displays and understand some of the risks associated with having a seeing and listening device in the house. But what about fridges, lighting… what about robot vacuum cleaners?
Those are all appliances and devices that can now be purchased with a “smart” twist. While fridges may still be for the select few, millions of households have embraced robot vacuum cleaners. These smart robotic units are IoT devices at heart and are open to attacks.
According to researchers, threat actors have found a way to spy on conversations by tapping into their robot vacuums.
Most people probably don’t think twice about their automatic cleaner. They place it on the floor and it does its thing. However, these devices use smart sensors to be able to navigate through a home, avoiding obstacles along the way. More advanced options include mapping sensors and even cameras and microphones.
Researchers say a new attack called “LidarPhone” targets vacuum cleaners with built-in LiDAR sensors. Light Detection and Ranging (LiDAR) is the fundamental technology behind the remote sensing vacuum cleaner. It uses emitted light in a pulsing laser to measure distances to help the device avoid in-home obstacles.
Attackers have found a way to hack into the technology on the devices. While that is concerning, the attack is complex and it seems most bad actors may not be able to do it. For example, the device would already need to be exploited by another attack. Furthermore, the LidarPhone attack would need to occur on the same local network as the victim.
Both of those scenarios are unlikely in most circumstances. Still, researchers say it is theoretically possible to hack robot vacuums:
“We develop a system to repurpose the LiDAR sensor to sense acoustic signals in the environment, remotely harvest the data from the cloud and process the raw signal to extract information. We call this eavesdropping system LidarPhone,” according to researchers from the University of Maryland, College Park and the National University of Singapore, in Wednesday's research.
“The robot is typically connected to the Xiaomi cloud ecosystem for its standard operations and data exchange. We override this interface with the Valetudo software stack on the rooted device and control the robot over a local network.”