LidarPhone Attack Transforms Smart Vacuum Cleaners Into Spying Tools

Another study suggests how unwise it is to use smart devices without adequate cybersecurity measures. Researchers have devised the LidarPhone attack, which can turn smart robot vacuum cleaners into spying tools.

LidarPhone Attack Targeting Smart Vacuum Cleaners

A team of academic researchers has shared their findings on how robot vacuums can threaten user privacy.

Specifically, they have devised the LidarPhone attack, an acoustic side-channel attack that targets smart vacuum cleaners for eavesdropping.

Most smart vacuums today that offer smart navigation with mapping come with Lidar sensors. These Lidar (Light Detection and Ranging) sensors utilize infrared laser beams to measure the distance from objects based on the reflected light.

These sensors offer convenience to the users as they enable the robot vacuums to move smoothly without requiring human input. However, an adversary can target the sensors to transform them into microphones and listen to the surrounding noise.

Describing LidarPhone in brief, the researchers stated,

The fundamental concept of LidarPhone lies in sensing such induced vibrations in household objects using the vacuum robot’s lidar sensor and then processing the recorded vibration signal to recover traces of sounds. This sensing method is inspired by the principles of laser microphones that use reflected laser beams to sense sounds from vibrating objects. Although laser mics require sophisticated setups, the rotating lidar sensors are equipped with at least a laser transmitter and reflection sensor. This enables the key possibility to transform a lidar into a microphone.

In brief, the attack involves tampering with the robot cleaner's software to turn the laser sensors into microphones and obtain their readings. The collected data first goes to the attacker's server. The attacker then processes the data to remove noise and eventually recover the desired sound. This can be human speech or the sounds of a nearby computer, speaker, or any other device.

The researchers tested the popular Xiaomi Roborock S5 vacuum cleaner in their study.

What Next?

LidarPhone isn't easy to exploit because of several limitations, the main one being the difficulty of controlling the sensor's rotation.

However, the LidarPhone attack bears significance in that smart vacuum cleaners are increasingly being used today. Hence, this type of attack poses a risk to millions of users.

Secondly, the researchers believe this type of attack can also apply to other devices that carry active sensors, including smartphones.

Also, this attack strategy allows remote attackers to eavesdrop without any physical access to the target device.

The researchers have shared their findings in a research paper that they also presented at the ACM Conference on Embedded Networked Sensor Systems (SenSys 2020).
