A team of researchers has worked in tandem to convert a smart vacuum into a microphone capable of recording nearby conversations. The technique, named ‘LidarPhone’ and successfully tested on a Xiaomi Roborock, turns the vacuum’s built-in LiDAR laser-based navigation component into a laser microphone.
According to researchers, it’s a complex attack that requires the attackers to meet certain conditions, such as an already compromised device. Additionally, to carry out the attack, the attacker must be on the victim’s local network.
- To perform an attack using the LiDAR technique, the attacker needs malware or a compromised update process to tamper with the vacuum’s firmware and gain complete control over the LiDAR component.
- By tampering with the firmware, the attacker can stop the vacuum’s LiDAR from rotating, which reduces the number of data points it collects. The LiDAR can then be focused on only one nearby object at a time, from which it could record sound waves.
- Since LiDAR components are not as accurate as surveillance-grade laser microphones, their signals can be boosted for improved quality.
How serious is the threat?
- According to researchers, this technique demonstrates one of the various ways in which the security and design of future smart vacuum robots can be exploited.
- The researchers tested the LidarPhone attack with multiple objects, varying the distance between the robot and the object as well as the distance between the sound origin and the object, and managed to recover numeric values with 90% accuracy.
The technique shows that with ample resources at one’s disposal along with strong motives, even a single IoT device can be a conduit for malice. Hence, our internal experts suggest countermeasures such as shutting down the LiDAR component if it’s not rotating or reducing the signal-to-noise ratio of the LiDAR signal.
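The first countermeasure above, cutting the LiDAR when it is not rotating, could take the form of a rotation interlock like the one below; this is an added example, not code from the researchers or from any vacuum vendor. The encoder resolution, RPM floor and re-arm time are assumed values, and because the attack presumes tampered firmware, the check is assumed to run on a controller that the main firmware cannot rewrite.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All constants are assumed for illustration; none come from a real vacuum. */
#define TICKS_PER_REV 15u    /* encoder ticks per turret revolution */
#define MIN_RPM       240u   /* slowest rotation treated as normal scanning */
#define REARM_MS      1000u  /* continuous rotation required before lasing */

typedef struct {
    uint32_t last_ms;   /* time of the previous sample */
    uint32_t good_ms;   /* continuous time at or above MIN_RPM, capped at REARM_MS */
    bool     laser_on;
} interlock_t;

void interlock_init(interlock_t *s, uint32_t now_ms) {
    s->last_ms = now_ms;
    s->good_ms = 0;
    s->laser_on = false;                 /* fail closed until rotation is proven */
}

/* Feed the encoder ticks counted since the previous call.
 * Returns true while the laser may be powered. */
bool interlock_update(interlock_t *s, uint32_t now_ms, uint32_t ticks) {
    uint32_t dt = now_ms - s->last_ms;   /* unsigned math survives timer wrap */
    if (dt == 0) return s->laser_on;     /* no time elapsed: nothing to judge */
    s->last_ms = now_ms;
    uint64_t rpm = (uint64_t)ticks * 60000u / ((uint64_t)TICKS_PER_REV * dt);
    if (rpm < MIN_RPM) {                 /* a stationary turret can dwell on one object */
        s->good_ms = 0;
        s->laser_on = false;             /* cut immediately, no grace period */
    } else {
        /* Saturating add so a very long gap between samples cannot overflow. */
        s->good_ms = (dt >= REARM_MS - s->good_ms) ? REARM_MS : s->good_ms + dt;
        if (s->good_ms >= REARM_MS) s->laser_on = true;
    }
    return s->laser_on;
}

int main(void) {
    /* Constructed trace: ticks per 100 ms sample (300 RPM is 7.5 ticks per sample). */
    const uint32_t trace[] = {8,7,8,7,8,7,8,7,8,7,8,7, 0,0,0, 8,7,8,7};
    interlock_t s;
    interlock_init(&s, 0);
    for (uint32_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("t=%4u ms ticks=%u laser=%d\n", (unsigned)((i + 1) * 100),
               (unsigned)trace[i], interlock_update(&s, (i + 1) * 100, trace[i]));
    return 0;
}
```

Requiring a full re-arm period after any slow sample means briefly spinning the turret between stationary intervals does not keep the laser powered.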