Readit News
frizensami · 5 years ago
Hello all, I'm Sriram, the first author of this paper. We were inspired by the idea of laser microphones as an audio eavesdropping vector, and tried to find a way to use LIDARs similarly, even though they're not designed for this purpose at all.

In the near future, what I think is scarier is the possibility of executing the same attack through self-driving cars' LIDARs. Perhaps this would allow attackers to spy on conversations in cars that are driving beside you or stationary next to you at traffic lights.

suifbwish · 5 years ago
What materials did you find were most difficult to perform this attack on? I am guessing material like wood or rubber does not vibrate enough to observe a pattern? Also wouldn’t you be able to prevent this attack by having audio generators that generate near random audio signals that mask the data the attacker is seeking?
frizensami · 5 years ago
Right, good question. Anything that is very rigid and heavy doesn't vibrate enough when we play sound near it. I would say it's more about the thickness and weight of the target object than the material itself. For example, a very thin piece of wood would work much better than a wooden table leg. In the paper we actually test against ten different objects that are likely to be within reach of the robot vacuum cleaner.

The difficulty with masking this attack is that you need audio playing at a comparable volume near to the legitimate speech sources, which might be pretty disruptive. In the case of background white noise generators, for legitimate audio playing at around 70 dB SPL, we don't lose much accuracy until the background white noise exceeds 75 dB SPL.

Arech · 5 years ago
Hi Sriram! Nice job. BTW, did you investigate what data the Roborock vacuum actually sends to its servers?
frizensami · 5 years ago
Hey! Actually, this was investigated previously by Dennis Giese here (https://recon.cx/2018/brussels/resources/slides/RECON-BRX-20...). He also has a number of related talks (https://dontvacuum.me/talks/topics.html).

Seems like quite a number of things including WiFi SSID and lat/long info are sent.

Tepix · 5 years ago
Very cool! Is there some way to tell from the outside whether or not the LIDAR is rotating?
frizensami · 5 years ago
Thank you! For the Xiaomi Roborock S5, the plastic housing around the LIDAR makes it hard to see if it's rotating when you're standing above it. If you bend down and look at it side-on, you can tell whether it's rotating or not.

Side-on: https://www.androidpolice.com/wp-content/uploads/2020/03/Rob...

Some feasible ways to stealthily perform the attack when the LIDAR is not rotating could be: a) attack when docked at the charging station, or b) hiding under furniture.

denysvitali · 5 years ago
If only my Roomba was that smart, I wouldn't probably worry about eavesdropping: right now it can barely clean my floor and lock himself in the bathroom forever.

Jokes aside, which Robot Vacuum Cleaner is equipped with a LIDAR? So far the only ones that I've seen barely have a proximity sensor, fall sensor and IR sensors. It could be that I've only bought and seen the cheapest versions though.

dawnerd · 5 years ago
Roborock are really nice and not that expensive. I've actually been really impressed with just how well it maps the floors. The other day I had to clean some cat fur out of it mid cycle, placed it in a totally different part of the room that wasn't in sight of the dock and it was able to fairly quickly figure out where it was.
domano · 5 years ago
Have one of those and it is really impressive. Automatically detected all rooms, so that I can just tell it to clean a specific one. No matter where I put it, it knows where it is even if I have rearranged some chairs etc.

Ate 2 charging cables tho

piyh · 5 years ago
I bought an S50 from China and it constantly errors out on carpet. It seems to be a common thing, I guess China doesn't do full carpet like we have in the US so it's something they didn't test for on my version.

The lidar is impressive though. Cleans way faster since it's taking efficient paths.

dvcrn · 5 years ago
Roborock being Xiaomi, I'd be cautious about data collection.

Reason why I got a Roomba was because I trust iRobot more

outworlder · 5 years ago
> which Robot Vacuum Cleaner is equipped with a LIDAR

Neato, all versions.

adkadskhj · 5 years ago
Love my D7. Really helps with a dog being able to easily clean the house to pick up bits of paw dirt, grass, debris, etc.

Far from perfect, but it makes cleaning the house once a week far easier, as the robot does a 90% or even 95% job every single day.

kapitalx · 5 years ago
Some like the deebot even have common household object detection in addition to the lidar and can move around them. Not sure how well it works in practice.

https://www.ecovacs.com/us/deebot-robotic-vacuum-cleaner/DEE...

blablablubblub · 5 years ago
Here is some overview: https://dontvacuum.me/robotinfo/
denysvitali · 5 years ago
This is indeed a very useful page. Thanks!
baldeagle · 5 years ago
denysvitali · 5 years ago
Looks cool! Do you know by any chance who are they selling the floor map data to?
zozin · 5 years ago
Xiaomi has been making Lidar vacuums for 4-5 years now.
rblatz · 5 years ago
Shark IQ has a camera. It requires you to have some level of lighting in the house while it runs. Otherwise it can’t do its smart navigation.
Fronzie · 5 years ago
LG Hom-Bots have a camera which looks to the ceiling in order to do SLAM. It's not a lidar, but a good enough spying device.
vaccinator · 5 years ago
> which Robot Vacuum Cleaner is equipped with a LIDAR?

I think Tesla made one

gcblkjaidfj · 5 years ago
Neato had lidar from day one and launched a couple years after the first Roomba. Then iRobot bought them and kinda killed it.
Geeek · 5 years ago
I don't think this is true, Neato is not owned by iRobot
jsight · 5 years ago
Neato was never acquired by iRobot. The current Neato line is actually really good.
ramses0 · 5 years ago
The "Evil Maid" class of attacks have a new vector: "Evil Digital Maid/Butler" (assume pervasive, fully compromised electronic assistants).

iPhone "Evil Maid" => GPS, Mic, Camera, Digital User Impersonation [post social network messages, iMessage, etc.]

HomePod "Evil Butler" => Control HomeKit, Mic, Playback Arbitrary Recordings [freeze, this is the police, etc., impersonate a significant other]

Roomba "Evil Maid" => Lidar (mm-resolution depth-camera?!?), Virtual Mic, Push/Close Doors, Push/Move Objects [tip over a table w/ candle]

WiFi Cams "Evil Maid" => Camera, sometimes speakers, sometimes motion control

...if this is how the robot uprising begins, we're a long way from Terminators / SkyNet, but easy to see entire classes of vulnerabilities which are pretty obvious in retrospect.

If you haven't seen "Enemy of the State" or "Conspiracy Theory", they're great movies with a similar premise: "What if 'the system' turned against you?"

germinalphrase · 5 years ago
I would also recommend “The Conversation” (1974). Not because the vision of surveillance is up to date, but because it’s a much better movie and (sort of) prequel to “Enemy of the State”.
tim-fan · 5 years ago
If you're playing around with this, it might help to be root on the vacuum. https://github.com/dgiese/dustcloud
Tepix · 5 years ago
It's mentioned in the linked paper at the top of page 7. You must have missed it. Or perhaps you didn't read it completely ;-)
frizensami · 5 years ago
Yes, this is a really cool project that we used in the paper as well!
1-6 · 5 years ago
Human maid vs robot vacuum cleaner... I'd take my chances with the robot.
whatshisface · 5 years ago
Vs. pushing a Dyson around.
silentsea90 · 5 years ago
Human maid in the western world costs real $$$
corobo · 5 years ago
To be fair so does the robot
aaron695 · 5 years ago
Here's a clearer photo of the setup -

https://umd.app.box.com/s/7qkltjg5xs6cpbjllu8fajpelbs736cm

It's interesting work. It's kinda like finding a really weak, seemingly impossible to use buffer overflow, and now someone has to weaponize it and put it into easy-to-use Metasploit to become just one of 1000s of things to have available.

Personally I'm surprised all these robots don't have microphones yet. Not being able to talk to robots makes them pretty lame.

frizensami · 5 years ago
Hi, first author of the paper here. We also consider this as part of the increasing arsenal of smart-home attacks, which can be opportunistic and long-term. Also given that it's an offline attack, as signal processing / machine learning methods improve, perhaps the lidar signals an attacker collects could eventually become intelligible audio.

I was also surprised that they don't have microphones. I guess the developers would prefer to have that on the companion app instead.

esel2k · 5 years ago
In reality though I never have my lidar robotvac running when I am at home. Even less having a conversation, as all robotvacs are loud. I personally would be still more concerned about all voice-activated devices (Alexa etc).
joegaudet · 5 years ago
Isn't the implication that someone has already compromised the robot? So it wouldn't be running necessarily?
staunch · 5 years ago
This is why I make sure to whisper when entering my 2FA codes.
dylan604 · 5 years ago
Are you one of those people who moves their mouth when reading silently?
staunch · 5 years ago
I think not. But with 2FA codes/phone numbers/IP addresses, I tend to repeat back to myself what I'm trying to remember in a melodic way.