Hit enter after type your search item
Wzy Word

HERE ARE THE WORLD'S NEWS

Breaking Into a Smart Home With A Laser – Smarter Every Day 229

/
/
/
706 Views
img

(Smart Lock Opening) (Smart Lock Dingsl) – [Destin] It just worked – [Ben] Yep

– Alexa, Okay Google, Hey Siri, set a reminder to subscribe to Smarter Every Day You have a microphone listening to you in the room right now, what I just did probably worked to a small percentage of you That is terrifying Another thing that is terrifying is there are ways that you can get signals into phones and all these microphones that you might not know about I read an academic paper

First of all, I was like, please don't be real Turns out it is real So, I don't think there's anything to panic or freak out about We just have to be clever about how we set up our devices But, this video is about me inviting the person that was on the team that wrote the paper to my house, performing the test for myself so I could prove that this really does happen and then informing you so that you know how to configure your devices

So, I hope this video earns your subscription and possibly even your support on Patreon Let's go get smarter everyday Hey, it's me Destin, welcome back to Smarter Every Day I didn't plan this out very well So I'm at Best Buy on Black Friday

We're gonna go buy some smart home products because there is a vulnerability, we'll call it of many of them that most people don't know about Let's go met Ben, whose been doing some research on this, he should be at the smart home product aisle You're Ben right? – Yes, I am – [Destin] Nice to meet you dude – Nice to meet you

– You even got a shirt look at you So Ben works at the University of Michigan You're from Huntsville, right? – Yes – Okay, and you've been working on this way to exploit smart home products with lasers So this is new data

– [Ben] We had it go public about a month ago – We're gonna buy some products right – Yep – Some some we can control with Amazon Alexa and the Google Home – And maybe Siri, if you want to try your phone

– Siri, okay yeah, let's try it Let's see what we got After a few minutes of deciding what products to buy, it became clear to me that Ben had specific knowledge about the vulnerabilities associated with each individual device – There are some software problems with how August handles this, which makes it more vulnerable So you can still get a signal into it but it's the range is reduced a lot because it gets attenuated by the fabric

– [Destin] So we have a garage door, a door lock, we have a thermostat, now we're getting a light bulb There you go man – Thanks (Destin giggles) Think we should have got a cart – I don't know if you noticed lately but there is a ton of advertising dollars being spent on trying to convince you to put smart home products in your house

So there is no sponsor for this video I wast to say thank you to everyone that supports at Patreoncom/smartereveryday You allow me to make videos like this No sponsor dollars whatsoever

So thank you because the patrons are who allowed me to purchase these products, take them home and unbox them In a smart home you have two types of devices You have all the stuff that designed to be controlled like lights, thermostat, power outlets, even door locks and a garage door opener All of that can be controlled by all of this to make your life more convenient We have products from Google, Samsung, Apple, Amazon

All of this stuff you can use your voice to get around the password requirement and literally control things in your house So the question is, is there a way to input the voice command from a long distance away and control things in the house without permission? We only had a few hours to do this demonstration so I started setting everything up in the house, which felt a little bit like inviting big brother into the house and Ben started setting up his laser, which was surprisingly low tech In fact, at one point he had an issue with it and he fixed it really quickly with a soldering iron Anyway, he's going to use a 450 nanometer blue laser for this experiment, but Ben said this technique works with several different wavelengths like red, green or even infrared, which humans can't seen Hey Google, we're about to shoot you with a laser

– [Google] I'm sorry, I don't understand – (chuckles) You will Let me show you what we're about to do If you were to look at any of these devices, you would see these little holes on them You have to zoom in really really tight but you'll see them, they're right there

And behind that hole is a special type of microphone It's a micro electro mechanical system or a MEMS microphone I've asked Ben to send me a sample of all these MEMs microphones and he sent me this So these are different manufacturers and these all go in different types of devices depending on if you have a Samsung or an iPhone or whatever it is you have What we're going to do is I've 3D printed an adaptor for the GH5 camera here

We're gonna put this camera on top of the microscope here and we're going to look at these microphones and see exactly how they're designed Let's start by looking at this one on the upper right here Manufactured by CUI Okay as we zoom in on this thing in focus, you can see it kind of looks like a gold bar and that's because that is the can that this thing is housed in If we scroll over to the microphone itself, once we take that can off, look at that

We can zoom in a little bit, that super tiny diaphragm is the exact thing that vibrates due to sound According to the stuff I read it's kind of like a flexible film and when it's charged up, it functions like a capacitor and when that film flexes because of the sound that's hitting it, the capacitance changes and that's detectable by the circuit it's attached to and those changes can then be converted into a digital waveform You can see there's a lead going to one side of the diaphragm and I'm assuming that lead on the other side maybe ground If you can look this up on Digi-Key this part is only about $045 depending on how many you buy

Okay, so now let's go down to the bottom right of this slide here and let's look at this one manufactured by PUI This design is different, they use a Piezo Electric element instead of that capacitance diaphragm technique But this is fascinating Look how complicated this design is That membrane and those little zig-zags, they went to great lengths to manufacture this

The next one is similar It's by Vesper It's also Piezo Electric element Look at it though It is round in design, whereas that last one was that square shape with the zig-zags

So this is very different I don't know if that membrane over the top has anything to do with waterproofing or not All these form about the eight o'clock position all the way to the top, they're manufactured by a company called Knowles Okay, let's zoom in here on the SPV 08A Look at that, it looks like a single diaphragm just like that other one earlier, only there seems to be these little holes in it

Man, I love microscopes and the last one I want to show you is this one right here at the very top Okay, there is the housing, again once we take the housing off look at that, there are two little diaphragms there That is fascinating, really, really cool to look at and think about all these things that are listening to us all the time If I am typing on my phone I know exactly what inputs I'm able to give the phone and those turn into commands and things happen

This is different This is an always listening microphone that also is given through software the same authority to provide commands to my phone Ben is not going to stimulate these things with acoustic energy He's going to hit it with a laser beam and somehow that is gonna provide energy into it in a way that the phone can understand and it provides a command So to do that, I have to understand how light is getting a command to my phone

I don't really understand So how does light input sound into a device? – So, there's a couple of different ways that we think it's working We've talked with some vendors and manufacturers and some of them think that it's actually like a photoelectric effect, where basically you have light entering the MEMs microphone device, bouncing off some of the walls and hitting the electronics to induce a current just from light interacting with silicon But there's also a potential with some of our experiments we're seeing that maybe there's some thermal effects on the membrane of the microphone that's causing it to expand and causes vibration as well So we're still in the process of figuring out exactly what's going on

– Okay, we finally have all the devices set up Ben is sitting here with the laser ready to go And we have this camera here looking at this Nest thermostat We have this Google Home here and we've got the microphone right here that we're going to be aiming for We're gonna be monitoring it with Nest cameras of course, that cameras gonna see when the laser cuts on

I think we are ready to laser google up because science is about to happen All right, so it's this button right here that says Laser On, right? All right here we go So you have to record something that you're going to say in the laser, right? – Yes – Okay, so what are you going to tell it? I guess it's my house, so it should be your voice right? – Okay Google set the thermostat to 70 – [Google] Okay, setting entryway to 70 degrees

– Okay it did that because it heard you I'm going to go ahead and turn it back down We know that that's an active command that will work I've changed the thermostat back The next step is the laser is shining right

– [Ben] Yes – Okay, so the thermostat's set low The laser is now hitting the microphone Give me a countdown and tell me when you are going to attack – Okay, so three, two, one

– [Google] Okay, setting entryway to 70 degrees – So that worked – It worked So you just used lasers to set my thermostat without any volume whatsoever Like I didn't hear anything

Okay, go for it – [Google] Okay, setting entryway to 65 degrees – That's crazy dude, that's crazy There it is, 65, man Okay, now we are going to attack an Amazon Echo Dot 3rd Generation

Let me see your waveform, what are you gonna have it do this time – [Ben] So we're gonna have it set the light above it to turn green – [Destin] That light above it – [Alexa on Amazon Echo Dot] Okay Okay

– What's happening ha! Well, it's blue now – [Recording of Ben's voice] "Alexa, set the hall light to [green]" – I was trying to set it to green but it turned blue, but it did pick up the lights part – Clearly it wasn't perfect Something's happening but we got the lights to change on

So we're gonna call that a win against Alexa and then we're going to move forward and go for Siri Okay, there's a couple of these smart phone products where if you beat it, like it spoof it somehow, it's a huge security issue Hey Siri, open the garage That's a big deal, okay So, I just installed this little bitty box on my garage door opener and suddenly if somebody can get that command in my phone they have access to my stuff but the thing about this is we were trying to bang all these things out in one night and we ran into some issues

With an iPhone, there's a few different things that make it different Number one, if you are trying to talk to it, it's not just listening for anybody It's listening for a specific voice on a specific phone That can be beat pretty easily though Can you try to sound like me

– I can (laughs) Hey Siri (both laugh) Hey, it worked – It worked (laughs) Okay, yeah, so we beat that all right

Number two, sometimes if the phone is locked, this will happen – [Siri] You'll need to unlock your iPhone first – Hey Siri, open the garage – [Siri] You'll need to unlock your iPhone first – That is very important

The decision to not allow an assistant to open or unlock anything unless the phone is unlocked is very crucial I haven't tested this Samsung or any of the other phones but that is important And I can only assume that they're doing the same thing There's another way phones are different though Phones are sometimes a little more difficult than home assistants because the microphones are deeper or sometimes angled inside the hardware

We spent about 25 minutes trying to align the laser to the iPhone 11 but because Ben had a flight the next morning We decided to stop because he said he was gonna send me this footage from his lab But they figured out how to open things with an iPhone 10 using lasers or iPhone X, I don't know what you call it (phone chimes) So at this point, I think we have to move outside, right? – Yes – Okay, now we are outside with the setup and we are shooting through a window

Let me show you the window here So, glass right here and we are shooting directly at that right there And the idea is to trigger this thing in such a way that it will unlock the garage door right here This is an August brand lock And my understanding of this lock is you have to tell the Google Home to unlock it and then there's a pin code, is that correct? – Yes, so it asks for a pin code and the user would give one

But the problem is there's no limit on the number of pin codes you can give So an adversary could just brute force go through all the pin codes and it may take all night but you could eventually get to the right pin number and open the lock – Okay, so basically you would say, Google, please open the garage and it'll say, "What is your pin code?" And you say – 0000 And then it'll be like, "That's wrong

"Try a different pin code" And you'd say, "0001" And you just keep doing that until you get through all the numbers – That's crazy So what we've done here is we got this setup

We've loaded two wrong pin codes and then one right pin code and we'll see if we can do it All right, ready to fire – [Google] Can I have your security code to unlock the garage? – [Ben] Bringing up August lock – [Destin] It is bringing – [Google] Sorry, it looks like the security code is incorrect, can I have your security code to unlock the garage? Sorry, it looks like the security code is incorrect

Can I have your security code to unlock the garage? – [Destin] We have no idea, like I can see the screen flash but we have no acoustic feedback so we have no idea what it's saying – [Ben] Yeah, which is where something like a laser microphone would be really useful – [Google] Sure, requesting to unlock the garage (Smart lock opens, electronic chime) – [Destin] It just worked So you just busted open my garage

– [Google] The garage has been unlocked – That's crazy From outside dude Oh man, hey, gah-lee that's not even right dude That's crazy man

– Yep just so it would take a long time to know the passcode but just from outside here we can shoot inside here and get in – That's nuts man I mean if you think about it There's a lot that has to go on There's a lot of alignment issues

There's a power issue getting the laser in the right spot Some of the systems like Siri, for example We can get Siri to tell us the time and the date and stuff but we couldn't get Siri to open the garage door while it was locked So, I don't think people are like crazy vulnerable right now but this demonstrates a capability that most people did not understand, which is that light can influence MEMs microphones, correct? – Yes The best way to defend against this attack at all is just keep your devices out of line of sight

If someone can get line of sight on the microphone then you might be able to influence it That's the best way for a normal person to defend against it – Okay, so we controlled a device, which has the ability to control things in your house, through a window, with a laser We did it with a visible laser, but it's also possible with an infrared invisible laser I want everyone to know this

Send this video to someone When I was thinking about what to say in this outro, I was like, you know what, I'm just going to try something crazy Hey Google, unlock the garage – [Google] Can I have your security code to unlock the garage? – I'm able to communicate with that thing from outside of the house and it's just the passcode keeping me from getting in This model of door lock behaves differently

Hey Google, unlock the front door – [Google] Sorry, I can't unlock the front door remotely – Now, I'm not saying that the ability to unlock the front door is altogether bad, in fact it's life changing for some people My uncle's in a wheelchair and the ability to remotely answer his door is huge But I think we will all agree there certainly needs to be a limit on the number of passcode attempts you can try

This video is not about throwing stones at any one company It's just a realization that sometimes when we design things with one intended purpose Sometimes they have other features that we didn't know about As a mechanical engineer, I would have never thought to shoot a laser at a microphone As a computer scientists or a software engineer, when you design a system to be rock solid, your code is good

The moment you plug that in to another system, you inherit all the vulnerabilities of that system as well You as a consumer have to be thinking about your own security and safety Configure your systems to best protect you and your family Please consider subscribing to this channel if this is the kind of internet you like to watch I hope you enjoy it, it's certainly the kind of internet I like to make and I hope it adds value to your life

If it really adds value to your life then Patreoncom/smartereveryday is a way you can support the channel and kind of isolate me from the ebbs and flows of all kinds of stuff like algorithm stuff and like sponsors and that's the best way to help me make internet like this Patreoncom/smartereveryday Please consider that, if not, no big deal

I'm just glad you're here This was awesome and fun and I'm honored that you gave me your time to watch this video A huge thanks to Ben Cyr for coming down He's a PhD

student at computer science at the University of Michigan He worked on this project with all of these people He wanted me to make sure that you saw their names because they worked very hard on this as a team and I'm grateful for what they've done So if people want to read the paper that you guys wrote where do they do that? – So that's at the LightCommandcom website is where we have all of our demos and the paper

– [Destin] That's awesome man, thank you so much for your time this was wildly interesting Later buddy – See ya – [Destin] I said, see ya, like you're leaving or something (both laugh) Whatever, let me help you clean up

Thank you so much for coming here

Source: Youtube

This div height required for enabling the sticky sidebar