yego.me
💡 Stop wasting time. Read Youtube instead of watch. Download Chrome Extension

Breaking Into a Smart Home With A Laser - Smarter Every Day 229


13m read
·Nov 3, 2024

(Smart Lock Opening) (Smart Lock Dings) - [Destin] It just worked. - [Ben] Yep. - Alexa, Okay Google, Hey Siri, set a reminder to subscribe to Smarter Every Day. You have a microphone listening to you in the room right now, what I just did probably worked to a small percentage of you. That is terrifying. Another thing that is terrifying is there are ways that you can get signals into phones and all these microphones that you might not know about. I read an academic paper. First of all, I was like, please don't be real. Turns out it is real.

So, I don't think there's anything to panic or freak out about. We just have to be clever about how we set up our devices. But, this video is about me inviting the person that was on the team that wrote the paper to my house, performing the test for myself so I could prove that this really does happen and then informing you so that you know how to configure your devices. So, I hope this video earns your subscription and possibly even your support on Patreon. Let's go get smarter everyday.

Hey, it's me Destin, welcome back to Smarter Every Day. I didn't plan this out very well. So I'm at Best Buy on Black Friday. We're gonna go buy some smart home products because there is a vulnerability, we'll call it of many of them that most people don't know about. Let's go meet Ben, who's been doing some research on this, he should be at the smart home product aisle.

You're Ben right? - Yes, I am. - [Destin] Nice to meet you dude. - Nice to meet you. - You even got a shirt look at you. So Ben works at the University of Michigan. You're from Huntsville, right? - Yes. - Okay, and you've been working on this way to exploit smart home products with lasers. So this is new data. - [Ben] We had it go public about a month ago. -

We're gonna buy some products right? - Yep. - Some we can control with Amazon Alexa and the Google Home. - And maybe Siri, if you want to try your phone. - Siri, okay yeah, let's try it. Let's see what we got. After a few minutes of deciding what products to buy, it became clear to me that Ben had specific knowledge about the vulnerabilities associated with each individual device.

  • There are some software problems with how August handles this, which makes it more vulnerable. So you can still get a signal into it but it's the range is reduced a lot because it gets attenuated by the fabric. - [Destin] So we have a garage door, a door lock, we have a thermostat, now we're getting a light bulb. There you go man. - Thanks. (Destin giggles) Think we should have got a cart.

  • I don't know if you noticed lately but there is a ton of advertising dollars being spent on trying to convince you to put smart home products in your house. So there is no sponsor for this video. I want to say thank you to everyone that supports at Patreon.com/smartereveryday. You allow me to make videos like this. No sponsor dollars whatsoever. So thank you because the patrons are who allowed me to purchase these products, take them home and unbox them.

In a smart home you have two types of devices. You have all the stuff that is designed to be controlled like lights, thermostat, power outlets, even door locks and a garage door opener. All of that can be controlled by all of this to make your life more convenient. We have products from Google, Samsung, Apple, Amazon. All of this stuff you can use your voice to get around the password requirement and literally control things in your house.

So the question is, is there a way to input the voice command from a long distance away and control things in the house without permission? We only had a few hours to do this demonstration so I started setting everything up in the house, which felt a little bit like inviting big brother into the house and Ben started setting up his laser, which was surprisingly low tech.

In fact, at one point he had an issue with it and he fixed it really quickly with a soldering iron. Anyway, he's going to use a 450 nanometer blue laser for this experiment, but Ben said this technique works with several different wavelengths like red, green or even infrared, which humans can't see. Hey Google, we're about to shoot you with a laser. - [Google] I'm sorry, I don't understand. - (chuckles) You will. Let me show you what we're about to do.

If you were to look at any of these devices, you would see these little holes on them. You have to zoom in really really tight but you'll see them, they're right there. And behind that hole is a special type of microphone. It's a micro electro mechanical system or a MEMS microphone. I've asked Ben to send me a sample of all these MEMS microphones and he sent me this. So these are different manufacturers and these all go in different types of devices depending on if you have a Samsung or an iPhone or whatever it is you have.

What we're going to do is I've 3D printed an adaptor for the GH5 camera here. We're gonna put this camera on top of the microscope here and we're going to look at these microphones and see exactly how they're designed. Let's start by looking at this one on the upper right here. Manufactured by CUI. Okay as we zoom in on this thing in focus, you can see it kind of looks like a gold bar and that's because that is the can that this thing is housed in.

If we scroll over to the microphone itself, once we take that can off, look at that. We can zoom in a little bit, that super tiny diaphragm is the exact thing that vibrates due to sound. According to the stuff I read it's kind of like a flexible film and when it's charged up, it functions like a capacitor and when that film flexes because of the sound that's hitting it, the capacitance changes and that's detectable by the circuit it's attached to and those changes can then be converted into a digital waveform.

You can see there's a lead going to one side of the diaphragm and I'm assuming that lead on the other side maybe ground. If you can look this up on Digi-Key this part is only about $0.45 depending on how many you buy. Okay, so now let's go down to the bottom right of this slide here and let's look at this one manufactured by PUI. This design is different, they use a Piezo Electric element instead of that capacitance diaphragm technique.

But this is fascinating. Look how complicated this design is. That membrane and those little zig-zags, they went to great lengths to manufacture this. The next one is similar. It's by Vesper. It's also Piezo Electric element. Look at it though. It is round in design, whereas that last one was that square shape with the zig-zags. So this is very different. I don't know if that membrane over the top has anything to do with waterproofing or not. All these from about the eight o'clock position all the way to the top, they're manufactured by a company called Knowles.

Okay, let's zoom in here on the SPV 08A. Look at that, it looks like a single diaphragm just like that other one earlier, only there seems to be these little holes in it. Man, I love microscopes and the last one I want to show you is this one right here at the very top. Okay, there is the housing, again once we take the housing off look at that, there are two little diaphragms there. That is fascinating, really, really cool to look at and think about all these things that are listening to us all the time.

If I am typing on my phone. I know exactly what inputs I'm able to give the phone and those turn into commands and things happen. This is different. This is an always listening microphone that also is given through software the same authority to provide commands to my phone. Ben is not going to stimulate these things with acoustic energy. He's going to hit it with a laser beam and somehow that is gonna provide energy into it in a way that the phone can understand and it provides a command.

So to do that, I have to understand how light is getting a command to my phone. I don't really understand. So how does light input sound into a device? - So, there's a couple of different ways that we think it's working. We've talked with some vendors and manufacturers and some of them think that it's actually like a photoelectric effect, where basically you have light entering the MEMS microphone device, bouncing off some of the walls and hitting the electronics to induce a current just from light interacting with silicon. But there's also a potential with some of our experiments we're seeing that maybe there's some thermal effects on the membrane of the microphone that's causing it to expand and causes vibration as well. So we're still in the process of figuring out exactly what's going on.

  • Okay, we finally have all the devices set up. Ben is sitting here with the laser ready to go. And we have this camera here looking at this Nest thermostat. We have this Google Home here and we've got the microphone right here that we're going to be aiming for. We're gonna be monitoring it with Nest cameras of course, that cameras gonna see when the laser cuts on. I think we are ready to laser Google up because science is about to happen.

All right, so it's this button right here that says Laser On, right? All right here we go. So you have to record something that you're going to say in the laser, right? - Yes. - Okay, so what are you going to tell it? I guess it's my house, so it should be your voice right? - Okay Google set the thermostat to 70. - [Google] Okay, setting entryway to 70 degrees. - Okay it did that because it heard you. I'm going to go ahead and turn it back down. We know that that's an active command that will work. I've changed the thermostat back.

The next step is the laser is shining right. - [Ben] Yes. - Okay, so the thermostat's set low. The laser is now hitting the microphone. Give me a countdown and tell me when you are going to attack. - Okay, so three, two, one. - [Google] Okay, setting entryway to 70 degrees. - So that worked. - It worked. So you just used lasers to set my thermostat without any volume whatsoever. Like I didn't hear anything.

Okay, go for it. - [Google] Okay, setting entryway to 65 degrees. - That's crazy dude, that's crazy. There it is, 65, man. Okay, now we are going to attack an Amazon Echo Dot 3rd Generation. Let me see your waveform, what are you gonna have it do this time. - [Ben] So we're gonna have it set the light above it to turn green. - [Destin] That light above it. - [Alexa on Amazon Echo Dot] Okay.

Okay. - What's happening ha! Well, it's blue now. - [Recording of Ben's voice] "Alexa, set the hall light to green." - I was trying to set it to green but it turned blue, but it did pick up the lights part. - Clearly it wasn't perfect. Something's happening but we got the lights to change on. So we're gonna call that a win against Alexa and then we're going to move forward and go for Siri. Okay, there's a couple of these smart phone products where if you beat it, like it spoof it somehow, it's a huge security issue.

Hey Siri, open the garage. That's a big deal, okay. So, I just installed this little bitty box on my garage door opener and suddenly if somebody can get that command in my phone they have access to my stuff but the thing about this is we were trying to bang all these things out in one night and we ran into some issues. With an iPhone, there's a few different things that make it different. Number one, if you are trying to talk to it, it's not just listening for anybody. It's listening for a specific voice on a specific phone.

That can be beat pretty easily though. Can you try to sound like me. - I can. (laughs) Hey Siri. (both laugh) Hey, it worked. - It worked. (laughs) Okay, yeah, so we beat that all right. Number two, sometimes if the phone is locked, this will happen. - [Siri] You'll need to unlock your iPhone first. - Hey Siri, open the garage. - [Siri] You'll need to unlock your iPhone first. - That is very important. The decision to not allow an assistant to open or unlock anything unless the phone is unlocked is very crucial.

I haven't tested this Samsung or any of the other phones but that is important. And I can only assume that they're doing the same thing. There's another way phones are different though. Phones are sometimes a little more difficult than home assistants because the microphones are deeper or sometimes angled inside the hardware. We spent about 25 minutes trying to align the laser to the iPhone 11 but because Ben had a flight the next morning. We decided to stop because he said he was gonna send me this footage from his lab.

But they figured out how to open things with an iPhone 10 using lasers or iPhone X, I don't know what you call it. (phone chimes) So at this point, I think we have to move outside, right? - Yes. - Okay, now we are outside with the setup and we are shooting through a window. Let me show you the window here. So, glass right here and we are shooting directly at that right there. And the idea is to trigger this thing in such a way that it will unlock the garage door right here.

This is an August brand lock. And my understanding of this lock is you have to tell the Google Home to unlock it and then there's a pin code, is that correct? - Yes, so it asks for a pin code and the user would give one. But the problem is there's no limit on the number of pin codes you can give. So an adversary could just brute force go through all the pin codes and it may take all night but you could eventually get to the right pin number and open the lock.

  • Okay, so basically you would say, Google, please open the garage and it'll say, "What is your pin code?" And you say. - 0000. And then it'll be like, "That's wrong. Try a different pin code." And you'd say, "0001". And you just keep doing that until you get through all the numbers. - That's crazy. So what we've done here is we got this setup. We've loaded two wrong pin codes and then one right pin code and we'll see if we can do it. All right, ready to fire.

  • [Google] Can I have your security code to unlock the garage? - [Ben] Bringing up August lock. - [Destin] It is bringing. - [Google] Sorry, it looks like the security code is incorrect, can I have your security code to unlock the garage? Sorry, it looks like the security code is incorrect. Can I have your security code to unlock the garage? - [Destin] We have no idea, like I can see the screen flash but we have no acoustic feedback so we have no idea what it's saying.

  • [Ben] Yeah, which is where something like a laser microphone would be really useful. - [Google] Sure, requesting to unlock the garage. (Smart lock opens, electronic chime) - [Destin] It just worked. So you just busted open my garage. - [Google] The garage has been unlocked. - That's crazy. From outside dude.

Oh man, hey, gah-lee that's not even right dude. That's crazy man. - Yep just so it would take a long time to know the passcode but just from outside here we can shoot inside here and get in. - That's nuts man. I mean if you think about it. There's a lot that has to go on. There's a lot of alignment issues. There's a power issue getting the laser in the right spot. Some of the systems like Siri, for example. We can get Siri to tell us the time and the date and stuff but we couldn't get Siri to open the garage door while it was locked.

So, I don't think people are like crazy vulnerable right now but this demonstrates a capability that most people did not understand, which is that light can influence MEMS microphones, correct? - Yes. The best way to defend against this attack at all is just keep your devices out of line of sight. If someone can get line of sight on the microphone then you might be able to influence it. That's the best way for a normal person to defend against it.

  • Okay, so we controlled a device, which has the ability to control things in your house, through a window, with a laser. We did it with a visible laser, but it's also possible with an infrared invisible laser. I want everyone to know this. Send this video to someone. When I was thinking about what to say in this outro, I was like, you know what, I'm just going to try something crazy.

Hey Google, unlock the garage. - [Google] Can I have your security code to unlock the garage? - I'm able to communicate with that thing from outside of the house and it's just the passcode keeping me from getting in. This model of door lock behaves differently. Hey Google, unlock the front door. - [Google] Sorry, I can't unlock the front door remotely.

Now, I'm not saying that the ability to unlock the front door is altogether bad, in fact it's life changing for some people. My uncle's in a wheelchair and the ability to remotely answer his door is huge. But I think we will all agree there certainly needs to be a limit on the number of passcode attempts you can try. This video is not about throwing stones at any one company. It's just a realization that sometimes when we design things with one intended purpose.

Sometimes they have other features that we didn't know about. As a mechanical engineer, I would have never thought to shoot a laser at a microphone. As a computer scientist or a software engineer, when you design a system to be rock solid, your code is good. The moment you plug that into another system, you inherit all the vulnerabilities of that system as well. You as a consumer have to be thinking about your own security and safety.

Configure your systems to best protect you and your family. Please consider subscribing to this channel if this is the kind of internet you like to watch. I hope you enjoy it, it's certainly the kind of internet I like to make and I hope it adds value to your life. If it really adds value to your life then Patreon.com/smartereveryday is a way you can support the channel and kind of isolate me from the ebbs and flows of all kinds of stuff like algorithm stuff and like sponsors and that's the best way to help me make internet like this.

Patreon.com/smartereveryday. Please consider that, if not, no big deal. I'm just glad you're here. This was awesome and fun and I'm honored that you gave me your time to watch this video. A huge thanks to Ben Cyr for coming down. He's a Ph.D. student at computer science at the University of Michigan. He worked on this project with all of these people. He wanted me to make sure that you saw their names because they worked very hard on this as a team and I'm grateful for what they've done.

So if people want to read the paper that you guys wrote where do they do that? - So that's at the LightCommand.com website is where we have all of our demos and the paper. - [Destin] That's awesome man, thank you so much for your time this was wildly interesting. Later buddy. - See ya. - [Destin] I said, see ya, like you're leaving or something. (both laugh) Whatever, let me help you clean up. Thank you so much for coming here.

More Articles

View All
HANDLING NARCISSISTIC PERSONALITIES: 10 EFFECTIVE STRATEGIES | STOICISM INSIGHTS
Welcome back, Stoicism Insights community. Today we’re delving into a topic that’s both timeless and practical. Ever wondered how the ancient Stoics handled difficult people and challenging situations? Get ready to discover powerful strategies to navigate…
In Ancient Rome, War Was the Norm. Then Peace Broke Out. | Big Think
Rome is an extremely highly militarized society in a way that is, I think, inconceivable to us. There, the level of military activity is something that sort of approaches what we were familiar with in the First and Second World Wars, but kind of the long …
Multiplying using area models and the standard algorithm
What we’re going to do in this video is multiply the numbers 352 and 481, and we’re gonna do it in two different ways. But realize that the underlying ideas are the same. So first, let’s just appreciate that 352 can be rewritten as 300 plus 50 plus 2, or…
Bhakti movement | World History | Khan Academy
In other videos, we have talked about the various empires of India. As we exit the Vic period, we talk about the Moria Empire, famous for the ruler Ashoka, who converts and then spreads Buddhism. As we get into the Common Era, we’ve talked about the Gupta…
WHAT IS THIS LINE? (on my Super Blue Blood Moon Photo) - Smarter Every Day 188
Hey, it’s me Destin. Welcome back to Smarter Every Day. Super. Blue. Blood. Moon. I heard those words and I was like, “Mmhmm, that’s my life now.” So, here’s the deal. “Supermoon” refers to the fact that the Moon goes around the Earth in an ellipse. When …
ZOMBIE Bugs!!!: Mind Blow 12
Nes breathalyzer and what’s so great about these balls? Ah, Vsauce! Kevin here. This is mind blow. In Sonic CD, don’t make the blue blur wait too long or eventually he’ll say, “I’m a game,” and he’s dead. What Yoshi’s Island contains the zombie glitch? Wa…