Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

New ‘LidarPhone’ Attack Uses Robot Vacuum Cleaners for Eavesdropping

A group of academic researchers has devised a new eavesdropping attack that leverages the lidar sensors present in commodity robot vacuum cleaners.

A group of academic researchers has devised a new eavesdropping attack that leverages the lidar sensors present in commodity robot vacuum cleaners.

Dubbed LidarPhone, the attack relies on traces of sound signals that are extracted from laser reflections to capture privacy sensitive information, including speech during teleconference sessions. It could also be used to spy on a victim’s TV habits and perhaps identify their political orientation.

Devised by a group of five researchers from the National University of Singapore and University of Maryland, College Park, the attack “achieves approximately 91% and 90% average accuracies” when used to collect spoken digits and music, respectively.

This novel acoustic side-channel attack is possible because the vacuum cleaning robot, a seemingly innocuous household device, is equipped with lidar sensors, which help it measure the distance to different objects by emitting laser light and measuring its reflection.

Sounds, the researchers explain, are pressure waves propagating through the medium’s vibrations, which are induced to surrounding objects. Thus, subtle physical vibrations are created within the solid material.

“The fundamental concept of LidarPhone lies in sensing such induced vibrations in house hold objects using the vacuum robot’s lidar sensor and then processing the recorded vibration signal to recover traces of sounds,” the researchers explain.

The same method is used by laser microphones and basically LidarPhone transforms the lidar sensors on the vacuum cleaning robot into microphones. Challenges that the new attack faces, however, include the low signal-to-noise ratio (SNR) of the reflected signals and the lidar’s low sampling rate, due to the robot’s rotating motion.

LidarPhone

According to the researchers, some of the main limitations of this attack include the fact that the intensity of sound vibrations is lower when objects are not in direct contact with the speakers, and the fact that the robot is continuously moving when operational — thus, it is more plausible to launch an attack when the robot is idle.

Advertisement. Scroll to continue reading.

The researchers implemented LidarPhone on a Xiaomi Roborock vacuum cleaning robot and concluded that it can achieve high accuracy for digit and music classification. They also argue that, unlike state-of-the-art eavesdropping attacks where physical presence is required to deploy the surveillance equipment, LidarPhone eliminates this step — the attacker only needs to somehow compromise the targeted vacuum.

“LidarPhone allows the adversary to obtain privacy sensitive speech information from laser beams reflected off of minutely vibrating objects (such as a trashcan or a takeaway bag) located near the victim’s computer speaker or TV soundbar. […] While we investigate lidars on robot vacuum cleaners as an exemplary case, our findings may be extended to many other active light sensors including smartphone time-of-flight sensors,” the researchers say.

Related: New Eavesdropping Technique Relies on Light Bulb Vibrations

Related: Power Supply Can Turn Into Speaker for Data Exfiltration Over Air Gap

Related: Air-Gapped Computers Can Communicate Through Heat: Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.