A new security flaw has been found in robot vacuums, with researchers warning their laser-based navigation systems could be hacked to record private conversations.
Scientists at the University of Maryland’s Computer Science department have demonstrated a system they call LidarPhone, which can read vibrations in a robovac’s LIDAR laser navigation system generated by sound waves and use them to figure out the original sound.
The team successfully hacked into a Xiaomi Roborock vacuum and was able to take over its LIDAR system, allowing the scientists to control the beam and receive data from it without interfering with its navigation.
The researchers then captured signals bouncing off a variety of household objects as two different sound sources played – a human voice reciting numbers over computer speakers, and TV shows played through a sound bar – and fed them through deep-learning computer algorithms. They found that LidarPhone was able to identify and match spoken numbers, as well as the TV shows, with 90 per cent accuracy.
An illustration of the LidarPhone attack, where a hacker uses a robot vacuum’s LIDAR sensor to record sensitive information from a videoconferencing call. (Image: University of Maryland)
According to assistant professor Nirupam Roy, the research reveals a security hole in devices we often welcome into our homes without a second thought.
“We have shown that even though these devices don’t have microphones, we can repurpose the systems they use for navigation to spy on conversations and potentially reveal private information,” he said.
Roy highlighted the risk of LIDAR-based spying being used to gather data such as spoken phone and credit card numbers from people working at home.
“What is even more concerning for me is that it can reveal much more personal information. This kind of information can tell you about my living style, how many hours I’m working, other things that I am doing.
“And what we watch on TV can reveal our political orientations. That is crucial for someone who might want to manipulate the political elections or target very specific messages to me,” he added.
Roy warns that other devices, such as infrared sensors in smartphones and motion detectors, could be used in a similar way.
“I believe this is significant work that will make the manufacturers aware of these possibilities and trigger the security and privacy community to come up with solutions to prevent these kinds of attacks,” he said.
Sound waves captured by a robot vacuum. (Image: University of Maryland)
Capturing sound using lasers is not a new technology, with laser microphones featuring in the kits of espionage agents since the 1940s. There is already concern from privacy experts that the maps generated by robovacs could be used to give advertisers data such as home size, layout, and other sensitive information.
