Breaking Into a Smart Home With A Laser – Smarter Every Day 229

Breaking Into a Smart Home With A Laser – Smarter Every Day 229


(Smart Lock Opening) (Smart Lock Dingsl) – [Destin] It just worked. – [Ben] Yep. – Alexa, Okay Google,
Hey Siri, set a reminder to subscribe to Smarter Every Day. You have a microphone
listening to you in the room right now, what I just did probably worked to a small percentage of you. That is terrifying. Another thing that is
terrifying is there are ways that you can get signals into phones and all these microphones
that you might not know about. I read an academic paper. First of all, I was like,
please don’t be real. Turns out it is real. So, I don’t think
there’s anything to panic or freak out about. We just have to be clever about
how we set up our devices. But, this video is about
me inviting the person that was on the team that wrote the paper to my house, performing
the test for myself so I could prove that
this really does happen and then informing you
so that you know how to configure your devices. So, I hope this video
earns your subscription and possibly even your support on Patreon. Let’s go get smarter everyday. Hey, it’s me Destin, welcome
back to Smarter Every Day. I didn’t plan this out very well. So I’m at Best Buy on Black Friday. We’re gonna go buy some
smart home products because there is a
vulnerability, we’ll call it of many of them that most
people don’t know about. Let’s go met Ben, whose
been doing some research on this, he should be at the
smart home product aisle. You’re Ben right? – Yes, I am. – [Destin] Nice to meet you dude.
– Nice to meet you. – You even got a shirt look at you. So Ben works at the
University of Michigan. You’re from Huntsville, right? – Yes. – Okay, and you’ve been
working on this way to exploit smart home products with lasers. So this is new data. – [Ben] We had it go
public about a month ago. – We’re gonna buy some products right. – Yep. – Some some we can
control with Amazon Alexa and the Google Home. – And maybe Siri, if you
want to try your phone. – Siri, okay yeah, let’s try it. Let’s see what we got. After a few minutes of
deciding what products to buy, it became clear to me that
Ben had specific knowledge about the vulnerabilities
associated with each individual device. – There are some software
problems with how August handles this, which
makes it more vulnerable. So you can still get a
signal into it but it’s the range is reduced a lot
because it gets attenuated by the fabric. – [Destin] So we have a
garage door, a door lock, we have a thermostat, now
we’re getting a light bulb. There you go man. – Thanks. (Destin giggles) Think we should have got a cart. – I don’t know if you noticed lately but there is a ton of
advertising dollars being spent on trying to convince you
to put smart home products in your house. So there is no sponsor for this video. I wast to say thank you
to everyone that supports at Patreon.com/smartereveryday. You allow me to make videos like this. No sponsor dollars whatsoever. So thank you because the
patrons are who allowed me to purchase these
products, take them home and unbox them. In a smart home you have
two types of devices. You have all the stuff that
designed to be controlled like lights, thermostat,
power outlets, even door locks and a garage door opener. All of that can be
controlled by all of this to make your life more convenient. We have products from Google,
Samsung, Apple, Amazon. All of this stuff you can
use your voice to get around the password requirement
and literally control things in your house. So the question is, is
there a way to input the voice command from
a long distance away and control things in the
house without permission? We only had a few hours
to do this demonstration so I started setting
everything up in the house, which felt a little bit
like inviting big brother into the house and Ben
started setting up his laser, which was surprisingly low tech. In fact, at one point
he had an issue with it and he fixed it really
quickly with a soldering iron. Anyway, he’s going to use
a 450 nanometer blue laser for this experiment, but
Ben said this technique works with several different
wavelengths like red, green or even infrared,
which humans can’t seen. Hey Google, we’re about
to shoot you with a laser. – [Google] I’m sorry, I don’t understand. – (chuckles) You will. Let me show you what we’re about to do. If you were to look at
any of these devices, you would see these little holes on them. You have to zoom in really really tight but you’ll see them, they’re right there. And behind that hole is a
special type of microphone. It’s a micro electro mechanical
system or a MEMS microphone. I’ve asked Ben to send me
a sample of all these MEMs microphones and he sent me this. So these are different
manufacturers and these all go in different types
of devices depending on if you have a Samsung or
an iPhone or whatever it is you have. What we’re going to do is
I’ve 3D printed an adaptor for the GH5 camera here. We’re gonna put this camera
on top of the microscope here and we’re going to look
at these microphones and see exactly how they’re designed. Let’s start by looking at this
one on the upper right here. Manufactured by CUI. Okay as we zoom in on this thing in focus, you can see it kind of
looks like a gold bar and that’s because that
is the can that this thing is housed in. If we scroll over to
the microphone itself, once we take that can off, look at that. We can zoom in a little bit,
that super tiny diaphragm is the exact thing that
vibrates due to sound. According to the stuff I read
it’s kind of like a flexible film and when it’s charged up,
it functions like a capacitor and when that film flexes
because of the sound that’s hitting it, the capacitance changes and that’s detectable by
the circuit it’s attached to and those changes can then be converted into a digital waveform. You can see there’s a
lead going to one side of the diaphragm and
I’m assuming that lead on the other side maybe ground. If you can look this up on
Digi-Key this part is only about $0.45 depending on how many you buy. Okay, so now let’s go
down to the bottom right of this slide here and
let’s look at this one manufactured by PUI. This design is different, they
use a Piezo Electric element instead of that capacitance
diaphragm technique. But this is fascinating. Look how complicated this design is. That membrane and those little zig-zags, they went to great lengths
to manufacture this. The next one is similar. It’s by Vesper. It’s also Piezo Electric element. Look at it though. It is round in design,
whereas that last one was that square shape with the zig-zags. So this is very different. I don’t know if that membrane over the top has anything to do with
waterproofing or not. All these form about the
eight o’clock position all the way to the top,
they’re manufactured by a company called Knowles. Okay, let’s zoom in here on the SPV 08A. Look at that, it looks
like a single diaphragm just like that other one earlier, only there seems to be
these little holes in it. Man, I love microscopes and the last one I want
to show you is this one right here at the very top. Okay, there is the
housing, again once we take the housing off look at
that, there are two little diaphragms there. That is fascinating, really,
really cool to look at and think about all these
things that are listening to us all the time. If I am typing on my phone. I know exactly what inputs
I’m able to give the phone and those turn into
commands and things happen. This is different. This is an always listening
microphone that also is given through software
the same authority to provide commands to my phone. Ben is not going to stimulate these things with acoustic energy. He’s going to hit it with a laser beam and somehow that is gonna
provide energy into it in a way that the phone can understand and it provides a command. So to do that, I have
to understand how light is getting a command to my phone. I don’t really understand. So how does light input
sound into a device? – So, there’s a couple of different ways that we think it’s working. We’ve talked with some
vendors and manufacturers and some of them think that it’s actually like a photoelectric
effect, where basically you have light entering
the MEMs microphone device, bouncing off some of the walls and hitting the electronics to induce
a current just from light interacting with silicon. But there’s also a potential
with some of our experiments we’re seeing that maybe
there’s some thermal effects on the membrane of the
microphone that’s causing it to expand and causes vibration as well. So we’re still in the process
of figuring out exactly what’s going on. – Okay, we finally have
all the devices set up. Ben is sitting here with
the laser ready to go. And we have this camera here looking at this Nest thermostat. We have this Google Home here and we’ve got the microphone
right here that we’re going to be aiming for. We’re gonna be monitoring
it with Nest cameras of course, that cameras
gonna see when the laser cuts on. I think we are ready to laser
google up because science is about to happen. All right, so it’s this
button right here that says Laser On, right? All right here we go. So you have to record something
that you’re going to say in the laser, right? – Yes. – Okay, so what are you going to tell it? I guess it’s my house, so it
should be your voice right? – Okay Google set the thermostat to 70. – [Google] Okay, setting
entryway to 70 degrees. – Okay it did that because it heard you. I’m going to go ahead
and turn it back down. We know that that’s an active
command that will work. I’ve changed the thermostat back. The next step is the
laser is shining right. – [Ben] Yes. – Okay, so the thermostat’s set low. The laser is now hitting the microphone. Give me a countdown and
tell me when you are going to attack. – Okay, so three, two, one. – [Google] Okay, setting
entryway to 70 degrees. – So that worked. – It worked. So you just used lasers
to set my thermostat without any volume whatsoever. Like I didn’t hear anything. Okay, go for it. – [Google] Okay, setting
entryway to 65 degrees. – That’s crazy dude, that’s crazy. There it is, 65, man. Okay, now we are going to attack an Amazon Echo Dot 3rd Generation. Let me see your waveform,
what are you gonna have it do this time. – [Ben] So we’re gonna
have it set the light above it to turn green. – [Destin] That light above it. – [Alexa on Amazon Echo Dot] Okay. Okay. – What’s happening ha! Well, it’s blue now. – [Recording of Ben’s voice] “Alexa, set
the hall light to [green].” – I was trying to set it to green but it turned blue, but it
did pick up the lights part. – Clearly it wasn’t perfect. Something’s happening but we
got the lights to change on. So we’re gonna call
that a win against Alexa and then we’re going to move
forward and go for Siri. Okay, there’s a couple of
these smart phone products where if you beat it,
like it spoof it somehow, it’s a huge security issue. Hey Siri, open the garage. That’s a big deal, okay. So, I just installed this little
bitty box on my garage door opener and suddenly if
somebody can get that command in my phone they have access to my stuff but the thing about this
is we were trying to bang all these things out in one night and we ran into some issues. With an iPhone, there’s
a few different things that make it different. Number one, if you are
trying to talk to it, it’s not just listening for anybody. It’s listening for a specific
voice on a specific phone. That can be beat pretty easily though. Can you try to sound like me. – I can. (laughs) Hey Siri. (both laugh) Hey, it worked. – It worked. (laughs) Okay, yeah, so we beat that all right. Number two, sometimes
if the phone is locked, this will happen. – [Siri] You’ll need to
unlock your iPhone first. – Hey Siri, open the garage. – [Siri] You’ll need to
unlock your iPhone first. – That is very important. The decision to not allow
an assistant to open or unlock anything unless
the phone is unlocked is very crucial. I haven’t tested this Samsung
or any of the other phones but that is important. And I can only assume that
they’re doing the same thing. There’s another way phones
are different though. Phones are sometimes a
little more difficult than home assistants
because the microphones are deeper or sometimes
angled inside the hardware. We spent about 25 minutes
trying to align the laser to the iPhone 11 but
because Ben had a flight the next morning. We decided to stop because
he said he was gonna send me this footage from his lab. But they figured out how to
open things with an iPhone 10 using lasers or iPhone X, I
don’t know what you call it. (phone chimes) So at this point, I think we
have to move outside, right? – Yes. – Okay, now we are outside with the setup and we are shooting through a window. Let me show you the window here. So, glass right here and
we are shooting directly at that right there. And the idea is to trigger
this thing in such a way that it will unlock the
garage door right here. This is an August brand lock. And my understanding of this
lock is you have to tell the Google Home to unlock
it and then there’s a pin code, is that correct? – Yes, so it asks for a pin code and the user would give one. But the problem is there’s
no limit on the number of pin codes you can give. So an adversary could just
brute force go through all the pin codes and it may take all night but you could eventually
get to the right pin number and open the lock. – Okay, so basically
you would say, Google, please open the garage and it’ll say, “What is your pin code?” And you say. – 0000. And then it’ll be like, “That’s wrong. “Try a different pin code.” And you’d say, “0001”. And you just keep doing
that until you get through all the numbers. – That’s crazy. So what we’ve done here
is we got this setup. We’ve loaded two wrong pin
codes and then one right pin code and we’ll see if we can do it. All right, ready to fire. – [Google] Can I have your security code to unlock the garage? – [Ben] Bringing up August lock. – [Destin] It is bringing. – [Google] Sorry, it
looks like the security code is incorrect, can I
have your security code to unlock the garage? Sorry, it looks like the
security code is incorrect. Can I have your security
code to unlock the garage? – [Destin] We have no idea,
like I can see the screen flash but we have no acoustic
feedback so we have no idea what it’s saying. – [Ben] Yeah, which is where something like a laser microphone would be really useful. – [Google] Sure, requesting
to unlock the garage. (Smart lock opens, electronic chime) – [Destin] It just worked. So you just busted open my garage. – [Google] The garage has been unlocked. – That’s crazy. From outside dude. Oh man, hey, gah-lee
that’s not even right dude. That’s crazy man. – Yep just so it would take a long time to know the passcode but
just from outside here we can shoot inside here and get in. – That’s nuts man. I mean if you think about it. There’s a lot that has to go on. There’s a lot of alignment issues. There’s a power issue getting
the laser in the right spot. Some of the systems
like Siri, for example. We can get Siri to tell
us the time and the date and stuff but we couldn’t get Siri to open the garage door while it was locked. So, I don’t think people
are like crazy vulnerable right now but this
demonstrates a capability that most people did not
understand, which is that light can influence MEMs microphones, correct? – Yes. The best way to defend
against this attack at all is just keep your devices
out of line of sight. If someone can get line
of sight on the microphone then you might be able to influence it. That’s the best way for a normal person to defend against it. – Okay, so we controlled a
device, which has the ability to control things in your
house, through a window, with a laser. We did it with a visible
laser, but it’s also possible with an infrared invisible laser. I want everyone to know this. Send this video to someone. When I was thinking about
what to say in this outro, I was like, you know what,
I’m just going to try something crazy. Hey Google, unlock the garage. – [Google] Can I have your
security code to unlock the garage? – I’m able to communicate
with that thing from outside of the house and it’s
just the passcode keeping me from getting in. This model of door lock
behaves differently. Hey Google, unlock the front door. – [Google] Sorry, I can’t unlock the front door remotely. – Now, I’m not saying
that the ability to unlock the front door is altogether bad, in fact it’s life changing for some people. My uncle’s in a wheelchair and the ability to remotely answer his door is huge. But I think we will all
agree there certainly needs to be a limit on the
number of passcode attempts you can try. This video is not about throwing
stones at any one company. It’s just a realization that
sometimes when we design things with one intended purpose. Sometimes they have other features that we didn’t know about. As a mechanical engineer,
I would have never thought to shoot a laser at a microphone. As a computer scientists
or a software engineer, when you design a system to be rock solid, your code is good. The moment you plug that
in to another system, you inherit all the vulnerabilities
of that system as well. You as a consumer have
to be thinking about your own security and safety. Configure your systems to best protect you and your family. Please consider
subscribing to this channel if this is the kind of
internet you like to watch. I hope you enjoy it, it’s
certainly the kind of internet I like to make and I hope
it adds value to your life. If it really adds value to your life then Patreon.com/smartereveryday is a way you can support the
channel and kind of isolate me from the ebbs and flows
of all kinds of stuff like algorithm stuff and like sponsors and that’s the best way to help
me make internet like this. Patreon.com/smartereveryday. Please consider that, if not, no big deal. I’m just glad you’re here. This was awesome and fun and
I’m honored that you gave me your time to watch this video. A huge thanks to Ben Cyr for coming down. He’s a Ph.D. student at computer science at the University of Michigan. He worked on this project
with all of these people. He wanted me to make sure
that you saw their names because they worked very
hard on this as a team and I’m grateful for what they’ve done. So if people want to read
the paper that you guys wrote where do they do that? – So that’s at the
LightCommand.com website is where we have all of
our demos and the paper. – [Destin] That’s awesome man, thank you so much for your time this was wildly interesting. Later buddy. – See ya. – [Destin] I said, see ya, like
you’re leaving or something. (both laugh) Whatever, let me help you clean up. Thank you so much for coming here.