Hacker News new | past | comments | ask | show | jobs | submit login
Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors [pdf] (umd.edu)
131 points by aleksi 14 days ago | hide | past | favorite | 68 comments

Hello all, I'm Sriram, the first author of this paper. We were inspired by the idea of laser microphones as an audio eavesdropping vector, and tried to find a way to use LIDARs similarly, even though they're not designed for this purpose at all.

In the near future, what I think is scarier is the possibility of executing the same attack through self-driving cars LIDARs. Perhaps this would allow attackers to spy on conversations in cars that are driving beside you or stationary next to you at traffic lights.

What materials did you find were most difficult to perform this attack on? I am guessing material like wood or rubber does not vibrate enough to observe a pattern? Also wouldn’t you be able to prevent this attack by having audio generators that generate near random audio signals that mask the data the attacker is seeking?

Right, good question. Anything that is very rigid and heavy doesn't vibrate enough when we play sound near it. I would say it's more about the thickness and weight of the target object than the material itself. For example, a very thin piece of wood would work much better than a wooden table leg. In the paper we actually test against ten different objects that are likely to be within reach of the robot vacuum cleaner.

The difficulty with masking this attack is that you need audio playing at a comparable volume near to the legitimate speech sources, which might be pretty disruptive. In the case of background white noise generators, for legitimate audio playing at around 70 dB SPL, we don't lose much accuracy until the background white noise exceeds 75 dB SPL.

Very interesting. All the new phones have lidar built in that works up to 30 feet away. In theory with the technology you applied here, it would be possible for them to eavesdrop without a microphone.This is almost as unsettling as the cameras that can visualize WiFi reflecting off human skin through walls. Its a matter of time before a commercial model hits the market. https://youtu.be/fGZzNZnYIHo what a brave new world we are about to live in.

Hi Sriram! Nice job. BTW, did you investigate what data the roborock vacuum actually send to its servers?

Hey! Actually, this was investigated previously by Dennis Giese here (https://recon.cx/2018/brussels/resources/slides/RECON-BRX-20...). He also has a number of related talks (https://dontvacuum.me/talks/topics.html).

Seems like quite a number of things including WiFi SSID and lat/long info are sent.

Thank you very much!

Very cool! Is there some way to tell from the outside whether or not the LIDAR is rotating?

Thank you! For the Xiaomi Roborock S5, the plastic housing around the LIDAR makes it hard to see if it's rotating when you're standing above it. If you bend down and look at it side-on, you can tell whether it's rotating or not.

Side-on: https://www.androidpolice.com/wp-content/uploads/2020/03/Rob...

Some feasible ways to stealthily perform the attack when the LIDAR is not rotating could be: a) attack when docked at the charging station, or b) hiding under furniture.

If only my Roomba was that smart, I wouldn't probably worry about eavesdropping: right now it can barely clean my floor and lock himself in the bathroom forever.

Jokes aside, which Robot Vacuum Cleaner is equiped with a LIDAR? So far the only ones that I've seen barely have a proximity sensor, fall sensor and IR sensors . It could be that I've only bought and seen the cheapest versions though.

Roborock are really nice and not that expensive. I've actually been really impressed with just how well it maps the floors. The other day I had to clean some cat fur out of it mid cycle, placed it in a totally different part of the room that wasn't in sight of the dock and it was able to fairly quickly figure out where it was.

Have one of those and it is really impressive. Automatically detected all rooms, so that i can just tell it to clean a specific one. No matter where i put it, it knows where it is even if i have rearranged some chairs etc.

Ate 2 charging cables tho

To find out its position relative to the map it uses Simultaneous localization and mapping algorithm.

I bought an S50 from China and it constantly errors out on carpet. It seems to be a common thing, I guess China doesn't do full carpet like we have in the US so it's something they didn't test for on my version.

The lidar is impressive though. Cleans way faster since it's taking efficient paths.

They don't like some patterns, I suspect that straight dark lines are detected as possible drops

Roborock being xiamoi, I'd be cautious about data collection.

Reason why I got a Roomba was because I trust iRobot more

The roborock S5 and older models can easily be rooted, and you can install alternative open source firmware [0], newer models still require hardware disassembly in order to flash the firmware, so it's not quite user friendly yet [1]

For newer versions you can however extract the API token from the app, and use it to control the vacuum without internet access and block its external internet access, since the vacuum uses a known protocol. [2]

[0] https://github.com/Hypfer/Valetudo

[1] https://github.com/dgiese/dustcloud/issues/213#issuecomment-...

[2] https://github.com/marcelrv/XiaomiRobotVacuumProtocol

I did this with my S5. It's not the easiest operation, but the nice thing about the device is that a factory reset is an actual factory reset, so you can always start over with factory firmware if you mess up.

I use a Wireguard VPN to access the Vacuum's web UI to control it; it has no internet access at all.

It’s on its own WiFi network for this reason.

Roomba isn’t even a close competitor in terms of cleaning performance, especially for the price.

It is probably better for China to have your data then USA, because they probably don't share (unless you live in China)

> which Robot Vacuum Cleaner is equiped with a LIDAR

Neato, all versions.

Love my D7. Really helps with a dog being able to easily clean the house to pickup bits of paw dirt, grass, debris, etc.

Far from perfect, but it makes cleaning the house once a week far easier, as the robot does a 90% or even 95% job every single day.

D5 and cat here. I totally agree.

Some like the deebot even have common household object detection in addition to the lidar and can move around them. Not sure how well it works in practice.


Here is some overview: https://dontvacuum.me/robotinfo/

This is indeed a very useful page. Thanks!

Looks cool! Do you know by any chance who are they selling the floor map data to?

If their ops sec doesn't get any better, they may just give them away.


Xiaomi has been making Lidar vacuums for 4-5 year now.

Shark IQ has a camera. It requires you to have some level of lighting in the house while it runs. Otherwise it can’t do it’s smart navigation

LG Hom-Bots have a camera which looks to the ceiling in order to do SLAM. It's not a lidar, but a good enough spying device.

> which Robot Vacuum Cleaner is equipped with a LIDAR?

I think Tesla made one

Neato had lidar from day one and launched a couple years after the first roomba. then irobot bought them and kinda killed it.

I don't think this is true, Neato is not owned by iRobot

my bad. they were acquired by a german company not irobot. at the same time irobot bought another company that used indoor GPS, Mint. And neato launched a bunch of meaningless model numbers to jack up the price, just like irobot. Mixed it up because of all that (not sure it makes it any better :)

Neato was never acquired by irobot. The current Neato line is actually really good.

The "Evil Maid" class of attacks have a new vector: "Evil Digital Maid/Butler" (assume pervasive, fully compromised electronic assistants).

iPhone "Evil Maid" => GPS, Mic, Camera, Digital User Impersonation [post social network messages, iMessage, etc.]

HomePod "Evil Butler" => Control HomeKit, Mic, Playback Arbitrary Recordings [freeze, this is the police, etc., impersonate a significant other]

Roomba "Evil Maid" => Lidar (mm-resolution depth-camera?!?), Virtual Mic, Push/Close Doors, Push/Move Objects [tip over a table w/ candle]

WiFi Cams "Evil Maid" => Camera, sometimes speakers, sometimes motion control

...if this is how the robot uprising begins, we're a long way from Terminators / SkyNet, but easy to see entire classes of vulnerabilities which are pretty obvious in retrospect.

If you haven't seen "Enemy of the State" or "Conspiracy Theory", they're great movies with a similar premise: "What if 'the system' turned against you?"

I would also recommend “The Conversation” (1974). Not because the vision of surveillance is up to date, but because it’s a much better movie and (sort of) prequel to “Enemy of the State”.

If you're playing around with this, it might help to be root on the vacuum. https://github.com/dgiese/dustcloud

It's mentioned in the linked paper at the top of page 7. You must have missed it. Or perhaps you didn't read it completely ;-)

Yes, this is really cool project that we used in the paper as well!

Human maid vs robot vacuum cleaner... I'd take my chances with the robot.

Vs. pushing a Dyson around.

Human maid in the western world costs real $$$

To be fair so does the robot

Not in Indian subcontinent. I pay my maid $160/month to clean, mop, cook and wash utensils. A roborock costs $550.

Here's a clearer photo of the setup -


It's interesting work. It's a kinda like finding a really weak seemingly impossible to use buffer overflow and now someone has to weaponize it and put it into easy to use metasploit to become just one of 1000s of things to have available.

Personally I'm surprised all these robots don't have microphones yet. Not being able to talk to robots makes them pretty lame.

Hi, first author of the paper here. We also consider this as part of the increasing arsenal of smart-home attacks, which can be opportunistic and long-term. Also given that it's an offline attack, as signal processing / machine learning methods improve, perhaps the lidars signals an attacker collects could eventually become intelligible audio.

I was also surprised that they don't have microphones. I guess the developers would prefer to have that on the companion app instead.

In reality though I never have my lidar robotvac running when I am at home. Even less having a conversation as all robotvac are loud. I personally would be still more concern about all voice activate device (alexa etc).

Isn't the implication that someone has already compromised the robot? So it wouldn't be running necessarily?

This is why I make sure to whisper when entering my 2FA codes.

Are you one of those people who moves their mouth when reading silently?

I think not. But with 2FA codes/phone numbers/IP addresses, I tend to repeat back to myself what I'm trying to remember a in a melodic way.

Ya, most people do that in their mind.

This reminds me of the LibreRVAC project:


Terrifying when you think of the implications this has on self driving cars and the latest smartphones.

smartphones have some sensors that are more useful to the ad company then myself

Given that these vacuums also have a speaker, could that be used as a microphone as well?

I believe there is previous work that re-wires / re-purposes speakers to be used as microphones. However, my understanding is that this requires the hardware itself to be modified.

This is stupid; if I'm going to be able to sneak an entire robot vacuum cleaner into the victim's environment, I'm putting an actual microphone and even camera in there, and not messing around with LIDAR bouncing off vibrating paper cups.

Who says you get to put a microphone and a camera in there?

You work with what you have. Ideally you'd have a microphone, but maybe that robot vacuum cleaner of your target doesn't have one. And maybe you also don't have access to other devices which have one.

But, TBH, I wouldn't be surprised if today's vacuum cleaners have a microphone in them. "For voice commands", you know?

Recently I bought another TP-Link HS110 Wifi Plug, and while working on reading it automatically every couple of seconds with a Python script, I noticed that a response contained a field labeled "mic_type":"IOT.SMARTPLUGSWITCH". "mic_type"?

Some time ago the German router producer "AVM" had to explain why their DECT smart-plugs had a microphone in them.

How effective will a microphone attached to vacuum cleaner be though?

When it's not running? Probably pretty effective. As long as it's in the same or a nearby room as the target.

With AI probably better, from what the advances of AI on image/video improvement have shown.

But a clever hacker would probably drive the vacuum cleaner to a better location and then make the "low battery" led blink and leave it there ;)

The attack presented in the paper replace only the software without hardware intervention. It requires someone to MITM the robot update service, and that's not impossibile considering that someone still delivery software updates via HTTP.

The scenario does not involve "sneaking" in a robot vacuum. It's just another attack vector to pursue when looking to bug a target. Maybe you can't get a 0-day on their Alexas or their Nests, but you do have one for their vacuum. You remotely update the firmware on the vacuum to exfiltrate the sound that way.

Most people didn't realize that the :visited selector represented a danger until someone figured out how to get your browsing history by abusing it.

HN Bingo: Commenter doesn't recognize an obvious joke and responds seriously.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact