Smart Speakers vs Lasers & voice injection hacking

A couple of ways to protect your smart speakers from being hacked!

Last night, I watched a video made by Dustin from “SmarterEveryDay” about using lasers to trigger your smart speakers (Alexa, Google and Siri enabled gadgets). I had read about this concept before, but this was the first time I had seen it in action.

Attacked by lasers

Laser hacking is a physical attack in which the attacker stimulates a microphone membrane with laser light. The light stimulates the membrane in the same way sound waves would, creating the illusion that the command is being issued by the device owner rather than by a hacker standing outside the window.

Unless you are willing to brick up your windows or keep your blinds closed all the time (you could use automated curtains like these ones from Zemismart), there is very little you can do to protect yourself from a laser hacking attempt (an attempt, not a successful attack!). The best action is to limit what the attacker can do. Most consumer smart home systems have figured out how to protect sensitive voice actions from voice spoofing. While it’s possible to turn the lights on or turn off the heating, you are very unlikely to open a smart lock without providing a pin or unlocking your phone first.

How to combat lasers

I checked my smart speakers and, due to their placement, not a single one would be subject to a laser hack from outside. It’s fair to say that the risk of an attack like this is small, though the attack is not impossible. Dustin suggested that placing devices out of view, and checking which products require additional security steps, would be the best way to protect yourself from such attacks.

The whole experiment got me thinking about what else could be done to protect yourself not only from laser hacking but from voice spoofing in general, especially if you are running a DIY automation server.

3D Printing

The success of laser hacking depends on how accurately the laser can be pointed at the microphone. We can increase the difficulty of an attack like this by 3D printing accessories that obstruct the direct view of the microphone.

Amazon Echo stand by ftwo on Thingiverse

These 3D designs could range from sophisticated stands and hats that cover up the microphone holes to small and simple stand-offs that block access to the microphone hole.

I will point out a couple of disadvantages of this approach too. Since the 3D printed part will cover the microphone hole, it may decrease the accuracy of voice interpretation. This method will also be useless against sound injection attacks, as these don’t rely on a direct line of sight to the microphone.

Security: Consumer vs DIY

You don’t have to tie yourself down to a specific security standard if you plan your home automation smartly. Most of my readers are probably using HASS or NodeRED already, but if you rely on consumer systems, you are limited to what the manufacturer provides you with.

Standard Home Automation (top) flow vs DIY (bottom)

Voice spoofing and laser hacking work on the premise that the action will be executed without a safety check, and for most devices that holds true (lights, thermostats, smart plugs). You can, however, introduce an additional level of security for these devices too.

The strength of DIY security is probably the same as its greatest weakness: you are in charge of securing your home automation setup. On the positive side, you can create a unique ecosystem that is resistant to attacks and works with consumer solutions. On the negative side, implementing the security on your own can expose other vulnerabilities.

Play it to your strength and do it smartly.

2FA

A couple of weeks ago, I came up with a way to trigger a two-factor authentication prompt on your mobile for any action taken by a NodeRED server. In a laser hacking scenario, you would get a notification if the action is performed. You can set a default “decline” behaviour and authorise each action independently.

2FA prompt on Android phone

This extra security step would require you to have your mobile phone with you, but you can add the 2FA to any action on your server (from toggling bulbs, turning on devices, to unlocking doors and garages).

Lock your smart home

Outsourcing smart control to a NodeRED server means you can implement an extra level of security as needed. In this example, I will show you how to secure your smart devices against laser hacking and audio injections. The breach will still take place, but the system won’t be compromised as a result of it.

How does it work

Outsourced devices have to go through the NodeRED server before an action can be taken. Thanks to Alexa and Google Assistant integrations in NodeRED, I can intercept the voice command and run it against the extra security steps: triggering 2FA or, in this case, checking if the system is in a “holiday” mode.

Thanks to IFTTT I can disable and enable the lock by creating custom commands to interact with Google Assistant and Alexa (it’s a shame you cannot provide Alexa IFTTT with a number ingredient). While enabling the lock is pretty easy, to cancel it, I want to add a password for added security.

Saying “Alexa/OK Google enable holiday mode” will set the NodeRED system in a shutdown mode where each voice command will be acknowledged but not passed over for execution.

Drop-in a Holiday Mode node

I can use a global variable in NodeRED to store the state of the holiday mode and use it in all my flows. Just remember to preserve the variables so the data survives a server reboot.

As you can see, I can stop the execution just at the voice command entry, making this compatible with many other systems and skills.

Password Protection

Dustin also mentioned that there are no limits to how many times the pin can be entered to unlock a specific request. This is something I have fixed as well. In my flow, you can specify the number of failed attempts and how often this would reset.

FUNCTION NODE: Pass Check
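// Maximum number of failed attempts before lockout
var attempts = 5; //flow.get("attempts");
var pass = msg.payload;       // password submitted with the request
var currentpass = msg.pass;   // expected value supplied on msg.pass by the flow

// Failed-attempt counter; start at 0 if it has never been set
var count = flow.get("count");
if (isNaN(count)) {
    count = 0;
    flow.set("count", 0);
}

// Too many failures: route the message to the second output
if (count >= attempts) {
    msg.payload = "Wrong password entered too many times";
    return [null, msg];
}

if (currentpass === pass) {
    // Correct password: disable holiday mode and reset the counter
    global.set("holiday", false);
    flow.set("count", 0);
    msg.payload = "Holiday Mode disabled";
    return [msg, null];
}

// Wrong password: record the failure and report the remaining tries
count = count + 1;
flow.set("count", count);
msg.payload = "Wrong password try again you have " + (attempts - count) + " left";
return [msg, null];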

The password is stored in a hashed form in a flow variable. If the password matches, the holiday mode is deactivated and voice commands will work as normal.

Since you can submit a number with your voice command through IFTTT and Google Assistant, you can simply unlock your home with a command: OK Google, holiday mode disabled, pin #1234. With Alexa, you will have to use another way unless you are willing to hardcode the pin into IFTTT phrase (not the best idea).

Passwords are submitted via HTTP POST and I would strongly advise you to read my 5 min security guide to NodeRED to make sure your server lives up to some security standards.
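
As an added example (not the author's flow), this stand-alone Node.js sketch shows how the entry gate, a salted-hash PIN check and the failed-attempt reset window described above can fit together. The Map standing in for NodeRED context, the helper names, the salt and the PIN are constructed assumptions.

```javascript
const crypto = require("crypto");

// Hypothetical helper: derive a salted hash so the PIN itself is never stored.
function hashPin(pin, salt) {
  return crypto.scryptSync(String(pin), salt, 32);
}

// ctx is a Map standing in for NodeRED flow/global context (assumption).
function checkPin(ctx, pin, now, opts) {
  const { salt, storedHash, maxAttempts, resetMs } = opts;
  let count = ctx.get("count") || 0;
  const first = ctx.get("firstFail") || 0;

  // The failed-attempt counter expires once the reset window has passed.
  if (count > 0 && now - first >= resetMs) {
    count = 0;
    ctx.set("count", 0);
  }
  // Locked out: do not evaluate the PIN at all.
  if (count >= maxAttempts) {
    return { ok: false, locked: true, left: 0 };
  }
  // Constant-time comparison of two equal-length hashes.
  if (crypto.timingSafeEqual(hashPin(pin, salt), storedHash)) {
    ctx.set("count", 0);
    ctx.set("holiday", false);
    return { ok: true, locked: false, left: maxAttempts };
  }
  if (count === 0) ctx.set("firstFail", now); // start of the reset window
  count += 1;
  ctx.set("count", count);
  return { ok: false, locked: count >= maxAttempts, left: maxAttempts - count };
}

// Entry gate: in holiday mode a voice command is acknowledged but not executed.
function gateCommand(ctx, command) {
  return ctx.get("holiday") === true
    ? { execute: false, reply: "Acknowledged" }
    : { execute: true, reply: command };
}

// Constructed sample values for demonstration only.
const salt = Buffer.from("constructed-demo-salt");
const opts = { salt, storedHash: hashPin("1234", salt), maxAttempts: 3, resetMs: 60000 };
const ctx = new Map([["holiday", true]]);
```

Once the counter reaches the limit, even the correct PIN is refused until the reset window has elapsed, so guessing is limited to `maxAttempts` tries per window.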

Conclusion

Having a “holiday” mode can increase the security of your smart home system. Yes, you could run around muting each smart speaker every time you want to enable the “holiday” mode too, but there is a fine balance between home automation being safe and easy to use. Adding 2FA to lights may seem like an odd idea, but having the prompt available when the garage door is open, or disabling the system altogether when you are not going to use it, seems smart! This solution isn’t a fix for every scenario, but it can definitely make it harder to hack your smart system. If you have any questions about the article, let me know in this Reddit thread.
