Presenters Reynaldo and Nyx gave a deep dive into the inner workings of the Halo 3C smart smoke detector at this year's DEF CON hacking conference. What they found is a Raspberry Pi-based device riddled with security issues that is currently widely deployed across school districts, housing developments, and other public buildings. Although that was not the original intention, the deep dive also uncovered questionable practices and promises made by manufacturers, and highlighted a lack in public service of the technological literacy needed to make informed decisions about IoT devices.
The investigation began when bored high school student Reynaldo found a strange device on his school's WiFi network. Upon further investigation, the device was identified as the Halo 3C, a "smart" smoke detector that markets itself as having vape, THC, and real-time air monitoring abilities. At the time, sourcing the device for further investigation was cost-prohibitive, as it retails for upwards of $1200. It wasn't until the device showed up on eBay that Reynaldo found out what was inside.
Inside the device is a host of sensors, including TVOC, PIR motion, temperature and humidity, CO2, particle sensors, and microphones, and at its heart is a Raspberry Pi Compute Module 4. Although the Compute Module 4 is designed for commercial applications, the discovery was still shocking, given the device's price point and how easily these types of devices can be modified. With this information in hand, Reynaldo reached out to Nyx, a member of a local hacking group, to help hack into the device.
Surprisingly, the researchers discovered that the device had weaknesses that bordered on negligence on the part of the manufacturer. For starters, the device lacked any form of secure boot, and the researchers were able to simply dump the CM4's contents and begin reverse-engineering the protocols. Next, they gained admin privileges in the hosted web interface by brute-forcing credentials, as there were no serious authentication methods in place. Lastly, the device would accept any payload during a firmware update, as it only needed the firmware file to be named correctly. As a bonus, the firmware files were available for free download on the manufacturer's website.
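The firmware-update weakness described above, seen from the defender's side as an added example (not code from the talk, the device, or the manufacturer): a name-only acceptance check next to one that authenticates the image content and refuses rollbacks. The file name, key, and images are constructed, and HMAC-SHA256 stands in for a vendor signature so the block runs on the standard library alone; a shipped device would verify an asymmetric signature with only the public key on board, since the storage can be dumped.

```python
import hashlib
import hmac

# All names and values below are constructed for this example.
EXPECTED_NAME = "firmware.bin"        # hypothetical update file name
VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key


def accept_by_name(filename: str, payload: bytes) -> bool:
    """Weak check as described in the talk: only the file name is examined."""
    return filename == EXPECTED_NAME


def sign(payload: bytes, version: int, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: the tag binds the image digest to its version number."""
    digest = hashlib.sha256(payload).digest()
    return hmac.new(key, version.to_bytes(4, "big") + digest, hashlib.sha256).digest()


def accept_authenticated(payload: bytes, version: int, tag: bytes,
                         installed_version: int, key: bytes = VENDOR_KEY) -> bool:
    """Hardened check: the image must be authentic and newer than what is installed."""
    if not hmac.compare_digest(sign(payload, version, key), tag):
        return False  # content or version was altered after signing
    return version > installed_version  # refuse rollback to older signed images


def demo() -> dict:
    genuine = b"constructed genuine image v5"
    modified = b"constructed modified image"
    tag_v5 = sign(genuine, 5)
    old = b"constructed genuine image v3"
    return {
        "name_only_accepts_modified": accept_by_name(EXPECTED_NAME, modified),
        "auth_accepts_genuine": accept_authenticated(genuine, 5, tag_v5, 4),
        "auth_rejects_modified": not accept_authenticated(modified, 5, tag_v5, 4),
        "auth_rejects_rollback": not accept_authenticated(old, 3, sign(old, 3), 4),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```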
Ultimately, the researchers were able to modify the Halo to do whatever they wanted. While they did not find any implementations of the microphones doing anything other than what the manufacturer said they would do, nothing is stopping other hackers, IT admins, or law enforcement from using the device's abilities in ways that go entirely against what the device is marketed for. Coupled with the fact that this device is already in retirement homes, schools, banks, and public housing projects, with one public official calling it an "expert witness" for prosecuting individuals, this paints a bleak picture of what appears to be a growing, hidden IoT infrastructure of privacy invasion that is open to hackers and law enforcement alike.
Source(s)
DEF CON 33 on YouTube






