Ask Hackaday: Can You Hack An Appliance Into A Spy Device?


A story surfaced a few days before Halloween on Russian news site Rosbalt (yep, that’s in Russian), claiming Russian authorities intercepted Chinese-made electric irons and kettles, each equipped with a microphone and WiFi. You can read a summary in English on the BBC’s website. The “threat” posed by these “spy appliances” is likely the result of gross exaggeration, if not downright fear mongering against Chinese-made products. It’s not worth our (or your) effort to speculate on what’s really happening here, but the situation does present a fun exercise.

Say you wanted to spice up your pen testing by altering a small home appliance: how easily could you build it? Let us know in the comments which appliance would serve as the best “host” for the modifications and what features you would include. Could you manage all the components listed in the article: a microphone, WiFi (any chance of cracking unsecured networks?), plus some vague indication that it “spreads viruses”? There’s a video below with a few glimpses of the electronics in question, but unless you speak Russian it probably won’t offer much insight.

http://www.youtube.com/watch?v=hkiqenPy8zY

[Thanks Johannes]

96 thoughts on “Ask Hackaday: Can You Hack An Appliance Into A Spy Device?”

  1. It would need to be something mains powered or with its own battery so you could hijack power.

    A coffee maker would be a good one, there is often some extra space under the water tank.

    perhaps using a wifi enabled sd card would be a good solution.

      1. You can also send data down it. There’s proprietary stuff that does it, but I remember an electronics mag, back in the day when people built stuff without microcontrollers, featuring their own invented version of X10 allowing communication over power lines. You could also buy intercoms that sent audio through your house through your power lines. So if the spy has access to the building he can pull the spied information across the mains. Even if not, it means the parts “in the field” need just be the mic and transmitter; the recording / other equipment can be hidden in a cellar somewhere.

        1. I just read a thread on avrfreaks yesterday about detecting zero crossing (the split second of 0v when you can send data) and apparently Atmel has a pdf on how to design something like that on their website.

    1. I think a dashcam would be a pretty nifty vector, people drive around so you constantly see new hotspots, and it’s powered by the car’s power. So yeah the dashcam is actually clever.

      As for the Chinese, I would sooner expect the US spooks to plant these things, even in Chinese exports. It’s the Americans who are constantly afraid of spy stuff in Chinese equipment and we have learned the reason is that they themselves do it (how else can they hack in every damn phone system, you think? Backdoors in the hardware/software that runs the phone system, I would say), so they fear others would do the same.

      1. The NSA has pretty well admitted that they have a “spigot” installed in major trunk lines. You don’t need anything but bandwidth for that. You also need a buttload of processing power to sift through all that info. Regardless of how well Grandma’s “secret” recipe for French egg noodles is kept, it isn’t something the NSA is interested in.
        As far as “every” phone system, I would assume that there aren’t more than a dozen different encoding methods in use in North America. ANY mass encryption is going to be relatively easy for a group as large as the NSA to defeat. Once defeated, they don’t have to worry about it. Do that as many times as there are codecs, and you can listen in to any phone conversation you want. If you pull a BATMAN, you can make every phone anywhere a mic. If you can defeat security on iOS & Android, you basically have it all. Oh sure, there is also Blackberry, and dozens of other non-smartphones, but they are a small percentage. Once you have iOS & Android, you have phones, tablets, various e-book readers, and a bunch of other misc. devices. You are very likely to have some type of device in range of any “interesting” conversation (as defined by the NSA). Face it, just about anyone worth the NSA’s time is NOT going to be poor.
        Being as I may be in the poor category myself, I don’t know if the fact that the NSA wouldn’t care about me makes me feel any better about things…
        But it doesn’t matter, I still carry an Android…

        1. I was speaking of all the euro countries (for starters; there is also South America and the Middle East and even Asia and Africa). Those phone calls aren’t routed through the US, and the phone companies aren’t going to be all that AT&T and give them a separate room where they split the entire traffic to.
          Plus it’s well known that big US firms put backdoors in exported systems, either voluntarily or forced. And when I say well known I don’t mean by people thinking things up but by past revelations.

        2. Who in their right mind would attack the applications CPU in a smartphone? Just twist the arms of those who make the radio hardware/software to put in a backdoor for you! The radios on phones are all closed source, well protected and often have some manner of control over the applications processor, so it’d be an ideal spot to hide stuff.

        3. Security on individual brand/OS phones is not so much a major concern, since they all encrypt/decrypt through the carrier network. Crack the network and you effectively crack them all.

    1. For a good few years you’ve been able to buy them with mics built in. Traditionally they use either a cheap FM-band transmitter, for the cheapskates, or shortwave stuff with accompanying receivers. The revolution in mobile phone chips means now the spy stuff is starting to move that way. Certainly mic + CPU + SD card + cellular data link should be able to deliver voice-activated compressed encrypted audio to wherever you like on the Internet. Or maybe have a live, voice-activated link with realtime compression. This is all stuff that’d fit in any small device.

      There are companies that sell all this James Bond type stuff, have a look.

  2. I’d target the ubiquitous iPhone speaker dock / clock radio. It’s got enough open interior volume to house my evil circuits, mains power so I can hog all I want, optimally-embarrassing positioning in the bedroom, and the additional benefit of being an attack vector against the docked iPhone.

  3. The K-cup coffee makers would be perfect for this. However, a high-def TV would be easier. It already has an operating system that you can patch into to run a camera, mic and SDR dongle that send images and sound. No real need to send it through WiFi (even though that setup would be easy too).

    1. Hm, though you wouldn’t want your transmitter to mess with the TV’s incoming RF. Fortunately TVs come with a tiny little window for the IR remote. Some sort of prism setup, or just a bit of glass slide, would let you move the IR detector to the side, and put your camera facing out.

      You can already buy cheap wall clocks with a camera hidden in one of the hour marks, the little ticks between 12 and 3. And of course there’s the excellent Thing, which was a Great Seal of the USA converted by the Russkies into a mic / transmitter. Using nothing more than an empty cavity, a bit of metal, and a metal rod! Utterly passive in the days before RFID. Not a component in it (or nothing that *looked* like one)!

          1. I know, right? “No, that’s not a radio mic bug, it’s just a big hollow sign with a metal plate.” It was located in the US Ambassador’s house in Moscow. It took seven years to be discovered, accidentally, by a radio operator who wondered why he could hear American conversations on an empty channel. That led them to sweep the building for bugs.

            It’s complete luck that the radio operator was tuned into that particular channel while the Russians happened to be using the device. It worked by being “illuminated” by a carrier wave sent by nearby spies, then sent the signal back, passively modulated with voice. When the Russians weren’t sending the illuminating signal, there was nothing to detect. If it hadn’t been discovered that time, it might not have been EVER! How might history have gone then?

            To correct my earlier self, Theremin actually invented it. Not a single active or conventional passive component! Just a thin plate vibrated by voice, acting as a capacitor plate, connected to a quarter-wave antenna. Beam a carrier wave at it, it AM / FM (both) modulates it back at you.

            I think the Thing itself, the active part, need not be very big, just a couple of inches round, and a few inches of wire / metal rod for the antenna. You could easily hide it in plain sight as a light fitting or a bit of art. Very hard to detect, embassies expect to be bugged, most places would never check.

            Funny the Russians getting pissy about this, surely they know enough about spying on their public themselves. And why would anyone in China care what Yevgeny says to Valentina when she’s doing the ironing?

          2. I remember reading about an American Embassy (in the USSR, I believe) that had transistors mixed into the aggregate in the concrete. When the place was swept for bugs, the detector would hit on all the embedded semiconductors, so EVERYTHING would look like a bug! Where better to hide a bug than somewhere it cannot be distinguished from background. As I remember, the US paid to have it built, and then couldn’t use the building.

      1. Incoming RF? You mean from the coaxial cable or the HDMI cord? Either way, the signal being sent out should have no bearing on the signal going in (Title 15 and whatnot). If any stray RF from the transmitter should cause any issues with the normal operations of the TV, a filter or modulator can be used to modify the incoming signal so that the main TV circuits can properly use it. Besides, I did mention using the TV’s operating system to help do this, so that might make things easier.

        1. In the UK we have Freeview. It uses the same UHF bands we used to get analogue TV on, only now it carries multiplexed MPEG streams. Something like 50 channels for less than 20 quid for a cheap set-top box. New TVs don’t need the box. Analogue TV was phased out over the last 5 years or so, closing altogether about 2 years ago.

          So for the past few years all British TVs have come with built-in decoding hardware for digital TV. Same old RF cable from the same old aerial goes in the back. Obviously this is a faint signal, so you’d have to be careful not to interfere with it. Even a little bit can destroy the encoded bits to the point where there’s no picture. It doesn’t degrade as well as analogue TV used to if there’s not a good signal.

          I don’t have any practical RF knowledge so I dunno how easy it is to build a transmitter so near to a sensitive receiver, but that’s what I was worried about. If the picture goes, nobody’s going to use the TV!

          Some British TVs also come with satellite decoders built-in, and again it’s a weak signal. In other countries people use cable, so the signal’s stronger. There is cable in the UK but it doesn’t have a massive takeup. Especially since you can get 50 channels for free. There’s not much on cable or satellite that you miss out on.

      2. Around the same time, a similar technique was in use that used the filament in a light bulb to pick up voice. Filter out 60 hz and you’re good to go… wait, that is publicly known right? If not, uh, oops.

  4. This stuff is honestly nothing but BS. honestly, that small Wifi will crack my access point’s WPA2 and then start talking to the mothership sending audio without detection?

    Oh and how is it getting past my MAC address filtering?

    1. As always Mr. fartface is trolling again.
      The device only connects to unprotected networks.
      This has been posted on hackaday before (in the comments) so I am guessing you must have seen it yourself before, guessing from how active you seem to be here.

        1. Wow you are pathetic. You even troll yourself, dumbass. It was right there in the blurb, didn’t even have to click thru. What an idiot. Tune in tomorrow when fartface gets laughed at again for making some stupid, off the cuff comment. It is always kinda funny and sad and puts you at around a 15 year old arrested development. Probably best to stick with machines at this point, chief. preferably one that can read to you ;)

      1. Try finding unprotected networks! Since the ISPs got their shit together a few years ago and started shipping their DSL to Wifi boxes with passwords enabled, there aren’t any. Although WPA2 has helped that, the early security on Wifi was a bit wrong in a few ways.

        Originally Wifi networks were kept open, since the hardware was rare enough you didn’t have much to lose. And since setup was such a pain in the arse, taking off security meant one less problem to stop it working.

        If the Russians are claiming that this thing uses unprotected Wifi, it’s bullshit. If they’re claiming it can hack Wifi, when for everybody else it takes gigacycles and enormous rainbow tables, it’s also bullshit. It’s almost certainly bullshit anyway, who cares what Russians talk about when they’re ironing? Rich, important people don’t iron.

          1. So what, that mostly every electronic thing is made in China? Even iPhones are made in China. But Apple users aren’t paranoid at all that the Chinese could spy on them secretly :D

            @Greenaum, Russian claims are mostly a bit of “Russian suspicion” and not related to reality. I personally believe that the bug can connect to unprotected Wi-Fi.

            But the Wi-Fi hack part is absolutely BS. Who effing uses WEP encryption today? That is simple to hack. It does not require much computational burden by brute force. Of course, depending on password strength and encryption key length.

            That simple chip would have to be very powerful, which it simply cannot be. If it could be, the Chinese crackers a.k.a. “engineers” could earn big investments from the whole world for such a thing if they could demonstrate 200 meter Wi-Fi range and other capabilities.

            Imagine! You could even throw away your router and put this tiny “bug” in your router’s place. Again, if such a thing were real, the energy consumption would be fantastic. Compare: your router uses a 6 W power source and that tiny SoC would supposedly use 1 W. Who would not want such a miracle? :))

            Naturally the Chinese are the whole world’s copy-pasters in technology and electronics, like the Soviet Union was a few decades ago. Summa summarum, someone somewhere is spreading big PR.

    2. On some routers the MAC address filtering does not apply to wireless connections, only to wired connections, which is one possible attack vector; however, you do raise a very valid point.

      The article in question appears to be fake anyway, however, as the make and model were not cited (it only seems logical to raise awareness by making such information public) and the initial reason for checking was weight. Given the size of the object and the PCB, the weight per unit, while somewhat different, should be barely noticeable.

      Irons are a bad choice of product anyway. Coffee-makers, Clocks, Radios, Televisions, telephones, refrigerators, smoke detectors, water coolers, etc. are all better suited for discreet surveillance than something that is more often than not- unplugged and stuffed inside a closed closet and forgotten about for long periods of time.

      1. The whole point is, if they have such small devices capable of doing that, then WHY don’t we find them on the China parts market? I know a LOT of hackers that would utterly kill for a full wifi/TCP-IP stack device that pretty much acts like a full Linux box the size of a 50 cent piece. There is HUGE profit in a device that small with the capabilities they claim it has. These are manufactured circuit boards so they are not one-off custom pieces, and China manufacturers are known for trying to make a buck anywhere they can. WE would see these all over the China market and eBay.

        And yes you are 100% correct on the device choice problem.

      2. MAC address filtering is a joke. I know too many people who rely solely on it for their wifi security. With an unencrypted network it is trivial to sniff out valid MAC addresses from the ongoing traffic and then spoof one. A spy device could easily be programmed to do this too. It could even watch for MAC addresses that show up for a while and then disappear (belonging to mobile devices or devices that get turned off). Then it would spoof that device only when the real thing isn’t around so that no conflicts are noticed.

        I know some people who at least know better than to rely on MAC filtering as their only security still use MAC filtering plus encryption. The argument there being ‘it doesn’t hurt’. Yeah.. but it doesn’t help either, and it is quite inconvenient to have to go and add a new MAC to the list every time you have something to connect. Well, maybe not a huge hassle, but too much for the little bit of security theatre that MAC filtering provides.

    3. Why use the local WiFi? Why not use the device to get the spy unit into every house, and then only spy on the one you want by getting a nearby unsecured network (or one secured with a known pre-programmed SSID and password). Or it could send data out over powerline; that won’t get past the mains box or maybe the drop from the local line, but you could drop an outdoor receiver that is a passive power tap and uplinks to a cell tower.

      It could even just broadcast on AM/FM bands, or the equivalent of CB, if it’s moderately encrypted. The goal might be to put the device everywhere and only listen to the important ones; and there are so many exit vectors other than local wifi that it wouldn’t matter which one you used.

      And, frankly, suspecting a foreign government of spying on every citizen’s in-home conversation? I don’t think the NSA even does that domestically (at least from the Snowden leaks) so why would China? Higher likelihood that China (if the story is true) is using the devices for high profile foreign folks, and locally for targeting dissidents, by just putting the devices everywhere.

    4. Ever heard of reaver? Or MAC spoofing? So yeah, these days most WPA2 routers in the wild are vulnerable, if any of this had anything to do with WPA2 in the first place. Troll satiated now?

  5. I see that it is fairly easy to place a camera/mic inside a device, but how do you transmit the data to the spy master? It must have some sort of internet connection or it is close to useless for spying purposes. Unsecured wi-fi is rare these days (in my neighborhood there are about 10 home networks and all are secured).

    1. Summarizing the discussion in the Russian Linux user community linux.org.ru, when the news hit the headlines:
      * They can most likely find open wireless hotspots, there are a lot of idiots.
      * They can then dump WPA/WPA2 protected traffic and send it home for cracking.
      * Once they get wireless networks cracked, use a known vulnerability list to infect Windoze users.
      * A lot of people want that hardware to tinker with, including me! So far, I’ve never got anything spying on me from China.

        1. Yeah, it looked very sketchy to me. I think it was either intended as a targeted shipment to a specific entity, maybe the work of some spying agency (?), or yet another political action.

      1. “* They can then dump WPA/WPA2 protected traffic and send for cracking home.”
        How? They spit out an envelope and hope the owner drops it in the mail? If it can communicate home then it does not NEED wifi access. That means there is also a full cellphone inside with an activated account. Mighty impressive for the boards they are claiming are the “bugs”.

    1. That “magazine” was talked about here when it happened. It was estimated to cost several dozen dollars, and was only shipped in a few promo copies sent to subscribers. It’s not that cheap, yet.

      I suppose if you were going to go for massive production runs, you could probably get a cellphone or something data enabled for not toooo much. An obvious example is the 10 quid cellphones you can buy from phone shops. Usually you have to buy 10 quid of credit too.

  6. I would target something that requires wifi access for normal use, such as a smart TV or Nest Thermostat; this would get you around all of the security on their wifi. Most of these devices are running some form of Linux and some of the TVs now have a camera and microphone already built in.

    If you really wanted to be malicious I would have it reach out and infect any computers on the network with a rootkit, just to give you more spying nodes. How long do you think it would take someone to realize that their computer keeps getting infected from their thermostat/TV?

    1. I would guess…. no.

      For one thing the 50 / 60 Hz humming would overwhelm any sound. Then there’s the large amount of power flowing, the low-pressure gas in the bulb, and whatever else. As much as anything, a coiled coil isn’t a very microphonic thing anyway; it’s not going to change resistance through being vibrated, even strongly.

  7. Lowest resources, specific target that you know nothing about beyond a LinkedIn account. CD in the mail in a hardwood box, promising a free goodwill gift from a potential supplier in a related industry. I couldn’t resist a CD in a hardwood box, no one could. Or a USB stick with the company logo that says “free USB for employees” on the envelope.

  8. With today’s digital wired world why would anyone choose a clothes iron to bug? Build a spy device into a router, or even a PC. Who the hell even irons clothes anymore? Does anyone even care what people who do iron clothes have to say while they’re ironing?

    This story just reeks of BS.

  9. How many of you have ever opened an iron?

    I think the chances of getting caught are way lower because usually you’d buy a new one and I (although I did take one apart) wouldn’t expect many people to open it up. If it’s encapsulated with some resin, for sure it would not be noticed quickly.

    However, as said, I doubt it happens randomly (if at all); it would need to be targeted to work, in my opinion.

    1. I don’t think it needs to be used on everyone. Just put it everywhere, and use it to listen to the targets that you want, when you want. Panopticon style: everyone could be monitored but in all likelihood may not be. Like http://en.wikipedia.org/wiki/Thing_(listening_device) that someone mentioned above: a passive device until it’s hit with a specific radio wave. Say the chip in the iron does the same, sends out a packet or a radio burst only when it sees the right AP or receives a priming radio signal. Burst transmit out any recording, and go back to sleep. Or waits for a signal in the form of a packet over the powerline before responding over 802.11 or AM/FM or powerline or . . .

      In the end, the device is ubiquitous but the only one active is on your target of choice. Like the NSA and phone taps: sure, they could tap and log everyone but the leaks thus far show they just tap and listen to a broad selection. Maybe these weren’t even meant for outside China, they do have a history of spying on their own citizens and an iron would be one good hiding spot.

  10. I just read a book about the history of the CIA’s “technical aids”; they and the Russians were doing this stuff decades ago (microphones in mains plugs, the Great Seal, ultrasonic lock picks, silent sand drills, etc. It’s amazing stuff).

    Extrapolating that stuff forwards 20-30 years blows the mind, a bit like everyone assumed no-one could possibly monitor & store the entire internet until Snowden…

  11. The CIA bugged Xerox photocopiers with cameras to take photos of everything that was put on the copier glass. Xerox helped design the system and trained CIA agents to be copier servicemen.

    The targets were Soviet government agencies. Nobody expected the Xerox man to be a spy. “Security clearance? Let him through NOW! The copier isn’t working!”

    Some models of IBM Selectric typewriters have a small number of solenoids that work in combinations to set the tilt and rotation of the type ball. Easy to add switches on those to convert to a computer keyboard (which many micro computer builders did in the late 70’s), or to bug. Reverse it and connect the solenoids to a computer and it’s now a printer. A used Selectric was far far less expensive than purpose built keyboards and printers 30-some years ago.

    Now there would be a hack! Take that old school hacking and add Bluetooth to make a wireless keyboard/printer for a phone/tablet/computer.

    1. Wow, I didn’t know that. Very clever. Though if I had been the chairman of the KGB at the time I’d have ordered a false flag operation targeting Xerox’s HQ or ‘accidentally’ downed a passenger plane carrying Xerox’s executives with families and then claimed that ‘the cleaning lady hit the launch button and we’re terribly sorry’. You know, something obvious enough to send the right message and make sure that they think twice in the future. I am actually surprised none of this happened, but apparently not every agency is as cunning as Mossad.

  12. Well, why microphones in an iron, if they can send out SPAM and viruses? :D Are the Chinese fools? Did they count on high-ranking deputies buying such irons? :)) But the Russian reporters also talked complete nonsense about 200 meters. As far as I know Russia, there is plenty of propaganda there about national security.

    I think this case is overestimated by the Russians. First of all, if the transceiver tries to connect to Wi-Fi, there’s no way to get a 200 meter working radius. A powerful transmitter would be necessary. Compared with a simple laptop Wi-Fi or mobile phone, that “bug” in an iron is a parody. As for a microphone needed to spy on simple Russian life, that is only a joke. I’m wondering how well the Chinese know the Russian language :P

    One more thing, the most famous Russian spying on the USA, mentioned by Greenaum: http://hackaday.com/2013/11/13/ask-hackaday-can-you-hack-an-appliance-into-a-spy-device/comment-page-1/#comment-1100523

    From a geopolitical geolocation everyone spies on everyone. Even the USA on Germany’s chancellor Angela Merkel and so on.. :))

    The more the world globalizes, the more crazy sh*t is happening. And the truth is behind the government’s shadow. Public press is cream for citizens. And we can only speculate about this.

  13. I personally would use a WiFi module with 802.11s running. It is a draft version now (rev13), but it has some nice features. It is a meshing WiFi protocol. Get enough of them in the area and they will talk. You now have your own network and you can easily tap into it.

  14. Interesting..
    Not much advance in bugging devices even after cell phones became much more accessible.

    30 years ago the best bugging appliance was an expensive luxury leather office chair.
    A gift that the recipient usually would not refuse and would usually use themselves in their office while talking about sensitive matters..
    Lots of space to put in a long life battery, lots of space to put in a recorder, digitizer and other paraphernalia to do mischief.
    I guess even today these could work as well LOL.

  15. Hate to say it, but with 32GB and larger memory cards being commonplace, if you have a short passphrase on WPA2 then you are probably already 0wn3d.
    I use alphanumeric upper and lower case with non printable symbols and Alt codes and STILL feel paranoid.

    The problem is that most routers do not have intrusion detection enabled, so that little spybox can sit there for weeks if needed thrashing away at a given target until its battery runs out or it breaks the code.

    I did explore the possibility of writing my own WiFi variant of OTP. The idea here is that both the router and the host device have a custom IC and memory chip in a ceramic package which, as it goes, wipes out the previously used keys, so even intercepting the traffic can’t work.
    I call it WPA2+OTP :-)
    Also stops casual leeching and misuse of MY HARD EARNED money as I get charged by the MB.

      1. That link was awesome and very spot on. We’re trying to train people to use computers better, but at the same time, programming/designing computers to be better at using people. Technological singularity, anyone?

    1. Just think of all the spy-worthy secrets that important people typically discuss while they are ironing… clearly, this must be the best device to hide microphones in, forget mobile phones and routers. Never mind also that the heat produced by the iron makes it quite a challenge to place all these electronics… but, hey, we are always in for a challenge, aren’t we.

      Iron… irony… I can see a pattern there… :-)

  16. It’s a fake, they found spy chips in irons by weight! ))) The Customs Service found a weight difference between shipments. But a manufacturer may change the design of their products without notification, so how do they check for this?

  17. Maybe do a resonance sweep for WiFi, GPS and other antennas?

    No matter how well it is shielded, the antenna has to poke out someplace, usually in the mains cable.

    I did look into this for finding a crashed hexacopter; the catch is the range is only 5 feet max with sensible power levels.

      1. I don’t know that girl.
        She was walking with her iron through the main street in Ekaterinburg.

        I think the public fiction with the radio chip and this girl are elements of some trade action. I think someone wants to come into the Russian market for irons. So he is attracting attention to his products. It is my opinion.
