Key Takeaways
1. The Halo 3C smart smoke detector, commonly used in schools and public buildings, has significant security flaws due to its design based on Raspberry Pi.
2. The investigation was initiated by a high school student who discovered the device on his school’s WiFi, highlighting a lack of awareness about IoT security in public services.
3. The device lacks secure boot features and strong authentication methods, making it vulnerable to unauthorized access and manipulation.
4. The duo was able to easily modify the device’s functionalities, raising concerns about potential misuse by hackers and other entities.
5. The findings underscore the urgent need for better understanding and regulation of IoT devices to protect privacy and security in public spaces.
Presenters Reynaldo and Nyx explored the complex inner workings of the Halo 3C smart smoke detector at this year’s DEF CON hacking conference. They discovered that this device, based on Raspberry Pi, is packed with security flaws and is widely used in schools, housing complexes, and various public buildings. Although it wasn’t their original goal, this investigation revealed alarming practices and claims from manufacturers, underlining the lack of tech knowledge in public services necessary for making smart choices about IoT devices.
The Start of the Investigation
The investigation kicked off when Reynaldo, a curious high school student, stumbled upon an unusual device connected to his school’s WiFi. As he dug deeper, he identified it as the Halo 3C, a “smart” smoke detector claiming to have features like vape and THC detection, along with real-time air monitoring. At first, obtaining the device for a thorough examination was too expensive, with a retail price exceeding $1200. However, when Reynaldo found it listed on eBay, he then managed to uncover its inner workings.
What’s Inside the Halo 3C
Inside the Halo 3C, there are various sensors, such as TVOC, PIR motion detectors, temperature and humidity sensors, CO2, particle sensors, and microphones—all powered by a Raspberry Pi Compute Module 4. Although the device is designed for commercial use, the discovery was still shocking due to its high cost and the ease with which such devices can be altered. With this newfound knowledge, Reynaldo contacted Nyx, a member of a local hacking collective, to assist with accessing the device.
Vulnerabilities and Risks
To their surprise, the duo found that the device had vulnerabilities that seemed almost careless on the manufacturer’s part. For example, it didn’t have any secure boot features, allowing them to easily extract the contents of the CM4 and start reverse-engineering the protocols. They also managed to gain admin access to the web interface by brute-forcing the credentials, since there were no strong authentication methods in place. Additionally, the device would accept any firmware update payload, provided the firmware file had the correct name. As a bonus, the firmware files could be downloaded for free from the manufacturer’s website.
In the end, they were able to modify the Halo to perform various actions at their discretion. Although they didn’t discover any misuse of the microphones beyond what the manufacturer claimed, there is nothing preventing other hackers, IT administrators, or law enforcement from exploiting the device’s capabilities in ways contrary to its marketed purpose. Considering that this device is already installed in nursing homes, schools, banks, and public housing, and with one public figure referring to it as an “expert witness” in legal matters, it presents a concerning outlook on the expanding and covert IoT landscape of privacy invasion that is accessible to hackers and law enforcement.