Full Report
Dan Tentler reveals how consumer hardware coupled with Home Assistant can monitor hotel rooms, detect occupants through walls, and trigger automated alerts.
Analysis Summary
# Tool/Technique: Home Assistant based Physical Surveillance System
## Overview
This refers to a portable, covert surveillance system constructed by repurposing consumer-grade hardware, specifically leveraging the **Home Assistant (HA)** automation platform, Z-Wave devices, CO2 sensors, and millimeter wave (mmWave) radar units. The system's purpose is to monitor hotel rooms, detect the presence and movement of occupants, even through walls, and trigger automated alerts or actions based on the detected activity, effectively creating a sophisticated physical security monitoring platform.
## Technical Details
- Type: Tool (Custom Framework/Applied Technology)
- Platform: Consumer Hardware (Z-Wave, mmWave Radar), Home Assistant (Software running on local hardware like Raspberry Pi or NUC)
- Capabilities: Occupancy detection through solid structures (walls), movement detection, automated alerting, integration with various smart home devices for data capture/response (e.g., taking images).
- First Seen: Presented by Dan Tentler at LABScon 2025; the demonstration is described as an evolution of his earlier work on the same theme.
## MITRE ATT&CK Mapping
This is a physical-surveillance demonstration rather than malware, and ATT&CK Enterprise has no technique for placing sensors in a physical space, so any mapping is loose. The IDs below are taken from the Enterprise matrix as it actually reads; analogies are marked as such.
- Reconnaissance (TA0043): conceptual fit only. No Enterprise technique covers physical sensor deployment or through-wall sensing; the tactic is listed because the system's purpose is intelligence gathering about a target.
- T1547 - Boot or Logon Autostart Execution (Persistence): conceptual mapping, because Home Assistant runs as a service that restarts with its host and keeps monitoring without operator interaction.
 * *Note: no T1547 sub-technique applies (T1547.003 is Time Providers, a Windows mechanism). Where Home Assistant is installed as a systemd unit, T1543.002 - Create or Modify System Process: Systemd Service is the more precise fit.*
## Functionality
### Core Capabilities
- **Occupancy Detection:** CO2 sensors infer presence from the slow rise in CO2 that breathing occupants cause in an enclosed room, which yields patterns of when a space is inhabited rather than instantaneous detection.
- **Through-Wall Detection:** Millimeter wave radar units detect movement and presence in adjacent rooms or hallways; interior walls and doors are largely transparent at those frequencies, so the sensor does not need line of sight.
- **Automation Engine:** Using Home Assistant as the central control hub to manage sensor inputs and trigger outputs.
### Advanced Features
- **Rapid Deployment:** Designed to be portable and quickly set up in unfamiliar environments (e.g., hotel rooms).
- **Automated Alerting:** Capable of sending immediate alerts based on sensor triggers.
- **Action Triggering:** Can execute any action supported by the Home Assistant ecosystem, including capturing images or initiating complex sequences.
## Indicators of Compromise
As this is a demonstration built from legitimate consumer hardware and software (even if applied for covert surveillance), traditional malware IOCs do not apply. The indicators relate to the presence of the system itself:
- File Hashes: N/A (Depends on specific Home Assistant installation components)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The Home Assistant web UI on its default TCP port 8123, the mDNS hostname and service it advertises on the local network, and outbound traffic to whatever notification service the alerts use. The sensor-to-hub radio links (Z-Wave operates in the sub-GHz ISM bands) are not IP traffic and never appear in network monitoring. **Example (Defanged):** `homeassistant[.]local:8123`
- Behavioral Indicators: Unexplained networked Z-Wave hubs, CO2 sensors, or mmWave radar modules in a target location. mmWave presence sensors are active radar and emit continuously, typically at 24 GHz or 60 GHz, which is above the range most handheld bug detectors cover.
## Associated Threat Actors
The toolset is presented in the context of research demonstrated by Dan Tentler of Phobos Group. Potential misuse could be associated with:
- Physical Security Audit Teams
- Corporate Espionage Actors
- Individuals conducting physical surveillance.
## Detection Methods
Detection focuses on identifying the presence of the specialized hardware rather than traditional malware artifacts.
- Signature-based detection: N/A (No common malware signatures)
- Behavioral detection: Watching for unfamiliar IoT gateways (a Home Assistant hub) joining a network, or unexpected traffic to and from sensor endpoints. Because the sensors themselves talk to the hub over non-IP radio, detection still relies heavily on physical inspection or RF scanning that reaches the relevant bands.
- YARA rules: N/A
## Mitigation Strategies
Mitigation focuses on hardening physical spaces against covert monitoring:
- **Physical Inspection:** Thoroughly inspect hotel rooms for unfamiliar or concealed electronic devices (sensors, small hubs).
- **RF/EMI Scanning:** Employ RF detection tools to locate active transmitting components. Note that common handheld bug detectors top out well below the 24 GHz or 60 GHz bands mmWave presence modules use, so a detector rated for those bands is needed for the radar itself; the Z-Wave and Wi-Fi links between sensors and hub are easier to find.
- **Environmental Control:** CO2-based occupancy detection depends on CO2 accumulating in a closed room. Opening windows or running ventilation keeps readings near the outdoor baseline and masks presence, but does nothing against the radar.
- **Securing Network Access:** If the Home Assistant hub joins a hotel or private network, its UI port, mDNS announcements, and outbound alert traffic are visible to network monitoring for unauthorized IoT devices, even though the sensor-to-hub radio links are not.
## Related Tools/Techniques
- Traditional Bugging Devices (Vibration sensors, RF microphones)
- Commercial Home Automation Platforms repurposed for data collection.
- Non-Line-of-Sight (NLOS) Sensing Technologies (e.g., advanced motion detection using radar).