
IoT Smart Mirror case

IoT, or Internet of Things, refers to the collective network of connected devices and the technology that facilitates communication between devices and the cloud, as well as between the devices themselves.

Preeti, a tech enthusiast, had always been drawn to smart gadgets. When she discovered an unbranded smart mirror at a significant discount on an online marketplace, she quickly purchased it. The device promised essential features like weather updates, a task list and daily motivational quotes.


Each morning, as she stood before the mirror, it greeted her with updates and reminders. However, she began noticing a brief flicker—almost like a camera flash—in dim light. Initially, she dismissed it, but as it became more frequent, she grew uneasy.
To investigate, she contacted Atharv, a cybersecurity researcher specializing in IoT security.

Phase 1: Network Analysis
When Atharv arrived, he began with a network security assessment to determine whether the mirror was transmitting data externally.
Identifying the Device on the Network
Atharv scanned the local network to find all connected devices and identify any unusual connections.
Tool: nmap (Network Mapper)

This scan revealed a new, unidentified device with an active open port.

Capturing Network Traffic
To analyze the mirrorʼs data transmissions, Atharv captured network packets with tcpdump and examined them in Wireshark.
Tool: tcpdump (Packet Capture)


Upon analyzing the packet logs, he found encrypted outbound traffic to a remote server in China.


The mirror was sending encrypted data at regular intervals—an indication of potential unauthorized surveillance.
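The pattern Atharv spotted in the capture (outbound traffic to one external host at a fixed interval) can be checked mechanically. The script below is an added example, not part of the original case write-up: it parses constructed tcpdump-style summary lines and flags any destination outside the home LAN that the device contacts at near-constant intervals. The mirror address 192.168.1.42 and the remote address 203.0.113.10 (a documentation range) are assumptions used for the sample, not values from the case.

```python
"""Flag periodic outbound 'beaconing' in tcpdump-style capture lines.

Added example for this case; the capture text is constructed to resemble
`tcpdump -nn -tttt` output and the addresses are placeholders.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: four uploads to a remote host at ~60 s spacing, plus
# ordinary local chatter that should not be flagged.
CAPTURE = """\
2024-03-01 07:00:01.000123 IP 192.168.1.42.49152 > 203.0.113.10.443: Flags [P.], length 1480
2024-03-01 07:00:05.512000 IP 192.168.1.42.49153 > 192.168.1.1.53: 12345+ A? example.com. (29)
2024-03-01 07:01:01.020400 IP 192.168.1.42.49154 > 203.0.113.10.443: Flags [P.], length 1480
2024-03-01 07:01:30.300000 IP 192.168.1.20.51000 > 192.168.1.42.80: Flags [S], length 0
2024-03-01 07:02:01.010900 IP 192.168.1.42.49155 > 203.0.113.10.443: Flags [P.], length 1480
2024-03-01 07:03:01.002200 IP 192.168.1.42.49156 > 203.0.113.10.443: Flags [P.], length 1480
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Address ranges that stay inside the home network; anything else is "external".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_lines(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(text, device_ip, min_hits=3, max_jitter_ratio=0.05):
    """Return {(dst_ip, dst_port): mean_interval_s} for external destinations the
    device contacts at least `min_hits` times with near-constant spacing."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_lines(text):
        if src == device_ip and not is_local(dst):
            flows[(dst, dport)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Relative jitter: a scheduled upload has a tiny spread around its period.
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter_ratio:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (dst, port), interval in find_beacons(CAPTURE, "192.168.1.42").items():
        print(f"periodic outbound traffic: {dst}:{port} every ~{interval}s")
```

On the sample the DNS lookup to the router and the inbound connection from another LAN host are ignored; only the 60-second uploads to the external host on port 443 are reported. The same function can be pointed at real `tcpdump -nn -tttt` output saved to a file.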


Phase 2: Hardware Inspection
Since the network analysis confirmed suspicious activity, Atharv proceeded with a physical examination of the mirrorʼs internal components.
Disassembling the Device
He carefully removed the back panel and inspected the hardware. Inside, he found:

  • Microcontroller: ESP32 (Wi-Fi-enabled, commonly used in IoT devices)
  • Camera Module: A compact pinhole camera (CMOS sensor)
  • Microphone: MEMS microphone (capable of audio capture)
  • Storage: 16MB SPI flash memory
  • Wi-Fi Module: Built into the ESP32
  • Voltage Regulator: 3.3V LDO regulator

Using a multimeter, he traced the circuit paths and confirmed that the camera and microphone were actively powered and connected to the ESP32.
This confirmed the presence of an unauthorized surveillance system embedded within the device.


Phase 3: Firmware Extraction and Analysis
To determine the software functionality and find evidence of malicious code, Atharv extracted the mirrorʼs firmware for further analysis.

Dumping the Firmware
He connected a JTAGulator to identify the debug test points on the ESP32 microcontroller. Using esptool.py, he extracted the firmware.
Tool: esptool.py (Firmware Dumping)


Analyzing the Firmware
To extract and inspect the firmware components, he used Binwalk.
Tool: binwalk (Firmware Analysis)


Among the extracted files, he discovered:

  • An encrypted configuration file
  • A script executing periodic uploads
  • Hardcoded IP addresses and credentials

Deciphering the Configuration File
Atharv found base64-encoded credentials within the configuration file and proceeded to decode them.
Tool: Python Script


Decoded Output:


This confirmed that the mirror was actively recording and transmitting both images and audio to a remote server.
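The findings in Phase 3 (hardcoded IP addresses, and base64-encoded credentials inside a configuration file) are the kind of thing a first pass over the extracted firmware image can surface automatically. The script below is an added example, not the Python script Atharv used: it walks a constructed firmware blob the way `strings` would, pulls out IPv4 literals, and decodes any base64 token that yields readable text. The credential values, the "mode" string and the address 203.0.113.10 embedded in the sample are placeholders, not the case's real data.

```python
"""Triage a firmware image for hardcoded IPv4 literals and base64-encoded
values that decode to readable text.

Added example for this case; the firmware blob is constructed in-line and
every value in it is a placeholder.
"""
import base64
import binascii
import re

# Constructed sample image: binary padding around a small config fragment.
FIRMWARE = (
    b"\x00\xe9\x03\x02\x00\xff\xff\xff" * 8
    + b"upload_interval=60\x00"
    + b"server=203.0.113.10:443\x00"
    + b"auth=" + base64.b64encode(b"mirror_user:s3cret-placeholder") + b"\x00"
    + b"\x7f\x01\x80\x00" * 16
    + b"mode=" + base64.b64encode(b"record_audio_and_image") + b"\x00"
    + b"\xff" * 32
)

# Runs of 6+ printable ASCII bytes, like the `strings` utility reports.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Base64 alphabet runs of 16+ chars with optional padding, not glued to
# neighbouring base64 characters.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def extract_strings(blob: bytes):
    """Return printable ASCII strings found in the blob."""
    return [s.decode("ascii") for s in STRING_RE.findall(blob)]


def try_base64(token: bytes):
    """Decode token if it is valid base64 and yields printable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


def triage(blob: bytes):
    """Collect IPv4 literals and decodable base64 tokens from a firmware image."""
    findings = {"ipv4": [], "decoded_base64": {}}
    for s in extract_strings(blob):
        raw = s.encode("ascii")
        for ip in IPV4_RE.findall(raw):
            findings["ipv4"].append(ip.decode())
        for tok in B64_RE.findall(raw):
            decoded = try_base64(tok)
            if decoded is not None:
                findings["decoded_base64"][tok.decode()] = decoded
    return findings


if __name__ == "__main__":
    report = triage(FIRMWARE)
    for ip in report["ipv4"]:
        print(f"hardcoded IPv4: {ip}")
    for tok, text in report["decoded_base64"].items():
        print(f"base64 {tok} -> {text}")
```

Plain base64 is encoding, not encryption, so a value that decodes to readable text (here a placeholder username:password pair and an operating-mode string) is evidence of a hardcoded secret, which is the finding the case reports. On a real image, run the same logic over each file Binwalk extracts; the printable-text filter keeps binary data that happens to look like base64 from cluttering the output.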

Phase 4: Filing a Complaint with CERT-In

The Indian Computer Emergency Response Team (CERT-In) is the national agency responsible for responding to cybersecurity incidents in India. It works under the Ministry of Electronics and Information Technology (MeitY).
Since the case involved potential surveillance and data theft, Atharv recommended reporting it to local cybercrime authorities via the Indian Cyber Crime Portal.

