It Looks Like a School Bathroom Smoke Detector. A Teen Hacker Showed It Could Be an Audio Bug

WIRED

2 days ago

By Andy Greenberg and Joseph Cox Aug 8, 2025 9:00 AM A pair of hackers found that a vape detector often found in high school bathrooms contained microphones—and security weaknesses that could allow someone to turn it into a secret listening device. Photo-Illustration: Wired Staff;A couple of years ago, a curious, then-16-year-old hacker named Reynaldo Vasquez-Garcia was on his laptop at his Portland-area high school, seeing what computer systems he could connect to via the Wi-Fi—'using the school network as a lab,' as he puts it—when he spotted a handful of mysterious devices with the identifier 'IPVideo Corporation.'
After a closer look and some googling, Garcia figured out that a company by that name was a subsidiary of Motorola, and the devices he'd found in his school seemed to be something called the Halo 3C, a 'smart' smoke and vape detection gadget. 'They look just like smoke detectors, but they have a whole bunch of features like sensors and stuff,' Garcia says.
This article was created in partnership with 404 Media, a journalist-owned publication covering how technology impacts humans. For more stories like this, sign up here.
As he read more, he was intrigued to learn that the Halo 3C goes beyond detecting smoke and vaping—including a distinct feature for discerning THC vaping in particular. It also has a microphone for listening out for 'aggression,' gunshots, and keywords such as someone calling for help, a feature that to Vasquez-Garcia immediately raised concerns of more intrusive surveillance.
Now, after months of reverse engineering and security testing, Vasquez-Garcia and a fellow hacker he's partnered with who goes by the pseudonym 'Nyx,' have shown that it's possible to hack one of those Halo 3C gadgets—which they've taken to calling by the nickname 'snitch puck'—and take full control of it.
At the Defcon hacker conference today, they plan to show that by exploiting just a few relatively simple security vulnerabilities, any hacker on the same network could have hijacked a Halo 3C to turn it into a real-time audio eavesdropping bug, disabled its detection capabilities, created fake alerts for vaping or gunshots, or even played whatever sound or audio they chose out of the device's speaker. Motorola said it has since developed a firmware update to address those security flaws that will automatically push to cloud-connected devices by Friday.
Manyof the hackers' tricks are on display in a video demo below, which the Vasquez-Garcia and Nyx made ahead of their Defcon presentation:
The Halo 3C's vulnerabilities would have potentially allowed a teen hacker on a school network to take control of a Halo 3C for epic mischief or abuse. The sensor's capabilities also ignite fears that school administrators or even police could have done the same to eavesdrop on unsuspecting students in a school bathroom. Schools are increasingly subject to all sorts of surveillance technology, from AI-powered weapons detectors, to 'face analytics' cameras, to keystroke loggers on student computers.
One concern of the researchers is that technology like the Halo 3C could be turned against a student speaking about seeking an abortion, for instance. In marketing material, Motorola says the Halo 3C sensor 'is ideal for observing health and safety in privacy-concern areas, such as restrooms and changing facilities, where video and audio recording is not permitted.' (Motorola said that the sensor is programmed with wake words, such as 'Help, 911,' and does not record or stream audio.)
'To the credit of the company, the microphones sound great,' says Nyx. 'From up on the ceiling, you could totally listen to what somebody was saying, and we've made this happen.'
Motorola told the hackers in an email that it has worked on a new firmware update that should fix the vulnerabilities. But the hackers argue that doesn't, and can't, address the underlying concern: that a gadget loaded with hidden microphones is installed in schools around the country. Motorola also advertises its Halo sensors for use in public housing—including inside residents' homes—according to marketing material.
'The unfortunate reality is there's a microphone connected to a computer that's connected to the network,' says Nyx. 'And there's no software patching that will make that not possible to use as a listening device.'
Motorola pitches the Halo 3C as an 'all-in-one intelligent security device' in its marketing material. Its notifications 'enable security teams at schools, hospitals, retail stores and more to respond to potentially critical events faster, helping to establish a safer environment,' it says.
After Vasquez-Garcia got curious about the Halo 3C two years ago, he and Nyx—an older hacker he met at his local hackerspace—bought one on eBay and took it apart. Their physical teardown revealed the Halo 3C is essentially a Raspberry Pi micro computer with a bunch of sensors attached, including one for temperature or humidity, an accelerometer, and others for air quality that detect different gases. One feature jumped out: a couple of microphones.
'Seeing this device is getting put into buildings and having microphones in it,' says Nyx, 'it's kind of a huge red flag.'
A disassembled Halo 3C smoke and vape detector found to include microphones. Courtesy of Reynaldo Vasquez-Garcia and Nyx
To hack the Halo 3C, they found that if they could connect to one over the network it was installed on, they could brute-force guess its password with virtually no rate limitations due to a flaw in how it tried to throttle those guesses. 'It's trivially possible to guess passwords as quickly as the thing can respond to you,' says Nyx. That meant they could guess roughly 3,000 passwords a minute, and crack any insufficiently complex password relatively quickly.
Once they had administrator access to a Halo 3C, they found they could update its firmware to whatever they chose: Despite its security measures that attempted to require those firmware updates to be encrypted with a certain cryptographic key, that key was in fact included in firmware updates available on the Halo's website. 'They're handing you a locked box where the key is taped to the underside,' Nyx says. 'As long as you know to look down there, you can open it up.'
A Motorola Solutions spokesperson said in a statement: 'Motorola Solutions designs, develops and deploys our products to prioritize data security and protect the confidentiality, integrity and availability of data. A firmware update is available, and we are working with our customers and channel partners to deploy the update together with our additional recommendations and industry best practices for security.'
Marketing material available online says the Halo 3C uses a 'Dynamic Vape Detection algorithm' which can sense nicotine, THC, and when someone is trying to mask their vaping with aerosols. Halo can also 'alert security teams to motion after hours' and includes a 'spoken keyword feature.'
'The HALO Smart Sensor can detect specific spoken keywords that immediately alert security to a potential issue. Pre-defined keywords like 'help' are particularly valuable in environments such as schools, where bullying is a concern, or for teachers in need of assistance, as well as nurses and hospital patients,' the marketing material adds. Another section says the sensors can be used to detect 'bullying or aggression' in schools.
The marketing material also says Halo sensors have been used in public housing units in New York. 'The sensors helped SSHA [the Saratoga Springs Housing Authority] reduce risks, enforce nonsmoking rules, and protect vulnerable residents, with plans for further installations across the housing authority,' it says.
Nyx argues that the notion of requiring public housing residents to keep a hackable device that can become an audio eavesdropping tool in their apartment may represent the most disturbing application of the Halo 3C. 'That kind of took it up a notch as far as how egregious this entire product line is,' Nyx says. 'Most people have an expectation that their home isn't bugged, right?'
As sensors like the Halo 3C proliferate across schools and even homes, Vasquez-Garcia says the biggest takeaway from his and Nyx's findings ought to be that putting microphones and internet connections into every device in our lives as simple as a smoke detector is a decision that carries real risk. 'If people remember one thing from this, it should be: Don't blindly trust every internet of things device just because it claims to be for safety,' Vasquez-Garcia says. 'The real issue is trust. The more we accept devices that say 'not recording' at face value, the more we normalize surveillance without really knowing what's inside or bothering to question it.'