Philips Hue smart bulbs could be vulnerable to being hacked, according to security researchers.
According to researchers from Dalhousie University in Canada and the Weizmann Institute of Science in Israel, a flaw in the software that controls the bulbs could allow hackers to control not only the lights themselves but also smart switches, locks and thermostats on the same home network.
In a research paper, titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction, researchers demonstrated how an exploit of hard-coded symmetric encryption keys that are used to control devices over Zigbee wireless networks could be used to gain control.
The worm allowed researchers to wirelessly take over the bulbs from up to 400m, write a new operating system to them, and then cause the infected bulbs to spread the attack to all the vulnerable bulbs in reach until an entire city is infected.
The researchers demonstrate attacking bulbs by drone or ground station. The demo attacks Philips Hue light bulbs, the most popular smart lighting system in the market today.
“The worm spreads by jumping directly from one lamp to its neighbours, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack,” said the researchers.
Philips has since released a patch to fix the problem.
Cesare Garlati, Chief Security Strategist at the prpl Foundation, told Absolute Gadget that Zigbee was never intended to be a secure wireless technology, at least by current standards.
“The ability to remotely hijack a large number of electric loads (i.e. light bulbs) represents a real safety concern – due to the impact this kind of attack can have on the electrical grid. However, Zigbee attacks are unlikely to result in DDOS attacks against Internet targets – such as seen with Mirai – as Zigbee devices don’t connect directly to the Internet and, in any case, have very limited bandwidth or the ability to create Internet disruption,” he said.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB, told Absolute Gadget that industrial IoT devices are a major concern for security researches worldwide.
“The implications of these devices being hackable is very alarming. From widespread outages to takeover by botnet herders, soon we will likely have smart lights and a litany of other industrial IoT devices being used to wreak havoc on a scale never witnessed before. Manufacturers need to recognise that almost anything is hackable and put appropriate protects into place. Recommendation: hire the hackers to test your systems before making them publicly available. Whatever happened to “due care”,” he said.