Virus-spreading smart bulbs? Researchers say it’s possible

One assessment of the Internet of Things (IoT) is that 2016 has been a bad year.

Its woes aren’t hard to locate from the infamous Mirai botnet that led a collection of webcams, PVRs and surveillance cameras to summon up the biggest DDoS in history to a growing unease over privacy.

Now, just when you thought it was safe to turn on the light, an Israeli-Canadian study has uncovered a weakness in the design of Philips Hue smart light bulbs that it believes a hacker could use to launch an improvised wireless worm.

The attack works by targeting the Atmel ZigBee wireless chip inside each bulb which should, on the face of it, be highly secure. It’s cloaked in layers of cryptographic and non-cryptographic defences which also limit the proximity required to issue new instructions to mere centimetres.

Unfortunately, the chip’s proximity detection firmware has a security flaw which allows this to be extended by up to 400 metres, rendering it vulnerable to takeover after issuing a factory reset.

The team even came up with a memorable proof-of-concept that involved taking control of bulbs from a drone – dubbed war flying – before flashing back each bulb’s captured status as an SOS in Morse code:

What harm could an attacker possibly do with remote control?

According to the study’s authors an attack would only need about 15,000 devices in order to spread effectively through a city the size of Paris – a density they claim has “almost certainly been surpassed already”.

Hue light bulb users needn’t worry though – the researchers shared details of their attack with Philips in the summer and make it clear that Philips “have already confirmed and fixed the takeover vulnerability”.

Philips have posted a statement on their website that reads:

Researchers contacted us in the summer about a potential vulnerability and we patched it before the details of findings were disclosed publicly. At no time was a virus created or used to infect any Philips Hue products.

We recommend all our customers install the latest software update via the Philips Hue app, as with any other update that we release, despite assessing the risk to Philips Hue products as low.

Although there’s no danger for Philips customers today the research is a signpost to what might be possible if the IoT’s security doesn’t improve as the density of devices gets ever greater.

The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.

Ironically, the bigger worry is not that this type of ZigBee-based device is connected to the internet but that it isn’t.

By using ZigBee, humble devices such as light bulbs can communicate and interact with one another independently of the very communications systems that could be used to remotely exert some control in the event of a worm-like incident.

It’s not even clear how defenders would locate the original hacked bulb let alone neutralise it, a problem the researchers liken to stopping a biological infection such as influenza.

In a process resembling a nuclear chain reaction, hackers can rapidly cause city-wide disruptions which are very difficult to stop and to investigate.

All this to make lights ever so slightly easier to turn on and off. We have been warned.