By Megan Bozman
Researchers were recently able to control Philips Hue lights using a drone and make them blink S-O-S in Morse code. Describing the attack, security author Bruce Schneier wrote, “This is exactly the sort of Internet-of-Things attack that has me worried.”
Writing for Computer World, Darlene Storm explains, “Researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada didn’t just theorize about the possibility of an IoT worm; using a few hundred dollars of readily available equipment, they created a proof of concept attack to exploit Philips Hue smart light bulbs.
“Researchers have been taking aim at both ZigBee and Z-Wave wireless protocols for years. Hue light bulbs communication via the ZigBee protocol. Any new firmware is delivered via Over The Air (OTA) updates. In the researchers’ attack, the worm replaces the firmware.” This also made the infection irreversible.
In their paper, researchers Eyal Ronen, Colin OFlynn, Adi Shamir, and Achi-Or Weingarten, “Describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass.”
Explosively … a kind of nuclear chain reaction
Nahhh… doesn’t sound like something to be afraid of, does it?
“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity.”
ZigBee Light Link War-driving
The researchers built an autonomous attack kit and tested it by both War-driving and War-flying with a drone-mounted kit, shown in the below video. “Right after liftoff it is already possible to see the light effects starting in the distance. As the drone gets closer to the building, the ZigBee channel gets more reliable, and we are able to affect more lights, and the flickering becomes more regular.”
Critical Mass Required to Inflict Damage
For the worm to spread quickly in a catastrophic manner, there must be a critical mass of installed devices. They estimate this to be at least 15,000 randomly located smart lights in a city of 105 square kilometers.
Once infected, the worm could inflict a variety of damage, such as permanent blackout or constant flickering. Additionally, using many infected lamps at once, WiFi communication (or any other 2.4 GHz transmissions) could be disrupted in the whole city. The power consumption used by simultaneously turning lights on and off multiple times could have a detrimental effect on the electric grid. Finally, by repeatedly flashing the lights at the right frequency, it is possible to induce epileptic seizures in photosensitive people.
IoT Attack Outlook for the Future
The researchers don’t seem too optimistic on the odds of their efforts improving security. “This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”
“The main problem is in the insecure design of the ZLL standard itself… a better trade-off between usability and security must be made.” Apparently Philips Lighting came down on the wrong side of this common conflict of interest in technology product design. Additionally, the authors recommend the security community and academia be allowed greater participation in the ZLL standard design process. The secretive nature of the ZigBee 3.0 specification is also a big problem.
IoT Security Whack-a-Mole?
However, the researchers later state “We have made full disclosure to Philips Lighting, including all the technical details and suggestions for a fix. They have already confirmed and fixed the takeover vulnerability. OTA updates are available.”
A bleak outlook for the future of IoT security, followed by a declaration that this particular weakness has already been resolved makes me wonder: Is this simply a matter of security whack-a-mole?
Levity on IoT Attacks
Bringing some levity to this heavy topic, this amusing and accurate observation was posted on Slashdot, “It wasn’t long ago that claiming ‘Drones are controlling my lightbulbs!’ would have gotten you locked up for your own protection.”