Not Even Your Light Bulbs Are Safe From Shitty Internet Of Things Security

from the apocalypse-in-a-box dept

We've discussed at length how the rush to market by Internet of Things companies and evangelists with nary a thought toward security has left us all immeasurably less safe. Whether it's smart door locks that are easily bypassed, smart vehicles that can be remotely controlled, or smart electrical outlets being used as the cornerstone of nasty new botnets, we're effectively all living in a barely-believable dystopian novel at this point. And as we've noted repeatedly, this would all be kind of funny if it weren't for the fact that inevitably, these vulnerabilities are going to result in very real, and potentially massive human deaths.

And each week it seems like we're bearing witness to a new, deeper and uglier chapter in the saga of the internet of not-remotely-secure things. This week, it's the revelation by researchers that they've found another way to exploit a weakness in the Touchlink aspect of the ZigBee Light Link system at the heart of Philips' Hue "smart" light bulbs. More specifically, the researchers have demonstrated a way to take control of every smart bulb in your home by pushing malicious firmware updates, without setting foot inside the residence:
"The researchers focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs, according to researchers at the Weizmann Institute of Science near Tel Aviv and Dalhousie University in Halifax, Canada. That may not sound like a big deal. But imagine thousands or even hundreds of thousands of internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them."
As we've been noting, these compromised devices are then being used in some of the biggest and most potent denial-of-service attacks we've ever seen. According to the full research paper (pdf), the attack can be launched either via war driving (sitting in a vehicle) or by drone (in their test demonstration they were 70 meters, or 229.7 feet, away). More frighteningly, perhaps, the researchers posit that they could damage entire cities via this method using "readily available equipment costing a few hundred dollars" to forge "lightbulb worms":
"In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack"
Comforting. The report notes that the attack is possible, in part, because while the ZLL Touchlink commissioning protocol does use encryption to protect the "Master ZLL Key" sent to new devices joining the network, that key is shared among all devices and was leaked online last year. The researchers are also quick to note that once a lightbulb has been infected with the worm, there's no way to reverse it short of replacing the bulb:
"An important observation is that unlike computers or smart phones, this kind of attack is irreversible. There is no way to re-flash the Philips Hue lights firmware to get rid of our worm, and the only possible solution is to replace the lightbulb with a new one. Note that in order to prevent the new lightbulb from being infected in the same manner, the user must wait for a software patch to be available from the manufacturer before installing it."
So yes, you left the store with a "smart" lightbulb thinking you'd just have some sexy mood lighting, but were shocked to find a mini-apocalypse in a box once you got your purchase home. Thanks, internet of broken things!
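The paper's "critical mass" claim is a percolation argument: a worm that can only hop between bulbs within radio range reaches a whole city only once bulbs are dense enough that the in-range graph has a giant component. The model below is an added example for risk planning, not code from the paper or from Philips; it places bulbs at random in one square kilometre, assumes a hop is possible only within 70 metres (borrowed from the drone-distance figure, not a measured hop range), and reports what fraction of bulbs a single infected one could reach by proximity alone. The placement, the hop range and the roughly 4.5-neighbour percolation threshold are all assumptions.

```python
"""Percolation model of the 'critical mass' claim in the Hue worm paper.
Added example, not code from the paper: a worm that can only hop between
bulbs within radio range reaches a whole city only when bulb density makes
the in-range graph percolate. Positions and the hop range are constructed."""
import math
import random
from collections import deque

HOP_RANGE_M = 70.0  # assumed hop distance, borrowed from the drone demo figure


def reachable_fraction(positions, hop_range=HOP_RANGE_M, start=0):
    """Breadth-first search over the 'within hop range' graph from one
    infected bulb; returns the fraction of bulbs reachable by proximity."""
    n = len(positions)
    if n == 0:
        return 0.0
    r2 = hop_range * hop_range
    seen = [False] * n
    seen[start] = True
    queue = deque([start])
    while queue:
        i = queue.popleft()
        xi, yi = positions[i]
        for j in range(n):
            if not seen[j]:
                dx, dy = positions[j][0] - xi, positions[j][1] - yi
                if dx * dx + dy * dy <= r2:
                    seen[j] = True
                    queue.append(j)
    return sum(seen) / n


def random_city(n_bulbs, side_m, seed=1):
    """Constructed sample: n_bulbs placed uniformly in a side_m x side_m area."""
    rng = random.Random(seed)
    return [(rng.uniform(0, side_m), rng.uniform(0, side_m)) for _ in range(n_bulbs)]


def mean_neighbours(n_bulbs, side_m, hop_range=HOP_RANGE_M):
    """Expected in-range neighbours per bulb. A 2-D random geometric graph
    grows a giant component once this passes roughly 4.5 (assumed threshold),
    which is the paper's 'critical mass' expressed in graph terms."""
    return n_bulbs * math.pi * hop_range ** 2 / (side_m * side_m)


if __name__ == "__main__":
    for n in (100, 400, 2000):  # bulbs per square kilometre
        city = random_city(n, 1000.0)
        print(f"{n:5d} bulbs/km^2: ~{mean_neighbours(n, 1000.0):4.1f} neighbours each, "
              f"one infected bulb reaches {reachable_fraction(city):.0%}")
```

Sweeping the bulb count shows the sharp transition the paper describes: well below the threshold one infected bulb reaches only its immediate cluster, well above it nearly every bulb in the area.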

Filed Under: hue, iot, lightbulbs, security, smart lightbulbs
Companies: phillips


Reader Comments

  1. Jason, 8 Nov 2016 @ 9:48am

    mislink

    Just an editing note: the link at the end of the second paragraph ("without setting a foot inside of the residence") points back to this page; presumably it was meant to point at the source of the quote?

  2. Jeremy Lyman (profile), 8 Nov 2016 @ 9:53am

    So.... this is an article against using golden keys?

  3. Roger Strong (profile), 8 Nov 2016 @ 10:09am

    Prediction

    This problem won't be properly addressed until five years from now, when half a million wireless virtual and augmented reality helmets are suddenly infected by the goatse.vr.3d virus.

  4. Anonymous Coward, 8 Nov 2016 @ 10:09am

    you light up my life . . . or end it.

    your choice.

  5. Anonymous Coward, 8 Nov 2016 @ 10:15am

    Not Even Your Light Bulbs Are Safe

    Um, mine are. Because they don't have CPUs or antennas.

    in their test demonstration they were 70 meters, or 229.7 feet, away

    The paper just said 70 meters. Please consider significant digits when converting.

  6. orbitalinsertion (profile), 8 Nov 2016 @ 10:23am

    FUD-slinging, doomsaying, and hyperbolic Masnick is hyperbolic, as usual.

  7. Richard Bennett (profile), 8 Nov 2016 @ 10:25am

    Fruits of your labor

    You demanded a dumb pipe and an end-to-end network and you got it. Happy now?

  8. Michael, 8 Nov 2016 @ 10:27am

    Re:

    "Um, mine are. Because they don't have CPUs or antennas."

    Until the power company (who owns the smart light bulb companies) starts producing "smart" electricity that includes "Power DRM" (I'm going to have to trademark that) that, for your safety, ensures the electricity is not powering unapproved devices that could harm you or the electrical grid.

    Then your piece of tungsten is going to be worthless.

  9. Michael, 8 Nov 2016 @ 10:28am

    Re:

    He is, but Karl writes good copy.

  10. Roger Strong (profile), 8 Nov 2016 @ 10:29am

    Re:

    It's not like Internet of Things botnet attacks would happen in real life....?

  11. andrew_duane (profile), 8 Nov 2016 @ 10:39am

    Maybe this could end up being a good thing

    Maybe, just maybe....

    If a worm were spread that permanently bricked every Philips smart light bulb it connected to, the public backlash against Philips would start some "serious" thinking about this stuff. The cost to the "innocent externals" would be a few bucks for a busted lightbulb, the cost to Philips would be a warning shot across their bow.

    just maybe.....

  12. Richard Bennett (profile), 8 Nov 2016 @ 10:46am

    Re: Maybe this could end up being a good thing

    Almost as cool as phones with exploding batteries...

  13. Christenson, 8 Nov 2016 @ 11:07am

    As cool as a blackout, city wide...

    When, at 4PM, all the Philips lightbulbs in the city turn on at once, destabilizing the main electric grid!

    Well, a *little* more complicated...but not enough to matter, given "script kiddies"!

  14. orbitalinsertion (profile), 8 Nov 2016 @ 11:16am

    Re:

    It seems i have sarcasm'd myself into the Poe-Zone.

  15. Anonymous Coward, 8 Nov 2016 @ 11:27am

    Seems "Live Free or Die Hard" wouldn't be so crazy if it were released today.

  16. Anonymous Coward, 8 Nov 2016 @ 11:30am

    Re: Maybe this could end up being a good thing

    Wasn't there a Techdirt article earlier this year about Philips bricking their own lightbulbs with a bad firmware update...?

  17. Anonymous Coward, 8 Nov 2016 @ 11:35am

    Re: Re: Maybe this could end up being a good thing

    Almost as cool as phones with exploding batteries...

    Have we seen evidence of changes resulting from that yet? Going back to removable batteries, for example...

  18. Anonymous Coward, 8 Nov 2016 @ 11:37am

    "Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them."

    Like a... "cyber pathogen"?

    Sorry, couldn't help myself.

  19. Michael, 8 Nov 2016 @ 11:49am

    Re: Maybe this could end up being a good thing

    "the public backlash against Philips would start some "serious" thinking about this stuff"

    Would you be interested in buying a bridge?

  20. Michael, 8 Nov 2016 @ 11:51am

    Re: As cool as a blackout, city wide...

    I'm pretty sure they are LED bulbs, so all of them turning on at the same time would...just make lots of houses brighter.

  21. Anonymous Coward, 8 Nov 2016 @ 12:02pm

    Re: Fruits of your labor

    No I don't

  22. Anonymous Coward, 8 Nov 2016 @ 12:04pm

    Re:

    Yes it would.

  23. Anonymous Coward, 8 Nov 2016 @ 2:03pm

    Re: Re: As cool as a blackout, city wide...

    I'm pretty sure they are LED bulbs, so all of them turning on at the same time would...just make lots of houses brighter.

    Can these bulbs be convinced to use more than their rated power, or maybe even short out?

  24. Bilateralrope, 8 Nov 2016 @ 10:17pm

    If you want to cause maximum harm, forget about disrupting the grid. Think about disrupting the people.

    Turning on all the smart bulbs in a city would disrupt a lot of people's sleep. Making them flash at the wrong frequency can trigger seizures.

  25. Anonymous Coward, 9 Nov 2016 @ 1:04am

    Re: Re: Re: As cool as a blackout, city wide...

    There are things called fuses, or fusible links, inside the device, and between all its electronics and the light socket. They protect the supply from devices that fail short circuit.
