from the apocalypse-in-a-box dept
And each week it seems like we're bearing witness to a new, deeper and uglier chapter in the saga of the internet of not-remotely-secure things. This week, it's the revelation by hackers that they've found another way to exploit a weakness in the Touchlink aspect of the ZigBee Light Link system at the heart of Phillips' Hue "smart" light bulbs. More specifically, hackers have demonstrated a way to control every smart bulb in your home by pushing malicious firmware updates, without setting a foot inside of the residence:
"The researchers focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs, according to researchers at the Weizmann Institute of Science near Tel Aviv and Dalhousie University in Halifax, Canada. That may not sound like a big deal. But imagine thousands or even hundreds of thousands of internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them."As we've been noting, these compromised devices are then being used in some of the biggest and most potent denial-of-service attacks we've ever seen. According to the full research paper (pdf), the attack can be launched either via war driving (sitting in a vehicle) or by drone (in their test demonstration they were 70 meters, or 229.7 feet, away). More frighteningly, perhaps, the researchers posit that they could damage entire cities via this method using "readily available equipment costing a few hundred dollars" to forge "lightbulb worms":
"In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack"Comforting. The report notes that the attack is thanks, in part, to the fact that while the ZLL Touchlink Commission protocol does use encryption to encode the "Master ZLL Key" sent to new devices joining the network, this key is shared among all devices and was leaked online last year. They're also quick to note that once a lightbulb has been infected with the worm, there's no way to reverse this short of replacing the light bulb:
"An important observation is that unlike computers or smart phones, this kind of attack is irreversible. There is no way to re-flash the Philips Hue lights firmware to get rid of our worm, and the only possible solution is to replace the lightbulb with a new one. Note that in order to prevent the new lightbulb from being infected in the same manner, the user must wait for a software patch to be available from the manufacturer before installing it."So yes, you left the store with a "smart" lightbulb thinking you'd just have some sexy mood lighting, but were shocked to find a mini-apocalypse in a box once you got your purchase home. Thanks, internet of broken things!