[LINK] IoT lightbulb worm takes over all smart lights until entire city is infected

Bernard Robertson-Dunn brd at iimetro.com.au
Sun Nov 13 15:08:02 AEDT 2016

It's only a proof of concept at this stage. The headline is a bit of an
exaggeration, it hasn't happened - yet

IoT lightbulb worm takes over all smart lights until entire city is infected
November 10, 2016
Danielle Correa, Production Editor

A research team has set up a chain reaction attack that would take over
Philips Hue smart lightbulbs across entire cities.

Researchers showed that they could hijack the bulbs from nearly half a
kilometer away.

Researchers have developed a proof-of-concept attack on smart lightbulbs
that allows them to wirelessly take control over the bulbs from up to 400m.

The attack involves writing a new operating system to one of the light
bulbs. The infected bulb then uses its trusted status to spread the
infection to all vulnerable bulbs in reach, until an entire city is
infected, “enabling the attacker to turn all the city lights on or off,
permanently brick them, or exploit them in a massive DDoS attack”,
according to the researchers.

The research team from Dalhousie University in Canada and the Weizmann
Institute of Science in Israel demonstrated attacking bulbs by drone or
ground station. The researchers chose to work with Philips Hue
lightbulbs, one of the market leaders in smart lighting systems in the

“If we want to look at worst case scenarios then the damages could be
significant. Apart from the obvious cases of turning off lights in very
dark areas that could cause the human occupants to lose their footing
and injure themselves, we need to consider the dangers of strobing LED
lighting that could cause epileptic seizures. It could also be used to
cause disruption to other Wi-Fi networks using the 2.4 GHz spectrum. If
enough lightbulbs are connected and compromised they could be used to
form a DDoS attack,” said Mark James, security specialist at ESET, in
commentary to SCMagazineUK.com.

One of the flaws allowing for this can be found in the Zigbee wireless
protocol implementation used in the Hue system. Researchers showed that
they could hijack the bulbs from nearly half a kilometer away because
the implementation does not encrypt all traffic between devices.

Another flaw was found in the system the bulbs use for system updates.
The updates are cryptographically signed using a very strong algorithm.
However, the researchers were able to extract the keys from one
lightbulb and, because the same key is used in every bulb, were able to
use them to sign their own malicious updates.

The attack targets devices by Zigbee signals, making it almost
impossible to defend against through traditional methods such as firewalls.

In their report, the researchers said “the worm can rapidly retake new
bulbs which the user has attempted to associate with the legitimate base
station, making it almost impossible for vulnerable bulbs in range of
another infected bulb to receive an [over the air] patch before the worm
has spread”.

Users must first set up the Philips Hue app in order to receive
automatic patches before attacks take place since the worm can easily
override update attempts.

“Philips have already issued a patch to resolve this particular issue
but getting the patch is not as easy as it should be. These types of
issues can often arise from using common technologies that may be
flawed, it once again highlights the dangers of an interconnected world
running to embrace technology with security taking a back seat,” James said.

“Fixing the malicious software update will require physical replacement
of every affected lightbulb with a new one, and a waiting period for a
software patch to be available before restoring light. This scenario
might be alarming enough by itself, but this is only a small example of
the large scale problems that can be caused by the poor security offered
in many IoT devices,” the report stated.

In emailed commentary to SC, Alex Mathews, EMEA technical manager at
Positive Technologies said: “This is a sign of a worrying bigger picture
trend. As more and more IoT devices are connected to the internet, they
bring with them countless vulnerabilities because they simply aren't
created with security in mind. The creators of devices such as this
typically prioritise consumer appeal, not potential threats from
hacking, and this creates a potential risk. Even when a vulnerability is
known or discovered, all too often manufacturers cannot fix them as they
typically lie within third party components and/or the cost is too

“If we're to stem the deluge of IoT insecurities, there needs to be
comprehensive, agreed-upon guidelines on how to secure such apparatus.
Hardware manufacturers, service providers, security experts and everyone
else in between needs to be aware of this, and cooperate with one another.”

Stephen Gates, chief research intelligence analyst at NSFOCUS IB
commented: "Industrial IoT devices are a major concern for security
researchers worldwide. The implications of these devices being hackable
are very alarming. From widespread outages to takeover by botnet herders,
soon we will likely have smart lights and a litany of other industrial
IoT devices being used to wreak havoc on a scale never witnessed before.
Manufacturers need to recognise that almost anything is hackable and put
appropriate protections into place. Recommendation: hire the hackers to
test your systems before making them publicly available. Whatever
happened to 'due care'?"



Bernard Robertson-Dunn
Sydney Australia
email: brd at iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com
Blog:  www.problemsfirst.com/blog
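
The update flaw described in the article (one key shared by every bulb) can be contrasted with per-device keys in a short model. This is an added example, not code from the post, the article or the researchers; the article does not name the algorithm, so HMAC-SHA256 stands in for it, and the `Bulb` class, device ids and key values are constructed for illustration.

```python
import hashlib
import hmac

def tag(key: bytes, firmware: bytes) -> bytes:
    """Authentication tag over a firmware image (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, firmware, hashlib.sha256).digest()

def device_key(master: bytes, device_id: bytes) -> bytes:
    """Per-device key derived from a vendor-held master secret (key diversification)."""
    return hmac.new(master, b"fw-update|" + device_id, hashlib.sha256).digest()

class Bulb:
    """Hypothetical device: accepts an update only if the tag verifies under its stored key."""
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key

    def accepts(self, firmware: bytes, fw_tag: bytes) -> bool:
        return hmac.compare_digest(tag(self.key, firmware), fw_tag)

def fleet_acceptance(bulbs, leaked_key: bytes, firmware: bytes) -> int:
    """Count bulbs that would accept an image tagged with a key recovered from one device."""
    forged = tag(leaked_key, firmware)
    return sum(b.accepts(firmware, forged) for b in bulbs)

# Constructed sample data (not real keys or device ids).
IDS = [b"bulb-%02d" % i for i in range(5)]
SHARED = b"constructed-fleet-wide-key"
MASTER = b"constructed-vendor-master-secret"
UNSIGNED_IMAGE = b"constructed firmware image not issued by the vendor"

# Design 1: every bulb stores the same key. Design 2: each bulb stores only its own derived key.
shared_fleet = [Bulb(i, SHARED) for i in IDS]
diversified_fleet = [Bulb(i, device_key(MASTER, i)) for i in IDS]

def compare():
    """(accepted by shared-key fleet, accepted by diversified fleet) once bulb 0's key is known."""
    return (
        fleet_acceptance(shared_fleet, shared_fleet[0].key, UNSIGNED_IMAGE),
        fleet_acceptance(diversified_fleet, diversified_fleet[0].key, UNSIGNED_IMAGE),
    )

if __name__ == "__main__":
    print(compare())
```

With a fleet-wide key, one extracted key authenticates an image to every bulb; with derived keys the exposure stops at the device that was opened. Asymmetric signatures, where devices hold only a public verification key, keep the signing secret off the device altogether.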
