Engineering news
Researchers have been able to take control of smart lightbulbs using a computer virus administered remotely by drones, highlighting the potential security issues with internet of things (IoT) technology used in commercial and industrial settings.
The collaborative project, saw researchers Colin O’Flynn from Dalhousie University in Canada, and Eyal Ronen, Adi Shamir and Achi-Or Weingarten, from the Weizmann Institute of Science in Israel, identify a security concern that makes IoT devices susceptible to hackers, and could potentially give them control over things like lights, switches, locks and thermostats.
Using the Philips Hue, one of the most common smart light bulbs, as a platform, the researchers developed a computer worm that could be easily spread to other devices. The worm spread by jumping directly from one lamp directly to one of its neighbours, using only the built in ZigBee wireless connectivity and their physical proximity.
The researchers then tested the worm by taking over lamps in two different “attack” scenarios. In the first, conducted at the Weizmann Institute, the researchers did a “drive-by” hack using a vehicle, and found they were able to manipulate the lights from up to 70 metres away.
The second was more elaborate, targeting an office building in the city of Be’er Sheva in Israel, which hosts several well-known security companies and also the Israeli Computer Emergency Response Team (CERT). Several Philips Hue lights were installed on one floor of the building, and an “attack kit” was installed on a drone. As the drone got closer to the building, lights were able to be manipulated to spell out "S.O.S." in morse code.
“We weren't too surprised at the results, to be honest,” said O’Flynn. “When we started the project we figured it would be possible with enough time, but it was very exciting as there was a probably two to three-day period where a lot of things were falling into place.”
Philips, one of the companies whose devices was susceptible to the potential vulnerability, was notified about the issue and issued a patch to correct it.
A spokesperson for Philips Lighting said that reports of Philips Hue products being infected by a virus are inaccurate.
"Researchers contacted us in the summer about a potential vulnerability and we patched it before the details of findings were disclosed publicly. At no time was a virus created or used to infect any Philips Hue products.
"We recommend all our customers install the latest software update via the Philips Hue app, as with any other update that we release, despite assessing the risk to Philips Hue products as low."
The academics with whom we cooperated via our responsible disclosure process, merely demonstrated the possibility of an attack. They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us to develop and roll out the software update.
While the taking over of light bulbs may not raise too many concerns, the researchers have said that the experiments show that the technology has the potential to be dangerous if place into the wrong hands. Compromised devices could be used to jam wireless networks, attack the electrical grid or steal information.
“Hopefully we'll start to take security of all 'connected' devices seriously, and not just those connected to the Internet,” said O’Flynn. “A big part of our research was showing how such a worm could spread between the light-bulbs themselves wirelessly, independent of any internet or network connection.
“There is no doubt that devices are becoming more and more popular. But they are still new enough that there is time to fix some of these issues before they are completely ubiquitous.”
The complete findings of this study are available online.