Philips Hue Smart Lightbulbs Hack Can Spread IoT Worm Like Wildfire

Smart lighting may be the next Internet of Things (IoT) attack vector, thanks to hackable Philips Hue smart lightbulbs.

Smart lighting may be the next Internet of Things (IoT) attack vector, thanks to hackable Philips Hue smart lightbulbs.

Researchers from the Weizmann Institute of Science, Israel, and Dalhousie University, Canada, created a proof-of-concept worm that can be used spread from across the smart lightbulbs potentially infecting a whole network of them and opening them up for exploitation.

In the IoT Goes Nuclear: Creating a ZigBee Chain Reaction paper, the researchers noted how through exploiting universal encryption keys over the ZigBee wireless networking standard they can compromise a Philips Hue lightbulb from a distance of around 400 metres.

From there they can inject with a worm that can spread across Hue bulbs.

Smart lighting hack

philips-hue-2“The worm spreads by jumping directly from one lamp to its neighbours, using only their built-in ZigBee wireless connectivity and their physical proximity,” the researchers said.

“The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.

“To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometres: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already).”

Over-the-air attack

zigbee xbee radioTo carry out the attack the researchers first had to figure out how to yank a Hue lightbulb from its network .

They did this by finding a bug in the Touchlink part of the ZigBee Light Link protocol that allowed then to initiate a factory reset in the targeted Hue lightbulb separating it from its current controllers.

Despite the Hue lightbulbs having a ZigBee chip made by Atmel with multiple layers of cryptographic encryption that prevent a smart bulb from being removed from its controller by an unauthorised person, unless a ZigBee transmitter is used in very close proximity.

However, the bug in the Atmel stack could be exploited to bypass this proximity test and trigger a factory reset at much greater range simply using a cheap ZigBee transmitter.

The researchers then had to get access to the universal encryption key, which they did by carrying out a side-channel attack to get the AES-CCM key which enabled them to perform over-the-air updates in order to infect the smart lights with the worm.

With these two stages in place they could infect one lightbulb which would then spread the worm to others over the ZigBee radio frequency; eventually carrying out an IoT hack attack but without actually needing the internet, which sets it apart from other IoT attacks which use Internet connections to detect and size control of vulnerable devices and networks.

While Philips have released a patch for the bug it is rendered a bit moot as the updates are carried out over the air, which the researchers said make it almost impossible to receive a patch before the worm has spread.

This will likely mean that a true fix for the problem will rely on future Hue lightbulbs coming with bolstered firmware that plugs the hole.

Rise of real-world attacks

IoT homeWhile the researchers worm was developed as a proof-of-concept and the hacking of smart lights does not immediately pose a massive threat under normal circumstances, such attacks can be used to cause Wi-Fi disruption and other problems.

The attack also demonstrated that IoT devices are difficult to secure using traditional encryption and present new attack vectors for savvy hackers, as seen with the havoc-wreaking Miria IoT botnet.

Furthermore, it showcases how smart devices can be remotely hacked in the physical as well as on the highways of the Internet, throwing up more areas of concern for both security experts and companies working in the IoT space.

“What we demonstrate in this paper is that even IoT devices made by huge companies with deep knowledge of security, which are protected by industry-standard cryptographic techniques, can be misused by hackers to create a new kind of attack,” the researchers warned.

“By using this new communication medium to spread infectious malware from one IoT device to all its physically adjacent neighbours in a process resembling a nuclear chain reaction, hackers can rapidly cause city-wide disruptions which are very difficult to stop and to investigate.”

This will come as no surprise for many tech savvy readers as warning of the security risks the IoT poses have been frequently and loudly discussed by cyber security experts who worry that cyber security is not being put at the forefront of IoT development.

Are you a security pro? Try our quiz!