A team of academic researchers demonstrated how even the simplest internet of things devices could be used to spread malicious code when they exploited a vulnerability in a popular smart light bulb to infect other devices.
In a draft research paper, researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada outlined their method of wresting control of Philips Hue smart lights from a home-automation network and then remotely updating the devices with malicious code.
With just 15,000 randomly distributed smart lights in an urban area, a network worm could spread in a chain reaction throughout an entire city, the researchers concluded using a type of analysis known as percolation theory.
“The attack can start by plugging in a single infected bulb anywhere in the city and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them or exploit them in a massive DDoS attack,” the researchers said.
Network-connected devices—ranging from smart light bulbs to programmable thermostats and wireless video cameras—are the basic building blocks of the IoT. An increasing number of devices already are connected to controllers and internet-connected hubs, with as many as 50 billion expected to be in use by 2020.
While some smart-device manufacturers have made security a priority, most have focused on getting their products to market, leaving the potential for significant vulnerabilities that could affect the products and their users.
Unsecured webcams, for example, can allow attackers to see into consumers’ homes. And in September and October, botnets using millions of IoT devices knocked many target websites off the internet, including security journalist Brian Krebs and domain-name service Dyn.
Unless more manufacturers and users consider the potential threats of the technology they are using every day, the risk of a major incident will only rise, the researchers said.
“Without giving it much thought, we are going to populate our homes, offices and neighborhoods with a dense network of billions of tiny transmitters and receivers that have ad-hoc networking capabilities,” they wrote in the paper. “These IoT devices can directly talk to each other, creating a new, unintended communication medium that completely bypasses the traditional forms of communication such as telephony and the internet.”
Philips had taken steps to secure the lights from hackers, including encrypting data and refusing to reset a connection unless a ZigBee controller was in close proximity to the bulb.
However, the ZigBee chip used by Philips and made by Atmel had a major bug in its proximity test, the researchers found. As a result, a controller within 400 meters could initiate the factory reset procedure. The researchers tested the attack on lights distributed around their university campus, taking control of the Hue smart bulbs.
The equipment needed to conduct the factory reset could be mounted on a drone for a remote attack, a technique known as war-flying.
The attack could be undone easily, except the researchers also reverse-engineered older bulbs to extract the encryption key used to secure firmware updates. Using that key, they created new software to overwrite the code that manages the bulbs to spread to other bulbs.
“A single infected lamp with a modified firmware, which is plugged-in anywhere in the city, can start an explosive chain reaction in which each lamp will infect and replace the firmware in all its neighbors within a range of up to a few hundred meters,” the researchers wrote.
Unlike previous worms, the attack does not require any internet access or communications, relying on the ZigBee protocol to send the malicious code among the bulbs in a peer-to-peer network. A city the size of Paris, about 105 square kilometers, could be infected if 15,000 lights were installed in a random distribution across the urban area, the researchers calculated.
“Since the Philips Hue smart lights are very popular in Europe and especially in affluent areas such as Paris, there is a very good chance that this threshold had in fact been exceeded, and thus the city is already vulnerable to massive infections via the ZigBee chain reaction described in this paper,” they wrote.