The Philips Hue lighting system is vulnerable to attacks that can cause a “perpetual blackout” in the homes of users, according to a security researcher.
The Hue wireless system – on sale in the Apple Store – controls wireless LED light bulbs in the home via a wireless bridge, and can be controlled by iOS and Android apps. But researcher Nitesh Dhanjani says that the system it uses to authenticate devices means that it’s all too easy to turn lights on and off in other people’s homes.
Attackers could “black out” all the Hue lights from nearby (any nearby location within reach of the same Wi-Fi network) by using malware to capture one of the “whitelisted tokens” – and then “issue ‘all lights off’ instructions.” Dhanjani says that it’s also difficult for users to regain control of their system.
“The script infinitely issues a blackout command. If the victim manually switches the bulbs off and on, the lights will flicker on for less than half a second and then go off again until the victim recognized and terminates the script. Alternatively, the victim can disconnect the bridge – however, the blackout will reoccur when the victim reconnects the bridge.”
Dhanjani explains that the system’s method of “recognizing” devices leaves it open to attack. “The hue bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to it to change the state of the lightbulb. In order to succeed, the user must also know one of the whitelisted tokens. It was found that in case of controlling the bulbs via the hue website and the iOS app, the secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine).”
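A defender-side check for the weakness described above, as an added example that is not from Dhanjani's research or from Philips: given the tokens whitelisted on a bridge and the MAC addresses of household devices, it flags any token that is simply the MD5 of a MAC. The article does not say which text form of the MAC was hashed, so the forms tried here are an assumption, and all sample values and function names are constructed.

```python
import hashlib
import secrets

def mac_variants(mac):
    """Common text forms of one MAC (which form was hashed is an assumption)."""
    digits = "".join(c for c in mac if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    forms = {digits, ":".join(pairs), "-".join(pairs)}
    return forms | {f.upper() for f in forms}

def derived_tokens(mac):
    """Every token an MD5-of-MAC scheme could produce for this device."""
    return {hashlib.md5(v.encode("ascii")).hexdigest() for v in mac_variants(mac)}

def audit_whitelist(tokens, known_macs):
    """Return {token: mac} for each whitelisted token derivable from a known MAC."""
    lookup = {}
    for mac in known_macs:
        for tok in derived_tokens(mac):
            lookup[tok] = mac
    return {t: lookup[t.lower()] for t in tokens if t.lower() in lookup}

def new_token():
    """Hardened form: 128 bits from the OS CSPRNG, unrelated to any device ID."""
    return secrets.token_hex(16)

# Constructed sample data: two household MACs and a two-entry whitelist,
# one entry derived from a MAC and one generated randomly.
SAMPLE_MACS = ["00:11:22:33:44:55", "66-77-88-99-AA-BB"]
SAMPLE_WHITELIST = [
    hashlib.md5(b"00:11:22:33:44:55").hexdigest(),
    new_token(),
]

if __name__ == "__main__":
    for token, mac in audit_whitelist(SAMPLE_WHITELIST, SAMPLE_MACS).items():
        print(f"predictable token {token} derives from {mac}")
```

A token flagged by the audit gives no more protection than the MAC address itself, which any machine on the same segment can read from its ARP cache.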
At the recent Black Hat security conference in Las Vegas, researchers showed off hacks that could affect “connected” devices such as televisions, door alarms and toilets.
“By 2022, the average household with two teenage children will own roughly 50 such Internet connected devices, according to estimates by the Organization for Economic Co-Operation and Development,” Dhanjani says. “Our society is starting to increasingly depend upon Internet of Things devices to promote automation and increase our well being. As such, it is important that we begin a dialogue on how we can securely enable the upcoming technology.”
Hacks against the Hue website could also allow access, Dhanjani warns.
“The Internet app will accept a six-character password, and as we all know, users have a distressing habit of re-using passwords for lots of different sites – meaning that if a password leaks, an attacker can remotely control the system,” Richard Chirgwin writes in a report on The Register.
“Lighting is critical to physical security. Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences,” Dhanjani writes. “It is important that Philips and other consumer IoT organizations take issues like these seriously. In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences.”
ESET Security Evangelist Stephen Cobb offers a basic guide to securing a household full of digital devices in a blog post. “On a typical evening or weekend at home, how many computing devices is your household using?” Cobb asks. “In my house the answer is 10, and that’s just my wife and I. Before you decide we’re an extreme example, make sure your household computer count includes all of the laptops, tablets, iPods, smartphones and the like. Then think about the TV and DVD player, one or both of which may be connected to the home network. The fact is, many homes today are multi-device households, with numerous PCs, Macs, tablets and smartphones.”
Author Rob Waugh, We Live Security