Researchers hack light bulbs using a drone
07 Nov 2016
In yet another reminder of that the IoT could prove to be the ultimate Pandora's Box, The New York Times reported on a new threat outlined, IoT Goes Nuclear. The report described a scenario in which, connected devices are infected by a worm that sets off a chain reaction, theoretically creating a doomsday-like scenario for smart cities that had millions of densely interconnected devices.
In the demonstration, researchers infected a Phillips Hue lamp with a virus that then spread by jumping from one lamp to its neighbours, whether the lights formed part of the same private network or not.
What made the scenario truly scary was the researchers did not need physical access to the lights, the infection was carried out wirelessly by a drone or car while still a few hundred feet away.
Researchers from the Weizmann Institute of Science and Dalhousie University exploited a vulnerability in a widely used home automation protocol found in millions of today's most popular smart home devices of which Philips Hue lighting was just one example.
The researchers exploited a weakness in Philips' encryption to allow an over-the-air firmware update using an "autonomous attack kit" built from "readily available equipment". What the attack demonstrated was that anyone with the knowledge and motivation could launch an attack of the kind.
Meanwhile, Ry Crist writes in CNET that the researchers disclosed their hack to Philips, which issued a security update before anything was made public.
"The academics with whom we cooperated merely demonstrated the possibility of an attack," a Philips Lighting representative told me", Crist writes. "They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us develop and roll out the software update."
"We recommend all customers install the latest software update via the Philips Hue app, as with any other update that we release, despite assessing the risk to Philips Hue products as low."