Internet of Things Canada IDC

There’s no shortage of warnings that connecting consumer devices to the Internet can pose security risks if not implemented properly. Among the risks is having them leveraged in huge distributed denial of service (DDoS) attacks seen in the past two months.

Here’s another piece of evidence: Security researchers at Dalhousie University and Israel’s Weizmann Institute of Science have demonstrated that the Philips Hue LED smart lamps, which use the ZigBee wireless protocol to wirelessly control room lights through a small box called a bridge that connects to a Wi-Fi router, can be hacked and taken over through over-the-air firmware updates.

Initially, researchers were able to briefly take control of lamps by disassociating them from their controllers. “We demonstrated this with a real war-driving experiment in which we drove around our university campus and took full control of all the Hue smart lights installed in buildings along the car’s path,” says the research paper. “Due to the small size, low weight, and minimal power consumption of the required equipment, and the fact that the attack can be automated, we managed to tie a fully autonomous attack kit below a standard drone, and performed war-flying in which we flew hundreds of meters away from office buildings, forcing all the Hue lights installed in them to disconnect from their current controllers and to blink SOS in morse code.

That kind of attack could be blunted by having users re-associate the lights with the controllers.

Philips Hue lights with a control bridge. Image from Philips

Then researchers found a way to do more damage. First researchers discovered and exploited a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attacks with a proximity test. The lamps use AES-CCM key to encrypt and authenticate new firmware, but the researchers found a way around it with a side-channel attack to find the keyb using  readily available equipment  they say cost a few hundred dollars.

Lamps infected through a firmware attack would have to be thrown away. But also hackers could plunge hundreds of homes –or offices — into darkness.

According to a news report Philips has issued an update to its app limiting the wireless range of its devices to controllers that are very close to the lamps. That should limit the ability of hackers to remotely attack a lamp from outside a room or a building.

The wider point the researchers are trying to make about the Internet of Things (IoT) is in their paper: “This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”

The research paper says the worm they created spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. “The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.”

Think if the lights were installed across Paris, the paper says. “The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass.”

Researchers say Hue lamps contain a ZigBee chip made by Atmel, which uses multiple layers of cryptographic and non-cryptographic protection to prevent hackers from misusing the lamps once they are securely connected with their controllers.  The chips are supposed to ignore any request to reset or to change their affiliation unless it is sent from a ZigBee transmitter which is only a few centimeters away from the lamp. Even though the attacker can try to spoof such a proximity test by using very high power transmitters, the fact that the received power decreases quadratically with the distance makes such brute force attacks very hard (even at ranges of a hundred meters).

But researchers found the Atmel stack has a major bug in its proximity test which enables any standard ZigBee transmitter (which they say can be bought for a few dollars in the form of an tiny evaluation board) to initiate a factory reset which will dissociate lamps from their current controllers, up to a range of 400 meters. Once this is achieved, the transmitter can issue additional instructions which will take full control of all those lamps.

The report is yet another warning to manufacturers of IoT devices that despite using a state of the art cryptographic algorithm a mistake — in this case using a global key — can be a fatal vulnerability.