Smart Bulbs. How Vulnerable Are Hue?
The popularity of smart bulbs such as Phillips’ Hue have grown exponentially in recent years. After all, what’s not to love about them? They can dim without the need for dimmer switches; they can change colour to provide mood lighting; some can help you sleep better emitting colour temperatures that help suppress human melatonin levels during the day and increase melatonin as you near bedtime; some can even play music, pulsating and changing colours to match! The convenience comes in the form of wireless connectivity and apps that can be installed on your smartphone, which allow you to remotely configure and control the smart bulbs. However, public awareness is growing of the danger that networked lighting can be an entry point to the entire smart home or building automation system. The convenience of a connected world enables homeowners to monitor their home from hundreds of miles away but also provides an attack surface to hackers and thieves.
Is your smart home committing a cybercrime?
Any device connected to a smart home or building automation system can serve as a gateway. Seemingly innocuous devices like connected light bulbs or connected home appliances can be tricked into trusting a malicious device, offering a hacker access to the system. We have seen this demonstrated in very real terms in recent weeks with millions of connected devices – also referred to as Internet of Things (IoT) devices – being used in an attack which took down websites such as Amazon, Twitter and Spotify, as well as separate attacks on internet service providers affecting home broadband users and even the heating systems of apartment blocks!
Spotlight on weak security
In 2013, a researcher published a proof-of-concept paper outlining how Phillips’ Hue lighting systems could be successfully attacked, pointing out vulnerabilities such as not enforcing strong password use for web-based administration interfaces. Three years later, have we seen any significant improvement on security? Researchers have since uncovered more weaknesses. In a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction researchers describe how a proof-of-concept worm they created can “… rapidly retake new bulbs which the user has attempted to associate with the legitimate base station, making it almost impossible for vulnerable bulbs in range of another infected bulb to receive an [over the air] patch before the worm has spread.”
The worm spreads by jumping directly from one lamp to its neighbours, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
The research findings prompted Philips to release a firmware patch for owners of its “Hue” connected bulbs. This is not without some risk as users must first set up the Philips Hue app in order to receive the automatic patches, and do so before attacks take place since the worm can easily override update attempts.
What is the best way to protect connected devices?
Hackers attacking the smart home exploit common security flaws and use them to breach home networks, computers, IoT and mobile devices. Once cyber criminals have access, they can steal personal and financial information, and hijack or hold for ransom anything from computers and webcams, to smart TVs and thermostats.
Connected light bulbs are available in retail outlets making it very easy for attackers to physically analyse their construction and identify security. Effective security needs to rely on a dedicated tamper-resistant security device, such as a secure micro-controller. This type of controller enables secure storage of network passwords and authentication keys, as well as an isolated environment for security functions. A properly designed security chip, protects the connected device against both remote and physical attacks, making each node of the network an effective barrier against hacking attempts.
It seems IoT device manufacturers are finally taking note. Chinese manufacturer Xiongmai recalled webcams after they were linked to recent attacks. But whilst manufacturers are re-evaluating the minimum levels of security that they need to have built-into their products (balancing the cost for building in this security against lead time to market and profits), the onus is on us as owners of smart homes to ensure our networks are as secure as possible. This ranges from having better security hygiene practices such as using strong passwords and multi factor authentication, and changing the default admin username and password on devices, to having an effective security strategy whether you’re at home or away.
Infosec Partners can help
Worried that your Internet connected devices at work or at home might have been breached? We can help. From stress testing the security strategies and cyber readiness of significant organisations to attacks including DDoS, to securing exclusive estates using full home-automation and IoT technologies, Infosec Partners are proven experts in full-spectrum cybersecurity and a team you can trust.
For your free consultation, complete the adjacent form or to speak with trusted advisor immediately
Call us on +44 (0)1256 893662.
Did you know? Infosec Partners are the only full-spectrum security experts accredited to implement, manage and troubleshoot the top three home-automation vendors (Crestron, Control4 and Savant), and the first ever to integrate these with security from leading security vendors including Fortinet which named Infosec Partners it’s first ever UK Partner of Excellence.