Serious security concerns regarding the Internet of Things (IoT) are continuing to mount in the wake of the massive DDoS attack that used a massive IoT botnet to take down a portion of the internet in October.
Now, researchers have found a security flaw in Philips Hue smart bulbs that could allow malicious hackers to remotely hijack and control the devices.
According to a new study titled, "IoT goes nuclear: Creating a ZigBee Chain Reaction," researchers from Welzmann Institute of Science in Israel and Dalhousie University in Novascotia, Canada, discovered that they were able to exploit a weakness in the common wireless radio protocol called ZigBee that is often used in other smart home devices as well. Philips Hue smart bulbs allow users to control the intensity and colour of the web-connected bulbs via a computer or a smartphone.
Researchers said that hackers can potentially use a method that involves tricking an internet-connected light bulb into accepting a computer worm that can then spread malicious software to other neighbouring bulbs within the network.
"The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity," researchers explained. "The attack can start by plugging in a single infected bulb anywhere in the city, and catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack."
The researchers noted that they were able to carry out the attack using "only readily available equipment costing a few hundred dollars." They demonstrated the technique in a video showing a drone flying up to 350m away from a building, taking control of its smart light bulbs to blink on and off, and flash an "SOS" message in Morse code.
Another video showed researchers testing the technique to take control of light bulbs at the Weizmann Institute of Science facility and cause them to flicker by driving a car 70m away.
"This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product," researchers said.
The latest study comes just a month after hackers targeted DNS provider Dyn to knock multiple major websites offline through waves of massive DDoS attacks. Using Mirai malware, the hackers infected thousands IoT devices such as web cameras and digital recorders to create a huge Mirai botnet and flood its server with fake traffic to take it offline. The researchers said they notified Philips about the vulnerability and the company fixed the security flaw with a patch in October.
"We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack," a Philips Lighting spokesperson told. "Despite the low risk, we consulted with the researchers and developed a patch that has already been issued in a firmware update."