Surprise! The Internet of Things is a security nightmare. Anyone who was online a few weeks ago can attest to that. The massive internet blackout was caused by connected devices, and new research from white-hat hackers expounds upon those types of vulnerabilities. The target? Philips Hue smart lightbulbs. While they've been hacked in the past, Philips was quick to point out that it happening in a real-world situation would be pretty difficult. Digital intruders would need to already be on your home network with a computer of their own -- the company claimed that directly attacking the lightbulbs wasn't exactly feasible. But this new attack doesn't require that sort of access.
In fact, all it takes is tricking the bulbs into accepting a nefarious firmware update. By exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system (again!), the hackers were able to bypass the built-in safeguards against remote access. From there, they "extracted the global AES-CCM key" that the manufacturer uses to encrypt and authenticate new firmware, the researchers write (PDF).
"The malicious firmware can disable additional downloads, and thus any effect caused by the worm, blackout, constant flickering, etc.) will be permanent." What's more, the attack is a worm, and can jump from connected device to connected device through the air. It could potentially knock out an entire city with just one infected bulb at the root "within minutes."
"There is no other method of reprogramming these devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as the power is applied."
The result is that the hackers were able to turn lights on and off both from a van driving by a house and a drone flying outside an office building. For the home, the team was 70 meters (229.7 feet) away and caused lights to go on and off individually. The office building houses a few security companies including Oracle, and was hacked from 350 meters (1,148 feet; about a quarter of a mile), and once under control, the lights started signaling "S.O.S." in Morse code.
"We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates." Not terrifying at all, right? The researchers say that they've contacted Philips and included all the details needed for a fix. Philips has confirmed the weaknesses and issued firmware updates to hopefully guard against this ever happening.