Security flaws in Philips smart light bulbs are leaving users open to blackouts and password-stealing cyber attacks, according to independent researcher Nitesh Dhanjani.
Dhanjani issued his claim in a public whitepaper, entitled Hacking Lightbulbs: Security Evaluation of the Philips Hue Personal Wireless Light System. He highlighted several vulnerabilities in the light bulbs' architecture as being potentially exploitable, and said the most serious vulnerability could be used by hackers to permanently turn off the lights.
"The Hue bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to it to change the state of the light bulb. In order to succeed, the user must also know one of the whitelisted tokens. It was found that in case of controlling the bulbs via the Hue website and the iOS app, the secret whitelist token was not random but the MD53 hash of the MAC address4 of the desktop or laptop or the iPhone or iPad," read the paper.
"This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP5 cache of the infected machine). Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue ‘all lights off' instructions. Once a request is successful, the malware can inﬁnitely issue the command using the known working whitelist token to cause a perpetual blackout."
Philips told V3 the company is aware of the whitepaper, clarifying that the attack works only on local networks, meaning its impact should be negligible. "In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorised persons cannot gain access to lighting systems," the firm said.
"An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is no security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure.
"Like the rest of your devices, however, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our advice to customers as always is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including Hue."
Despite Philips downplaying the report, Dhanjani said the hackers could easily tweak the malware for more nefarious schemes. He highlighted the creation of a blackout-causing botnet as a particularly troubling future scenario, as it could grant criminals the ability to turn out the lights on whole businesses.
"It is likely that future malware will include a database of IoT signatures that can be used to detect devices in homes and ofﬁces. Once the devices are scanned, the malware can exploit known vulnerabilities (such as this) associated with the particular device," said the paper.
"Alternatively, a botnet system controlling the malware can remotely issue commands to control the devices. Imagine the power of a remote botnet system being able to simultaneously cause a perpetual blackout of millions of consumer light bulbs. As consumer IoT devices permeate homes and ofﬁces, this scenario is increasingly likely in the near future."
Philips light bulbs are one of several new smart devices that have been targeted by hackers. Renowned hackers Charlie Miller and Chris Valasek have also released tools capable of hijacking control of moving cars to the general public.
Some parts of Atacama have not received rainfall for 500 years - but a sudden deluge of water upset the Desert's delicate biological balance
Spitzer Space Telescope could not spot Oumuamua, suggesting that it is actually pretty small
Greenland crater one of the 25 largest impact craters on Earth
This long-sought progenitor star was identified in an image captured by Hubble in 2007