Security Experts:

IoT Worm Could Hack All Smart Lights in a City

Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.

The research was conducted by experts from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada. In their experiments, they targeted Philips Hue, as this is considered one of the most popular smart lighting products in the world.

The worm developed by experts relies on the ZigBee wireless technology to spread from one smart lamp to another. Philips Hue products use ZigBee communications as part of ZLL (ZigBee Light Link), a global standard that allows consumers to remotely control LED fixtures, light bulbs, timers and switches. According to the ZigBee Alliance, the technology has a range of 70 meters (230 feet) indoors and 400 meters (1,300 feet) outdoors.

Experts calculated that in a city the size of Paris, which has 105 square kilometres (41 square miles), just over 15,000 randomly located smart lights would be enough for the worm to spread in the entire city from a single malicious bulb. Researchers showed in a real-world experiment that the malware can also be delivered by driving around and targeting all Hue lights in the car’s path (i.e. wardriving) and by using a drone (i.e. war-flying).

“By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes,” researchers explained in their paper.

Once it infects a device, the malware enables the attacker to switch the lights on or off, permanently brick them, or abuse them for massive distributed denial-of-service (DDoS) attacks.

These attacks, which do not require prior knowledge of the targeted lights, are possible due to a couple of issues.

One of them is related to the ZLL Touchlink protocol, which is used to establish a personal area network (PAN) to which new devices, such as lights and remotes, can connect and receive an encryption key.

A device that possesses this master key can force a lightbulb to reset to factory settings or get it to join a new PAN. To prevent abuse – for example, an individual trying to take control of his neighbor’s lights – Touchlink uses a protection mechanism that requires the devices to be in close proximity.

The problem is that the ZLL secret master key has been leaked, allowing attackers to take control of smart lights as long as they are in the short range required by the proximity check mechanism. Researchers overcame this challenge after discovering a bug in Atmel’s implementation of the ZLL Touchlink protocol as used in Philips Hue lights.

The bug enables any standard ZigBee transmitter to initiate a factory reset procedure from a longer distance and dissociate the targeted lamp from its controller. The transmitter can then take full control of the lamp.

Attackers can compromise the smart bulbs using malicious firmware updates. Firmware updates are conducted over the air (OTA) using a standard provided by the ZigBee Alliance. The standard allows devices from different manufacturers to upgrade each other’s firmware image.

Philips uses a global AES-CCM key to encrypt and authenticate new firmware, but experts managed to crack this key using readily available equipment.

Once the malicious firmware is uploaded to a device, attackers gain the ability to execute arbitrary code. One major concern is that once the malicious firmware has been installed, it can disable the firmware update process, preventing the victim from reflashing the infected Hue lights.

Philips and Atmel have been notified about the vulnerabilities in July 2016. An update released by Philips in October reduces the maximum infection range to roughly one meter (three feet).

Related: Solving IoT Security - Pursuing Distributed Security Enforcement

Related: Attackers Use Decade-Old Flaw to Target IoT Devices

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.