IoT Worm Could Hack All Smart Lights in a City

Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.

Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.

The research was conducted by experts from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada. In their experiments, they targeted Philips Hue, as this is considered one of the most popular smart lighting products in the world.

The worm developed by the researchers relies on the ZigBee wireless technology to spread from one smart lamp to another. Philips Hue products use ZigBee communications as part of ZLL (ZigBee Light Link), a global standard that allows consumers to remotely control LED fixtures, light bulbs, timers and switches. According to the ZigBee Alliance, the technology has a range of 70 meters (230 feet) indoors and 400 meters (1,300 feet) outdoors.

Experts calculated that in a city the size of Paris, which has 105 square kilometres (41 square miles), just over 15,000 randomly located smart lights would be enough for the worm to spread in the entire city from a single malicious bulb. Researchers showed in a real-world experiment that the malware can also be delivered by driving around and targeting all Hue lights in the car’s path (i.e. wardriving) and by using a drone (i.e. war-flying).
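The "just over 15,000 bulbs for Paris" figure comes from percolation theory: once randomly placed bulbs have, on average, more in-range neighbours than a critical threshold, a single infected bulb can reach a cluster that spans the whole area. The following added example (not code from the researchers or from Philips) reproduces that estimate and simulates the hop-by-hop spread on a constructed random layout; it assumes the standard 2D disk-percolation threshold of about 4.512 mean neighbours and a 100 m effective ZigBee range, which together yield the article's figure.

```python
import math
import random
from collections import deque

# Critical mean degree for 2D continuum (disk) percolation: the average number of
# in-range neighbours above which a giant connected cluster appears. Assumed value.
CRITICAL_MEAN_DEGREE = 4.512


def critical_bulb_count(area_km2, range_km):
    """Bulbs needed, uniformly scattered over area_km2, before one infected bulb
    can reach an area-spanning cluster when each hop covers range_km."""
    critical_density = CRITICAL_MEAN_DEGREE / (math.pi * range_km ** 2)
    return critical_density * area_km2


def largest_infectable_fraction(n_bulbs, side_km, range_km, seed=1):
    """Scatter n_bulbs over a side_km x side_km square (constructed sample) and
    return the fraction of bulbs in the largest mutually reachable cluster,
    i.e. the worst-case share a worm starting from one bulb could infect."""
    rng = random.Random(seed)
    pts = [(rng.uniform(0, side_km), rng.uniform(0, side_km)) for _ in range(n_bulbs)]
    # Bucket bulbs into cells of size range_km: every in-range neighbour of a
    # bulb lies in its own cell or one of the eight adjacent cells.
    cells = {}
    for i, (x, y) in enumerate(pts):
        cells.setdefault((int(x // range_km), int(y // range_km)), []).append(i)

    def neighbours(i):
        cx, cy = int(pts[i][0] // range_km), int(pts[i][1] // range_km)
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for j in cells.get((cx + dx, cy + dy), ()):
                    if j != i and math.dist(pts[i], pts[j]) <= range_km:
                        yield j

    seen, largest = set(), 0
    for start in range(n_bulbs):
        if start in seen:
            continue
        # Breadth-first spread of the worm from this bulb through in-range bulbs.
        seen.add(start)
        queue, size = deque([start]), 1
        while queue:
            for j in neighbours(queue.popleft()):
                if j not in seen:
                    seen.add(j)
                    queue.append(j)
                    size += 1
        largest = max(largest, size)
    return largest / n_bulbs
```

Running `critical_bulb_count(105, 0.1)` gives roughly 15,080 bulbs for a Paris-sized area; the simulation shows the same cliff, with sub-threshold densities confining the worm to small clusters and densities above it letting it reach nearly every bulb.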

“By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes,” researchers explained in their paper.

Once it infects a device, the malware enables the attacker to switch the lights on or off, permanently brick them, or abuse them for massive distributed denial-of-service (DDoS) attacks.

These attacks, which do not require prior knowledge of the targeted lights, are made possible by two issues.

One of them is related to the ZLL Touchlink protocol, which is used to establish a personal area network (PAN) to which new devices, such as lights and remotes, can connect and receive an encryption key.

A device that possesses this master key can force a lightbulb to reset to factory settings or get it to join a new PAN. To prevent abuse – for example, an individual trying to take control of his neighbor’s lights – Touchlink uses a protection mechanism that requires the devices to be in close proximity.

The problem is that the ZLL secret master key has been leaked, allowing attackers to take control of smart lights as long as they are in the short range required by the proximity check mechanism. Researchers overcame this challenge after discovering a bug in Atmel’s implementation of the ZLL Touchlink protocol as used in Philips Hue lights.

The bug enables any standard ZigBee transmitter to initiate a factory reset procedure from a longer distance and dissociate the targeted lamp from its controller. The transmitter can then take full control of the lamp.

Attackers can compromise the smart bulbs using malicious firmware updates. Firmware updates are conducted over the air (OTA) using a standard provided by the ZigBee Alliance. The standard allows devices from different manufacturers to upgrade each other’s firmware image.

Philips uses a global AES-CCM key to encrypt and authenticate new firmware, but experts managed to crack this key using readily available equipment.

Once the malicious firmware is uploaded to a device, attackers gain the ability to execute arbitrary code. One major concern is that once the malicious firmware has been installed, it can disable the firmware update process, preventing the victim from reflashing the infected Hue lights.

Philips and Atmel were notified of the vulnerabilities in July 2016. An update released by Philips in October reduces the maximum infection range to roughly one meter (three feet).

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
