IoT Worm Could Hack All Smart Lights in a City

Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.

The research was conducted by experts from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada. In their experiments, they targeted Philips Hue, as this is considered one of the most popular smart lighting products in the world.

The worm developed by experts relies on the ZigBee wireless technology to spread from one smart lamp to another. Philips Hue products use ZigBee communications as part of ZLL (ZigBee Light Link), a global standard that allows consumers to remotely control LED fixtures, light bulbs, timers and switches. According to the ZigBee Alliance, the technology has a range of 70 meters (230 feet) indoors and 400 meters (1,300 feet) outdoors.

Experts calculated that in a city the size of Paris, which covers 105 square kilometres (41 square miles), just over 15,000 randomly located smart lights would be enough for the worm to spread across the entire city from a single malicious bulb. Researchers showed in a real-world experiment that the malware can also be delivered by driving around and targeting all Hue lights in the car’s path (i.e. wardriving) and by using a drone (i.e. war-flying).

“By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes,” researchers explained in their paper.

Once it infects a device, the malware enables the attacker to switch the lights on or off, permanently brick them, or abuse them for massive distributed denial-of-service (DDoS) attacks.

These attacks, which do not require prior knowledge of the targeted lights, are possible due to a couple of issues.

One of them is related to the ZLL Touchlink protocol, which is used to establish a personal area network (PAN) to which new devices, such as lights and remotes, can connect and receive an encryption key.

A device that possesses this master key can force a lightbulb to reset to factory settings or get it to join a new PAN. To prevent abuse – for example, an individual trying to take control of his neighbor’s lights – Touchlink uses a protection mechanism that requires the devices to be in close proximity.

The problem is that the ZLL secret master key has been leaked, allowing attackers to take control of smart lights as long as they are within the short range required by the proximity check mechanism. Researchers overcame this range limitation after discovering a bug in Atmel’s implementation of the ZLL Touchlink protocol as used in Philips Hue lights.

The bug enables any standard ZigBee transmitter to initiate a factory reset procedure from a longer distance and dissociate the targeted lamp from its controller. The transmitter can then take full control of the lamp.

Attackers can compromise the smart bulbs using malicious firmware updates. Firmware updates are conducted over the air (OTA) using a standard provided by the ZigBee Alliance. The standard allows devices from different manufacturers to upgrade each other’s firmware image.

Philips uses a global AES-CCM key to encrypt and authenticate new firmware, but experts managed to crack this key using readily available equipment.

Once the malicious firmware is uploaded to a device, attackers gain the ability to execute arbitrary code. One major concern is that once the malicious firmware has been installed, it can disable the firmware update process, preventing the victim from reflashing the infected Hue lights.

Philips and Atmel were notified about the vulnerabilities in July 2016. An update released by Philips in October reduces the maximum infection range to roughly one meter (three feet).
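The city-wide spread estimate and the effect of the range-limiting update can both be explored with a simple connectivity model. The following is an added example, not code from the researchers or from SecurityWeek: it places the article's 15,000 lights uniformly at random in a square of Paris's area and measures how many fall into the largest cluster reachable hop by hop, for the 400 m and 70 m ZigBee ranges and the roughly 1 m post-update range. The square city, uniform placement, a single hop range for every light, and all function names are assumptions.

```python
import math
import random
from collections import Counter

AREA_M2 = 105e6      # Paris: 105 km^2 (figure from the article)
N_LIGHTS = 15_000    # number of lights quoted in the article

def largest_cluster_fraction(n, area_m2, radio_range_m, seed=1):
    """Fraction of n uniformly placed lights in the largest radio-connected cluster."""
    rng = random.Random(seed)            # constructed placement, not real data
    side = math.sqrt(area_m2)            # assumption: model the city as a square
    pts = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]

    parent = list(range(n))              # union-find over lights
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    # Bucket lights into cells one hop range wide, so only the 3x3
    # neighbourhood of a cell can contain lights within range.
    grid = {}
    for i, (x, y) in enumerate(pts):
        cell = (int(x // radio_range_m), int(y // radio_range_m))
        grid.setdefault(cell, []).append(i)

    r2 = radio_range_m ** 2
    for (cx, cy), members in grid.items():
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for j in grid.get((cx + dx, cy + dy), ()):
                    for i in members:
                        if i < j:        # visit each unordered pair once
                            (xi, yi), (xj, yj) = pts[i], pts[j]
                            if (xi - xj) ** 2 + (yi - yj) ** 2 <= r2:
                                parent[find(i)] = find(j)

    sizes = Counter(find(i) for i in range(n))
    return max(sizes.values()) / n

def range_report(ranges_m=(400, 70, 1)):
    """Largest-cluster fraction for each assumed hop range in metres."""
    return {r: largest_cluster_fraction(N_LIGHTS, AREA_M2, r) for r in ranges_m}

if __name__ == "__main__":
    for r, frac in range_report().items():
        print(f"hop range {r:>3} m -> largest cluster holds {frac:.1%} of lights")
```

In this model the outcome depends almost entirely on the effective hop range, which is why cutting the range to about one meter breaks the chain of reachable lights even at this density.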

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
