Researcher Outlines Hack of Smart Light Bulbs

A security researcher has outlined an attack against the Philips hue smart lighting system that could quite literally leave victims in the dark. 

Due to an authentication issue, the hue personal wireless system can potentially leave users vulnerable to hackers looking to cause blackouts.

“The hue system generates whitelist tokens that are used by the bridge to authenticate commands,” researcher Nitesh Dhanjani explained in a paper. “These tokens are MD5 hashes of the authenticating devices’ MAC addresses. This creates a situation where malware on the same network segment as the bridge can compute the whitelist tokens by looking at the ARP cache of the infected machine and cause a perpetual blackout.”

The hue  system can be purchase from the Apple Store and other outlets and can be used to configure light bulbs to any of 16 million colors using iOS and Google Android apps as well as the hue website, the paper notes.

Contacted by SecurityWeek, a Philips spokesperson said in a statement that the company used industry standard encryption and authentication techniques to ensure no one can gain access to lighting systems without authorization.

“An attack of the nature described [in the paper] requires that a computer on your private local network is compromised to send commands internally,” the spokesperson said. “This means there is no security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure. However, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our advice to customers as always is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including hue.”

According to Dhanjani, the hue’s wireless bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to alter the light bulb provided they know one of the whitelisted tokens.

“It was found that in case of controlling the bulbs via the hue website and the iOS app, the secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad,” according to the paper. “This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP5 cache of the infected machine). Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue ‘all lights off’ instructions to the bridge via HTTP. Once a request is successful, the malware can infinitely issue the command using the known working whitelist token to cause a perpetual blackout.”

The research follows a number of findings presented at the Black Hat and DefCon security conferences a few short weeks ago detailing attacks against smart TVs, alarm systems and other non-traditional connected devices.

“Lighting is critical to physical security,” the researcher blogged. “Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences.”