Researchers with software risk measurement and management company Checkmarx have created two mobile applications that abuse the functionality of smart bulbs to exfiltrate data.
For their experiment, the researchers used the Magic Blue smart bulbs, which work with both Android and iOS, and which rely on Bluetooth 4.0 for communication. The devices are made by a Chinese company called Zengge, which claims to be a supplier for brands such as Philips and Osram.
The bulbs are marketed as supporting Bluetooth Low Energy (Bluetooth LE, also branded Bluetooth Smart), and the researchers focused on those controlled through the Low Energy Attribute Protocol (ATT). Some of the bulbs are only Bluetooth Smart Ready, the researchers said.
The bulbs use the Just Works pairing method, which authenticates neither device and, in Bluetooth 4.0 legacy pairing, gives a passive eavesdropper no protection to overcome, so Checkmarx was able to sniff the communication between the bulb and the mobile application used to control it. The company also discovered that the Android application works with other bulbs that share the same characteristics.
The researchers paired a phone running the iLight app with a bulb, controlled the device while capturing the Bluetooth traffic, and identified the control commands in the capture. They then downloaded the application to a PC and analyzed it to confirm that the same commands are indeed present in the app's code.
At this point the researchers had all the tools needed to attempt data exfiltration by modulating the bulb's color and warmth levels. The idea was to use light to carry information from a compromised device to the attacker.
“Light can achieve longer distances, which was our goal. Imagine the following attack scenario: a BLE device (smartphone) gets compromised with malware. The malware steals the user’s credentials. The stolen information is sent to an attacker using a BLE light bulb nearby,” Checkmarx notes.
To receive the exfiltrated data, an attacker would need only a smartphone camera, attached to a telescope for longer range, and the victim would never notice that any exfiltration took place.
For their experiment, the researchers created two applications. One would be installed on the victim’s device for data exfiltration purposes, while the second would run on the attacker’s smartphone, capable of receiving the data.
The exfiltration app encodes data by changing the intensity of the bulb's blue light: weaker intensity for a binary 1 and stronger for a binary 0. The receiver needs only a smartphone camera to detect the changes and decode the data.
The exfiltration application can run in either Normal or Stealth mode. Normal mode, whose intensity changes may be visible to the human eye, lets the attacker transmit over longer distances. Stealth mode switches between shades of blue that the human eye has difficulty distinguishing, which the researchers say makes the air-gap exfiltration very hard to detect.
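The encoding and the Normal/Stealth trade-off described above, as an added, constructed example (not Checkmarx's code). It models only the optical channel: the sender emits one blue-intensity value per symbol period (the bulb's actual Bluetooth command format is not modeled), a noisy camera reading stands in for distance, and the receiver thresholds the samples to recover the bytes. The frame layout (preamble, length byte), the intensity levels for the two modes and the noise figures are all assumptions chosen for illustration.

```python
"""Light-based covert channel: bytes -> two blue-intensity levels (stronger for 0,
weaker for 1) -> noisy brightness samples -> bytes. Constructed illustration; the
bulb's real GATT command encoding is not modeled, only the intensity sequence."""
import random

# Sync pattern at the start of every frame (assumed). Known symbols let the
# receiver locate the frame start and calibrate its 0/1 threshold.
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]

# (level for bit 0, level for bit 1). Normal mode uses widely separated
# intensities that survive a long, noisy path; stealth mode uses two close
# shades of blue a human will not notice changing. Values are assumptions.
MODES = {"normal": (255, 40), "stealth": (255, 215)}


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, usable, 8))


def encode(data, mode):
    """Intensity levels the exfiltration app would write to the bulb, one per
    symbol period. Frame = preamble + 1-byte length + payload (max 255 bytes)."""
    if len(data) > 255:
        raise ValueError("payload too long for one frame")
    lvl0, lvl1 = MODES[mode]
    frame_bits = PREAMBLE + bytes_to_bits(bytes([len(data)])) + bytes_to_bits(data)
    return [lvl1 if bit else lvl0 for bit in frame_bits]


def simulate_channel(levels, noise_sd, seed=1):
    """Camera brightness readings: true level plus Gaussian noise.
    A larger noise_sd stands in for longer range or worse optics."""
    rng = random.Random(seed)
    return [lvl + rng.gauss(0.0, noise_sd) for lvl in levels]


def decode(samples):
    """Recover the payload from samples already aligned to symbol boundaries
    (clock recovery and frame search are assumed done). None on sync failure."""
    n = len(PREAMBLE)
    if len(samples) < n + 8:
        return None
    # Calibrate on the preamble: mean of the samples that should be strong (0)
    # and of those that should be weak (1); threshold halfway between them.
    strong = [s for s, b in zip(samples[:n], PREAMBLE) if b == 0]
    weak = [s for s, b in zip(samples[:n], PREAMBLE) if b == 1]
    threshold = (sum(strong) / len(strong) + sum(weak) / len(weak)) / 2
    bits = [0 if s > threshold else 1 for s in samples]
    if bits[:n] != PREAMBLE:
        return None  # preamble corrupted: channel too noisy for this mode
    length = bits_to_bytes(bits[n:n + 8])[0]
    payload_bits = bits[n + 8:n + 8 + 8 * length]
    if len(payload_bits) < 8 * length:
        return None
    return bits_to_bytes(payload_bits)


def run_trial(data, mode, noise_sd):
    """End to end: sender levels -> noisy camera samples -> decoded bytes or None."""
    return decode(simulate_channel(encode(data, mode), noise_sd))


if __name__ == "__main__":
    secret = b"user:pa55w0rd"  # constructed sample credential
    for mode, noise in (("normal", 15.0), ("stealth", 3.0), ("stealth", 20.0)):
        print(f"{mode:8s} noise_sd={noise:5.1f} ->", run_trial(secret, mode, noise))
```

Running it shows the trade-off the researchers describe: Normal mode still decodes cleanly with heavy noise, while Stealth mode only works when the receiver gets a clean signal, i.e. at short range. A real receiver would additionally need frame synchronisation and clock recovery from the camera's frame rate, and a checksum in the frame, none of which this sketch includes.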
“These methods will work on every smart bulb that allows control by an attacker. In the future, we would like to create a better proof of concept that allows us to test a database of vulnerable bulbs and even implement AI to learn and implement new bulbs along the way,” Checkmarx concludes.