
Researcher hacks light bulb

Light bulbs have joined the list of unusual targets for hackers, researchers say.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 22 Aug 2013
Should an intruder be able to remotely shut off lighting in locations such as hospitals, the consequences could be serious.

An independent researcher has found a way of hacking certain Web-enabled light bulbs to remotely switch them off.

Nitesh Dhanjani published a paper, Hacking Lightbulbs, in which he demonstrated how Philips' Hue brand lighting systems can be exploited.

He said the "Internet of things" is influencing people's lives for the better by augmenting spaces with intelligent and connected devices such as light bulbs, motion sensors, door locks, video cameras, thermostats, and power outlets.

Dhanjani cited estimates by the Organisation for Economic Co-operation and Development that, by 2022, the average household with two teenage children will own approximately 50 such devices.

Because society is increasingly dependent on connected devices, he added, it is vital that people "begin a dialogue" on how to secure these and future technologies.

How he did it

Touted in many quarters as the "future of home lighting", Philips' Hue lighting product is a system of wireless LED light bulbs and a wireless bridge that can be controlled via iOS, Android and the Hue Web site.

However, Philips' bridge employs a whitelist of associated tokens to authenticate its requests. Any user who can get on its network and find a single whitelisted token has the ability to issue HTTP commands to the system, and through this, control the light bulbs.

Dhanjani added that when testing, he found the secret whitelist token was not random, but the MD5 hash of the MAC address of the desktop, laptop, iPhone or iPad.

"This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire, using the ARP cache of the infected machine. Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue 'all lights off' instructions," explained Dhanjani.

Why bother?

He said security controls in the Hue system should be evaluated because lighting is a vital part of physical security.

Smart systems such as this one are likely to be deployed in new residential and corporate constructions, and should an intruder be able to remotely shut off lighting in locations such as hospitals and other public venues, the consequences could be serious.

Moreover, Dhanjani said the system is easily available and popular. From a design perspective, he said the Hue system's architecture uses a mixture of network protocols and application interfaces. "It is likely that competing products will deploy similar interfaces, thereby inheriting abuse cases."
