Security researchers in Canada and Israel have discovered a way to take over the Internet of Things (IoT) from the sky.
Okay, that’s a little dramatic, but the researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code.
The drone carried out the attack from more than a thousand feet away. Using the exploit, the researchers were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible.
“There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,” according to the researchers.
The researchers notified Philips of the vulnerability. The company then delivered a patch for it in October, according to The New York Times.
Why this matters: The ability to attack Philips Hue lighting doesn’t sound all that menacing and more of an inconvenience than anything else. The obvious exception to that would be using the lights to trigger epileptic seizures in vulnerable people, or plunging properties into darkness.
Shedding light on a deeper issue
The bigger issue is that security researchers worry exploits like these could be used to infect devices with a computer worm. That worm could then move on to attack other IoT devices on the same network. The researchers argue this kind of attack could be used to take over a building or an area with a high concentration of connected devices within minutes. All the hacker would have to do is hover over a building with a drone or drive past an area with a computer searching for vulnerable devices.
Taking over massive numbers of IoT devices may sound like alarmist nonsense, but it’s really not that hard to believe. Just a few weeks ago, an IoT botnet was responsible, at least in part, for the major DDoS attack that caused disruptions to U.S. Internet traffic.
Over the past few months, it’s become increasingly clear that while we may be ready to put networked light bulbs, thermostats, and door locks on our homes, the security for many of these devices is still sub-optimal.