Update: On 3 November, Philips Lighting released a statement in reference to the Hue bulbs and the researchers’ findings noted in the below article. As Philips states, “The academics with whom we cooperated via our responsible disclosure process, merely demonstrated the possibility of an attack. They did not create a virus nor disclose information necessary for someone else to do so.” This statement does not change the cautions noted in the below article with regards to the vulnerability of IoT devices from malicious attacks and the need for stronger security measures.
Little did I know that once I had written about IoT security breaches in DDoS And 3 Recommendations To Secure The Internet Of Things (IoT), the next controversy was just around the bend. By now, many of you have heard about the publishing of a paper IoT Goes Nuclear: Creating a ZigBee Chain Reaction, by researchers from the Weitzmann Institute of Science in Israel and Dalhousie University in Nova Scotia, Canada. For those who are not familiar, here’s a quick synopsis.
Researchers we able to hack into the Philips Hue ZigBee Light Link Touch System from an aerial drone more than a thousand feet away from the light source to remotely control the Hue lights and cause them to blink S-O-S in Morse code. Fundamentally they injected one lightbulb with a worm, and that bulb infected its neighbors, and so on, and so on—infecting an entire building in a matter of minutes.
For those not familiar with the Hue or ZigBee, Philips Hue is a popular, and typical, wireless lightbulb that allows users to control its intensity, color, etc. from a smartphone or web. Most people and enterprises don’t have a single Hue bulb, they have many. Each Hue is connected to its neighbors (other Hues) via ZigBee Light Link, a standard from the ZigBee Alliance that allows for wireless lighting control and integration. The Hues are also connected to the internet and / or a local area network. Both the Hue bulbs and Zigbee have been around quite a while and have a broad range of both commercial and consumer deployments.
On the surface, the blinking experiment sounds amusing, and one wonders why we worry about someone controlling a light bulb from a drone. The researchers went further, however. In addition to blinking the bulbs, they were able to install malicious firmware via a worm and set the system to block further wireless updates. This made the infection irreversible; the bulbs were unable to be updated again by anyone. As the researchers note, this worm could then have been used to infect other connected systems. And if everything is connected (the very definition of IoT), then it would be possible to essentially take over a city in a matter of minutes.
As we look to determine exactly how experimental outcome was achieved and where the vulnerabilities lie, ZigBee has released a statement clarifying its role in the breach. They state, “In this instance, there was a software bug in the implementation from one silicon provider. It is not a ZigBee protocol issue – but rather an internal implementation issue.“ Further, they note, “The problem in this specific smart bulb scenario has since been resolved and rolled out to all customers of that [Zigbee] stack supplier. We also understand that Philips Hue, which uses third-party software components from this particular stack supplier for part of their portfolio, has implemented the patch and already rolled out the firmware to all devices in the field. No changes to the ZigBee standard are warranted.”
I applaud Zigbee for taking a proactive role in identifying the problem and clarifying their role in the situation. There is a broad range of Zigbee compatible products in consumer and commercial installations, and panic is not warranted.
So, let me reiterate. We need to be diligent about IoT security. My recent Forbes article outlines 3 recommendations:
- Designers and manufacturers must incorporate security concerns during the initial design phase
- Those implementing these secure devices need to make sure their networking and communications channels are secure themselves
- We need to make sure that the responsibility of security is everyone’s concern
I can’t say it enough times: Security in IoT designs is critical.
This new research has again shined a great hot light on IoT security. In this instance, the researchers demonstrated an example of how IoT networked products could be used for much more malicious purposes. Imagine the scenario of hovering a drone close to a building and being able to inject a virus through the light system that is connected to the building network. Within a matter of minutes, this kind of attack could take over a building and then extend from that building virtually anywhere within the connected network. All of a sudden, a smart city doesn’t look so smart.