麻豆传媒

 

Hacking lightbulbs

PhD student's research earns international media attention

- November 7, 2016

Philips Hue lightbulbs, the device that was the focus of Colin O'Flynn's research. The security vulnerability he and his co-authors identified has since been patched. (Sho Hashimoto photo, used under Creative Commons license)
Philips Hue lightbulbs, the device that was the focus of Colin O'Flynn's research. The security vulnerability he and his co-authors identified has since been patched. (Sho Hashimoto photo, used under Creative Commons license)

The number of devices that are connected to the Internet is staggering 鈥斅爏ome estimates suggest it may be as many as 6.4 billion devices worldwide.

And it鈥檚 not just computers and phones: it鈥檚 automated lighting, heating ventilation and air conditioning systems, as well as appliances such as washers and dryers, robotic vacuums, air purifiers, ovens and refrigerators. These devices make life more convenient, but that convenience is not without security risks.

麻豆传媒 researcher has recently earned international media attention for a study identifying a flaw in the wireless technology used for 鈥渟mart homes.鈥 The study, conducted with Eyal Ronen, Adi Shamir and Achi-Or Weingarten, all from the Weizmann Institute of Science in Israel, identifies a security concern that makes such devices susceptible to hackers, and could potentially give them control over things like lights, switches, locks and thermostats.

The draft paper was recently covered by the New York Times, Globe and Mail, CBC, BBC, Fortune and several other international media outlets. And it鈥檚 already led to practical results: Philips, one of the companies whose devices was susceptible to the potential vulnerability, was notified about the issue and issued a patch to correct it last month.

Creating a computer worm


O鈥橣lynn, currently a PhD student in Dal鈥檚 Department of Electrical & Computer Engineering, developed the study from his research on re-purposing low-cost Phillips Hue bulbs by re-programming them with new code.

鈥淢y first step was to understand how these light bulbs worked, and that's what really set the whole project in motion,鈥 says O鈥橣lynn. 鈥淚 reached out to Eyal Ronen at Weizmann Institute, who had been doing similar work under his PhD supervisor Adi Shamir, and we decided to join forces to do a more in-depth look at how secure the bulbs were.鈥

Using the Philips Hue smart light bulb as a platform, the researchers developed a computer worm that could be easily spread to other devices. The worm spread by jumping directly from one lamp directly to one of its neighbours, using only the built in ZigBee wireless connectivity and their physical proximity.

The theory was put to the test by taking over lamps in two different 鈥渁ttack鈥 scenarios. In the first, conducted at the Weizmann Institute, the researchers did a 鈥渄rive-by鈥 hack using a vehicle, and found they were able to manipulate the lights from up to 70 metres away. (.)

The second was significantly more elaborate 鈥 but not out of the realm of possibility by any means. The target was an office building in the city of Be鈥檈r Sheva in Israel, which hosts several well-known security companies and also the Israeli Computer Emergency Response Team (CERT). Several Philips Hue lights were installed on one floor of the building, and an 鈥渁ttack kit鈥 was installed on a drone. As the drone got closer to building, lights were able to be manipulated to spell out "S.O.S." in morse code.



鈥淲e weren't too surprised at the results, to be honest,鈥 says O鈥橣lynn. 鈥淲hen we started the project we figured it would be possible with enough time, but it was very exciting as there was a probably two to three-day period where a lot of things were falling into place.鈥

Potential implications


Flickering lights may not initially seem like something to be concerned about, but this technology has the potential to be dangerous if placed into the wrong hands. Compromised devices could be used to jam wireless networks, attack the electrical grid or steal information.

鈥淗opefully we'll start to take security of all 'connected' devices seriously, and not just those connected to the Internet,鈥 says O鈥橣lynn. 鈥淎 big part of our research was showing how such a worm could spread between the light-bulbs themselves wirelessly, independent of any internet or network connection.

鈥淭here is no doubt that devices are becoming more and more popular. But they are still new enough that there is time to fix some of these issues before they are completely ubiquitous.鈥

The complete findings of this study are available .