Security researcher Nitesh Dhanjani has uncovered a vulnerability in the Philips hue smart lighting system that can lead to a sustained blackout, he said. The hue system, which can be controlled by smartphone, tablet or laptop, is available for purchase from the Apple Store and other outlets, and includes several wireless LED light bulbs and a wireless bridge. The light bulbs can be configured to any of 16 million colors.
"Lighting is critical to physical security," Dhanjani said in a blog post. "Smart light bulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences."
As outlined in the research, the main issue is the weak authentication and password system the Philips wireless controller uses to receive commands from “trusted” endpoints. The hue bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to it to change the state of the light bulb, as long as he or she also knows one of the whitelisted tokens.
It was found that in case of controlling the bulbs via the hue website and the iOS app, the secret whitelist token was not random but the MD53 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP5 cache of the infected machine). Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue “all lights off” instructions.
Once a request is successful, the malware can in?nitely issue the command using the known working whitelist token to cause a perpetual blackout. If a command doesn't succeed, the malware will register a new token every second or so using a different MAC address until a valid one is found.
As consumers adopt connected cars, smart homes (think connected thermostats, motion sensors, door locks, video cameras and power outlets) and even connected appliances (refrigerators that email you a shopping list) in escalating numbers, the threat vectors multiply too. And the scale of the IoT issue shouldn’t be underestimated: By 2022, the average household with two teenage children will own roughly 50 such internet-connected devices, according to the Organization for Economic Co-Operation and Development.
And that scale is the problem with the hue weakness. "Imagine the power of a remote botnet system being able to simultaneously cause a perpetual blackout of millions of consumer light bulbs," Dhanjani wrote in his research.
He said he attempted to contact Philips representatives to notify them of the issues, but had to resort to trading messages via Twitter. It’s important, he noted, that not just Phillips but the ecosystem as a whole take note.
“The architecture employs a mix of network protocols and application interfaces that is interesting to evaluate from a design perspective,” the researcher said. “It is likely that competing products will deploy similar interfaces thereby inheriting abuse cases.”
He added, “the hue system is a wonderfully innovative product. It is therefore important is to understand how it works and to ultimately push forward the secure enablement of similar IoT products.”