Flaws in security for Philips’s Hue smart lights could see your home placed in perpetual darkness.
The multicoloured Hue smart lights may seem like a bit of fun home decor, but electronics companies would like us to replace all our switches with smart controls.
The Register reports that researcher Nitesh Dhanjani has identified ways that malware could permanently hijack your phone’s control of the Hue light system or take control via ‘light recipes’ users can share online.
When Dhanjani tried to alert Philips to the flaws via its @tweethue channel, the company did not respond, and he was given no way to pass on the full details.
Dhanjani wrote: “It is important that Philips and other consumer IoT organizations take issues like these seriously. In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences.
“This case is also a good example to begin discussion of the possibility of future malware scanning homes for IoT devices. It is likely that future malware will include a database of IoT signatures that can be used to detect devices in homes and offices.
“Once the devices are scanned, the malware can exploit known vulnerabilities (such as this) associated with the particular device. Alternatively, a botnet system controlling the malware can remotely issue commands to control the devices.
“Imagine the power of a remote botnet system being able to simultaneously cause a perpetual blackout of millions of consumer lightbulbs. As consumer IoT devices permeate homes and offices, this scenario is increasingly likely in the near future.”
Dhanjani’s first attack assumes malware is already somewhere on a Hue owner’s home network, where it could capture the MAC address of a smartphone or PC that has been approved to control the lights.
A simple script could then permanently switch the lights off or issue other commands to them, and since it is very hard to de-authorise devices, resetting the system would be difficult.
The second attack would use poisoned Hue ‘light recipes’ – colour and brightness settings which users can share online – combined with the new If This Then That (IFTTT) service.
IFTTT allows the lights to respond to an event, such as being tagged in a Facebook photo, emails arriving or an incoming phone call – but poisoned light recipes could again force a blackout or other behaviour.
Philips said Dhanjani’s attacks would be very hard to carry out against anyone with a secure home network.
“In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorized persons cannot gain access to lighting systems,” Philips told Recombu Digital.
“An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is no security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure.
“Like the rest of your devices, however, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our advice to customers as always is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including Hue.”
Dhanjani also highlighted our tendency to re-use the same passwords across online services as a weakness, since an attacker who has harvested passwords from a major website could use them to hijack Hue and other smart home devices.