It seems Philips popular smartphone and computer controlled Hue LED lighting system is vulnerable to attackers who can exploits its weaknesses in order to cause blackouts. There is a fix for the exploit though: Remove the wireless device that receives the commands!
The vulnerabilities in the Hue LED lighting system made by Philips are another example of the risks posed by connecting thermostats, door locks, and other everyday devices to the Internet so they can be controlled by someone in the next room or across town. While the so-called Internet of Things phenomenon brings convenience and new capabilities to gadgets, they come at a cost. Namely, they’re susceptible to the same kinds of hack attacks that have plagued computer users for decades. The ability to load a Web page that causes house or office lights to go black could pose risks that go well beyond the typical computer threat.
Nitesh Dhanjani, the researcher who discovered the weaknesses and developed the proof-of-concept attacks that can exploit them, wrote on his blog Tuesday: “Lighting is critical to physical security. Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences.”
The main vulnerability Dhanjani uncovered was the weak authentication system the Philips wireless controller uses to receive commands from trusted smartphones and computers.
It consists of a security token containing the device’s unique media access control identifier that has been cryptographically hashed using a known algorithm. These hardware addresses are trivial to detect by anyone on the same network or often by people within radio range of a device, making them unsuitable for authentication. It’s tantamount to using a hashed street address as the combination to lock a front door.
The exploit can be delivered via browsing compromised websites or websites dedicated to delivering attack pages. The Java code then combs through the local network, searching for connected devices. It then attempts to send commands to discovered devices. If a command is successfully executed, the successful command will be repeated over and over.
The researcher says he attempted to contact Philips to notify them of the vulnerabilities in their Hue lighting system, but the best he was able to do was to trade a few messages with them via Twitter.
“It is important that Philips and other consumer [Internet of Things] organizations take issues like these seriously,” Dhanjani wrote. “In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences.”