It’s now a given: the Internet of Things is horribly broken.
Connected lightbulbs, though one of the few possibly-justifiable products in the mucilage that is the IoT market, are sometimes contributors to that rank unsecurity. And now researchers have shown just how evil attacks on lightbulbs can be, claiming their hacks can cause epileptic fits and steal information from segregated, supposedly-secure networks in startling sub rosa fashion. All they needed was to subtly modulate light pulses in two bulbs on the market to convey data to a telescope up to 100 meters away, or have them create a strobe effect to bring on seizures. Both attacks were possible because authentication on the lightbulbs – a Philips Hue and a LimitlessLED – were found wanting, allowing anyone who could locate the devices to send commands.
There’s one obvious caveat: the hacker must first have to find a way onto the lightbulbs’ network to interact with their radio frequency receivers. But once that’s achieved it’s possible to create light signals that are unobservable to the human eye but can represent data to a machine within line of sight, according to the researchers, Weizmann Institute of Science PHD student Eyal Ronen and his professor Adi Shamir, a luminary of the cryptographic field best known as the co-inventor of the RSA algorithm, now pervasive across encrypted networks.
According to a paper (published below) presented at the IEEE Privacy and Security Symposium in Germany last week, they tested their hacks on two specific lightbulbs: a Philips Hue Lux and a LimitlessLED, the latter being a small Kickstarter project. The LimitlessLED, for which a starter kit costs just over $50, was most useful for their devilry, as it had a weak connecting procedure that allowed for any hacker on the network to sniff the traffic and collect an unencrypted Wi-Fi password used to connect to the bulb. Though the light should not have allowed for for startling or subtle changes in light intensity, Ronen and Shamir discovered they could concatenate commands to create such shifts; such concatenation shouldn’t be allowed, they argued.
The Philips device, whilst it had no clear bugs, did offer greater control over the strength of the light with 256 brightness levels, making it easier to create a covert channel. Indeed, it’s a more expensive piece of kit than the LimitlessLED, retailing at just over $100 for a starter kit. It’s also compatible with Apple HomeKit.
Crucially, for both devices commands between the lightbulb and their controllers were not encrypted, making it possible to spy on the communications to learn how they operated. Anyone on the same network, the hackers noted, could ultimately control the LEDs with limited technical nous or skill.
To carry out their attacks, Ronen and Shamir used a laptop, a TAOS TC3200 Color light-to-frequency converter, an Arduino computer and a telescope, all of which was portable and could be bought for less than $1,000 on eBay EBAY -0.31%. On the other side, where the lightbulb was installed, a controller was connected to a PC running their malware.
They were able to manipulate the bulbs’ “pulse width modulation” to the degree that “off periods”, conveying a binary 0, would last only 10 milliseconds, below the “flicker threshold” where the eye notices a change.
Academic hackers used a telescope, cheap computer and laptop to collect signals coming from a compromised connected lightbulb.
The telescope focused on the bulb, filtering the light so it could be converted to frequency and passed through the Arduino board. That would detect rises and falls in frequency, picking out infinitesimal changes in light intensity at intervals as small as 10 microseconds. The laptop processed the information and once pieced together, the data would become usable. The researchers claimed they could have their lightbulbs leak more than 10KB per day, enough for private encryption keys and passwords. This represented another cunning way to pilfer data from “air-gapped” networks, where systems are segregated from the wider Internet to keep outsiders out.
On the other hand, Ronen and Shamir wrote, the ability to control the light intensity with such ease could be abused to “create strobes in the most sensitive frequencies.” Such attacks would, of course, not require the expense of a telescope or supplementary computing equipment, just the ability to exploit the bulbs for a shocking effect. “Such an attack could be directed at hospitals, schools and other public buildings using connected LEDs,” the paper read.
Hacking lightbulbs for ransom
Ronen, speaking over the phone from the IEEE event last week, said his hacks were another sign that the IoT world needs greater focus on security. “I think it’s a very big problem, not just with the specific attack we’ve shown with the lights. We should speak about how we do security in IoT,” Ronen said. “The main issue [in the lightbulbs] is that there are not enough security measures.” He believes the attacks could also work at distances greater than 100 meters, as long as hackers were willing to pay up to $3,000 for a high quality telescope.
If manufacturers are concerned enough about the problems, they may have to do a device recall, Ronen said, as he had not seen any methods for remote updates of the bulbs’ software. “I don’t know what the best solution is right now.” He believes encryption between communications and command validation would help prevent attacks in the real world. Limitless should also address its “incredibly unsafe” connection process, Ronen added.
Whilst Phillips had not responded to a request for comment at the time of publication, LimitlessLED’s creator Hamish Ahern said he would look into the use of his devices as a means of covert communication. “I don’t like the idea of subliminal messages.” Ahern also agreed the Wi-Fi setup process was vulnerable and could be fixed by using a randomized password. He did not specify when updates would be incoming.
Concerns remain around the use of lightbulbs and other connected devices for either physical attacks that pose a danger to human safety or surreptitious surveillance. “Sadly, I think the (as I understand it) known link between strobing lights and epileptic seizures might be the first idea of many in this direction,” said Professor Alan Woodward WWD -0.35%, from the Department of Computing at the University of Surrey in the UK.
“I’m sure those minded to do so will be able to think of ways of crossing the virtual/physical barrier to mount potentially injurious attacks using connected devices, and I’m also sure they will find creative ways of monetizing it.” He suggested extortion, hackers threatening to cause damage to someone’s home unless a fee was paid, could be one avenue for profit.