Every once in a while, you read about an attack which has the potential for especially concerning consequences. Since reading about an IoT worm that could unleash all sorts of chaos, it’s come to mind again and again. Then it hit the radar of cryptographer and security pro Bruce Schneier. He wrote, “This is exactly the sort of Internet-of-Things attack that has me worried.”
Researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada didn’t just theorize about the possibility of an IoT worm; using a few hundred dollars of readily available equipment, they created a proof of concept attack to exploit Philips Hue smart light bulbs.
Researchers have been taking aim at both ZigBee and Z-Wave wireless protocols for years. Hue light bulbs communicate via the ZigBee protocol. Any new firmware is delivered via Over The Air (OTA) updates. In the researchers’ attack, the worm replaces the firmware.
In the paper, “IoT Goes Nuclear: Creating a ZigBee Chain Reaction” (pdf), researchers “describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction.”
Researchers Eyal Ronen, Colin O’Flynn, Adi Shamir and Achi-Or Weingarten explained:
The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes.
What could an IoT worm actually do? The researchers gave several examples of attack scenarios that go beyond massive DDoS attacks.
- An attack carried out from a remote location could cause the light bulbs to flash as if possessed, which could trigger epileptic seizures or cause “long-term discomfort.”
- A hacker could attack the power grid by scheduling lights to blink on and off en masse, thereby creating sudden changes in power consumption.
- An attacker could turn off all the lights by bricking all the smart light bulbs. “Unlike regular DoS attacks, the attack is irreversible.” The researchers added, “Any effect caused by the worm (blackout, constant flickering, etc.) will be permanent.”
Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied. The consumer is unlikely to have time to perform the legitimate OTA update before the worm would infect the bulb.
- By tapping into the “test mode which transmits a continuous wave signal that is used during FCC/CE emission certification process,” an attacker could jam Wi-Fi, MiWi, Nest Weave, Thread and others. Additionally, the researchers noted that it’s possible to perform more “specific DoS attacks against specific devices or protocols.”
- The researchers were also able to abuse Philips Hue for espionage purposes, using infected lights to create covert channels for the purpose of exfiltrating and infiltrating data.
The researchers have more for you than just words of warning. To demonstrate the risks, they took to wardriving and warflying.
First they successfully tested an attack from a car parked 50 meters (164 feet) away from a building which had Philips Hue lights installed. They noted that the factory reset portion of the attack worked from a range of more than 150 meters (492 feet). Then they successfully tested the attack while wardriving.
But wardriving is so yesterday, so they mounted their “autonomous attack kit” on a drone and launched a warflying attack on a building, hacking the smart Hue light bulbs from about 350 meters away. Put another way, that’s a distance of about 1,148 feet, which is a bit under a half mile.
They even managed to force the Hue bulbs to flash S.O.S. in distress.
Is this a feasible attack? The researchers believe so, saying a worm could reach critical mass and “spread everywhere” in a city such as Paris which has at least 15,000 randomly located smart lights.
We believe this will not be the last bug or attack found against ZLL commissioning. While the vendor’s main design goal of ease of use is understandable, a better trade-off between usability and security must be made, and the security community and academia should be allowed to take part in the process. The sharp contrast between the open and inclusive manner in which TLS 1.3 standard was designed and the secretive work on the ZigBee 3.0 specification that is still not open to the public, is a big part of the problem.
We believe that in the same manner of the leaked ZLL master key, the OTA updates keys will also be leaked. The reuse of symmetric encryption and signing keys between lightbulbs is a big security risk and enables attackers to create a chain reaction of infections. Security by obscurity has failed time after time.
They suggested working together to protect IoT devices “or we might face in the near future large scale attacks that will affect every part of our lives.”
Philips issued a patch last month.