This is how drones could take over and turn off the lights in a city

Researchers have shown how hackers easily could take over all light bulbs in a city. Björn Söland, internet of things (IoT) expert at identity and security company Nexus Group, explains how the researchers were able to do remote factory resets and upload malicious over-the-air updates to the bulbs.

A couple of days ago a document landed on my desk: “IoT Goes Nuclear: Creating a ZigBee Chain Reaction.” In it, researchers describe and verify how internet of things (IoT) devices are able to infect each other with a worm that can spread explosively over large areas in what can be likened to a nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass.

The researchers used the popular smart lamps Philips Hue for their experiment. They realized that an attack can start by plugging in a single infected bulb anywhere in a city, and then the malware can spread all over the city within minutes, enabling the attacker to for example turn all the city lights on or off, permanently destroy them, or exploit them in a massive distributed denial of service (DDoS) attack.

The malware spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity (a widespread sensor network technology that everyday devices use to connect to one another) and their physical proximity.

What makes this experiment even more interesting is that the researchers also made a spectacular, science-fiction-like YouTube video, showing a remote-controlled drone flying close to a building and hijacking all its light bulbs. The researchers forced the bulbs to start emitting SOS signals – how cool is that? And how worrying?

By digging into the document I found that the attack was based on a major bug in the Philips Hue bulbs. Any standard ZigBee transmitter can initiate a factory reset procedure which will dissociate lamps from their current controllers. This should only be possible from a distance of a few centimeters – but the bug made it possible to trigger a factory reset from a distance of 400 meters.

A drone flying over a city forcing a factory reset of millions of lamps is of course unpleasant and time consuming to fix, but the consequence is probably not catastrophic. So the researchers started looking for more, and they found that all the lamps use the same secret (key) to authorize uploading of software updates! This is really a “one ring to rule them all” scenario.

Within a few days, using only easily obtained equipment costing a few hundred dollars, the researchers obtained the secret values needed to create new firmware and upload it into any Philips Hue lamp.

With the ability to do a remote factory reset and to encrypt, sign and upload malicious over-the-air updates, the researchers had everything that would be needed to launch a takeover attack with severe consequences for Philips and its customers. It is worth mentioning that all of this happens in the sensor network – out of reach of ordinary network controls and without the traditional network segmentation that can restrict the spread of an infection.

Lessons learnt

There are quite a few lessons that can be learnt from this, but there is especially one that I would like to emphasize: to base a product’s security on a secret that is the same for every single instance of the product is always a BAD idea. To figure out what this shared secret is might not be easy, but once it is done the reward for the hacker is immense.

One way to raise the bar for attackers is to use different keys for each device. Then the reward for a successful key extraction attack is access to one device – not millions.
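To make the difference concrete, here is a small model of the two provisioning designs, written for this post as an added example (it is not code from the original article, the researchers' paper, or Philips). The firmware image, the device identifiers and the master secret are constructed; the HMAC-SHA256 key diversification is an assumption of the example, not a description of any real product's update scheme. The function `blast_radius` measures the point made above: how many devices in a fleet would accept an update tagged with a key extracted from a single device.

```python
"""Model of OTA update authorization: one fleet-wide key vs per-device keys.

Added example, not code from the original post or from Philips/Nexus. The
device identifiers, master secret and firmware bytes are constructed here.
"""
import hashlib
import hmac
import secrets

FIRMWARE = b"constructed firmware image v2"          # constructed sample payload
FLEET = [b"lamp-%04d" % i for i in range(1000)]     # constructed device IDs


def sign_update(key: bytes, firmware: bytes) -> bytes:
    """Tag an update with the key that the receiving device holds."""
    return hmac.new(key, firmware, hashlib.sha256).digest()


def device_accepts(device_key: bytes, firmware: bytes, tag: bytes) -> bool:
    """What a lamp does on receipt of an update: recompute the tag with its
    own key and compare in constant time."""
    return hmac.compare_digest(sign_update(device_key, firmware), tag)


def shared_key_fleet(master: bytes) -> dict:
    """Flawed design: every device is provisioned with the same secret."""
    return {dev: master for dev in FLEET}


def diversify(master: bytes, device_id: bytes) -> bytes:
    """Per-device key derived from a master that stays on the vendor's update
    server and is never stored on any lamp.  HMAC-SHA256 used as a KDF is an
    assumption of this example."""
    return hmac.new(master, b"ota-key|" + device_id, hashlib.sha256).digest()


def per_device_fleet(master: bytes) -> dict:
    """Better design: each device gets its own derived key."""
    return {dev: diversify(master, dev) for dev in FLEET}


def blast_radius(fleet: dict, compromised_device: bytes, firmware: bytes) -> int:
    """Risk measure for the scenario in the post: a key has been extracted
    from ONE device.  Count how many devices in the fleet would accept an
    update tagged with that single key."""
    stolen = fleet[compromised_device]
    tag = sign_update(stolen, firmware)
    return sum(device_accepts(k, firmware, tag) for k in fleet.values())


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    print("shared key  :", blast_radius(shared_key_fleet(master), FLEET[0], FIRMWARE))
    print("per-device  :", blast_radius(per_device_fleet(master), FLEET[0], FIRMWARE))
```

Run as a script it prints 1000 for the shared-key fleet and 1 for the per-device fleet. The update server can still address any lamp, because it re-derives that lamp's key from the master, but a key pulled out of one lamp authorizes updates for that lamp only. Going one step further with PKI, as suggested below, the lamp would store only a public key and verify a signature, so extracting its contents yields no signing capability at all.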

Here at Nexus we meet customers that are aware of the risks IoT entails. And with the help of our customers, standards organizations (for example the Internet Engineering Task Force, IETF) and research organizations (for example the Swedish Institute of Computer Science, SICS), we aim to dramatically raise the bar for devastating attacks. We strongly believe that the best way to do this is to adapt existing security technologies, like public key infrastructure (PKI) and strong authentication, to fit sensor networks as well.

Doing nothing to increase IoT security is not an option.

Björn Söland, internet of things (IoT) expert at Nexus Group.