The Inquirer-Home

Philips' Hue light bulbs are vulnerable to blackout attacks, researcher claims

Are you afraid of the dark?
Thu Aug 15 2013, 11:45
philips hue light bulbs

WEB CONNECTED LIGHT BULB SYSTEM Philips Hue is susceptible to cyber attacks due to a flaw that, if exploited by a hacker on your LAN, could be used to create a "blackout attack".

The vulnerability, which doesn't sound very threatening compared to some others in cyberspace, was discovered by an independent security researcher who goes by the name of Nitesh Dhanjani.

Dhanjani spent some time researching the hackability of Hue, and published his findings in a white paper entitled "Hacking Lightbulbs: Security Evaluation of the Philips Hue Personal Wireless Light System".

The white paper highlighted several vulnerabilities in the light bulbs' architecture as being potentially exploitable, and said the most serious vulnerability could be used by a hacker to, wait for it... permanently turn off the lights. Scary stuff.

"The Hue bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to it to change the state of the light bulb," Dhanjani explained in the paper.

"In order to succeed, the user must also know one of the whitelisted tokens. It was found that in [the] case of controlling the bulbs via the Hue website and the iOS app, the secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad."

According to the white paper, "this leaves the bulbs open to a vulnerability whereby malware on the internal network can capture the MAC address active on the wire, using the ARP cache of the infected machine".

"Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue 'all lights off' instructions," he added.

"Once successful, the malware can infinitely issue the command using the known working whitelist token to cause a perpetual blackout."

We asked the bulbs' maker Philips what it thought of Dhanjani's findings. The Dutch company said that it is aware of the white paper, clarifying that the attack works only on local networks, meaning its impact should be negligible.

"In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorised persons cannot gain access to lighting systems," the firm said.

"An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is no security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure."

Philips said that if an attack is made upon your home network, everything contained within that network can be compromised, so advised customers to take steps to ensure they are "secured from malicious attacks at a network level, in order to protect all of their devices, including Hue".

Dhanjani tried to extend his fear mongering attempt to convince people that they could be left in the dark to businesses, claiming a blackout-causing botnet as a future scenario.

"It is likely that future malware will include a database of IoT signatures that can be used to detect devices in offices. Once the devices are scanned, the malware can exploit known vulnerabilities (such as this) associated with the particular device," said the paper.

However, Hue is a consumer product and rarely used in offices, especially not in larger scale businesses, so it's probably not worth worrying about unless you use the lights at home and have a hacker roommate, but not a backup torch. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?