Having already seen what can happen when thousands of connected products are targeted and used for a DDoS attack, researchers have announced that they have developed a ‘worm’ that can allegedly set off a chain reaction through Philips Hue lightbulbs across entire cities.
Previous cases of IoT targeting have often involved early-stage concepts, products rushed to market, or cheap knock-offs, so the implications of the longtime best-selling connected lightbulb from a major manufacturer like Philips being vulnerable are huge for designers and manufacturers.
“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity,” explain researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten of the Weizmann Institute of Science, Israel, along with Colin O’Flynn of Dalhousie University, Canada.
“The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.”
Speaking to The Register, the quartet added that they had also found a test mode in the bulbs’ 2.4 GHz radio that could “easily” disrupt nearby Wi-Fi networks.
“This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”
Stephen Gates, chief research intelligence analyst at NSFOCUS IB, advised that such attacks are going to continue, and that those producing the products need to take action.
“Industrial IoT devices are a major concern for security researchers worldwide. The implications of these devices being hackable are very alarming,” said Gates.
“From widespread outages to takeover by botnet herders, soon we will likely have smart lights and a litany of other industrial IoT devices being used to wreak havoc on a scale never witnessed before.
“Manufacturers need to recognise that almost anything is hackable and put appropriate protections into place. Recommendation: hire the hackers to test your systems before making them publicly available. Whatever happened to ‘due care’?”