A lightbulb worm could take over every smart light in a city in minutes

Researchers from Dalhousie University (Canada) and the Weizmann Institute of Science (Israel) have published a working paper detailing a proof-of-concept attack on smart lightbulbs that allows them to wirelessly take over the bulbs from up to 400m, write a new operating system to them, and then cause the infected bulbs to spread the attack to all the vulnerable bulbs in reach, until an entire city is infected.

The researchers demonstrate attacking bulbs by drone or ground station. The demo attacks Philips Hue lightbulbs, the most popular smart lighting system in the market today.

Philips Hue use Zigbee for networking. Zigbee is a wireless protocol designed for low-powered Internet of Things devices, and it has many built-in security features. The most important of these is that once a device is initialized as part of a Zigbee network, it can't be hijacked onto a rival network unless you can bring a controller into close proximity to it (a couple centimeters away). However, there is a fatal flaw in the Zigbee implementation in the Hue system, and the researchers showed that they could hijack the bulbs from nearly half a kilometer away (this attack is only possible because Zigbee doesn't encrypt all traffic between devices).

The Hue system also has safeguards to prevent malicious tampering: updates have to be cryptographically signed using a very strong algorithm or they will be rejected by Hue systems. The researchers were easily able to extract the signing keys — which are the same for all Philips Zigbee products — and use them to sign their own malicious updates.

Thus armed, the researchers were able to take over any Philips Hue system.

There are many ways that a hijacked Hue system can be used to cause mischief. Zigbee uses the same radio spectrum as wifi, so a large mesh of compromised Zigbees could simply generate enough radio noise to jam all the wifi in a city. Attackers could also brick all the Hue devices citywide. They could use a kind of blinking morse code to transmit data stolen from users' networks. They could even induce seizures in people with photosensitive epilepsy.

The fact that the attack targets devices by Zigbee signals — rather than over the internet — means that it is virtually impossible to defend against through traditional methods like firewalls.

Like many IoT companies, Philips' business model for its smart lights involves controlling who may make and sell the lightbulbs (Philips charges a very high markup on its own bulbs). Last December, the company covertly updated its lights to reject third party bulbs (it later walked this back after public outcry).

Companies that use encryption to prevent third-party consumables can use laws like Section 1201 of the US Digital Millennium Copyright Act to threaten competitors with lawsuits and even prison sentences for breaking the crypto; this right extends to threatening security researchers for revealing embarrassing defects in their products. It's probably not a coincidence that one of the researchers on this paper is affiliated with an Israeli institution, as Israel is the only major US trading partner that has not been forced to adopt a version of DMCA 1201 by the US trade representative (it's no coincidence that a six-year-old showstopper bug in the DRM in Google's Chrome was revealed by another Israeli). Canada has had its version since 2011, meaning that the Canadian author has done something exceptionally brave (and maybe foolhardy) by putting his name to this paper.

The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already).

To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.


IoT Goes Nuclear: Creating a ZigBee Chain Reaction (paper)

[Eyal Ronen, Colin O'Flynn, Adi Shamir and Achi-Or Weingarten/IOT Worm]
Creating a ZigBee Chain Reaction

IoT Goes Nuclear: Creating a ZigBee Chain Reaction (discussion)

[Eyal Ronen, Colin O'Flynn, Adi Shamir and Achi-Or Weingarten/IOT Worm]

(via /.)