The so-called internet of Things,
its proponents argue, offers many benefits: energy efficiency, technology so
convenient it can anticipate what you want. Now here’s the bad news: Putting a
bunch of wirelessly connected devices in one area could prove irresistible to
hackers. And it could allow them to spread malicious code through the air. Researchers
report in a new paper (not made public till the filing of the report) that they
have uncovered a flaw in a wireless technology that is often included in smart
home devices like lights, witches, locks, thermostats and many of the
components of the much-ballyhooed “smart home” of the future. The researchers
focused on the Philips Hue smart light bulb and found that the flaw could allow
hackers to take control of the bulbs, according to researchers at the Weizmann
Institute of Science near Tel Aviv, Israel, and Dalhousie University in
Halifax, Canada. That may not sound like a big deal. But imagine thousands or
even hundreds of thousands of internet connected devices in close proximity.
Malware created by hackers could be spread like a pathogen among the devices by
compromising just one of them. And they wouldn’t have to have direct access to
the devices to infect them. The researchers were able to spread infection in a
network inside a building by driving a car 229 feet away. Just two weeks ago,
hackers briefly denied access to whole chunks of the internet by creating a
flood of traffic that overwhelmed the servers of a US company called Dyn, which
helps manage key components of the internet. Security experts say they believe
the hackers found the horsepower the hackers found the horsepower necessary for
their attack by taking control of a range of internet connected devices, but
the hackers did not use the method detailed in the report. One Chinese wireless
camera manufacturer said weak password on some of its products was partly to blame
for the attack. Even the best internet defense technologies would not stop such
an attack. The new risk comes from a little known radio protocol called ZigBee.
Created in the 1990s, ZigBee is a wireless standard widely used in home
consumers devices. While it is supposed to be secure, it hasn’t been held up to
the scrutiny of other security methods used around the internet. The researchers
found that the ZigBee standard can be used to create a so-called computer worm
to spread malicious software among internet connected devices. So what could
hackers do with the compromised devices? For one, they could set an LED light
into a strobe pattern that could trigger epileptic seizures or just make people
very uncomfortable. It may sound farfetched, but that possibility has already
been proved by the researchers. The color and brightness of the Philips Hue
bulb can be controlled from a computer or a smartphone. The researchers showed
that by compromising a single bulb, it was possible to infect a large number of
nearby lights within minutes. The worm program carried a malicious payload to watch
light – even if they were not part of the same private network. In creating a
model of the infection process, they simulated the distribution of the lights
in Paris over about 40 square miles and noted that the attack would potentially
spread when as few as 15,000 devices were in place over that area. The researcher
said they had notified Philips of the potential vulnerability and the company
had asked the researchers not to go public with the research paper until it had
been corrected.
