Virus-Spreading Smart Light Bulbs

Just when you thought it was safe to turn on the light, an Israeli-Canadian study has uncovered a weakness in the design of Philips Hue smart light bulbs that it believes a hacker could use to launch an improvised wireless worm.

The attack works by targeting the Atmel ZigBee wireless chip inside each bulb which should, on the face of it, be highly secure. It’s cloaked in layers of cryptographic and non-cryptographic defences which also limit the proximity required to issue new instructions to mere centimetres.

Unfortunately, the chip’s proximity detection firmware has a security flaw which allows this to be extended by up to 400 metres, rendering it vulnerable to takeover after issuing a factory reset.

The team even came up with a memorable proof-of-concept that involved taking control of bulbs from a drone – dubbed war flying – before flashing back each bulb’s captured status as an SOS in Morse code:

Problem Is Patched For Now:

Philips have posted a statement on their website that reads:

Researchers contacted us in the summer about a potential vulnerability and we patched it before the details of findings were disclosed publicly. At no time was a virus created or used to infect any Philips Hue products.

We recommend all our customers install the latest software update via the Philips Hue app, as with any other update that we release, despite assessing the risk to Philips Hue products as low.

Potential Problems In The Future:

Although there’s no danger for Philips customers today the research is a signpost to what might be possible if the IoT’s security doesn’t improve as the density of devices gets ever greater.

The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.In a process resembling a nuclear chain reaction, hackers can rapidly cause city-wide disruptions which are very difficult to stop and to investigate.

nakedsecurity.sophos.com...

With new technology comes new problems. I personally have no interest in getting smart light bulbs. If you do have them be sure to install the latest software update via the Philips Hue app. Be safe ATS

"Smart light bulbs" is the stupidest thing I have ever heard.

Why can't people just have a normal light that turns on and off from a switch? Over engineered first world problems with these gimmicks..
Even my fridge is purely there for keeping my food cold which has consistently dine for years.. Why the fk would I need it. Connected to the Internet?

a reply to: gmoneystunt

Just saw this on another news source... I've made my living with computers for the last 30 years, and I have to admit I do not understand why there is any consumer market for "smart" light bulbs. I have heard things like "Oh, you can have your lights set to turn a certain color if you get email from a particular person!". And they say that like it's a good thing. WTF?

There is technology and there is cool, whizzy technology and there is crazy inappropriate technology and to me smart light bulbs are squarely in the last category.

This infatuation with gadgets and connectivity that encourages such nonsense as smart light bulbs may be the end of us all.

a reply to: gmoneystunt

We have a "nest" system in our home, it allows you to adjust the temperature settings of the home from an app on your phone. It also gives you "real time" data.

I wonder if hackers/interested parties can develop a virus that will send false data, while setting the systems on overdrive (to either blast the heat, or the cool).

All these "Smart" items are going to wreak havoc in due time :/

As someone who works for one of the largest LED manufactures in the world I can get into specifics about why smart technology is great for the commercial market at the moment but not something ultra-important for the residential market.

It will however become the standard product at some point in the future and all lamps will be wireless enabled.

I have light control in switchboard case. WIFI have no place in my home. Wire is wire.

BTW I'm really not interested in IoT if there is no trusted and automated update service. It is security nightmare to watch for news while you have to use some proprietary app which is probably working only on limited set of OSes.

originally posted by: FamCore
I wonder if hackers/interested parties can develop a virus that will send false data, while setting the systems on overdrive (to either blast the heat, or the cool).

Yes, there are, you can count on it. And that will probably be rev 1 of what they eventually come up with.

a reply to: AugustusMasonicus

By the way I'm looking for high power LED arrays (50 - 100W) @ 12V, white, more to blue/violet spectrum. My friend had unlucky experience with lifetime of such things but as he is high school dropout he probably had some b# in power supply.

a reply to: JanAmosComenius

The typical commercial/industrial product is going to be 5-6K and the wattage depends on the amount of lumens you are expecting.

1st off, the HUE wifi lights were made for TV mood lighting mainly, and it's pretty badarse when you're watching a scifi movie and the lights all sync up to the same color as the show and provides a further immersive experience.

For businesses it's pretty awesome tech to use for marketing and sales, for consumer it's still a gimmick, once Augmented reality and Virtual Reality takes off, this tech will be used more and more.

I see more of a use for the wifi lights with racing drones than I do with the movie and show angle.

Which that said, the phillips brand is nothing more than a expensive hunk of junk, that's with most mainstream wifi devices, especially since that DDoS on DYN where these kinda devices were used.

The thing you all should be more concerned with is not hackers using these things without you knowing, it's hackers using your phone, laptop, computer and network without you ever knowing it, because frankly, most just don't know and won't ever be tipped off.

We live in the age where Warfare will cripple economies, infrastructure and kill or maim people connected medically.

a reply to: AugustusMasonicus

For commercial, i can see the benefit.

Then again, I can also see the benefit of having bulbs that last years so that maintenance isn't dragging out the 15ft stepladder and extendable pole with a suction cup every week to replace burned out bulbs in your lobby.

And, honestly, if I only had one wish in this area.....standardize the outlets, for the love of all that is holy In a prior building we had something like 3500 light bulbs, and 24 different outlet sizes to screw/plug/snap into. Some don't even look like a lightbulb, with pins on the bottom instead of a screw.

I have some rather bad trauma because of this light bulb scenario, it seems. LOL

I have Hue. We love it. Last night I programmed my outdoor flood lights for red white and blue for Veterans Day and had the light focused on my outdoor flag. It looked cool.

Sometimes I change the color in the shower to blue which to my surprise really does change my mood. Also my bedroom night lamps to read is a softer color. Thing has a million different colors or something.

You can program them for all sorts of media, strobe, sync to music, movie sound effects. Even make them act creepy during Halloween by shorting out flickering.

It's expensive but I have enjoyed it so far. Looking forward to Christmas and programing all my flood lights for some cool effects.

a reply to: bigfatfurrytexan

For commercial applications screw-based product is transitioning to strip-based or chip on board-based fixtures. With our product offering you can completely eliminate screw in products but still retain the same look and aesthetic.

a reply to: gmoneystunt

My brother has a "smart home" system through his employer. It includes a camera in the living room, so he can look from anywhere he's at and see what's going on in there. Pretty cool, yeah?

Except for the fact that whomever is alone in the apartment is vulnerable to anyone who can access the system. I lived with him for a while, and he would play tricks on me when I was there alone. He'd turn the lights on and off, make the door alarm go off (an audio of vicious dog barking), and other things like that. But the most disturbing thing of all was when he would text me and tell me what I was doing because he could see me on camera.

I have never heard of smart bulbs, and I don't really understand the technology very well, but I don't like it. I don't drive with cruise control either. The idea of relinquishing control of a potentially volatile scenario to a machine has never set very well with me. Everyone laughs at me, telling me I'm just paranoid, but so be it.

The thing I never thought of until I stayed at my brother's place is how easy it is for people to use this technology to spy on other people...or mess with their heads. Scary stuff, man. Pretty soon there's not going to be anything conventional left...it'll all be run by machines.

We're far too dependent on this crap aside from the creep factor, too. If the grid were to go down, most people would not know wtf to do...without computers to keep everything running smoothly, society would completely crumble within a couple of weeks at most. All of these things only serve to dumb us down and make us weak...while giving the power to the people who seek to subvert and dominate us.

originally posted by: tigertatzen
I have never heard of smart bulbs, and I don't really understand the technology very well, but I don't like it.

It allows you to link different fixtures digitally so you can dim/change their color temperature as a group to effect a desired ambiance setting.

An example: You have a bar/restaurant, you want the bar pendant lights and wall sconces to dim at a certain time so instead of trying to position various analog or push button digital dimmers on the wall you bypass this control by setting them to activate as a single group at the predetermined time. You get the exact same color and temperature every single time. They can also be set by the solar cycle for what is called daylight harvesting. Their output would be regulated by the amount of sunlight available so they could be at a lower output or off altogether based on the amount of natural ambient light coming through. It is a great energy saver.

This is becoming more and more prevalent in the industry and will eventually supplant wall controls at some point.

a reply to: bigfatfurrytexan

You missed your chance! In this post you should have added...

Dumb

Then your post would have been truly epic!

I read the title of the thread and was wondering how a smart light bulb could spread a virus (as in flu, ebola, zika, herpes...). LOL at my reading comprehension this morning!



This chip in the light bulb is the whole internet of things (IoT) and is nowhere close to being a reality. Smart grid, IoT, etc. will be coming someday but it may end up being a moot point if something like nuclear fusion becomes a reality. To get to the IoT you are going to need terahertz communications and that is still in the labs. Most of that tech will require graphene as it center and we are still waiting on the graphene battery, the graphene light bulb, sheets of the stuff... so, yeah, a ways off in the future.

So neat trick but kind of overkill unless you have an industrial installation. Maybe we should create an anti-virus company for light bulbs and beat Norton to the punch!