One might think that the security industry is beefing up its message with profanity and far-fetched stories, and you may regard all of it – to an extent – as scaremongering. The latest attack on the smart "HUE Light Bulbs" by Philips puts this view to rest, I hope.
Apparently, modern smart light bulbs are equipped with secure communication protocols, such as ZigBee, some firmware, and lots of processing power. Attackers recently managed to insert a malware worm into HUE Light Bulbs that damages or destroys the bulb, but not without copying itself into the neighboring bulbs within proximity. This piece of clever code uploads a fake certificate first and implements the code before swinging into action. This is possible by exploiting a number of vulnerabilities that were communicated to Philips earlier this year. The certificate was extracted from a "HUE Light Bulb," and attackers exploited one of them. Technical details about this attack can be found in the public domain. Philips said they have closed the gap with firmware updates that were published in October 2016.
The story reminds me of Robert T. Morris and his famous "Internet Worm" released upon the world in 1988. Now, if someone had told the world back then that a later version of this concept could put the world into darkness by hijacking smart light bulbs, this someone would have lost all credibility.
That a HUE Light Bulb could be used for covert operations as a surveillance tool is more than another unpleasant side note. In the future, we might think twice before we pay a Nigella Lawson-style visit to the fridge in the middle of the night. Who knows who is listening and watching! A mature and educated consumer must decide whether or not to introduce so-called "smart equipment" (or IoT devices) into the household, which is the most private space and highly protected by many constitutions.
But in the not-so-far future, one may not have a choice anymore as the economy of mass production will dictate that a unified product features all options. The electronics are available at very low cost already, and running a second production batch of the same product without IoT features might not be an option in highly competitive markets.
“Heise Online – Security”, Licht an, Licht aus: ZigBee-Wurm befällt smarte Glühbirnen, 08-NOV-2016
“The Register”, IoT worm can hack Philips Hue lightbulbs, spread across cities, 10-NOV-2016