Hackers can take full control of a popular model of internet-connected light bulb from as far away as 400 yards, and mess with it by turning it off and on or even bricking it.
In a best-case scenario, this is a great way to prank your Internet of Things-loving friends; in a worst case scenario, hackers could theoretically create a worm that spreads through nearby light bulbs and blacks out entire buildings or even neighborhoods.
"I could do whatever I wanted with them"
A bug in the way the Philips Hue protocol allows other light bulbs to join your home network could let a nefarious neighbor or hacker force your light bulbs to join their network. And given that all Philips Hue bulbs use the same encryption key to ensure that the updates they get come from Philips and not an attacker, the researchers believe it's possible to create a worm or virus that automatically spreads through nearby light bulbs.
With this attack, if one day these light bulbs become popular enough, "the worst case scenario is to blackout the whole city," according to Eyal Ronen, a PhD student at the Weizmann Institute of Science in Israel, who discovered the bug.
That's a far-fetched scenario that depends on the light bulbs becoming widespread enough to blanket a city, but there are other more realistic attacks too.
Ronen and Colin O'Flynn, a PhD student at Dalhousie University in Canada, detailed these risks in a presentation at the Black Hat Security conference in Las Vegas on Thursday. The two conducted independent, separate research into the Philips Hue.
Ronen found the bug in the way the Philips Hue controller adds new light bulbs to your home network. This allows an attacker to bypass a mechanism that's supposed to prevent controllers farther than 15 or 30 cm away from linking to the light bulbs, and instead connect and take over lightbulbs as far as 400 meters (around 435 yards) away outdoors, and 70 m (around 75 yards) inside, which is the range of the ZigBee protocol, the one the light bulbs use.
Along with colleagues at his university, Ronen successfully demonstrated this attack in two experiments, one driving around in a car, and one flying a drone equipped with off-the-shelf hardware.
"We were able to take full control of Philips lightbulbs from a very large distance," Ronen told me after his presentation.
"I could do whatever I wanted with them," Ronen added. He made them flicker so that they'd spell SOS in morse code.
O'Flynn thinks that it'd be possible to automate this attack and turn it into a worm—malware that can spread between devices—as long as they can get the encryption key used by the bulbs. This, he says, is physically possible.
After finding the bug, Ronen, who earlier this year showed that hackers could abuse Philips light bulbs to try to cause epileptic fits and even hack into sensitive networks, contacted Philips to report the issue. The company is still working on rolling out the patch.
"As part of academic research, Mr. Ronen shared a security vulnerability affecting some Philips Hue lights with us through our responsible disclosure process," a Philips spokesperson said in an email. "We have already created a solution which needs to be integrated and tested. We endeavor to roll this out as soon as practically possible."
The company also downplayed the impact of the bug.
"We have assessed the security impact as very low given that specialist hardware, unpublished software and close proximity to the Philips Hue lights are required to perform the attack," the statement concluded.
Pressed for more answers, the spokesperson added that by "close proximity we mean 50-100m."
Given that Ronen is not releasing the full details of the bug and how to exploit it, it's likely that we'll never see anyone taking advantage of it in the wild. But it should serve as a stark reminder that the Internet of Things—even the products made by giant corporations such as Philips—is still a long way from being secure.