A research team from Dalhousie University in Canada and the Weizmann Institute of Science in Israel has developed a chain reaction attack that would take over Philips Hue smart lightbulbs across entire cities.
The attack involves writing a new operating system to one of the light bulbs, and then the infected bulb uses its trusted status to spread the infection to all vulnerable bulbs in reach, until an entire city is infected. This would allow the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.
One of the flaws that makes this possible lies in the Zigbee wireless protocol implementation used in the Hue system. Researchers showed that they could hijack the bulbs from nearly half a kilometre away, because the implementation does not encrypt all traffic between devices.
The mechanism the bulbs use for software updates also has a security hole. While the updates are cryptographically signed using a very strong algorithm, researchers only needed to extract the keys from one lightbulb and, because the same key is used in every bulb, could use them to sign their own malicious updates.
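The single-key weakness described above, shown as an added example that is not code from the report or from Philips. It uses HMAC-SHA256 as a stand-in for the unnamed signing algorithm; the `Bulb` class, the key values and the per-device key derivation are assumptions made for illustration.

```python
import hashlib
import hmac

def tag(key: bytes, image: bytes) -> bytes:
    """Authentication tag over a firmware image (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, image, hashlib.sha256).digest()

class Bulb:
    """Hypothetical device that installs an update only if its tag verifies."""
    def __init__(self, device_id: str, update_key: bytes):
        self.device_id = device_id
        self._update_key = update_key  # lives in the device, so it can be extracted
        self.firmware = b"vendor-fw-1.0"

    def apply_update(self, image: bytes, image_tag: bytes) -> bool:
        if not hmac.compare_digest(tag(self._update_key, image), image_tag):
            return False
        self.firmware = image
        return True

def diversified_key(master: bytes, device_id: str) -> bytes:
    """Per-device key derived from a master secret that stays with the vendor."""
    return hmac.new(master, device_id.encode(), hashlib.sha256).digest()

def accepted_by(fleet, image: bytes, key_from_one_bulb: bytes) -> int:
    """How many bulbs accept an image tagged with a key taken from one bulb."""
    return sum(b.apply_update(image, tag(key_from_one_bulb, image)) for b in fleet)

def blast_radius(n: int = 5):
    """Compare one fleet-wide key against per-device keys (constructed values)."""
    ids = [f"bulb-{i}" for i in range(n)]
    shared_fleet = [Bulb(i, b"constructed-shared-key") for i in ids]
    div_fleet = [Bulb(i, diversified_key(b"constructed-master", i)) for i in ids]
    image = b"unofficial-image"
    return (
        accepted_by(shared_fleet, image, shared_fleet[0]._update_key),
        accepted_by(div_fleet, image, div_fleet[0]._update_key),
    )

if __name__ == "__main__":
    print(blast_radius())  # (5, 1)
```

With per-device keys, a key extracted from one bulb validates updates for that bulb only. An asymmetric scheme goes further, since each bulb would then hold only a public verification key that cannot be used to sign.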
“Fixing the malicious software update will require physical replacement of every affected lightbulb with a new one, and a waiting period for a software patch to be available before restoring light. This scenario might be alarming enough by itself, but this is only a small example of the large-scale problems that can be caused by the poor security offered in many IoT devices,” the report stated.
“The worm can rapidly retake new bulbs which the user has attempted to associate with the legitimate base station, making it almost impossible for vulnerable bulbs in range of another infected bulb to receive an [over the air] patch before the worm has spread,” the report said.
Users must first set up the Philips Hue app to receive automatic patches before attacks take place, since the worm can easily override update attempts. Philips has already issued a patch to resolve this specific issue, but it does not really fix the overall problem of IoT devices.
Infection could also be carried out by a drone flying over a city, which makes for a rather nasty attack scenario.