While Intel and its ilk talk up the Internet of Things idea, it turns out that some of the early moves into the field are completely insecure.
Philips created the Hue LED lighting system, a smart lightbulb which uses Wi-Fi to connect to the net. Users can use their smartphones or computers connected to the web or local networks to turn lights on and off and control the colour of ambient lighting. Unfortunately, it is so insecure that a hacker can get in and turn your lights off.
Nitesh Dhanjani, the researcher who discovered the weaknesses and developed proof-of-concept attacks that exploit them, wrote in his blog that smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions.
The flaw means an intruder can remotely shut off lighting in locations such as hospitals and other public venues.
The Philips wireless controller authenticates commands with a security token that consists of the device’s unique media access control (MAC) identifier, cryptographically hashed using a known algorithm.
These hardware addresses are trivial to detect by anyone on the same network or often by people within radio range of a device, making them unsuitable for authentication.
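As an added illustration (not code from Dhanjani or Philips), the Python sketch below audits a controller's list of registered tokens against the MAC addresses in a network inventory and flags any token that is just MD5 of a MAC, then issues a random replacement. The textual MAC formats tried, the function names and the sample addresses are assumptions made for the example.

```python
import hashlib
import secrets

def weak_token(mac_text):
    """Scheme the article describes: MD5 over the device's MAC address."""
    return hashlib.md5(mac_text.encode("ascii")).hexdigest()

def mac_variants(mac):
    """Common spellings of one MAC; the exact input format is an assumption."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    for sep in ("", ":", "-"):
        joined = sep.join(pairs)
        yield joined
        yield joined.upper()

def derivable_tokens(registered_tokens, inventory_macs):
    """Map each registered token that equals MD5(MAC) to the MAC it came from."""
    lookup = {}
    for mac in inventory_macs:
        for text in mac_variants(mac):
            lookup[weak_token(text)] = mac
    return {t: lookup[t.lower()] for t in registered_tokens if t.lower() in lookup}

def issue_token():
    """Replacement: 128 bits from the OS CSPRNG, unrelated to any identifier."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    # Constructed sample data: two inventory MACs, one weak and one random token.
    macs = ["00-11-22-33-44-55", "66:77:88:99:aa:bb"]
    tokens = [weak_token("00:11:22:33:44:55"), issue_token()]
    for token, mac in derivable_tokens(tokens, macs).items():
        print(f"token {token} is derivable from {mac}: revoke and reissue")
```

A token flagged by the audit carries no secret at all, since its only input is an address visible to every host on the network; the random token has no such relationship to anything observable.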
Dhanjani’s hack uses Java, which is delivered when a victim browses compromised websites or websites dedicated to serving attack pages.
It combs through the Address Resolution Protocol (ARP) cache of a local network to find all connected devices.
The hack runs the MAC address of each discovered device through the MD5 hash algorithm and includes the output in a security token used to send commands to the light controller.
If a command is successfully executed, the hack will repeat it. If a command doesn’t succeed, the malware will register a new token every second or so using a different MAC address until a valid one is found.
It is just as well the lighting system is not that popular yet. Dhanjani said that a remote botnet system could cause a perpetual blackout of millions of consumer lightbulbs.
The other problem is that Philips has not really worked out how to deal with security problems yet. Dhanjani found it impossible to notify the company of its problems.