
Should I worry about my Philips Hue? Smart lights hacked by fly-by drone attack

Nothing to see here, insists cross-industry platform

Researchers have been able to gain control of Philips Hue light bulbs by using a scratch-built device attached to a drone.

Described as being “similar to airborne biological infections such as influenza,” the attack exploits a vulnerability in ZigBee, the series of protocols used by a number of smart home products, including Hue. Specifically, it’s part of the Zigbee Light Link (ZLL) standard, which is also used by Busch-Jaeger smart plugs and Amtel light bulbs.

Building a cheap ZigBee transmitter with parts costing “a few dollars”, the team was able to factory reset and dissociate Hues from their normal controller devices from a range of up to 400 meters.

Because their scratch-built device was so light, the team attached it to a DJI Inspire and executed a fly-by attack on Hues on the Dalhousie University campus in Halifax, Canada.

“Due to the small size, low weight, and minimal power consumption of the required equipment, and the fact that the attack can be automated, we managed to tie a fully autonomous attack kit below a standard drone, and performed war-flying in which we flew hundreds of meters away from office buildings, forcing all the Hue lights installed in them to disconnect from their current controllers and to blink SOS in Morse code.

“By flying such a drone in a zig zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes.”


Worse, as the attack uses ZigBee radio frequencies, which are generally unmonitored, it’s near impossible to protect against a drive-by attack, unless you’ve totally RF-shielded your house, like Chuck from Better Call Saul (good luck getting mobile phone reception).

As well as totally bricking bulbs, the research paper, obtained by IoT Worm, also demonstrates that there’s a possibility for compromised Hues to jam WiFi traffic on the main 2.4GHz band, with the potential for “a more dedicated hacker” to take control of other devices which use the same ZigBee radio frequency.

Seeing as the wildly popular Hue products continue to fly off the shelves, readers, mindful of the recent Mirai hack, may be justifiably worried.

Cross-industry body the ZigBee Alliance has poured cold water on the report, saying that the vulnerability is old news and has already been patched up.

“The problem in this specific smart bulb scenario has since been resolved and rolled out to all customers of that stack supplier. We also understand that Philips Hue, which uses third-party software components from this particular stack supplier for part of their portfolio, has implemented the patch and already rolled out the firmware to all devices in the field. No changes to the ZigBee standard are warranted.”

Anyone who has frantically unscrewed their Hue bulbs before ripping the wireless bridge out of the wall can calm down and ignore any reporting that says this will shut down ‘entire cities’.

The cross-industry body issued the above statement on Tuesday, though the team behind this attack revealed their findings back in August, at the Black Hat conference in Nevada. That it’s taken so long for a statement to be issued could be a cause for concern, but that seems unlikely.

Without knowing which version of firmware you’re supposed to be running, it could be hard to tell if your bulbs have been compromised, although flashing bulbs and jammed WiFi traffic might be two major giveaways.

Update: PC Mag has spoken with George Yianni, head of technology at Philips’ connected lighting division. Yianni clarified a few key points about the vulnerability and Philips’ work patching it.

First of all, the team headed by Eyal Ronen contacted Philips in August, at the same time they made their findings known at Black Hat.

The vulnerability applied to many different versions of the Hue bulbs. Yianni would not say which models were vulnerable, but said that they all use a certain chipset made by a third-party company (Yianni would not reveal the chipmaker’s name).

Over the following weeks, Philips worked with the researchers to plug the vulnerability. Patches started to be rolled out in early October.

The “great majority” of customers have since installed the updates. Because Philips lacks the capability to force over-the-air updates on Hues, customers need to manually approve all updates. Yianni wouldn’t say how many customers had yet to update their Hue systems, but added:

“We invest a lot in the testing of products and the responsible disclosure process and this is a good example of collaboration working. We were able to patch this particular issue before it became a risk, but customers need to update when prompted.”

With regards to the Mirai botnet hack, Yianni added that a good way for consumers to check that any product is safe to set up in their home would be to check if that company had a responsible disclosure program which would allow researchers to point out flaws before hackers could exploit them.

Due to the huge variety of IoT products, Yianni said that it’s incredibly hard for a cross-platform kitemark to be developed, meaning customers will really need to do their homework on security before shelling out for something.

Philips has also issued the following statement:

“Philips Lighting says reports of Philips Hue products being infected by a virus are inaccurate.

“Philips Hue products were not and have not been infected by a virus. Researchers contacted us in the summer about a potential vulnerability and we patched it before the details of findings were disclosed publicly. At no time was a virus created or used to infect any Philips Hue products.

“We recommend all our customers install the latest software update via the Philips Hue app, as with any other update that we release, despite assessing the risk to Philips Hue products as low.

“The academics with whom we cooperated via our responsible disclosure process merely demonstrated the possibility of an attack. They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us to develop and roll out the software update.”

Correction: This article originally suggested that as well as jamming traffic on the 2.4GHz band, the attack had the potential to access all devices on that same home network; the research paper suggested that the attack could merely see devices using 802.15.4 (i.e. ZigBee) on the 2.4GHz band. This has been amended.

“DJI Inspire 1 drone quadcopter flying 4K video” by Andri Koolme is licensed under CC BY 2.0.