Philips Hue, a web-enabled, 50-watt equivalent LED bulb that I described as being a “spendy, smart, and super-chromatic showstopper,” is one versatile little light bulb.
A quick refresher from my original post on what the marketing folks over at Philips Lighting have dubbed “the world’s smartest web-enabled LED home lighting system”:
… an upgradable and future-proof network of Hue bulbs can transform your home into a veritable discotheque (or the set of a Dario Argento movie) if you aren’t feelin’ that boring old white light, or want to let potential intruders know that you're really home while traveling. And in addition to allowing for vibrant, customized colors (apparently more than 16 million colors are possible, including an “incandescent white”) and remotely turning the bulbs on and off via smartphone or tablet, the Hue system is capable of a whole lot more.
But as security researcher Nitesh Dhanjani recently discovered, the not-so-impenetrable authentication used by the Hue bridge, which trusts clients based on their device MAC addresses, can be abused by software already sitting on the home network. The result is a localized blackout: every bulb on the bridge is switched off remotely, at once, and kept off for as long as the attacker's script keeps running. This is fantastic news for deviant pranksters looking to indulge in some spooky “American Horror Story”-style shenanigans on their worst enemies, but obviously troubling from a security standpoint.
ExtremeTech elaborates on these blackout attacks:
Using a malware script, Nitesh Dhanjani hacked into a Hue installation and issued a blackout command through the bridge (the Hue’s router) turning the connected lights out entirely. This is essentially the connected home equivalent of a hacker taking over your car, except that Dhanjani actually did it and documented the entire process [See video below].
The attack itself doesn’t seem too interesting — theoretically, the hacker gets a bit of malware onto the victim’s computer which tells the Hue bulbs connected to a bridge on the same network to turn off. The bulbs are still powered but they are not producing light, which is the standard off-state for Hue. This shouldn’t be that bad because the Hue bulbs are designed to revert to the on state after they lose power for any period — say, a wall switch is flipped — but in this case the malware script runs continuously, so the bulbs are commanded to turn off immediately after they are powered up.
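The loop described above has a recognizable signature on the wire: one client on the LAN sends the bridge the same "turn off" command over and over, re-issuing it every time the bulbs come back after a power cycle. The script below is an added example, not code from the article, from ExtremeTech, or from Dhanjani's research. It assumes you can log the HTTP requests that reach the bridge (for example from a mirror port or a proxy in front of it) as one line per request in the constructed format shown; the timestamps, client IPs and the 32-character whitelist token are made up for the demo. The endpoint paths it matches (`/api/<token>/lights/<id>/state` and `/api/<token>/groups/<id>/action`) are the bridge's documented REST endpoints for switching individual lights and groups.

```python
"""Flag a Hue 'blackout loop' from a log of requests to the bridge.

Added example (not from the article or from Dhanjani's work). Assumes a
constructed log format: "<ISO timestamp> <client IP> <method> <path> <json body>".
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Bridge endpoints that change light state: per-light state and group action.
# Group 0 is the bridge's "all lights" group, so one PUT there blacks out everything.
STATE_PATH = re.compile(r"^/api/[0-9A-Za-z]+/(lights/\d+/state|groups/\d+/action)$")

# Constructed sample log. 192.168.1.20 is a phone legitimately dimming a lamp;
# 192.168.1.77 is a compromised PC hammering group 0 with "off" every second.
SAMPLE_LOG = """\
2013-08-13T22:00:00 192.168.1.20 PUT /api/0123456789abcdef0123456789abcdef/lights/1/state {"on":true,"bri":200}
2013-08-13T22:00:05 192.168.1.20 PUT /api/0123456789abcdef0123456789abcdef/lights/1/state {"on":false}
2013-08-13T22:01:00 192.168.1.77 PUT /api/0123456789abcdef0123456789abcdef/groups/0/action {"on":false}
2013-08-13T22:01:01 192.168.1.77 PUT /api/0123456789abcdef0123456789abcdef/groups/0/action {"on":false}
2013-08-13T22:01:02 192.168.1.77 PUT /api/0123456789abcdef0123456789abcdef/groups/0/action {"on":false}
2013-08-13T22:01:03 192.168.1.77 PUT /api/0123456789abcdef0123456789abcdef/groups/0/action {"on":false}
2013-08-13T22:01:04 192.168.1.77 PUT /api/0123456789abcdef0123456789abcdef/groups/0/action {"on":false}
2013-08-13T22:01:05 192.168.1.77 PUT /api/0123456789abcdef0123456789abcdef/groups/0/action {"on":false}
2013-08-13T22:05:00 192.168.1.20 GET /api/0123456789abcdef0123456789abcdef/lights -
"""


def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not parse."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, ip, method, path = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    try:
        payload = json.loads(body) if body.startswith("{") else {}
    except json.JSONDecodeError:
        payload = {}  # a body we cannot read is treated as "no state change"
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "method": method, "path": path, "body": payload}


def is_off_command(ev):
    """True for a PUT to a state/action endpoint whose body switches lights off."""
    return (ev["method"] == "PUT"
            and STATE_PATH.match(ev["path"]) is not None
            and ev["body"].get("on") is False)


def detect_blackout_loops(log_text, threshold=5, window=timedelta(seconds=30)):
    """Return {client_ip: max_off_commands_seen_in_window} for clients that
    issued at least `threshold` "off" commands inside any `window` of time.

    A single "off" from a phone app is normal; the same client repeating it
    many times in a short span is the re-issue loop ExtremeTech describes.
    """
    recent = defaultdict(deque)   # per-client timestamps of recent "off" commands
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_off_command(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop commands outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_blackout_loops(SAMPLE_LOG).items():
        print(f"possible blackout loop from {ip}: {count} 'off' commands in 30s")
```

On the sample log only 192.168.1.77 is flagged; the phone's single "off" never reaches the threshold. A real loop does not have to be this noisy: a script that only re-sends "off" after it sees the bulbs come back could fire once every few minutes, so widen `window` and lower `threshold` to suit how often lights in your home are legitimately switched off, and treat any client other than your own phones and hubs sending to group 0 as suspicious regardless of rate.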
Philips, for its part, responded with a statement:
In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorized persons cannot gain access to lighting systems. An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is very limited security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure. However, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our main advice to customers is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including Hue.
Via ExtremeTech, Engadget