Here’s one reason to avoid the so-called Internet of Things: Everyday items like lightbulbs become easy targets for hackers once they’re connected to a network, meaning your mood lighting can quickly turn into a serious liability.
Say you’ve purchased a Philips Hue system, which allows you to control the intensity and color of your lightbulbs via an app. You’re sitting on the couch reading a book when suddenly a little drone flies next to your window. The lights go out and your app won’t respond. You’re stuck in the dark.
Best-case scenario, you’re the only one in the area with smart lightbulbs. But if we’re talking about a possible future a few years from now, your entire block — or neighborhood or city, even — might be vulnerable, and hackers could make the whole area go dark by accessing just your lightbulbs to begin with.
Scary, right?
A video from earlier this year demonstrating how such an attack is possible is getting new attention thanks to a research paper publicized on Thursday. You can watch it above — essentially, it shows a drone flying up to a building and taking control of smart lightbulbs, which ends up looking like this:
Image: seyalr via Youtube
The paper, “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” concerns a vulnerability that allows bad actors to breach one internet-connected device, like a Philips Hue lightbulb, and gain access to neighboring ones.
In the words of the study, a collaboration between the Weizmann Institute of Science in Israel and Dalhousie University in Canada:
“[This is] a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass… The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
(Emphasis ours.)
Much the same way your computer can be infected by malware, internet-connected smart home devices can be taken over by hackers and put to nefarious ends. It’s a particularly relevant concern right now, because we’ve very recently seen how internet-connected devices can be taken over for massive “denial of services” attacks.
In October, 100,000 internet-connected devices were taken over and directed to send loads of traffic to Dyn, an online infrastructure company that provides services for a number of major websites and apps. When the attack happened, people across the East Coast of the United States were unable to access Twitter, Spotify, Airbnb, Vox Media publications and more — and it’s all because of vulnerabilities in smart devices.
While that attack wasn’t world-ending, it was certainly disruptive. Amplify it across a wider area and we’d have a real problem on our hands. Hackers could knock out services that tell people where to vote, for example, or prevent them from getting information online during a major emergency.
Philips was informed of the research ahead of time and told Mashable it fixed the security flaw in its Hue lightbulbs via a patch last month.
“We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack,” a spokesperson for Philips Lighting said in an emailed statement. “Despite the low risk, we consulted with the researchers and developed a patch that has already been issued in a firmware update.”
But that requires people to actually make the update, of course, and it doesn’t change the fact that other devices might be vulnerable, too.
“We should work together to use the knowledge we gained to protect IoT devices,” the study authors write, “or we might face in the near future large scale attacks that will affect every part of our lives.”