Researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada have exposed a massive flaw in ZigBee and Z-Wave wireless protocols common in Internet of Things devices, specifically smart light bulbs.
The researchers equipped a drone with an “autonomous attack kit,” which would send malicious over-the-air (OTA) updates to control when Philips Hue light bulbs turn on and off. The scientists argue that if proper security measures are not mandated for IoT devices, attacks like this could become commonplace.
Due to the built-in ZigBee wireless connectivity of certain smart light bulbs, the malicious code spreads from one lamp to another, using physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes.
Researchers demonstrated this by flying a drone 1,148 feet away from an office building set up with Philips Hue lights. The drone carried the wireless transmitter used to affect the devices and control them from offsite.
So what is the worst thing that can happen should light bulbs end up under the control of a bad actor?
Examples include:
- Light bulbs flashing, which could trigger epileptic seizures
- Scheduling lights to blink on and off en masse, creating immense and sudden strain in power consumption, or
- Completely locking all the smart light bulbs.
Philips has since patched the bug that was exploited; however, the situation echoes the concern of many cybersecurity officials about the potential for distributed denial of service (DDoS) attacks.