Security researcher Nitesh Dhanjani managed to gain access to a Phillips Hue LED lighting system through a Java exploit, which then enabled him to remotely do as he pleased with the bulbs. In a video demonstration, he blacked out in the entire system with an uploaded script.
Hollywood warned us this day was coming. In the relatively new ‘Internet of things’, objects of everyday life – such as light bulbs, thermostats, and other household appliances – are already susceptible to security vulnerabilities, enabling a hacker hundreds of miles away to blackout a house’s lighting with a bad web page.
The security vulnerability was demonstrated by security researcher Nitesh Dhanjani, who managed to gain access to a Phillips Hue LED lighting system through a Java exploit. The Philips system is a smart system of light bulbs, which can be controlled by devices such as smartphones or computers.
Dhanjani exposed a weak authentication system in Hue, which uses known cryptographic algorithms to conceal the address necessary to control the light bulbs.
In order for an attacker to illicitly gain access to the LED lighting, the owner of the system need only to visit a page infected by a java program which will, once on the user’s device, easily find the media control address of the LED light bulbs. This address is then run through the known MD5 encryption algorithm, and zipped away on a fake security token, which the lighting system happily accepts.
Once this is done, the lighting system is at the whim of the attacker, who has thus gained control of it.
The scary thing is, he can do it from literally anywhere in the world.
“”Lighting is critical to physical security,” wrote Dhanjani in a blog post on Tuesday. “Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences.”
In the future, when appliances and household systems are almost entirely controlled by smart devices connected to the Internet, such a trivial vulnerability will not do. As wonderful a concept as a smart house is, the idea clearly needs more time to be studied and matured.
Because now, viruses can mean a lot more than a blue screen of death or a slow computer.
Source: Nitesh Dhanjani