Author: ExtremeTech

Philips Hue

Within the last two decades, lighting has very rapidly moved from Thomas Edison’s highly controlled burning to semiconductor-based illumination. The logical next step after our lights became electronic devices was to turn them into internet-connected gadgets, which Philips did quite successfully with the Hue lighting system. Joining the internet of things is an important advance for lighting, but it means that these devices are subject to the same security issues that all other connected products must face. This week we learned that Philips fell short in its security precautions and a security researcher was able to crack into the Hue’s supposedly closed system, creating a localized blackout.

Using a malware script, Nitesh Dhanjani hacked into a Hue installation and issued a blackout command through the bridge (the Hue’s router), turning the connected lights out entirely. This is essentially the connected home equivalent of a hacker taking over your car, except that Dhanjani actually did it and documented the entire process.

The attack itself doesn’t seem too interesting — theoretically, the hacker gets a bit of malware onto the victim’s computer which tells the Hue bulbs connected to a bridge on the same network to turn off. The bulbs are still powered but they are not producing light, which is the standard off-state for Hue. This shouldn’t be that bad because the Hue bulbs are designed to revert to the on state after they lose power for any period — say, a wall switch is flipped — but in this case the malware script runs continuously, so the bulbs are commanded to turn off immediately after they are powered up.

By compromising a device on the network — not the Hue system itself — this malware would completely break the Hue for almost any user, unless they thought to try the bulbs without the bridge installed. In this case the Hue bulbs would not respond to app commands or be able to change color, leaving the owner with a set of very expensive, white Philips LED bulbs (but at least they would work).

In his paper on the hack, Dhanjani walks through the Hue’s security — which is otherwise adequate — and makes the point that connected devices must focus on security. He details how the highly connected Hue can be attacked through multiple vectors, including links on Facebook, IFTTT recipes, or by theoretically finding a flaw in the radio protocol (Zigbee Light Link). By placing the malware on a local PC it becomes persistent and much more effective than attacking the Hue itself. Not only does this method circumvent the Hue’s otherwise adequate security, but it would render replacement Hue systems useless as well.

This proof-of-concept hack might not seem very concerning — it’s an exploit, coded by a director at Ernst & Young who’s the whitest of white hat hackers, that disables a few bulbs in a very small number of homes — but its point is clear enough. Philips needs to get smarter about its security, and be more careful about steps that are skipped solely for ease of use. In this case the Hue’s whitelist tokens cannot be edited once they are in place without accessing the debugger, which is not only the malware’s attack vector but also the reason the malware can continue to operate, causing a perpetual blackout.

I spoke to Hue’s system architect George Yianni about Dhanjani’s findings and learned that Philips has already discussed the issue with the researcher. Philips is taking the matter seriously, but Yianni noted that the exploit wasn’t really so much a hack of the Hue as it was of a computer and the network. The Hue, by design, is based on open APIs and the trust of local devices. These two tenets are what make the Hue easy to use and easy to program for, so in this case the Hue was simply doing what it was told: turning off when a trusted device issues the command. Better security at the computer level, such as antivirus software, would have prevented this entire situation.

He admitted that perhaps not all Philips security choices were the correct ones, and there were issues that the company is looking into, such as the reuse of API tokens as opposed to issuing unique random keys, but such decisions have trade-offs. In this instance, each device that connects to the Hue would have to be authenticated by the bridge, as opposed to a single set-it-and-forget-it process during the initial installation.
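The trade-off Yianni describes can be made concrete with a small model. This is an added sketch, not code from Philips or from Dhanjani's paper; the `Bridge` class and its method names are hypothetical and do not reflect the Hue API. It shows a whitelist that issues a unique random key per device and lets the owner revoke a single entry.

```python
import hmac
import secrets


class Bridge:
    """Toy model of a bridge whitelist (hypothetical; not the Hue API)."""

    def __init__(self):
        self._whitelist = {}  # token -> device name

    def register(self, device, link_button_pressed):
        # Pairing requires physical presence: the button on the bridge.
        if not link_button_pressed:
            raise PermissionError("link button not pressed")
        token = secrets.token_hex(16)  # 128-bit random key, unique per device
        self._whitelist[token] = device
        return token

    def revoke(self, token):
        # Remove one whitelist entry; returns True if it existed.
        return self._whitelist.pop(token, None) is not None

    def authorized(self, token):
        # Constant-time comparison against each stored token.
        return any(hmac.compare_digest(token, t) for t in self._whitelist)

    def set_lights(self, token, on):
        if not self.authorized(token):
            return "denied"
        return "on" if on else "off"


def demo():
    # Constructed scenario: one clean phone, one PC that carries malware.
    bridge = Bridge()
    phone = bridge.register("phone", link_button_pressed=True)
    pc = bridge.register("infected-pc", link_button_pressed=True)
    before = bridge.set_lights(pc, on=False)   # trusted device: accepted
    bridge.revoke(pc)                          # owner removes only the PC
    after = bridge.set_lights(pc, on=False)    # same command now rejected
    owner = bridge.set_lights(phone, on=True)  # phone keeps working
    return before, after, owner


if __name__ == "__main__":
    print(demo())
```

The cost is the one named above: every device has to be paired at the bridge individually, and a re-infected PC would still need the link button pressed again to regain access.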

While Philips might be in the spotlight here, the company is hardly alone in needing to take a hard look at its security choices. Connected devices need to be given the utmost scrutiny and updated in response to problems. The same mandate is true for all connected devices, from cars to computers to Bluetooth-connected blood monitor implants.
