Hacking into the Internet of Things could be way, way easier than cybersecurity researchers thought. In fact, breaking into a network of “smart devices” could be as simple as flying a drone with a Raspberry Pi tied to it near a building full of tech.
In research released Thursday, scientists explain how a high-enough concentration of wireless “smart” technology opens up a vulnerability to malware, one that’s incredibly ripe for any hackers who care to exploit it. The virus could travel across WiFi, through the air, affecting other nearby wireless devices in the same manner as outbreaks of biological disease.
The researchers warned of “a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass.” While “IoT devices exceeding critical mass” might sound way too 2016 to make sense, it means that devices like smart lamps (technically, smart light bulbs) have a fatal flaw. Put enough of them together, and they all become hackable.
This is why that Distributed Denial of Service attack on Dyn, Inc. last month was able to take down as many platforms as it did. Security on IoT devices is notoriously shoddy — the Philips Hue lamp used in the researchers’ study is just one example. The malware they designed can infect your nifty Philips Hue smart lamp by virtue of physical proximity alone. You probably haven’t invested too much effort into securing the various smart devices you might be lucky enough to have around your home; neither has anyone else.
To make their point, the researchers created this helpful video, which, if you don’t know what you’re looking at, seems innocuous enough at first but, when contextualized, becomes batshit insane. The team planted smart light bulbs in an office building that happens to house some well-known security companies and also the Israeli CERT. They rigged their “attack kit” to a drone, flew that drone up to the building, and proceeded to Stranger Things the shit out of the unsuspecting Philips Hues as the drone closed in from its starting range of more than 1,000 feet away.
The team isn’t picking on Philips Hue bulbs because of any gratuitous security failing on the part of the Philips Lighting company. Rather, these bulbs were selected because they’re simply a representative product for the likely targets of these kinds of attacks. Pretty much any IoT device would be at risk - the smart fridge, the Fitbit, the car you lock with your phone.
According to the paper, any devices built on the wireless connectivity protocol ZigBee are vulnerable. The rest of the abstract is pretty grim and should not really be read before bed, but basically explains that once you have smart bulb Patient Zero, the infection can spread, domino-like, within minutes. The attacker could cut all the light bulbs in the city. As The New York Times pointed out, hackers could also target people with epilepsy, and this is all still just considering light bulbs, not even the rest of the more commercially popular IoT devices.
The researchers were kind enough to contact Philips Lighting and share their findings, “including all the technical details and suggestions for a fix.” The company duly shored up its malware vulnerabilities last month, but still insisted to the Times that there wasn’t much clear and present danger.
“We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack,” a Philips spokeswoman wrote to the Times.
Until next time, that is.
Photos via Eyalro