Researchers Hack Philips Hue Smart Bulbs Using a Drone (pcworld.com)
schwit1 quotes a report from PCWorld: "Researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code. The drone carried out the attack from more than a thousand feet away. Using the exploit, the researchers were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. 'There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,' according to the researchers. The researchers notified Philips of the vulnerability. The company then delivered a patch for it in October." It wasn't long ago that claiming "Drones are controlling my lightbulbs!" would have gotten you locked up for your own protection.
eventually, someone gets hurt (Score:2)
Networked light bulbs are useless and stupid (Score:1)
Not everything needs to be on the damn fucking internet.....unplug motherfuckers...
Re: (Score:2)
Re: (Score:3)
I suppose you could argue that the technology itself is pointless, but that could probably be said about plenty of things you consider nece
Re:Networked light bulbs are useless and stupid (Score:4, Informative)
This. I work in lighting, specifically LED. Making an analog RGB control is dead fucking simple and we've got wiring that already exists to handle such a thing.
Re: (Score:2)
Re: (Score:3)
Old fashioned dimmers required a dimmer switch. Making a dimmer switch that could use some sort of powerline comms to send 3 integers (RGB) from switch to bulb to control hue and brightness would be utterly trivial. No new cabling required, just install a new dimmer switch and the bulb and you're done.
Have you ever used X10 / Insteon? PLC sounds good until you try to use it. Half the house is on different phases so you have trouble getting everything on the network. Then you also get issues with power strips consuming the signals, things generating interference, etc.
I'm really not a big fan of wireless either, but in practice Z-wave works a lot better.
Re: (Score:2)
These particular bulbs are capable of changing color, so there needs to be...
...some justification as to why we "need" color changing light bulbs, other than data mining from the app controlling it?
Yes, I agree.
Re: (Score:2)
Re: (Score:2)
What I understand from the article is that the attack doesn't use the internet or exploit the WLAN, but subverts the Zigbee network. You need to be fairly close to hook into that, hence the use of a drone. Wardriving would work just as well. I'm not sure how vulnerable Zigbee networks are in general, but it must be pretty
wireless automation is bad. (Score:2, Insightful)
I'm a big fan of automation but wireless automation, especially the IoT blight, is a horrible idea. If your primary defense is obscurity, then accepting a broadcast from anywhere is a recipe for disaster. Wired automation is intrinsically safer because it requires physical access, though I do not believe that should be its only defense.
Re: wireless automation is bad. (Score:2)
Re: (Score:2, Insightful)
"No. Wired is not more secure in any measurable way,"
Bullshit, son. It's a little thing called PHYSICAL ACCESS REQUIRED.
Re: wireless automation is bad. (Score:3)
Re: (Score:2)
The point is that physical access is usually not that much harder to get than access from within range.
Many offices are like that yes, where the access badge is just to keep random peeps from loitering for things to steal and anyone with semi-legitimate reason has access. Not every place is like that though, but disregarding that if you're talking about colored LEDs I'm mostly thinking home applications. And it's a lot harder to get access to my apartment than to get within range of my wifi. But who am I kidding, we'll probably hook it up to the IoT so it can be managed from the cloud. That puts the whole wo
Re: wireless automation is bad. (Score:2)
Re: (Score:2)
The point is that physical access is usually not that much harder to get than access from within range. Typically the use case is some in the building connecting wirelessly and some doing wired.
That's his point. Physical access you have to be at one place, which usually has people in it. Your guy can sit anywhere and get in, he could literally be on the other side of the world and still access your shit. Security isn't all about encryption and 128 bit random passwords. Range is a big factor.
Re: (Score:2)
"You clearly have no idea what I said"
You clearly don't work in a facility where EVERYTHING NEEDS TO BE LOCKED DOWN. By the way, guess what most offices have over their AC unit controls? A LOCK BOX. Guess what's dead simple to put on an automated system and lock down with a similar lock box? A non-wireless LED lighting system.
Again, physical access requirements are far more secure than anything you're claiming.
Re: wireless automation is bad. (Score:2)
Trust the major players, not bargains. (Score:1)
Being heavily invested in home automation including Philips Hue, it's been my experience that you can trust only the major IoT players when it comes to pushing frequent security updates, something Hue does well. So does Ring.
I wish non-techie people knew about routers that can isolate the IoT stuff to its own network, or that buying cheap IoT stuff is no bargain in the long term.
Re: (Score:1)
Subtle.
Philips, bright.... ... _ _ _ ...
Delivered a patch? (Score:2)
Who needs to patch a lightbulb?
Analog for the win!
$15 per bulb and they STILL suck (Score:2)
$15 per bulb and they STILL suck.
I like the part where they can make the infection "irreversible". Nice touch.
Guess what brand of bulb I won't be buying, even though it's supposedly patched?
Re: (Score:2)
I suppose that "irreversible" bit will work for any device that does not have a factory reset and allows for remote installation of firmware, thereby removing the factory default firmware and the ability to receive updates. It's quite simple to make it irreversible (easier than making it reversible), as all you do is not add code to accept firmware updates.
Statement from ZigBee (Score:5, Informative)
ZigBee issued a press release today about this [zigbee.org]. They say the attack exploited a bug in one vendor's implementation of the protocol, not a weakness in the protocol itself.
Re: (Score:2)
Re: (Score:2)
So, basically they were holding it wrong?
Well, technically no. They were screwing it in wrong.
On a related note, I wonder how many engineers it takes to change a light bulb?
Litigation (Score:1)
I'm sure the next thing is these guys get sued under some DMCA provision or clause, instead of getting appreciation for the effort the researchers put into exposing the vulnerability so the vendor can evolve their product.
I know it sounds cynical, but can you remember a time where a vendor of these products actually thanked those who hacked it for letting them know the problem?
Re: (Score:2)
What's scary is that sooner or later, the hackers are going to start believing that going to a company with their findings is "all downside". The next step, of course, would be to sell their efforts to the highest bidder. And that, in turn, would probably lead to methods of anonymous transfer of wealth that might give average people access to some of the same tools as those routinely used by top banks, corporations and multi-billionaires.
It would be an interesting world.
Oh oh. (Score:2)
Now I will need a candle at night to read, because somebody might --you know tinker with my lights-- and force me to turn them off.
Re: (Score:1)
Until a drone flies by and blows your candle out.
What's the role of the drone? (Score:4, Informative)
Both TFS and TFA are really light on technical details - can anyone shed some light on where the drone comes into play? And also the vulnerability itself - a default password or something more obscure?
Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?
Re: (Score:3)
Well, based on the fact that we're here talking about it, yeah, I'd say that there may be circumstances where an update is needed because a flaw was found. Or would you rather just toss the bulb and go buy another updated one for $50?
Re:What's the role of the drone? (Score:4, Informative)
I'd rather have the manufacturer do a decent job in building their software, so that updates aren't necessary. If they think the update option should be there, there should also be a factory reset option to recover from any problems with that.
Re: (Score:3)
Re: (Score:2)
They sent new firmware to the bulb over the ZigBee network, using the symmetric key baked into every bulb (which they first had to obtain) to sign it. Obtaining the key is hard-ish, but they didn't say how they did it.
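The design point in this reply (a single symmetric key shared by every bulb is all an attacker needs to sign firmware for the whole fleet) and the lock-out point raised earlier in the thread (an update that removes the update code) can both be shown in a small constructed model. The Go below is an added example, not code from the researchers, Philips or ZigBee, and it assumes nothing about the real bulb image format: HMAC-SHA256 stands in for whatever the shared-key check actually is, Ed25519 stands in for a vendor-held signing key, and the `Device`/`Verifier` names are invented for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a bulb firmware blob plus its
// authentication tag; it is not the real Philips or ZigBee image format.
type FirmwareImage struct {
	Payload []byte
	Tag     []byte // HMAC tag or Ed25519 signature, depending on the scheme
}

// Verifier is a device's firmware-acceptance policy.
type Verifier interface {
	Accepts(img FirmwareImage) bool
}

// SharedKeyVerifier models the weak design: every unit holds the same secret,
// so extracting it from one unit lets an attacker tag images for all of them.
type SharedKeyVerifier struct{ key []byte }

func (v SharedKeyVerifier) Accepts(img FirmwareImage) bool {
	mac := hmac.New(sha256.New, v.key)
	mac.Write(img.Payload)
	return hmac.Equal(mac.Sum(nil), img.Tag)
}

// SignShared produces the tag a shared-key device checks for.
func SignShared(key, payload []byte) FirmwareImage {
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return FirmwareImage{Payload: payload, Tag: mac.Sum(nil)}
}

// PublicKeyVerifier models the hardened design: the unit stores only the
// vendor's public key; the private key never ships in any device.
type PublicKeyVerifier struct{ vendorPub ed25519.PublicKey }

func (v PublicKeyVerifier) Accepts(img FirmwareImage) bool {
	return ed25519.Verify(v.vendorPub, img.Payload, img.Tag)
}

// SignAsymmetric is the vendor-side signing step.
func SignAsymmetric(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Tag: ed25519.Sign(priv, payload)}
}

// Device keeps its verifier in a region the update path never writes (a
// bootloader). Update replaces App only, so an image that strips the OTA code
// out of the application cannot strip the ability to take a later signed one.
type Device struct {
	Boot Verifier
	App  []byte
}

func (d *Device) Update(img FirmwareImage) bool {
	if !d.Boot.Accepts(img) {
		return false
	}
	d.App = append([]byte(nil), img.Payload...)
	return true
}

// Outcome records what an attacker holding one bulb's contents achieves.
type Outcome struct {
	SharedKeyForgeryAccepted bool // rogue image taken by a second shared-key bulb
	PublicKeyForgeryAccepted bool // rogue image taken by a second public-key bulb
	VendorImageAccepted      bool // genuine vendor-signed image still works (control)
	RecoveryAfterRogue       bool // authenticated image accepted after a rogue one
}

func RunScenario() Outcome {
	// Vendor provisioning (constructed keys).
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		panic(err)
	}
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Two bulbs per scheme; the attacker tears down bulb 0 of each fleet.
	sharedFleet := []*Device{
		{Boot: SharedKeyVerifier{sharedKey}, App: []byte("genuine v1")},
		{Boot: SharedKeyVerifier{sharedKey}, App: []byte("genuine v1")},
	}
	pubFleet := []*Device{
		{Boot: PublicKeyVerifier{vendorPub}, App: []byte("genuine v1")},
		{Boot: PublicKeyVerifier{vendorPub}, App: []byte("genuine v1")},
	}
	rogue := []byte("constructed rogue image: OTA code removed")

	// The key extracted from shared-key bulb 0 signs for bulb 1 as well.
	extracted := sharedFleet[0].Boot.(SharedKeyVerifier).key
	sharedForged := sharedFleet[1].Update(SignShared(extracted, rogue))

	// Tearing down a public-key bulb yields only the (already public) key,
	// so the attacker can sign with nothing better than a key of their own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	pubForged := pubFleet[1].Update(SignAsymmetric(attackerPriv, rogue))
	vendorOK := pubFleet[1].Update(SignAsymmetric(vendorPriv, []byte("genuine v2")))

	// Verification lives in Boot, not App, so the rogue application now on
	// sharedFleet[1] cannot block a later image that its bootloader accepts.
	recovered := sharedFleet[1].Update(SignShared(sharedKey, []byte("genuine v2")))

	return Outcome{sharedForged, pubForged, vendorOK, recovered}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The two halves are separate fixes: the public key in the bootloader stops a key harvested from one unit from signing for the fleet, while keeping the verifier out of the updatable region is what prevents a rogue image from making the device unrecoverable in the first place. Neither covers a vendor that ships the shared key and the OTA code in the same writable image.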
Sudden revelation (Score:2)
Oh Noes! (Score:2)
FTFY
Re: (Score:1)
I remember when Reagan being President was laughed at. He's just an actor they said.
More recently I remember when they said Obama was a joke. He couldn't even get into the 2000 DNC convention. Besides, he's black! He doesn't stand a chance. I remember saying - watch this guy, I bet he's going to nail it and here we are.
So here we go again.