Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Software Canada Privacy Technology Science

Researchers Hack Philips Hue Smart Bulbs Using a Drone (pcworld.com) 50

schwit1 quotes a report from PCWorld: "Researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code. The drone carried out the attack from more than a thousand feet away. Using the exploit, the researchers were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. 'There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,' according to the researchers. The researchers notified Philips of the vulnerability. The company then delivered a patch for it in October." It wasn't long ago that claiming "Drones are controlling my lightbulbs!" would have gotten you locked up for your own protection.
This discussion has been archived. No new comments can be posted.

Researchers Hack Philips Hue Smart Bulbs Using a Drone

Comments Filter:
  • then someone gets sued. then some lawyers make bonus.
  • Not everything needs to be on the damn fucking internet.....unplug motherfuckers...

    • These particular bulbs are capable of changing color, so there needs to be someway of controlling them that doesn't necessitate replacing the light fixture itself or running more cabling all over the place. That means they need to use some kind of wireless technology and it's easiest just to use something standard that's well documented and already has legal approval.

      I suppose you could argue that the technology itself is pointless, but that could probably be said about plenty of things you consider nece
      • These particular bulbs are capable of changing color, so there needs to be...

        ...some justification as to why we "need" color changing light bulbs, other than data mining from the app controlling it?

        Yes, I agree.

    • Well... I have a few Hue bulbs, and while the IP is properly fire walled from the Internet, the issue here is zigbee, which you can't exactly firewall as an end user. The same issues were true for X10, Insteon, and every other power line and wireless system. Sure, you aren't going to be able to hack my DMX, well... unless you have physical access...
    • The bulbs themselves are not on the Internet directly, but on a Zigbee network, connecting to a Hue hub. The hub may or may not be connected to the internet (it doesn't need to be).

      What I understand from the article is that the attack doesn't use the internet or exploit the WLAN, but subverts the Zigbee network. You need to be fairly close to hook into that, hence the use of a drone. Wardriving would work just as well. I'm not sure how vulnerable Zigbee networks are in general, but it must be pretty
  • I'm a big fan of automation but wireless automation, especially the IoT blight is a horrible idea. If your primary defense is obscurity then accepting a broadcast from anywhere is a recipe for disaster. Wired automation is intrinsically safer because it requires physical access though I do not believe that should be it's only defense.

    • No. Wired is not more secure in any measurable way, and once one has proximity it is likely to be *far less* secure because so many people believe this myth. Why would I encrypt? It isn't wireless! (God invented the VPN for a reason)
      • Re: (Score:2, Insightful)

        by Khyber ( 864651 )

        "No. Wired is not more secure in any measurable way,"

        Bullshit, son. It's a little thing called PHYSICAL ACCESS REQUIRED.

        • You clearly have no idea what I said. You should look up words you don't understand before responding. The point is that physical access is usually not that much harder to get that access from within range. Typically the use case is some in the building connecting wirelessly and some doing wired. Your security landscape model falsely focuses on external actors (exclusively at that from what I can tell) when internal attack vectors are the most commonly exploited.
          • by Kjella ( 173770 )

            The point is that physical access is usually not that much harder to get that access from within range.

            Many offices are like that yes, where the access badge is just to keep random peeps from loitering for things to steal and anyone with semi-legitimate reason has access. Not every place is like that though, but disregarding that if you're talking about colored LEDs I'm mostly thinking home applications. And it's a lot harder to get access to my apartment than to get within range of my wifi. But who am I kidding, we'll probably hook it up to the IoT so it can be managed from the cloud. That puts the whole wo

          • The point is that physical access is usually not that much harder to get that access from within range. Typically the use case is some in the building connecting wirelessly and some doing wired. .

            That's his point. Physical access you have to be at one place, which usually has people in it. Your guy can sit anywhere and get in, he could literally be on the other side of the world and still access your shit. Security isn't all about encryption and 128 bit random passwords. Range is a big factor.

          • by Khyber ( 864651 )

            "You clearly have no idea what I said"

            You clearly don't work in a facility where EVERYTHING NEEDS TO BE LOCKED DOWN. By the way, guess what most offices have over their AC unit controls? A LOCK BOX. Guess what's dead simple to put on an automated system and lock down with a similar lock box? A non-wireless LED lighting system.

            Again, physical access requirements are far more secure than anything you're claiming.

  • Being heavily invested in home automation including Phillips Hue, it's been my experience that you can trust only the major IoT players when it comes to pushing frequent security updates, something Hue does well. So does Ring.

    I wish non-techie people knew about routers that can isolate the IoT stuff to its own network, or that buying cheap IoT stuff is no bargain in the long term.

  • Who needs to patch a lightbulb?

    Analog for the win!

  • $15 per bulb and they STILL suck.

    I like the part where they can make the infection "irreversible". Nice touch.

    Guess what brand of bulb I won't be buying, even though it's supposedly patched?

    • I suppose that "irreversible" bit will work for any device that does not have a factory reset and allows for remote installation of firmware, thereby removing the factory default firmware and the ability to receive updates. It's quite simple to make it irreversible (easier than making it reversible) as all you do is not adding code to accept firmware updates.

  • by almeida ( 98786 ) on Tuesday November 08, 2016 @09:22PM (#53242359)

    ZigBee issued a press release today about this [zigbee.org]. They say the attack exploited a bug in one vendor's implementation of the protocol, not a weakness in the protocol itself.

    • So, basically they were holding it wrong?
      • So, basically they were holding it wrong?

        Well, technically no. They were screwing it in wrong.

        On a related note, I wonder how many engineers does it take to change light bulb?

  • I'm sure the next thing is these guys get sued under some DMCA provision or clause, instead of getting appreciation for the effort the researchers put into exposing the vulnerability so the vendor can evolve their product.

    I know it sounds cynical, but can you remember a time where a vendor of these products actually thanked those who hacked it for letting them know the problem?

    • What's scary is that sooner or later, the hackers are going to start believing that going to a company with their findings is "all downside". The next step, of course, would be to sell their efforts to the highest bidder. And that, in turn, would probably lead to methods of anonymous transfer of wealth that might give average people access to some of the same tools as those routinely used by top banks, corporations and multi-billionaires.

      It would be an interesting world.

  • Now I will need a candle at night to read, because somebody might --you know tinker with my lights-- and force me to turn them off.

    • by Anonymous Coward

      Until a drone flies by and blows your candle out.

  • by wvmarle ( 1070040 ) on Tuesday November 08, 2016 @10:55PM (#53242553)

    Both TFS and TFA are really light on technical details - can anyone shed some light on where the drone comes in play? And also the vulnerability itself - a default password or something more obscure?

    Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?

    • by cdrudge ( 68377 )

      Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?

      Well, based on the fact that we're here talking about it, yeah, I'd say that there may circumstances where an update is needed because a flaw was found. Or would you rather just toss the bulb and go buy another updated one for $50?

    • They article didn't give any details, but it sounds they hacked the hub the lights connect to, not the lights themselves. They probably had to be on the same wifi network, hence the drone. So if the wifi network was secure this couldn't have happened, but the hub must have some sort of default password or way to take control if you simply have wifi access which isn't good security.
      • by aug24 ( 38229 )

        They sent new firmware to the bulb over the ZigBee network, using the symmetric key baked into every bulb (which they first had to obtain) to sign it. Obtaining the key is hard-ish, but they didn't say how they did it.

  • Thanks For share. Today I learned a lot from your website,, If you have a problem we come with a recommendation for us, please visit my website Obat Sinusitis [agaricpro.info]
  • Oooh, now I understand what happened in Stranger Things.
  • It wasn't long ago that claiming "Trump is president!" would have gotten you locked up for your own protection

    FTFY

    • by ebvwfbw ( 864834 )

      I remember when Reagan being President was laughed at. He's just an actor they said.
      More recently I remember when they said Obama was a joke. He couldn't even get into the 2000 DNC convention. Besides, he's black! He doesn't stand a chance. I remember saying - watch this guy, I bet he's going to nail it and here we are.

      So here we go again.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...