Philips' smart lights left in the dark by dumb security

The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP. According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability …

COMMENTS

This topic is closed for new posts.

Is MD53

48 times as safe as MD5?

4
0

Re: Is MD53

That would be MD240, shurely?

3
0

Re: Is MD53

Alternatively 3.55 exp33.

Philips are soooo smart.

0
0

Post Analysis

The Internet has been in the hands of the public long enough that stuff like this is inexcusable. It has been proven countless times that someone is absolutely guaranteed to screw with your product if it is connected. The days of assuming that the Internet is full of 'dumb users'* are long over and product development teams must start to think about how total nutcases and assholes will abuse their products.

*The users are still, by and large, dumb, but enough of them have sufficient tech knowledge to absolutely ruin your product.

12
1

Re: Post Analysis

On the other hand, a light bulb that requires biometric login, 2-factor authentication and an 8-digit RSA-ID that changes every 30 seconds is also rather useless.

7
0

Re: Post Analysis

Sure, but Philips chose security-through-obscurity. They could have chosen a random number at authorisation time to use as a shared secret. I bet the developers had a discussion...

"So what happens if the user has a disc failure or installs a new OS?"

"Well, they'll have to reauthorize"

"No good, too inconvenient"

"Well, the MAC address will usually stay the same"

"Too obvious"

"We could hash it"

"Hmmm"

"with MD53"

"with What? Yeah, sure NO-ONE will guess that"

3
0

Why are you to dumb to spell the name properly in the title?

0
6
Anonymous Coward

"Why are you to dumb to spell the name properly in the title?"

Oops. Or should that be "Durr ..." ?

9
0
Anonymous Coward

Why are you to dumb to spell the name properly in the title?

Welcome to Dosche's Law. It states that in the process of correcting someone else's posting, they, too, will screw up their own posting.

8
0

Dosche's Law?

The term you're looking for is "Muphry's Law".

4
0

Re: Dosche's Law?

That would be "Morphy's Law".

0
0

Re: Dosche's Law?

"The term you're looking for is 'Muphry's Law'."

Maybe he meant "Douche's Law"?

0
0
Anonymous Coward

Re: Dosche's Law?

No. Dosche's Law as coined by Ward Dosche, currently Zone 2 coordinator of Fidonet. He coined this "law" at least 20 years ago when confronted by numerous others trying to play spelling-Nazi on his posts ;)

0
0
Anonymous Coward

Re: Dosche's Law?

Maybe he meant "Douche's Law"?

That would depend on how well you know the Ward Dosche in question ;)

0
0
Anonymous Coward

Overprice carp

Only suckers and shrills raves about this grossly overprice junk; the poor security is hardly surprising.

It is quite fitting that it is sold in Apple (sucker) stores.

4
1

Re: Overprice carp

Shrills?

Do you mean shills?

Nobody was raving about it anyway...

0
0
Anonymous Coward

Last I heard

Philips were trying to make this communication method the new standard for office lighting control.

I wonder what happened at the last planning meeting?

3
0

"Honey, the lights don't work again"

No problem, ask the guy parked outside our house downloading porn to turn them back on again.

8
0

Getting the entire story

It would be interesting to talk with the actual designers/developers for this product and ask them what their initial ideas were, what time and budget pressures they were working under and what management/marketing interference they were subjected to. However, I'm sure that Philips would fight tooth and nail to prevent that and would quietly threaten dismissal to anyone who spoke to the press.

Would any ACs like to give information?

6
0

Re: Getting the entire story

I'm going to save your first sentence, Frank, and post it into every security story. It's probably closer to the truth than most of the teenage rants.

But, equally, I've been the most clued up developer on a project, working under sympathetic management. (Managers are quite responsive to "Think of the PR disaster if this worst case scenario happens.") And then, five years down the line, I've discovered what I wrote was cack.

Given what Philips are doing, you would hope they used security experts rather than gave it to some smart-seeming graduates who said, "We can handle that." The evidence is less compelling.

1
0

Call me old fashioned, but...

Light.

Power supply.

Wire.

Switch.

Sorted...

Death to the Internet of Things!

15
1

Allow me to add:

Double shotgun barrel to the face of any prick who wants to plug my fridge into the Web.

10
0

Re: Call me old fashioned, but...

I third the call to bring "Death to Internet of Things!"

Also, it'd be more insidious if timers are put in the script so the lights randomly flash throughout the night starting at around 1am. User won't know there's a problem until he's woken up... Bonus points for making it flash out in Morse Code "Wake up sucker!"

2
0

Fine as long...

Fine as long as your Connected shotgun hasn't been hacked...

0
0

I don't think lightbulb security is really an issue. Who is going to use these? People who go on holiday or are otherwise out and about is about the only really useful use case, and who will give a shit if their lights go on and off randomly when they are not in?

Still mildly interesting to see how it works though, but I think MAC address as a use of security is fine. I don't think these will be used in public places. If these lights go on and off randomly (if I had the money to waste on them) I'd throw them in the bin, and think no more of it.

0
5

I think you are mistaken ...

... in that this isn't an issue which affects the light bulbs per se, the video seems to indicate that it's the automation hub device that is compromised. If you sigh, chuck out the smart bulbs and buy replacements, they'll still be under the thrall of the malware. The only way to make your lightswitches work again is to take the hub device offline, as in the video.

I agree with you that this is one of those 'do it because we can' solutions in search of a problem, and I am not going to be exposed any time soon (I upvoted "Death to the Internet of Things!"), but it's interesting that in 2013 flawed implementations like this find their way all the way to the marketplace.

4
0

I think you've entirely missed the point (what the PR department says is the point) of these bulbs.

If you just want to look like your home when you're on holiday, use a timer plug and a lamp.

2
0

I think you're a bit confused...

If you want to look like your home then you'd need a costume to make you look like a house/flat etc.

11
0

Not such a big deal

It's really not such a big deal.

- It's really easy to fix. They could MD5 any other value from the iPhone instead of the MAC. Or even a random value. Expect it in the next app update.

- Commercial applications (hospitals, offices) will not use the consumer Hue bridge, but a commercial grade gateway, which will have a different API/access control. The only critical part is the ZigBee over-the-air security.

- The attacker must first have access to the LAN, which requires exploiting a vulnerability in the host PC. Makes the whole thing much less probable.

0
0
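The first bullet above, and the earlier "random number at authorisation time" comment, both describe the same fix: stop deriving the client's token from something fixed and observable and hand out a random secret when the user authorises a device. The following is an added illustration, not code from this thread or from Philips, of what that pairing flow looks like in Python. The names `Bridge`, `pair`, `authorised`, `set_light` and the `link_button_pressed` flag are assumptions made for the example; they do not describe the real Hue bridge API.

```python
# Added example (not from the Register thread or from Philips): a minimal model
# of a bridge that issues a random per-client token at authorisation time,
# stores only a hash of it, and checks presented tokens in constant time.
# Bridge, pair, authorised, set_light and link_button_pressed are assumed names.
import hashlib
import hmac
import secrets


class Bridge:
    def __init__(self):
        # client name -> SHA-256 of its token. Nothing in this table is
        # derivable from the client's hardware, and a leaked table does not
        # yield usable tokens.
        self._tokens = {}
        self.lights = {1: False, 2: False}   # constructed sample state

    def pair(self, client_name, link_button_pressed):
        """Authorise a client and hand it a fresh random token.

        Pairing is only allowed while the physical link button is pressed
        (modelled here as a flag), so authorisation requires local presence,
        not merely a position on the LAN."""
        if not link_button_pressed:
            raise PermissionError("press the link button on the bridge to pair")
        token = secrets.token_hex(16)             # 128 bits from the OS CSPRNG
        self._tokens[client_name] = self._digest(token)
        return token                               # shown to the client once

    def revoke(self, client_name):
        """Drop a client; its old token stops working immediately."""
        self._tokens.pop(client_name, None)

    def authorised(self, client_name, token):
        stored = self._tokens.get(client_name)
        if stored is None:
            return False
        # Constant-time comparison: timing does not reveal how much matched.
        return hmac.compare_digest(stored, self._digest(token))

    def set_light(self, client_name, token, light_id, on):
        """The only path that changes a light; refuses unauthorised callers."""
        if not self.authorised(client_name, token):
            raise PermissionError("unauthorised")
        self.lights[light_id] = bool(on)
        return self.lights[light_id]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).digest()


def reinstall_scenario():
    """The 'disc failure / new OS' objection from the thread: the user simply
    pairs again. The old token is gone and a new random one is issued, so the
    replacement does not reuse anything predictable from the old install."""
    bridge = Bridge()
    first = bridge.pair("kitchen-phone", link_button_pressed=True)
    bridge.revoke("kitchen-phone")                 # old install lost its token
    second = bridge.pair("kitchen-phone", link_button_pressed=True)
    return {
        "old_token_rejected": not bridge.authorised("kitchen-phone", first),
        "new_token_accepted": bridge.authorised("kitchen-phone", second),
        "tokens_differ": first != second,
    }


if __name__ == "__main__":
    b = Bridge()
    t = b.pair("phone", link_button_pressed=True)
    print("light 1 on:", b.set_light("phone", t, 1, True))
    print(reinstall_scenario())
```

The design choice worth noting is that the inconvenience the imagined developers objected to (re-authorising after a reinstall) is the whole point: a token that survives a wipe because it is computed from the device's MAC address is a token anyone who can see that MAC address can compute too. A random token that the user must re-request from the bridge costs one button press and nothing else.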

My 3M wi-fi thermostat doesn't do ANY authentication at all.

You send an HTTP request and it does it. It sits firmly behind my firewall, but I still worry about someone getting through the wi-fi security itself. Fortunately my neighbors are not so technical.

Heck, it doesn't even seem to enforce minimum time-outs for switching between heating and cooling. You can flip back and forth until the compressor dies.

2
0

Re: My 3M wi-fi thermostat doesn't do ANY authentication at all.

Given the bulb has to be on the wireless network, I kind of wondered why they bothered?

Instead of half-arsed security that was always going to be broken and which certainly took them non-zero effort to create, why not just take out the security altogether and add a warning to "secure your network properly"? Passes the buck neatly to the homeowner, it's less expensive for Philips, and it would have saved them a bad headline.

0
0

Er...

...nobody appears to have commented on the fact that an internet connected light bulb is a totally shit idea, as useless as the internet connected fridge.

Why FFS do I want an internet connected light bulb?

Anybody?

4
0
Roo

Re: Er...

"Why FFS do I want an internet connected light bulb?"

I'm not going to bother convincing you that you need an internet connected light bulb, because I don't want one either... That said I can see a benefit in that you don't have to run power cable everywhere just to connect the bulbs to the switches on the wall. Could be handy if it's difficult/expensive/dangerous to run a power cable where you want the switch.

I guess it could also be handy if you don't want light switches cluttering up your walls, but personally I'm comfortable enough with switches and running 250VAC @ 5A around the place. :)

0
0

Re: Er...

Why FFS do I want an internet connected light bulb?

I can only guess why you might, but I can guess at a couple of reasons why including lighting in an automation scheme might be beneficial. In fact, instead of discussing lighting as a single issue, perhaps it would be better to look at why automating appliances might be worthwhile. First, differentiate between home and office use. Much of what goes into home automation is a combination of the cool factor and pure ostentation. Yes, there are plenty of truly worthwhile things to be done with home automation. What these are is likely to be defined as a function of taste more than anything else, I suspect. Setting it up so your lighting flashes to music or dims during a certain period probably has some use somewhere for someone. On the corporate side of the world, there is pressure for efficiencies which may be tracked and controlled through the use of automation. Image is also important.

I would expect the trend to be automate everything and control it all through a common interface. That interface will almost certainly be available remotely... which leads us back to light bulbs on the internet.

0
0

Re: Er...Not power cabling but SIGNAL cabling

The Philips lights are wirelessly controlled on Zigbee, Enocean or some other comm protocol versus being wired to some controller. The bridge connects to the internet (of things). This allows the automation of lighting without having hard wired control signals. If you have ever tried to retrofit hardwired control signals for these applications you will soon see the economy of wireless control.

The power cabling is already in place.

What they really need is to put this control into the lighting fixture, not the lightbulb. Then it has an economy of scale. New LED and some fluorescent ballasts now offer 0-10 VDC inputs so lights can be dimmed or turned on and off with hardwired control. There are more commercial products coming out that integrate the wireless into the switch or the lighting socket, which make more sense than putting it into the bulb like Philips.

1
0

"even your fridge will have its own IP address..."

I recall more than one tech news article in the past proclaiming just that.

Well if the manufacturers of these new fangled networked appliances can't even secure a simple lightbulb properly then we're all screwed, I don't want to come home and find my fridge got hacked and ordered 1000 gallons of milk from a home delivery supermarket.

0
0

Re: "even your fridge will have its own IP address..."

Sometimes think a webcam inside the fridge would be useful

I can check if I have any milk from work and even if it did get hacked I don't really care if millions of people on the interwebietubes are watching my gradually decaying celery

And it would answer the great philosophical question - does the light really go off when you close the door?

0
0

Re: "even your fridge will have its own IP address..."

Gradually decaying celery? Not with the ideal fridge. (Mandatory XKCD reference.)

0
0

At least we won't have to worry about skynet.

Since we will be the one that creates it, don't count on it being able to do shit without falling on its ass and accidentally reformatting itself after two nanoseconds.

0
0

Remind me ....

How many engineers does it take to secure a lightbulb?

1
0

Frankly I'm surprised it had any security at all

A lot of CE products don't. And in a way, that might be better - rather than trying to do security correctly in tons of connected devices, have it behind a device (a wireless router in the home, whatever gateway is managing all such devices in a commercial environment) that handles security for it.

If you rely on its security, what happens if it is cracked? (security, not the glass) Do we really want to live in a world where we have to do firmware updates on our light bulbs? If you say "it can download them automatically", what happens if the support life of your light bulb is a lot shorter than its bulb life? Are you left only buying from major vendors, because you worry a small firm might go out of business and the site the bulbs access for firmware updates goes away?

0
0

Re: Frankly I'm surprised it had any security at all

In this case it's that gateway that was cracked.

0
0