Philips' smart lights left in the dark by dumb security The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP. According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability …
The Internet has been in the hands of the public long enough that stuff like this is inexcusable. It has been proven countless times that someone is absolutely guaranteed to screw with your product if it is connected. The days of assuming that the Internet is full of 'dumb users* is long over and product development teams must start to think about how total nutcases and assholes will abuse their products.
*The users are still, by and large, dumb, but enough of them have sufficient tech knowledge to absolutely ruin your product.
Sure, but Phillips chose security-through-obscurity. They could have chosen a random number at authorisation time to use as a shared secret. I bet the developers had a discussion...
"So what happens if the user has a disc failure or installs a new OS?"
"Well, they'll have to reauthorize"
"No good, too inconvenient"
"Well, the MAC address will usually stay the same"
"Too obvious"
"We could hash it"
"Hmmm"
"with MD53"
"with What? Yeah, sure NO-ONE will guess that"
It would be interesting to talk with the actual designers/developers for this product and ask them what their initial ideas were, what time and budget pressures they were working under and what management/marketing interference they were subjected to. However, I'm sure that Phillips would fight tooth and nail to prevent that and would quietly threaten dismissal to anyone who spoke to the press.
Would any ACs like to give information?
I'm going to save your first sentence, Frank, and post it into every security story. It's probably closer to the truth than most of the teenage rants.
But, equally, I've been the most clued up developer on a project, working under sympathetic management. (Managers are quite responsive to "Think of the PR disaster if this worst case scenario happens.") And then, five years down the line, I've discovered what I wrote was cack.
Given what Philips are doing, you would hope they used security experts rather than gave it to some smart-seeming graduates who said, "We can handle that." The evidence is less compelling.
I third the call to bring "Death to Internet of Things!"
Also, it'd be more insidious if timers are put in the script so the lights randomly flash throughout the night starting at around 1am. User won't know there's a problem until he's woken up... Bonus points for making it flash out in Morse Code "Wake up sucker!"
I don't think lightbulb security is really an issue. Who is going to use these? People who go on holiday or are otherwise out and about is about the only really useful use case, and who will give a shit if their lights go on and off randomly when they are not in?
Still mildly interesting to see how it works though, but I think MAC address as a use of security is fine. I don't think these will be used in public places. If these lights go on and off randomly (if I had the money to waste on them) I'd throw them in the bin, and think no more of it.
... in that this isn't an issue which affects the light bulbs per se, the video seems to indicate that it's the automation hub device that is compromised. If you sigh, chuck out the smart bulbs and buy replacements, they'll still be under the thrall of the malware. The only way to make your lightswitches work again is to take the hub device offline, as in the video.
I agree with you that this is one of those 'do it because we can' solutions in search of a problem, and I am not going to be exposed any time soon (I upvoted "Death to the Internet of Things!"), but it's interesting that in 2013 flawed implementations like this find their way all the way to the marketplace.
It's really not such a big deal.
- It's really easy to fix. They could MD5 any other value from the iPhone instead of the MAC. Or even a random value. Expect it in the next app update.
- Commercial applications (hospitals, offices) will not use the consumer Hue bridge, but a commercial grade gateway, which will have a different API/access control. The only critical part is the ZigBee over-the-air security.
- The attacker must first have access to the LAN which requires to exploit a vulnerability in the host PC. Makes the whole thing much less probable.
You send a http request and it does it. It sits firmly behind my firewall, but I still worry about someone getting through the wi-fi security itself. Fortunately my neighbors are not so technical.
Heck, it doesn't even seem to enforce minimum time-outs for switching between heating and cooling. You can flip back and forth until the compressor dies.
Given the bulb has to be on the wireless network, I kind of wondered why they bothered?
Instead of half-arsed security that was always going to be broken and which certainly took them non-zero effort to create, why not just take out the security altogether and add a warning to "secure your network properly". Passes the buck neatly passed to the homeowner, it's less expensive for Philips, and it would have saved them a bad headline.
"Why FFS do I want an internet connected light bulb?"
I'm not going to bother convincing you that you need an internet connected light bulb, because I don't want one either... That said I can see a benefit in that you don't have to run power cable cable everywhere just to connect the bulbs to the switches on the wall. Could be handy if it's difficult/expensive/dangerous to run a power cable where you want the switch.
I guess it could also be handy if you don't want light switches cluttering up your walls, but personally I'm comfortable enough with switches and running 250VAC @ 5A around the place. :)
The Phillips lights are wirelessly controlled on Zigbee, Enocean or some other comm protocol versus being wired to some controller. The bridge connects to the internet (of things) . This allows the automation of lighting without having hard wired control signals. If you have ever tried to retrofit hardwired control signals for these applications you will soon see the economy of wireless control.
The power cabling is already in place.
What they really need is to put this control into the lighting fixture, not the lightbulb. Then it has an economy of scale. New LED and some fluorescent ballasts now offer 0-10 VDC inputs so lights can be dimmed or turned on and off with hardwired control. There are more commercial product coming out that integrate the wireless into the switch or the lighting socket which make more sense than putting it into the bulb like Phillips.
Why FFS do I want an internet connected light bulb?
I can only guess why you might, but I can guess at a couple of reasons why including lighting in an automation scheme might be beneficial. In fact, instead of discussing lighting as a single issue, perhaps it would be better to look at why automating appliances might be worthwhile. First, differentiate between home and office use. Much of what goes into home automation is a combination of the cool factor and pure ostentation. Yes, there are plenty of truly worthwhile things to be done with home automation. What these are is likely to be defined as a function of taste more than anything else, I suspect. Setting it up so your lighting flashes to music or dims during a certain period probably has some use somewhere for someone. On the corporate side of the world, there is pressure for efficiencies which may be tracked and controlled through the use of automation. Image is also important.
I would expect the trend to be automate everything and control it all through a common interface. That interface will almost certainly be available remotely... which leads us back to light bulbs on the internet.
I recall more than one tech news article in the past proclaiming just that.
Well if the manufacturers of these new fangled networked appliances can't even secure a simple lightbulb properly then we're all screwed, I don't want to come home and find my frigde got hacked and ordered 1000 gallons of milk from a home delivery supermarket.
Sometimes think a webcam inside the fridge would be useful
I can check if I have any milk from work and even if it did get hacked I don't really care if millions of people on the interwebietubes are watching my gradually decaying celery
And it would answer the great philosophical question - does the light really go off when you close the door?
Gradually decaying celery? Not with the ideal fridge. (Mandatory XKCD reference.)
A lot of CE products don't. And in a way, that might be better - rather than trying to do security correctly in tons of connected devices, have it behind to a device (a wireless router in the home, whatever gateway is managing all such devices in a commercial environment) that handles security for it.
If you rely on its security, what happens if it is cracked? (security, not the glass) Do we really want to live in a world where we have to do firmware updates on our light bulbs? If you say "it can download them automatically", what happens if the support life of your light bulb is a lot shorter than its bulb life? Are you left only buying from major vendors, because you worry a small firm might go out of business and the site the bulbs access for firmware updates goes away?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
