back to article IoT worm can hack Philips Hue lightbulbs, spread across cities

Researchers have developed a proof-of-concept worm they say can rip through Philips Hue lightbulbs across entire cities – causing the insecure web-connected globes to flick on and off. The software nasty, detailed in a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF], exploits hardcoded symmetric …

  1. Anonymous Coward
    Anonymous Coward

    ANY i.o.t

    Device should be consigned to the bin, the entire concept is fundamentally flawed...

    1. Charles 9

      Re: ANY i.o.t

      Take it to the logical conclusion; the entire INTERNET is hopelessly flawed and must be replaced. Any ideas?

    2. Voland's right hand Silver badge

      Re: ANY i.o.t

      I beg to differ.

      If it has a known protocol and if it is BEHIND a firewall and talking only to MY GATEWAY - I am all for it.

      I have been fighting with the dishwasher for the best of today. It is having a hissy fit and claiming it has "water issues" which I cannot diagnose properly because I cannot interrogate its damn microcontroller and the codes on the front panel are not sufficiently informative.

      I would have loved it being connected as long as it is not going anywhere outside my network - this would have allowed me to ask which of the 3 sensors in charge of the damn filling is at fault (reed counter for water volume, water fill cut-off or water level) while it is running through its tests. All of it without getting off my desk a couple of floors above it.

      1. Anonymous Coward
        Anonymous Coward

        Re: ANY i.o.t

        That assumes the manufacturer has included the option to interrogate it in that way.

        Above being able to turn it on / off remotely, I doubt it.

      2. cybergibbons

        Re: ANY i.o.t

        This isn't enough to isolate you from risk though. If this device is on the same network as your PC or phone, they can attack the device, and the device attack them.

      3. ~chrisw

        Re: ANY i.o.t

        But you never get that kind of useful raw sensor data in a useable form from IoT washing machines, you just get some lazily designed and barely-updated app offering which shows if the machine is still running or not. Useless.

    3. Anonymous Coward
      Anonymous Coward

      Re: ANY i.o.t

      I don't think every I.o.T device is fundamentally flawed.

      A lot of their current implementations are flawed from a security point of view.

      I can see a point of internet enabled monitoring and control of several things in my house.

      Lighting, heating and security all seem pretty useful to me.

      The Philips implementation of shoving the IoT electronics in the lamp seems pretty silly and expensive to me. Also I wouldn't use Zigbee. But putting the IoT electronics in the ceiling rose, if properly done, seems like a good idea to me.

      An internet enabled fridge or freezer that tells me its getting too hot is useful if it stops me throwing lots of food away. Although I have never saw the point ( or how it is sensibly achievable ) of a fridge that would automatically order food and drink so it can be restocked. I ( well my wife ;) ) want to be in charge of food purchases, not some flippin' fridge.

      A cooker, clothes-iron or other fire risk item that could tell me remotely its still switched on could be useful. I don't know how many times I've wondered if something has been left switched on when I have left my house. Maybe I'm a bit OCD, and should get help ;) I guess I could just check manually ...

      I really don't see the great advantage of the NEST single thermostat controlling an entire house's heating, But individually controlled rooms with different temperatures set looks useful to me. Especially if some rooms can be left at a low just above freezing temperature because the normal occupants of the room aren't in the house. The Honeywell EVO home looks useful, but way too expensive.

      IoT toasters, kettles well they really are pointless.

      Of course all these things need to be done securely, especially if home security systems are included.

      Currently way too many IoT things seem to be insecure.

      Along with the cost, this is what stops me from currently bothering ...

      1. ZippedyDooDah

        Re: ANY i.o.t

        "An internet enabled fridge or freezer that tells me its getting too hot is useful if it stops me throwing lots of food away".

        More than 27 years ago I bought a freezer that made a loud beeping noise if it got too warm. I believe it utilised a revolutionary device called a "thermostat".

        1. ~chrisw

          Re: ANY i.o.t

          My fridge has a device-agnostic sensor which has many configuration options for measuring different zones. It's called a fridge thermometer and it cost about £4.

  2. Neil Barnes Silver badge
    Holmes

    I wonder...

    if it's too late to patent the mechanical light switch?

    1. Pen-y-gors

      Re: I wonder...

      Not in the US - 'prior art' is no more than 'blah blah blah' to the Patent Office examiners.

    2. Thought About IT

      Re: I wonder...

      You could probably get away with it, if you gave it rounded corners.

  3. Richard Jones 1

    Idiotic

    The acronym was wrong from the start, it is not IOT but the Internet Direct Integration of Threats Including Chaos, or IDIOTIC, It adds next to nothing and takes away as much as it can.

  4. Captain DaFt

    Headline from another article:

    "IoT is more than vapourware, insists GSMA"

    I agree; It's also a menace and a disaster!

  5. Steve Davies 3 Silver badge
    FAIL

    Hands up who is still a fan of IoT?

    Come on now, don't be shy. In the words of Delia,

    Lets be having you.

    To be honest, this is just another can in the supermarket sized can of worms that IoT is these days.

    A Marketing answer to a question that has not been asked or if it has, it has not been properly considered in any way shape or form before the implementation.

    IMHO, all IoT and I mean ALL should come with at very least, a health warning. At best, they should be removed from sale ASAP and all current owners told to disconnect them from the internet NOW.

    Naturally, this won't happen so we will see this type of vunerability demonstrated more and more.

    Eventually, a botnet will be constructed that could threaten the whole internet. Not just DDOSing a few targets but the whole thing. Then where would we be eh?

    Perhaps it might be a good thing. Because the sudden inability of the Millenials to listen to their latest bit of (c)RAP or R&B (Not proper R&B in my eyes but that is another debate entirely) that they would normally stream (stupid idea IMHO) might spur some reaction.

    As a boring old fart/old fogey/IT Dinosaur (who still has the puched card stack for his first program), I will do my bit and not even purchase anything that it IoT enabled.

    I wonder what Donald will make of this when all the .gov sites are taken down.

    Perhaps it will be 'build another golf course and hotel complex'? {joking}

    1. Dan 55 Silver badge

      Re: Hands up who is still a fan of IoT?

      As a curmudgeon, may I be the first to say... I told you so.

      Following the infinite monkeys theory it had to happen sometime.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hands up who is still a fan of IoT?

      "As a boring old fart/old fogey/IT Dinosaur (who still has the puched card stack for his first program), I will do my bit and not even purchase anything that it IoT enabled."

      So what happens WHEN (not IF) EVERY lightbulb on the market is "smart," candles are nowhere to be found and they ban lamp oil as a fire risk?

      1. Steve Davies 3 Silver badge

        Re: Hands up who is still a fan of IoT?

        To answer your question about what happens when all lightbulbs are 'smart'.

        I will just pull up the drawbridge, disconnect the WiFi. no WiFi then no Internet connection for those so called 'smart' but actually dumb devices. I will also make sure that I buy up bulbs that are not smart before they go off sale.

        Remember that if your lightbulb can be connected to the internet, how difficult would it be to add a Microphone and ... you can get the rest. Think of all those hours of Nooky that the FBI will have to listen to before they hear the words 'F*** Trump'...

        As my 'Leccy' is supplied overhead, I have a good supply of Candles and a generator. We lost power for 7 days in the great storm a few decades ago.

        1. Charles 9

          Re: Hands up who is still a fan of IoT?

          Even if you disconnect YOUR WiFi, what's to stop someone else setting up one from outside your premises that your devices can nonetheless reach, and indeed they may be able or even REQUIRED to do so as a Whispernet, which you'd have no ability to turn off unless you'd like to live TEMPEST-style with no windows.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hands up who is still a fan of IoT?

            IoT devices could be hardwired, then they wouldn't need wifi.

            Although some people have a pathological fear of cat-5 cabling and alarm-signal cables.

            As an ex-electrician, amateur electronics tinkerer, professional computer programmer I get hours of enjoyment running cat-5 and alarm-6-core-signal cables everywhere around my house. I do realise I'm a bit odd in this respect, but my home-brew IoT will not be susceptible to Wifi attacks. ( although the mice might chew through the cables )

            My wife might leave me over all the money I've wasted on cat-5 and other cabling, but that's another issue ...

          2. toughluck

            Re: Hands up who is still a fan of IoT?

            Even if you disconnect YOUR WiFi, what's to stop someone else setting up one from outside your premises that your devices can nonetheless reach, and indeed they may be able or even REQUIRED to do so as a Whispernet, which you'd have no ability to turn off unless you'd like to live TEMPEST-style with no windows.

            I'd open up the bulb and cut the antenna. Not possible to open it up? High enough induction current will fry it anyway. Plus the added bonus of returning it just before warranty expires -- can't open it up, can't prove I did anything nasty.

        2. toughluck

          @Steve Davies 3

          Think of all those hours of Nooky that the FBI will have to listen to before they hear the words 'F*** Trump'...

          Man, that's a really disturbing fetish. Did you try seeing a professional psychiatrist? There may still be some hope for you...

      2. Loud Speaker

        Re: Hands up who is still a fan of IoT?

        So what happens WHEN (not IF) EVERY lightbulb on the market is "smart," candles are nowhere to be found and they ban lamp oil as a fire risk?

        You have obviously not been to a 3rd world country (where nothing works properly, even without the aid of the Internet): People learn to ignore the problems, and just get things done.

      3. ~chrisw

        Re: Hands up who is still a fan of IoT?

        It's surprisingly easy to disconnect an antenna or even just pop off a surface mount component to cripple the Tat component. Think of it like a beneficial lobotomy.

    3. Anonymous Coward
      Anonymous Coward

      Re: Hands up who is still a fan of IoT?

      What will Donald do when all the .gov sites are taken down ...

      I guess he'll want to build a IoT firewall and get the IoT industry to pay for it.

      Although he really will not have any idea what it is or if it is achievable, so then he'll just unleash the red necks in a modern day luddite revolution to destroy all the IoT devices in the US at least.

      I'm not wishing this , just saying ...

  6. Frenchie Lad

    Solves Philips's Obsolescence Needs

    IMHO this is an attempt by Philips to persuade their punters that a Mk II, whenever it comes, needs to be bought to replace the current Hue.

    Think of the profits, sell it, hack it, sell next version, hack it........

    1. Anonymous Coward
      Anonymous Coward

      Re: Solves Philips's Obsolescence Needs

      No need, they updated the firmware on the base to lock out other vendors, but then had to back down...

      http://www.theregister.co.uk/2015/12/17/philips_firmware_that_adds_drm_to_light/

      Welcome to the brave new world.

  7. Anonymous Coward
    Anonymous Coward

    French Engineering

    Say no more...

    1. Anonymous Coward
      Anonymous Coward

      Re: French Engineering

      Yes, that well-known French company Philips... Probably best that you do say no more if that's the extent of your knowledge.

      1. Pen-y-gors

        Re: French Engineering

        To be fair, Phillips do have an office in Brussels, so presumably they have some French-speaking staff.

        1. Uffish

          Re: French Speaking Philips

          Brussels is bilingual (French and Dutch) so they wouldn't need to.

      2. Dan 55 Silver badge

        Re: French Engineering

        I thought Philips was now just a hollowed-out trade mark that they stuck on Chinese tat anyway.

        1. Mage Silver badge

          Re: hollowed-out trade mark

          They only really do lights and healthcare. The Philips badge for TVs and AV licensed to two Asian companies, so less connection to that stuff than Argos has to Bush (Argos decide which Chinese/Turkish stuff to stick the Bush badge on).

          Semiconductors spun off as NXP and now getting extinguished for the IP by Qualcomm, I mean bought.

          No idea who does the kitchen stuff that used to be Philips, the tumble driers, fridge, freezer, washing machine.

          In 1926 they only made light bulbs and diversified into Valves (tubes) then Radio. They were once the largest Consumer Electronics in Europe.

          1. NightFox
            Coat

            Re: hollowed-out trade mark

            They still make those nice screwdrivers that you can open paint tins with though

          2. Loud Speaker

            Re: hollowed-out trade mark

            They were once the largest Consumer Electronics in Europe.

            That was before the MBA was invented.

          3. Phil O'Sophical Silver badge

            Re: hollowed-out trade mark

            No idea who does the kitchen stuff that used to be Philips, the tumble driers, fridge, freezer, washing machine.

            All sold to Whirlpool many years ago.

        2. Anonymous Coward
          Anonymous Coward

          Re: French Engineering

          Nearly all B&O is Philips technology.

          Another success of form over function.

      3. Atilla_the_bun

        Re: French Engineering

        Umm, my understanding was that Phillips was Dutch. Maybe they sold the brand to a French co.?

  8. Pen-y-gors

    Serious penalties needed

    Whilst there are currently an awful lot of people who deserve some serious punishment <remoan>(including 52% of the UK voting population)</remoan>, possibly the stocks, pillory, branding irons, the whole mediaeval thing, really the people at the front of the queue should be the spam-for-brains idiots who get away with 'designing' these IoThingies. There is more to industrial design than 'Alright, Mr. Wiseguy ... if you're so clever, you tell us what colour it should be."

  9. FredBloggs61

    "enabling the attacker to turn all the city lights"

    Hmm.. ALL the city lights?

    1. Destroy All Monsters Silver badge

      ALL of them!

      MWAHAHAHAHAH! (Evil Thunder!!)

    2. Dan 55 Silver badge

      Philips would love to sell this tat to entire city, or at least one bulb per 400m. Thankfully it ain't going to happen.

  10. frank ly

    A total WTF moment

    Patching a lightbulb to fix a security vulnerability.

    1. Rich 11

      Re: A total WTF moment

      Which brings to mind the image of sticking plaster on a sickly red lightbulb.

  11. Sam Jelfs

    Not just Philips...

    Its worth noting the authors write in their conclusion that "The main problem is in

    the insecure design of the ZLL [ZigBee Light Link] standard itself", yes the attack was possible due to a leaked key in the Philips implementation, but the underlying standard is poor to start with, and there are some 1000+ ZigBee certified devices on the market from various makers.

  12. Anonymous Coward
    FAIL

    Cue another over hyped exploit....

    ...it can spread across a whole city*

    *Provided you have clear space of less than 400m between each niche product.

    1. Uffish

      Re: Cue another over hyped exploit....

      There is only one way to find out - please, very very pretty puleeeeze !

  13. Steve Crook

    Trump/Brexit angle.

    No doubt this worm has been in the wild for some time. Coded messages flashed into the brains of voters compelling them to go and vote 'the wrong way'. All very Manchurian Candidate, anyone fancy a game of cards?

    1. Destroy All Monsters Silver badge

      Re: Trump/Brexit angle.

      ENOUGH!

  14. AIBailey
    Stop

    When you have to release a patch to make a lightbulb more secure...

    ... then you really have reached the point where IoT proves it really is nothing more than a solution looking for a problem.

    The icon is for all the Internet of Tat manufacturers out there.

  15. Anonymous Coward
    Anonymous Coward

    Subtitle: "Phillips Huey and the Gooey Kablooie"

    Come on, El Reg!

  16. Death_Ninja

    Tinfoil wallpaper time

    Or if you want a classier look than the inside of a Soviet space capsule, there is always:

    http://edition.cnn.com/2012/07/18/tech/signal-blocking-wallpaper-stops-wi-fi-stealing-and-comes-in-a-snowflake-pattern/index.html

    1. Destroy All Monsters Silver badge

      Re: Tinfoil wallpaper time

      " Scientists behind the product point to studies that say the overuse of wireless technology could cause harmful heath effects."

      "Out for a quick buck"

    2. Charles 9

      Re: Tinfoil wallpaper time

      Tell me, is it effective even in a room with glass windows that are normally radio-permissive?

      1. Death_Ninja

        Re: Tinfoil wallpaper time

        You can get foil coverings for windows too. One of my company's new offices had it - to stop being dazzled in the new all glass modern building.

        We had to deploy our own bloody femto box to the site because nobody could get a phone signal....

        So yes, perfectly possible to have a sexy looking emcon building :)

    3. PNGuinn
      Pint

      Re: Tinfoil wallpaper time

      Thanks for the idea, Ninja.

      I'm just off to patent Internet Connected Wallpaper.

      What could possibly go wrong?

  17. SImon Hobson Bronze badge

    To be fair, the Hue (and others of a similar function) do have a place - they are certainly not the "solution to a non-existant problem" a lot of the Internet of Tat stuff is. As a mood setting appliance they are useful - as a utility light, not so much and I'd use a normal light bulb attached to a switch.

    That they've turned out to be insecure by design is a bit of a black mark for Phillips.

    1. toughluck

      You're right about the mood setting. I really like how Hue can interact with Ambilight. Although it stops being neat when you notice that each bulb (used to) cost some £50.

    2. PNGuinn
      Devil

      " the Hue (and others of a similar function) do have a place"

      Yeah - In the bin.

      Mood setting appliance??? WTF?

      A lightbulb is there to give me bloody light.

      Not put ME in a bad mood.

      We need a crusty old fart icon.

  18. Anonymous Coward
    Anonymous Coward

    Oh dear

    Now it is IoT light bulbs, before that it was other IoT 'things'. Just how long before all those government mandated 'smart' meters are in line to become another plaything of the script kiddies?

    Maybe, instead of the GSMA insisting IoT is more than vapourware they should be insisting on tight security for the devices.

  19. Dwarf

    Does anyone know why this product was necessary in the first place ?

    Oh, I know. Someone in marketing had a great idea.

    Then someone in engineering had to do something stupid to keep their colleague from throwing another tantrum.

    1. HamsterNet

      Shesh what kind of third world mud hut do you live in?

      So you can change the colour and brightness of your kid's bedroom and dim it for his night light.

      So your hall lights come on as you move through the house, but only if its dark and very dimmer after midnight.

      So you can dim the office light from working to movie time without getting up.

      So you can set timers on your lights for when you are away (don't want the burglars tripping in the dark do we).

      So your lights turn off if nobody is in the room, along with the heating in that room. No point heating the toy room when nobody is in there.

      Seems the safest thing in relation to this security issue is to have your neighbours at least 400m away from your house.

  20. John H Woods Silver badge

    Well, yes

    "This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product"

    Well, yes. Because one of those standard cryptographic techniques would appear to be key reuse. Even if the key isn't vulnerable to side-channel attacks or other hardware extraction, sooner or later it is going to leak from the manufacturer.

    Key reuse in IOT becomes less acceptable with cost, lifetime and number for each SKU. Given the cost and expected lifetime of the bulbs, using the same key for even a few hundred items appears somewhat negligent.

  21. M7S
    Coat

    This threat can be countered with traditional crime fighting methods

    Once known as the hue and cry

    Or maybe that wil now mean something rather different

  22. Anonymous Coward
    Anonymous Coward

    Internet of Tat

    That is all.

  23. Commswonk

    A Possible Positive...

    is that misbehaving light bulbs would (will?) be a very visible but not really damaging manifestation of the current inherent flaws in the IoT concept. It should become obvious to both consumers and politicians that something is dreadfully wrong, and each group can in its own way apply pressure to those who peddle both the concept and the hardware. The possible reputational damage to Philips (or whoever has the use of the name) ought to be sufficient for remedial action to be more or less inevitable, and it might just wake the politicians up sufficiently for them to realise that legislation will have to be enacted to enforce a much greater degree of user protection*.

    I think we have to be realistic and accept that the IoT, daft as it is, is with us and is likely to spread considerably before anything is done to make it anything even resembling secure. Televsion advertisements for one system or another are becoming more commonplace, and (sadly) there will be an awful lot of people who fall for the idea that their lives will be more complete and rewarding if they can fiddle about with their domestic appliances using their fondleslabs some distance from home.

    Their gullibility is breathtaking; to (slightly) misquote H L Mencken Nobody ever went broke underestimating the intelligence of the public.

    * How effective this can ever be is uncertain, given that systems that are supposedly secure clearly aren't when subjected to a determined attack.

  24. Cuddles

    Eh

    "The chain reaction will die in city areas where less than 15,000 of the globes are used"

    So, not really an issue then. I doubt there's actually a single city that has that many IoT lightbulbs, let alone that many of a specific brand. Hacks that rely on there being a significant number of vulnerable devices in close proximity are best aimed at devices that actually sell in significant numbers.

    That's not to say work like this isn't worth doing; the more people point out how stupid it is to have hilariously insecure internet connections controlling basic needs like lighting and heating, the better. It's just that this particular attack is less "everyone's lights are about to go crazy" and more "fortunately most people aren't stupid enough to buy this shit yet".

    1. You aint sin me, roit

      Re: Eh

      Read the paper!

      "Since the Philips Hue smart lights are very popular in Europe and especially in affluent areas such as Paris, there is a very good chance that this threshold had in fact been exceeded"

      The number of 15,000 comes from an estimated radius of 100m for each ZigBee device and the area of Paris being about 105 square kilometers. Infecting 15,000 will give a critical mass capable of infecting all the lights - though it is possible that infecting just one would be enough.

      1. Charles 9

        Re: Eh

        " though it is possible that infecting just one would be enough."

        The critical mass measure is the amount such that an initial infection would likely be able to spread completely through the population because each device has enough neighbors to prevent isolation.

  25. Anonymous Coward
    Joke

    Hue and cry

    Buy the hue, cry when you're pwned

  26. Locomotion69

    We are screwed

    The concept is good as a concept, but every implementation so far proves to be bad. Even worse, nothing will change until someone actually exploits a massive hack and shuts down an entire city/traffic network/airport/hospital/... Once we figure out that securing will be a. extremely expensive, b. make IoT devices going offline all the time thus crippling it functionality and c. does not provide 100% security we are forced to accept to be pwned every now and then.

    1. Anonymous Coward
      Anonymous Coward

      Re: We are screwed

      Yet we'll REFUSE to accept being pwned because, at the worst, being pwned is Game Over, Better Luck Next Life, which no one will accept. Worse yet, the worst case is becoming increasingly likely.

      1. Doctor Syntax Silver badge

        Re: We are screwed

        ...or bayoneted.

  27. PhilDin

    It's not like this is anything new, Dave Farley expressed the concerns most eloquently back in 2003:

    https://www.ibiblio.org/Dave/Dr-Fun/df200306/df20030604.jpg

    1. Destroy All Monsters Silver badge

      Actually in "A Deepness in the Sky" aliens (that is, us) try to take over a world (the alien world) by subverting the automation of the alien civilization from orbit.

      One of the protagonists (Pham Nuven) also reminisces about an event in which he participated in a planetary police mission because the local fascist bastard govnmt had transformed all the gear from Furby to Phone into surveillance and enforcement tools.

      Plus, Pham wins the day by using circuitry built surreptitiously into every nano processor since, like, forever, that only he knows how to control (because he is a survivor of another age) ... using hand gestures (see also: crazy prepared)

  28. Kev99 Silver badge

    Who was the lobotomised idiot who thought it would be cute to use the internet to turn on a tea kettle. There is absolutely NO need to have any appliance connected to the internet.Communities have controlled light for decades using photo sensors and mechanical timers. And I had remote control for lights via the telephone since the 80s.

    Remember, a net is just a bunch of holes connected by string and a cloud is just a bunch of holes connected by vapor.

  29. Anonymous Coward
    Mushroom

    Kaboom!!!

    It's all fun and games until hacker works out how to get your IoT Gas Boiler to go BOOM!! and then instead of 15,000 lights going out, it will be 15,000 homes going out...

    "No boom today. Boom tomorrow. There's always a boom tomorrow."

  30. Captain Badmouth
    Thumb Down

    EDF

    Sent me an email to announce they were going to install a smart meter at my property in the not-too-distant future. I rang them to explain how wrong they were.

  31. Nifty Silver badge

    that reminds me

    I must update the firmware on my nail clippers

  32. Stevie

    Bah!

    All your lightbulb are belong to other lightbulb.

  33. This post has been deleted by its author

  34. David Pollard

    This sheds a new light ...

    ... on the notion of painting the town red.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like