Smart lighting security flaw illuminates risk of IoT

The latest smart home security nightmare highlights the risk you take each time you add another connected item to your home, office or industrial network. And even market leading brands make mistakes.

The story of Hue

Philips Hue smart lighting systems are probably among the most widely installed smart home solutions in the world, so plenty of people needs to know about the latest Check Point research, which warns of a major security flaw in them.

Apparently, it is possible to infiltrate home/office networks using a remote exploit in the ZigBee low-power wireless protocol and Philips Hue smart bulbs and bridge as the access point.

The report claims it was possible to subvert smart home security to the extent that hackers took control of the bulb and then tricked users into a series of actions that let hackers infiltrate the network itself.

Check Point alerted Philips to the problem and the manufacturer quickly released a software patch to protect against it. (You can get that patch here – and if you happen to have a Hue system installed somewhere, you should install it as soon as you can.)

Note: Kaspersky research that tells us attacks against smart home devices climbed by around 700% in the last 12 months.

Why is this still happening?

This very much reminds me of the highly publicized 2014 attack when criminals used a vulnerability in a connected HVAC system to exfiltrate the details of millions of credit and debit cards from Target.

This is what can happen when attackers succeed in penetrating networks – a little packet-sniffing and your bank details could be purloined – as, too, might be the access codes for the power plant you work at.

What’s remarkable about this is that it has been six years since the Target hack, and yet it’s still possible to isolate connected items in order to subvert them.

This is a problem Apple has been working to try to solve ever since it created its Made for HomeKit system

Manufacturers have a responsibility

I’m not about to focus my ire on Philips in this – the company took steps to remediate the situation once it heard about it. Nor is it exactly Zigbee that is at fault — the truth is that every operating system holds its own set of vulnerabilities and identifying them is a big business.

But I will focus some anger at those manufacturers in the smart home space who don’t see security and privacy as important in an increasingly connected age. Because the risk to home and business represented by poorly secured devices on your connected networks depends on the weakest devices installed far more than on the better ones.

You can have 10,000 well-secured smart devices, but that ancient connected thermostat in the storeroom may be all the vulnerability a hacker needs to penetrate your entire network.

That’s also why you should diligently check how committed manufacturers are to regular software and security updates for the devices they want to sell. It doesn’t matter whether those systems are aimed at business or consumer users, if they don’t commit to regular security protection, you shouldn’t buy them. 

What can you do?

I recommend consumer and enterprise users take inventory of their existing connected device deployments.

Then ask the following questions:

• Has this device shown any unexpected instability recently?
• Is it possible to update the firmware?
• Is the latest software patch installed?
• How regularly do software patches ship?
• Is it possible to change any default password/code on the device and has it been changed?
• Is it possible to use an alphanumeric code?
• Does the system support the latest edition of its operating system?
• What is the device’s networking protocol? Is it still current?
• Is it possible to identify the device from beyond the network using standard network monitoring tools?
• If you can’t update the device, or change its password, or it uses an ancient networking protocol, stop using it.
• If the device is visible to people outside your network, either secure it, or switch it off and send it to be recycled.

In some cases, I’ve heard of deployments in which connected devices are placed on a separate wireless network from any computers or data storage systems.

Apple, has its own solution that may go some way toward securing HomeKit-based smarthomes, Homekit-enabled routers. These let you protect smart devices across your office or home, but only a few routers supporting this are available right now.

Personally, I think every router should have smart device protection baked inside. Perhaps this is what Apple, Google, Amazon, the Zigbee Alliance and others hope to achieve with the Connected Homes over IP project.

But the security vulnerabilities illuminated by this latest Hue problem should be proof positive that better security is mandatory, for home, office, factory or any other connected system.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.