Slashdot Mirror


Researchers Hack Philips Hue Smart Bulbs Using a Drone (pcworld.com)

schwit1 quotes a report from PCWorld: "Researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code. The drone carried out the attack from more than a thousand feet away. Using the exploit, the researchers were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. 'There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,' according to the researchers. The researchers notified Philips of the vulnerability. The company then delivered a patch for it in October." It wasn't long ago that claiming "Drones are controlling my lightbulbs!" would have gotten you locked up for your own protection.

9 of 50 comments

  1. Statement from ZigBee by almeida · · Score: 4, Informative

    ZigBee issued a press release today about this. They say the attack exploited a bug in one vendor's implementation of the protocol, not a weakness in the protocol itself.

  2. Re:Networked light bulbs are useless and stupid by alvinrod · · Score: 2

    These particular bulbs are capable of changing color, so there needs to be some way of controlling them that doesn't necessitate replacing the light fixture itself or running more cabling all over the place. That means they need to use some kind of wireless technology and it's easiest just to use something standard that's well documented and already has legal approval.

    I suppose you could argue that the technology itself is pointless, but that could probably be said about plenty of things you consider necessary or vital as well, so there's not much point in going down that route since it's largely personal opinion or arbitrary. I suppose that this should be a lesson to hardware manufacturers that they need to consider security, or at least have some kind of physical hardware reset.

  3. What's the role of the drone? by wvmarle · · Score: 3, Informative

    Both TFS and TFA are really light on technical details - can anyone shed some light on where the drone comes into play? And also the vulnerability itself - a default password or something more obscure?

    Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?

    1. Re:What's the role of the drone? by cdrudge · · Score: 2

      Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?

      Well, based on the fact that we're here talking about it, yeah, I'd say that there may be circumstances where an update is needed because a flaw was found. Or would you rather just toss the bulb and go buy another updated one for $50?

    2. Re:What's the role of the drone? by wvmarle · · Score: 3, Informative

      I'd rather have the manufacturer do a decent job in building their software, so that updates aren't necessary. If they think the update option should be there, there should also be a factory reset option to recover from any problems with that.

    3. Re:What's the role of the drone? by locopuyo · · Score: 2

      The article didn't give any details, but it sounds like they hacked the hub the lights connect to, not the lights themselves. They probably had to be on the same wifi network, hence the drone. So if the wifi network was secure this couldn't have happened, but the hub must have some sort of default password or way to take control if you simply have wifi access which isn't good security.

  4. Re:Networked light bulbs are useless and stupid by Khyber · · Score: 3, Informative

    This. I work in lighting, specifically LED. Making an analog RGB control is dead fucking simple and we've got wiring that already exists to handle such a thing.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  5. Re: wireless automation is bad. by Zero__Kelvin · · Score: 2

    You clearly have no idea what I said. You should look up words you don't understand before responding. The point is that physical access is usually not that much harder to get than access from within range. Typically the use case is some in the building connecting wirelessly and some doing wired. Your security landscape model falsely focuses on external actors (exclusively at that from what I can tell) when internal attack vectors are the most commonly exploited.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  6. Re:Networked light bulbs are useless and stupid by djrobxx · · Score: 2

    Old fashioned dimmers required a dimmer switch. Making a dimmer switch that could use some sort of powerline comms to send 3 integers (RGB) from switch to bulb to control hue and brightness would be utterly trivial. No new cabling required, just install a new dimmer switch and the bulb and you're done.

    Have you ever used X10 / Insteon? PLC sounds good until you try to use it. Half the house is on different phases so you have trouble getting everything on the network. Then you also get issues with power strips consuming the signals, things generating interference, etc.

    I'm really not a big fan of wireless either, but in practice Z-wave works a lot better.