Security researchers recently created a proof-of-concept attack against Internet-connected lightbulbs, causing breached devices to infect their neighbors. The propagation continues and spreads itself across the community. This hack highlights the insecurity in one of many Internet of Things (IoT) network protocols.
Researchers say the worm, which currently targets Philips Hue lightbulbs, can set off a chain reaction that could compromise devices across entire cities. Right now, the hack causes the insecure web-connected globes only to flick on and off, but this is only a proof of concept to show foundational weaknesses. It is likely more advanced impacts and propagation could be developed.
Home automation networks
The primary weakness is in the network to which the devices are connected. ZigBee, Thread, WeMo, and Z-Wave were developed as home automation standards to communicate with and control IoT devices. They have been around for years and complement more familiar Wi-Fi and Bluetooth standards. In many cases these require a hub, which can connect a mix of products communicating on two or more of these standards. These are popular in homes settings and have expanded over the years into business environments.
ZigBee and Z-Wave are the most widely used of these automation protocols. Z-Wave has more than 1,500 products, totaling over 50 million devices in customers’ hands, and ZigBee has more than 1,000 products. Thread is the newest and, unlike ZigBee/Z-Wave, is IP based, which has both pluses and minuses from a security perspective. The Thread protocol was driven by the needs of Google’s Nest Labs, Samsung Electronics, ARM, and others who want a smart-home networking protocol compatible with IP Version 6.
Theoretical attack
The vulnerability research highlights the insecurity of such systems, especially in peer-to-peer or mesh mode. Such configurations can open the door to chained attacks, such as zombie infestations you see in movies. The worm spreads by jumping from one infected lamp to physically nearby neighbors using their ZigBee connections. Because there is no validation between Philips Hue globes, the attack is allowed to spread.
Based upon percolation theory simulations to infect an entire city, researchers believe there is a tipping point at which it would take at least 15,000 vulnerable devices to sustain the contagion to spread everywhere. With any fewer, they suspect the infection would remain restricted to certain areas and not infect an entire city. Estimates vary, but the total number of global IoT devices may exceed 30 billion by 2020. Many of these will be connected to home automation networks.
Key points
- This is a proof-of-concept attack, not yet seen in the wild. It does highlight the risks that entire networks of devices may be compromised and, even worse, configured to infect each other.
- A real-world attack could range from flashing lights to moderately inconvenient and costly incidents in which devices must be recovered while safety may be at risk. Impacts will be based upon the types of devices deployed and how they are used. Household-convenience devices are less important than those in an emergency room or illuminating a busy intersection.
- The vulnerability research is a motivator for standards bodies to take action in hardening these standards. Future versions, with improved security, may not be backward compatible in all cases and residual devices would remain susceptible to attack.
- These standards have some encryption and authentication controls in place; but, as the research has proven, these can be undermined.
- Such attacks are a fear of “smart city” developers, most of whom have known this could happen. Long-term security is still uncertain.
The importance of IoT security is currently a hotly debated topic; these additional weaknesses add to the overall concerns. I expect both further vulnerability research and eventual real-world attacks will inspire developers to work on insecure IoT network protocols. We need more scrutiny and better design and security practices because these devices will soon control more facets of our personal lives and business functions.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.