_Philips denies IoT worm in their HUE LED lighting system
Philips (PHG) issued a statement clarifying that it had already made a patch to protect its HUE Smart LED bulb system from hacker attacks. The statement was in response to a paper written by two students and a professor at Weizmann Institute in Israel, explaining how the students were able to compromise the HUE system through a bug in the ZigBee protocols that the system uses to verify local security and were able to remove the bulbs from the Philips system and extract the encryption key that Philips uses to authenticate new firmware updates.
The paper goes on to speculate that by capturing only one bulb in the system, hackers could use the ZigBee connections to spread a virus across the system in minutes, and using Paris as an example, the believe that it would take 15,000 bulbs to cause a chain reaction across the city and control or block the lights, which would also allow them to stop further firmware updates, giving the hackers permanent control.
According to Philips, the research team informed the company of their findings and Philips patched the system before the report was published, stating “At no time was a virus created or used to infect any Philips Hue products”, but the company also urged consumers that had already purchased the bulbs to update their software, “even though the assessed risk was low.” Other sites however, have stated that malicious updates could still be used to infect one smart bulb that is in close proximity to others, and spread the code quickly.
While the benefits of IoT are significant, particularly in the manufacturing space, the devices, the data streams, and the overall systems tend to be relatively vulnerable to worms and other forms of malicious behavior. Regardless of the purpose of the IoT devices, the implementation of chip level security to protect the devices and data is absolutely essential if such networks are going to be put in place. The Stuxnet worm, allegedly developed by a US and Israeli team around 2010, was used to sabotage Iran’s nuclear program by compromising the capacity of the program’s centrifuges by speeding up the rotation speed enough to ‘vibrate’ the device until it no longer worked. This was in the ‘old days’ before the implementation of IoT, and shows how such vulnerabilities can be used to influence a rival or steal data. Most people will not worry too much about whether their LED light bulbs can be hacked, but IoT for the manufacturing sector is far more sensitive to such breeches. More devices means more risk, and those assessments are much lower on the IoT totem pole than the benefits championed by suppliers.
The paper goes on to speculate that by capturing only one bulb in the system, hackers could use the ZigBee connections to spread a virus across the system in minutes, and using Paris as an example, the believe that it would take 15,000 bulbs to cause a chain reaction across the city and control or block the lights, which would also allow them to stop further firmware updates, giving the hackers permanent control.
According to Philips, the research team informed the company of their findings and Philips patched the system before the report was published, stating “At no time was a virus created or used to infect any Philips Hue products”, but the company also urged consumers that had already purchased the bulbs to update their software, “even though the assessed risk was low.” Other sites however, have stated that malicious updates could still be used to infect one smart bulb that is in close proximity to others, and spread the code quickly.
While the benefits of IoT are significant, particularly in the manufacturing space, the devices, the data streams, and the overall systems tend to be relatively vulnerable to worms and other forms of malicious behavior. Regardless of the purpose of the IoT devices, the implementation of chip level security to protect the devices and data is absolutely essential if such networks are going to be put in place. The Stuxnet worm, allegedly developed by a US and Israeli team around 2010, was used to sabotage Iran’s nuclear program by compromising the capacity of the program’s centrifuges by speeding up the rotation speed enough to ‘vibrate’ the device until it no longer worked. This was in the ‘old days’ before the implementation of IoT, and shows how such vulnerabilities can be used to influence a rival or steal data. Most people will not worry too much about whether their LED light bulbs can be hacked, but IoT for the manufacturing sector is far more sensitive to such breeches. More devices means more risk, and those assessments are much lower on the IoT totem pole than the benefits championed by suppliers.
RSS Feed