Post-Halloween Philips LED Bulb bug scare
The report that the Philips Hue line of smart LED light bulbs are infected with a virus is so juicy the news networks are still buzzing with headlines like:
Why Light Bulbs May Be the Next Hacker Target ~New York Times-Nov 2, 2016
Light Bulbs Seized by Hackers in Latest Internet of Things Attack ~Fortune-Nov 3, 2016
New study details a security flaw with Philips Hue smart bulbs ~CNET-Nov 3, 2016
This Virus Automatically Kills Smart
Light Bulbs ~ Motherboard-Nov 3, 2016
This was after the Weizmann Institute of Science in Israel published the results of a study showing how easily Hue bulbs’ cybersecurity protection can be compromised just by being near them. The title of the study itself is meant to scare: ‘IoT Goes Nuclear: Creating a ZigBee Chain Reaction’. Zigbee is an Internet-of-Things (IoT) radio protocol for connecting devices (much like Bluetooth or WiFi, but at relatively low power) employed by Philips Hues bulbs. In the study the researchers created an ‘attack kit’ and demonstrated its use in compromising Philips Hue lights in two videos – the one using a drone to initiate the attack looking straight out of Mission Impossible:
The researchers simply described the attack thus: ‘For our war-flying we found a more interesting target. An office building in the city of Beer Sheva hosting some well-known security companies and also the Israeli CERT.’
Philips was quick to issue a clarification on Nov 3, saying:
Philips Hue products were not and have not been infected by a virus. Researchers contacted us in the summer about a potential vulnerability and we patched it before the details of findings were disclosed publicly. At no time was a virus created or used to infect any Philips Hue products.
And, to be fair, the researchers never called their attack kit a ‘virus’ – they call it a ‘worm’. Philips points out that:
The academics with whom we cooperated via our responsible disclosure process, merely demonstrated the possibility of an attack. They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us to develop and roll out the software update.
Philips stresses that currently the risks of Philips Hue products are low, and urges customers to update the software on their Philips Hue LED light bulbs through the Philips Hue app.
The practice of researchers informing manufacturers first before a product security vulnerability is made public is called ‘responsible disclosure’ and was first popularized in the software industry. Bruce Schneier, of ‘Schneier on Security’ blog describes it in his 2007 article:
The basic idea was that the threat of publishing the vulnerability is almost as good as actually publishing it. A responsible researcher would quietly give the software vendor a head start on patching its software, before releasing the vulnerability to the public.
The Weizmann Institute of Science disclosure on Philips Hue LED light bulbs comes just two weeks after the Internet-of-Things DDOS attack on the New Hampshire DNS provider Dyn last October 21, where cybercriminals used millions of hacked internet-connected devices (like printers, cameras, and routers) as a botnet to overwhelm Dyn’s servers, shutting many people out of sites like Amazon, Twitter, and Netflix.
As the Internet-of-Things takes off, this incident should remind us manufacturers to always keep security as a priority in all our products.