Feeds

Philips' smart lights left in the dark by dumb security

Send your neighbours to the dark ages with an app

Security for virtualized datacentres

The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP.

According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability arises from how Hue system authenticates devices. It uses a simple and irrevocable hash of a device's MAC address to create the authentication token.

“The secret whitelist token was not random but the MD53 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine)”, he notes.

If an attacker within wireless reach of the local network the Hue bridge is connected to (on the local network or, The Register supposes, a neighbouring apartment that can receive the WiFi signal), Dhanjani writes, it would be easy enough to cycle through those addresses to find the Hue bridge and issue it instructions.

For his demonstration (video below), Dhanjani uses the attack to issue sustained “lights off” commands to the test system.

Watch Video

And, in the kind of brain explosion that will probably characterise the emerging Internet of Things, Philips has made the whitelist tokens irrevocable to the ordinary user: “there is no administrative functionality to unauthorise the device,” Dhanjani writes. “Since the authorisation is performed using the MAC address, an authorised device will continued to enjoy access to the bridge (unless the user is technically savvy enough to use the http://<bridge ip address>/debug/clip.html debugger).”

Other attacks against Hue that Dhanjani documents are the weak passwords Philips permits for the Internet application that provides remote control over Hue; and “recipe poisoning”.

The Internet app will accept a six-character password, and as we all know, users have a distressing habit of re-using passwords for lots of different sites – meaning that if a password leaks, an attacker can remotely control the system.

And Hue also has a “feature” that probably had the marketing team in a spasm of hypegasm when it was devised: users can set up “recipes” that let the lights respond to the state of other apps. For example, the hue of the Hue can be made to respond to the user's Facebook activity for a service call “If This Then That” (IFTTT).

If the lights' colour was set to respond to a tagged photo on Facebook, for example, then simply sending a black photo would activate the recipe and turn the lights off. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.