Philips' smart lights left in the dark by dumb security

Send your neighbours to the dark ages with an app

The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP.

According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability arises from how the Hue system authenticates devices. It uses a simple and irrevocable hash of a device's MAC address to create the authentication token.

“The secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine)”, he notes.

If an attacker is within wireless reach of the local network the Hue bridge is connected to (on the local network or, The Register supposes, in a neighbouring apartment that can receive the WiFi signal), Dhanjani writes, it would be easy enough to cycle through those addresses to find the Hue bridge and issue it instructions.

For his demonstration (video below), Dhanjani uses the attack to issue sustained “lights off” commands to the test system.

And, in the kind of brain explosion that will probably characterise the emerging Internet of Things, Philips has made the whitelist tokens irrevocable to the ordinary user: “there is no administrative functionality to unauthorise the device,” Dhanjani writes. “Since the authorisation is performed using the MAC address, an authorised device will continue to enjoy access to the bridge (unless the user is technically savvy enough to use the http://<bridge ip address>/debug/clip.html debugger).”
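A defender's view of the token scheme described above, as an added example that is not from the article or from Dhanjani's paper: it checks a bridge's whitelist tokens against the MD5 of each device MAC known on the network and flags the ones that are derivable. The MAC spellings tried, the function names and the sample data are assumptions; the article does not say how the app formats the MAC before hashing.

```python
import hashlib
import secrets

def mac_spellings(mac):
    """Common textual spellings of one MAC address (assumed set; see lead-in)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    lower = {digits, ":".join(pairs), "-".join(pairs)}
    return lower | {s.upper() for s in lower}

def derived_tokens(mac):
    """Every token that is nothing more than MD5 over a spelling of this MAC."""
    return {hashlib.md5(s.encode("ascii")).hexdigest() for s in mac_spellings(mac)}

def audit_whitelist(whitelist, known_macs):
    """Return {token: mac} for whitelist entries derivable from a MAC seen on the LAN."""
    lookup = {t: mac for mac in known_macs for t in derived_tokens(mac)}
    return {t: lookup[t.lower()] for t in whitelist if t.lower() in lookup}

def new_token():
    """A token with no link to any device property: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    # Constructed sample data: locally administered MACs, not real devices.
    lan_macs = ["02:00:5e:aa:bb:01", "02:00:5e:aa:bb:02"]
    whitelist = [
        hashlib.md5(b"02:00:5e:aa:bb:01").hexdigest(),  # MAC-derived, as the article describes
        new_token(),                                     # random, not derivable
    ]
    for token, mac in audit_whitelist(whitelist, lan_macs).items():
        print(f"token {token} is MD5 of MAC {mac}: re-issue as a random value")
```

A flagged token offers no secrecy beyond the MAC address itself, which any host on the same network segment can observe.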

Other attacks against Hue that Dhanjani documents are the weak passwords Philips permits for the Internet application that provides remote control over Hue; and “recipe poisoning”.

The Internet app will accept a six-character password, and as we all know, users have a distressing habit of re-using passwords for lots of different sites – meaning that if a password leaks, an attacker can remotely control the system.

And Hue also has a “feature” that probably had the marketing team in a spasm of hypegasm when it was devised: users can set up “recipes” that let the lights respond to the state of other apps. For example, the hue of the Hue can be made to respond to the user's Facebook activity via a service called “If This Then That” (IFTTT).

If the lights' colour was set to respond to a tagged photo on Facebook, for example, then simply sending a black photo would activate the recipe and turn the lights off. ®
