A team of researchers at Israel’s Weizmann Institute of Science has shown how hackers can use the simplest of household devices, like light bulbs, to potentially take down sections of the internet or launch a full-scale attack on a country’s infrastructure.
The researchers focused on hacking into ordinary devices which are connected to the internet, the so-called “Internet of Things,” to show how easy it is to take control of the devices and employ them for the kind of distributed denial of service (DDoS) attack that took down wide swathes of the internet last month for several hours.
The experiment, carried out by four researchers, Eyal Ronen, Colin O’Flynn, Adi Shamir and Achi-Or Weingarten, focused on simple Philips Hue wifi-connected smart bulbs and showed how the bulbs can “infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction.”
“The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes,” the researchers’ paper said.
The team managed to remotely infect the first light bulb by exploiting a weakness in the ZigBee Light Link protocol, the wireless language that everyday devices use to connect to one another.
In one experiment they flew a drone up to an office building that houses several well-known Israeli security companies and managed to transmit an infected key to a light bulb. Soon dozens of light bulbs were “kidnapped” and “crying for help,” flashing SOS.
In another experiment the team drove by a building in the Weizmann Institute and managed to take control of the lights from a distance of 70 meters.
“We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates,” they wrote.
They warn that by taking control of only the light bulbs, hackers could permanently disable, or “brick,” these devices, jam wireless networks, attack and overload an electric grid or even possibly cause epileptic seizures on a large scale by “repeatedly flashing the lights at the right frequency.”
And they warn that this is only the beginning of the problem. “Within the next few years, billions of IoT devices will densely populate our cities.”
The researchers said that they had been in contact with Philips and provided technical details and suggestions for a fix.
“They have already confirmed and fixed the takeover vulnerability,” they wrote.