Security flaws in Philips smart light bulbs are leaving users open to blackouts and password-stealing cyber attacks, according to independent researcher Nitesh Dhanjani’s public white paper Hacking Lightbulbs: Security Evaluation of the Philips Hue Personal Wireless Light System.
Dhanjani highlighted several vulnerabilities in the bulbs’ architecture as being potentially exploitable, and he says the most serious vulnerability could be used by hackers to permanently turn off the lights, according to an article from V3.
"The Hue bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to it to change the state of the light bulb. In order to succeed, the user must also know one of the whitelisted tokens. It was found that in case of controlling the bulbs via the Hue website and the iOS app, the secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad," the paper reads. "This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine). Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue ‘all lights off’ instructions. Once a request is successful, the malware can infinitely issue the command using the known working whitelist token to cause a perpetual blackout."
Philips told V3 that the company is aware of the paper, clarifying that the attack works only on local networks, meaning its impact should be negligible. Dhanjani responded that hackers could easily tweak the malware for more nefarious purposes, the article says. He highlighted the creation of a blackout-causing botnet as a particularly troubling scenario, as it could grant criminals the ability to turn out the lights on whole businesses.
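The weakness the paper describes is a token derived from a device property instead of from randomness. The following added example (not code from the paper or from Philips) audits a list of whitelist tokens for any that equal the MD5 of a known device MAC, and shows a random replacement. The function names are hypothetical, the sample data is constructed, and because the page does not say which textual spelling of the MAC was hashed, several common ones are assumed.

```python
import hashlib
import secrets

def mac_formats(mac):
    """Yield common spellings of one MAC (assumed; the page does not say which was hashed)."""
    hexonly = "".join(c for c in mac if c in "0123456789abcdefABCDEF").lower()
    if len(hexonly) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [hexonly[i:i + 2] for i in range(0, 12, 2)]
    for sep in (":", "-", ""):
        spelling = sep.join(pairs)
        yield spelling
        yield spelling.upper()

def audit_whitelist(tokens, known_macs):
    """Return {token: mac} for every whitelist token that is just MD5(MAC)."""
    derived = {}
    for mac in known_macs:
        for spelling in mac_formats(mac):
            derived[hashlib.md5(spelling.encode()).hexdigest()] = mac
    return {t: derived[t.lower()] for t in tokens if t.lower() in derived}

def new_token():
    """Replacement token: 128 bits from the OS CSPRNG, unrelated to any device property."""
    return secrets.token_hex(16)

# Constructed sample data: MACs from the RFC 7042 documentation range, not real devices.
INVENTORY = ["00:00:5E:00:53:01", "00-00-5e-00-53-02"]
WHITELIST = [
    hashlib.md5(b"00:00:5e:00:53:01").hexdigest(),  # weak: derived from a MAC
    new_token(),                                     # strong: random
]

if __name__ == "__main__":
    for token, mac in audit_whitelist(WHITELIST, INVENTORY).items():
        print(f"predictable token {token} derives from {mac}; rotate it")
```

A token flagged by the audit should be removed from the whitelist and re-issued from a random source, since anyone who can observe the device's MAC can recompute it.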