Smart light bulbs may be the next big IoT attack vector: researchers have now created a proof-of-concept worm that can spread across smart light bulbs, potentially infecting an entire network and opening the bulbs up to exploitation. IT security experts from the prpl Foundation and AlienVault commented below.

Cesare Garlati, Chief Security Strategist at the prpl Foundation:

“Zigbee was never intended to be a secure wireless technology, at least by current standards. The ability to remotely hijack a large number of electric loads (i.e. light bulbs) represents a real safety concern – due to the impact this kind of attack can have on the electrical grid. However, Zigbee attacks are unlikely to result in DDoS attacks against Internet targets – such as seen with Mirai – as Zigbee devices don’t connect directly to the Internet and, in any case, have very limited bandwidth or the ability to create Internet disruption.”

Javvad Malik, Security Advocate at AlienVault:

“When it comes to Internet connected devices there are three primary attack cases:

  1.  Using IoT devices to attack
  2.  Attacking IoT devices themselves
  3.  Leveraging IoT devices to leak sensitive information.

The botnet attack a couple of weeks ago was a prime example of 1.

This research is a prime example of 2 whereby the devices themselves (bulbs) are the target.

Like the botnet, the viability and the impact of such attacks should not be underestimated. IoT devices are typically woefully inadequate to defend against direct attacks, and few companies actively monitor IoT device status or traffic.

While there are many benefits to IoT devices, they need to be recognised as valuable assets and the right level of security built around them.”