In fact, all it takes is tricking the bulbs into accepting a nefarious firmware update. By exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system (again!), the hackers were able to bypass the built-in safeguards against remote access. From there, they “extracted the global AES-CCM key” that the manufacturer uses to encrypt and authenticate new firmware, the researchers write (PDF).
“The malicious firmware can disable additional downloads, and thus any effect caused by the worm (blackout, constant flickering, etc.) will be permanent.” What’s more, the attack is a worm, and can jump from connected device to connected device through the air. It could potentially knock out an entire city with just one infected bulb at the root “within minutes.”
“There is no other method of reprogramming these devices without full disassembly (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as the power is applied.”
The result is that the hackers were able to turn lights on and off both from a van driving past a house and from a drone flying outside an office building. For the home, the team was 70 meters (229.7 feet) away and caused lights to go on and off individually. The office building, which houses a few security companies including Oracle, was hacked from 350 meters (1,148 feet, about a quarter of a mile); once under control, the lights started signaling “S.O.S.” in Morse code.
“We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates.” Not terrifying at all, right? The researchers say that they’ve contacted Philips and included all the details needed for a fix. Philips has confirmed the weaknesses and issued firmware updates to hopefully guard against this ever happening.
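The design weakness behind the key extraction is that one symmetric key both authenticates firmware and sits inside every bulb, so whoever recovers it from any one device can build images every device accepts. The added Go example below (not code from the researchers or from Philips) contrasts that scheme with the hardened form, where a bulb holds only a public key; it assumes AES-GCM as a stand-in for AES-CCM (Go's standard library ships GCM), and constructed sample keys and images.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Symmetric scheme as the article describes it: one global key on every bulb.
// AES-GCM stands in here for AES-CCM; with either, the key that verifies also forges.
func mustAEAD(globalKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(globalKey) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// sealFirmware is what the vendor does, and what anyone holding the extracted key can do.
func sealFirmware(globalKey, image []byte) (nonce, sealed []byte) {
	aead := mustAEAD(globalKey)
	nonce = make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand does not return an error on supported platforms
	return nonce, aead.Seal(nil, nonce, image, nil)
}

// openFirmware is the bulb's check on receipt; ok is false when the tag fails.
func openFirmware(globalKey, nonce, sealed []byte) (image []byte, ok bool) {
	image, err := mustAEAD(globalKey).Open(nil, nonce, sealed, nil)
	return image, err == nil
}

// verifySignedFirmware is the hardened check: the bulb stores only a public key, so nothing extractable from it can sign.
func verifySignedFirmware(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, image, sig)
}

func main() {
	key := make([]byte, 16) // constructed 128-bit sample key, not a real one
	rand.Read(key)
	n, s := sealFirmware(key, []byte("image built with the extracted key"))
	_, ok := openFirmware(key, n, s)
	fmt.Println("bulb accepts image from extracted global key:", ok) // true
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader) // a party holding only pub
	fmt.Println("bulb accepts image signed without vendor key:", verifySignedFirmware(pub, []byte("image"), ed25519.Sign(other, []byte("image")))) // false
}
```

The symmetric path shows why a recall of vulnerable stock is the only remedy once the key is out; the signature path shows why a device holding only verification material gives an extractor nothing to forge with.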