With Black Hat’s conference in Singapore coming up next month, I found myself chatting with independent security researcher Nitesh Dhanjani, who’ll be giving a presentation at the March 25-28 event. We talked mostly about some things he’d learned about the Philips hue lightbulb system. These LED bulbs, one of the hipster gems lurking in the accessory section of the Apple Store, are a fancy, Internet-connected product, squashed full of wireless circuitry. Among other things, you can use your iPhone to set them to one of 16 million colors (and these days, I should add, you can do this from an Android app as well).
The magic works because the lightbulbs talk in the Zigbee home automation wireless protocol to a base unit that acts as a bridge between Zigbee and Wifi. Your smartphone controls the lightbulb essentially by using an app that browses to a Web server running on the base unit.
There’s a security feature that Philips has incorporated – your smartphone won’t be able to send control commands through the base unit unless it’s been pre-registered. To carry this registration out, you’ve got to use the local Wifi connection and you have to first press a button on the base unit (setting the unit to an open registration mode for a few minutes).
Partway through his research, Dhanjani noticed a quirk in this security feature after he’d had to completely reload his phone’s operating system and a fresh, unconfigured copy of the app.
“I was walking over to my bridge, where I needed to press the button and it just worked. So I thought, how does the app know? Because I’m supposed to press the button. I thought, it just has to be something that ties to the phone.”
Long story short, the app sends a hash of the phone’s Wifi MAC address. If you’ve got access to the Wifi network, you’ve got access to the MAC address and getting the hash value is trivial. So, imagine a virus that attacks a conventional endpoint on your home network, but then turns off your lights and just keeps looping to turn them off.
Fatal? That’s probably too dark a view of the matter. But it’s more proof, if you needed it, that the Internet of Things will repeat the security mistakes of ten years ago.
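To make the registration weakness described above concrete, here is an added example (not code from Dhanjani’s research or from Philips) that contrasts a credential derived from the phone’s MAC address with a random one issued only while the button-press window is open. The hash function, the window length, the `Bridge` class and the sample MAC address are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

LINK_WINDOW_SECONDS = 180  # assumed; the article only says "a few minutes"


def mac_derived_token(mac: str) -> str:
    """Credential as the article describes it: a hash of the phone's Wifi MAC.
    SHA-256 is an assumption; the article does not name the hash."""
    return hashlib.sha256(mac.strip().lower().encode()).hexdigest()


class Bridge:
    """Hypothetical bridge that hands out random tokens after a button press."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._window_closes = None  # no button press seen yet
        self._tokens = []

    def press_link_button(self) -> None:
        self._window_closes = self._clock() + LINK_WINDOW_SECONDS

    def register(self):
        """Return a fresh token, or None if the button was not pressed recently."""
        if self._window_closes is None or self._clock() >= self._window_closes:
            return None
        self._window_closes = None  # one registration per press
        token = secrets.token_hex(16)  # unrelated to anything visible on the LAN
        self._tokens.append(token)
        return token

    def authorized(self, presented: str) -> bool:
        # Constant-time comparison against every issued token.
        ok = False
        for token in self._tokens:
            ok |= hmac.compare_digest(presented.encode(), token.encode())
        return ok


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample address
    # Same MAC, same token: a wiped phone is "registered" again without a press.
    print(mac_derived_token(mac) == mac_derived_token(mac.upper()))
    bridge = Bridge()
    print(bridge.register())  # no button press yet, so no token
    bridge.press_link_button()
    print(bridge.authorized(bridge.register()))
```

Because the derived token depends only on the MAC address, it survives a reinstall and matches for any device that knows that address; the random token is lost with the phone’s storage, so a wiped phone has to go back through the button press.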