This post was written by Keith Dawson for UBM Tech’s community Web site All LED Lighting, sponsored by Philips Lumileds. It is archived here because the All LED Lighting site has gone dark. This material is Copyright 2013-2015 by UBM Americas.
One Way to Hack Hue
It looks like the Internet of Things (IoT) -- of which Hue is a popular exemplar -- needs to get more serious about security.
We have written about Philips Hue before. It is a system of connected lights controlled from a smartphone or tablet app connected to the same local network. The system also lets the user control the lights from a web browser on a computer (from the same network or a different one) by relaying commands through the meethue.com website.
Nitesh Dhanjani, a security researcher, analyzed the Hue system and detected a few vulnerabilities. He tried to contact Philips before publishing the details, but he failed to open a channel to report the issues. He published a blog post and a detailed analysis this week.
Dhanjani's proof-of-concept code repeatedly (and stubbornly) turns off all the Hue lights connected to the network hosting an infected device. That payload may seem trivial, but as he points out, interfering with physical devices that are connected to the Internet could have serious real-world consequences.
The Hue starter kit, available from Apple stores and from Amazon.com, consists of three ZigBee-equipped light bulbs and a bridge. The bridge is plugged into the network's WiFi access device and translates the user's desires (expressed as user interface gestures in the Hue app) into commands in the ZigBee Light Link protocol, by which the bridge communicates with the individual bulbs.
Dhanjani discovered a weakness in the way apps on the user's devices authenticate themselves to the Hue bridge. Instead of using a randomized authentication token communicated securely between device and bridge, Hue derives the token deterministically from the device's MAC address (an MD5 hash of it), a unique identifier assigned to each network interface. Because MAC addresses are visible to every host on the local network, malicious code running on a device attached to that network can sniff them out.
The code he developed is delivered to a user's computer by a visit to a rigged webpage. Once inside the network, the code constructs authentication tokens from the MAC addresses it finds and tries using them to send commands to the Hue bridge to turn off all lights. Once it finds a token that works, it resends the lights-out command repeatedly. The only way to get the lights back on is to unplug the bridge from the network and stop the bad code from running before reconnecting it.
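The core of the flaw is that a token derived only from a public identifier can be recomputed by anyone who sees that identifier. The following is an added toy model, not Philips's firmware or Dhanjani's code: the `Bridge` class, its method names, the MAC string format fed to MD5, and the sample MAC are all assumptions, and the `random` scheme stands in for the per-device random token the post says should have been used.

```python
import hashlib
import hmac
import secrets

# Constructed sample MAC address (not a real device).
SAMPLE_MAC = "00:17:88:01:02:03"


def weak_token(mac: str) -> str:
    """Token derived only from the MAC, the scheme the post describes.
    The exact string formatting Hue hashed is an assumption here."""
    return hashlib.md5(mac.encode("ascii")).hexdigest()


class Bridge:
    """Minimal model of a bridge that issues and checks per-device tokens."""

    def __init__(self, scheme: str) -> None:
        if scheme not in ("weak", "random"):
            raise ValueError("scheme must be 'weak' or 'random'")
        self.scheme = scheme
        self._tokens: dict[str, str] = {}  # MAC -> issued token

    def register(self, mac: str) -> str:
        """Issue a token during pairing. In the 'random' scheme the token
        carries 128 bits from the OS CSPRNG and has no relation to the MAC,
        so it must be delivered to the app over a protected channel."""
        token = weak_token(mac) if self.scheme == "weak" else secrets.token_hex(16)
        self._tokens[mac] = token
        return token

    def authorize(self, mac: str, token: str) -> bool:
        """Constant-time comparison so a wrong token leaks no timing signal."""
        expected = self._tokens.get(mac)
        return expected is not None and hmac.compare_digest(expected, token)


def token_is_predictable(scheme: str, mac: str = SAMPLE_MAC) -> bool:
    """Defender's check for a token scheme: after a legitimate pairing, can a
    party that knows only the MAC (sniffed off the LAN) produce a token the
    bridge accepts? True means the scheme is broken the way the post describes."""
    bridge = Bridge(scheme)
    bridge.register(mac)  # the user's own app pairs normally
    return bridge.authorize(mac, weak_token(mac))


if __name__ == "__main__":
    for scheme in ("weak", "random"):
        print(f"{scheme:>6}: predictable from MAC = {token_is_predictable(scheme)}")
```

The same check belongs in a device maker's test suite: any scheme for which `token_is_predictable` returns True fails before shipping.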
Thus the scenario depicted in this 2008 episode of The Big Bang Theory has just come closer to realization.
A lesson for IoT companies
Philips engineers clearly considered security when developing Hue; they simply made an exploitable error. Everyone does this. Security researchers do the world a favor by finding these errors and -- in the ideal case -- bringing them to the attention of the responsible companies, so they can be fixed. In the case of Hue, Dhanjani could not reach anyone at Philips to report the error in detail.
Companies making devices and systems that will be controllable over networks need to offer a reliable way to report security problems -- something Microsoft, Google, and Apple have done for a long time. The OECD has predicted that the average household with two teenagers will have about 50 Internet-connected devices by 2022. We can't afford the damage that would result if bad guys around the world were able to hack into them.