Just When You Thought Your Smart Bulbs Were Secure, Think Again

Light can “jump the air gap.”

A new study has revealed an intriguing, if not unlikely, James Bond-style approach to hacking smart bulbs connected to the Internet of Things.

It’s no secret that smart light bulbs, like any of the things connected to the Internet of Things (IoT), are potentially vulnerable to cyber attackers who could use them as entry points into a home network in order to perpetrate mischief ranging from data theft to tinkering with the bulbs themselves.

Conventional intrusions include slipping through Wi-Fi firewalls left unprotected during bulb setup, or exploiting shabby processes for authenticating users and authorizing operations.

A new study has revealed an intriguing, if not unlikely, James Bond-style approach: commandeer the lightwaves coming from the bulb, and embed them with hostile instructions that trigger harmful consequences. Or, intercept them and extract their information.

All it will take is for someone to sit outside of a house, a place of business, an embassy, or wherever with a receiver capable of capturing the modulated lightwaves emitted by smart light-emitting diode (LED) bulbs (note that an embassy staff would be pretty foolish to use smart bulbs in the first place, but take that as a warning).

“Yes, you don’t need to penetrate a firewall, you can just send a message out through the light channel,” said Murtuza Jadliwala at the University of Texas at San Antonio (UTSA), where he directs the Security Privacy Trust and Ethics in Computing Lab (SPRITELAB) and co-authored the report Light Ears: Information Leakage via Smart Lights. “Our message to the community would be, don’t underestimate even the simplest IoT device that you attach to your home network. Smart light is an example; you can lose private information about yourself if you’re not careful about the smart light.”

Smart Lighting 101

A quick review of some smart bulb technology:

Smart lights, such as the Philips Hue bulbs from Signify (the world’s largest lighting company, known as Philips until May 2018), respond to smartphone apps and other wireless controls (including those delivered remotely via the Internet if, say, a homeowner is on vacation) that command them to turn on or off, to brighten or dim, or to change colors or color temperature. LED bulbs lend themselves to this sort of digital operation because their light source is a semiconductor — a light-emitting diode (LED). Sometimes the command comes from a cue such as a connected television show or piece of music, which instructs the lights to change to suit a drama’s action or song’s mood. Users can pre-program lights to change at certain times of day or night. Smart lights also typically have an infrared transmitter to support other smart home operations, such as providing nighttime light for security cameras.

With all of that going on, hackers now have airborne light waves at their disposal as a potential hole in the security fence of information technology networks.

In their Light Ears report, published in the September issue of the Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, Jadliwala and UTSA post-doctoral researcher Anindya Maiti describe a couple of ways to pirate the light.

The spy who lit me

One scenario exploits the modulations of smart lights prompted by events that can reveal things about a person’s identity. Smart lights can be controlled by all sorts of connected items, such as smartwatches that detect when a person is sleeping and then dim the lights. Smartphones can turn off a light when they detect a person has left a room.

“Can someone take advantage of these manipulations in the lighting to infer things about the users who are controlling the lights?” That was one of the questions that Jadliwala said he and his SPRITELAB team set out to explore when they decided to look into smart bulb security several years ago.

The answer they came up with was a resounding “yes,” especially when it comes to recording the change in light frequencies connected to “visualization” apps that allow smartphone users to program their lights to change in response to video and audio. “Someone eavesdropping outside can infer what someone is listening to, or what video they are watching, just by looking at the light signal,” said Jadliwala. “You can know a lot about a person’s personality — sexual preferences, or whatever.”

The eavesdropper would need to be within 100 or 150 meters, armed with a standard ambient light sensor. Snoopers who can’t be bothered to stand outside a window with such gear could have similar success if they could break into a phone, perhaps by more conventional means, and gain access to the ambient light sensor embedded in most phones that would have a visualization app, Jadliwala noted.

Invisible to the human eye

If that all sounds a bit far-fetched, then consider the other light-borne path of invasion: infrared. In this scenario, an attacker has to first succeed in embedding malware in a user’s control device, such as a phone. (Hold that thought!)

The malware then does what malware is known to do. It might, for instance, siphon data from the phone. It could even siphon data from other devices or storage bins connected to the network, possibly even outside the home, on networks supported by a common cloud system.

But rather than send that data back through a normal Wi-Fi router out to the Internet, where the theft could get detected, the malware in this case sends the data to the infrared emitter that is part of the smart light system. It modulates the infrared in a manner that encodes the stolen data. The user in the room doesn’t notice a thing, because infrared is invisible, but the eavesdropper outside (there’s that pesky eavesdropper again) has equipment that receives the infrared signal. Heist complete. It’s a form of what’s known as “data exfiltration.”

It might seem more like the stuff of a spy thriller, but the point is, it is indeed possible.

“We don’t know of physical cases where this has happened,” acknowledged Jadliwala at SPRITELAB, which exists to probe the unknown security weaknesses of cyberspace. “That’s why we want to raise awareness. People are overlooking the simplicity.”

In the case of the infrared attack, the “simplicity” relates to smart light systems that do not use a hub between the lights and a Wi-Fi router, but rely on direct links to Wi-Fi (Internet connections are common because users often want to control lights remotely, and because operational instructions can actually involve a trip to the cloud and back). If users do not configure their Wi-Fi routers properly, the malware can enter. Likewise, some hubs are not properly protected.

For hackers without a light sensor

Still, the idea of someone standing outside a home or a secure building with an infrared light reader does require some suspension of disbelief.

“These kind of attacks are interesting from an academic perspective,” said George Yianni, Signify’s head of technology for Philips Hue. “But yes, this is real James Bond stuff. I think they have limited practical applicability in the real world.”

Ken Munro, a partner at Buckingham, England-based security firm Pen Test Partners, sounded a similar note. “I think it’s really interesting research, and rightly deserves attention,” he said. “We’re talking about jumping air gaps (breaching security by getting to a space thought to be physically inaccessible). But it’s one house at a time, with someone sitting outside.”

What concerns both Yianni and Munro more — and was of equal concern to the SPRITELAB crew — is the possibility of invading home networks via Wi-Fi penetration and taking over lights. Wi-Fi vulnerabilities that would allow infrared-bound malware to enter can also open the way for attacks that don’t require the convoluted infrared method. (Several years ago, Israel’s Weizmann Institute described an even more convoluted approach to light-based data exfiltration by making use of light from a printer with its lid open.)

At Pen Test, Munro pointed out that smart lights are often part of a much wider network of connected devices that could include doorbells, appliances, security cameras, coffee makers, electric kettles (ubiquitous in U.K. homes), toys, power outlets, locks, or any other IoT “Things.” These devices tie into a cloud system that is connected to devices of the same brand in other homes and places. Infiltrate one device on a home network, and you could potentially wreak havoc on other devices, and, at the same time, swipe data.

“The sort of attacks we’re talking about with these IoT platforms are all of the devices at a time,” said Munro. “This scaling and aggregation is what really bothers me.”

Good news, bad news

The good news, Munro said, is that reputable smart lighting brands such as Signify are getting better at building in security (although as even Signify will say, if an end user does not properly configure connections to Wi-Fi, problems could ensue).

The bad news is that little-known original equipment manufacturers from places including the Far East are skimping on security in systems and apps they make for Western retailers who want to quickly enter the market for smart lighting or other IoT “things.”

How does that happen?

Vendors often fail to design authorization procedures into the operation of an IoT device such as a light bulb. While they typically put authentication into the log, they can leave it out when a user actually commands a bulb to do something – brighten, dim, change colors, whatever.

While most of the big name brands have addressed this, Munro noted that non-name-brand original equipment manufacturers are making private-label goods allowing quick market entry for Western retailers, while neglecting the authorization stage.
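The gap described above, sketched as an added example (not code from the article, from Pen Test Partners, or from any vendor): a cloud command handler that only authenticates the caller, beside one that also authorizes each command against device ownership. The tokens, device IDs, and function names are hypothetical, and the data is constructed.

```python
class AuthError(Exception):
    """Raised when a request is unauthenticated or not authorized."""

# Constructed sample data (not from any real platform).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # login token -> user
DEVICE_OWNER = {"bulb-1": "alice", "bulb-2": "bob"}   # device -> owning account
BULB_STATE = {d: {"on": False, "brightness": 0} for d in DEVICE_OWNER}

def authenticate(token):
    """Authentication: establish who is calling (checked at login/session level)."""
    user = SESSIONS.get(token)
    if user is None:
        raise AuthError("unauthenticated")
    return user

def _apply(device_id, brightness):
    """Validate the command and apply it to the stored bulb state."""
    if not isinstance(brightness, int) or not 0 <= brightness <= 100:
        raise ValueError("brightness must be an integer 0..100")
    state = BULB_STATE[device_id]
    state.update(on=brightness > 0, brightness=brightness)
    return dict(state)

def set_brightness_weak(token, device_id, brightness):
    """Weak pattern: a valid login is enough to command any known device."""
    authenticate(token)
    if device_id not in BULB_STATE:
        raise KeyError(device_id)
    return _apply(device_id, brightness)

def set_brightness_checked(token, device_id, brightness):
    """Corrected pattern: every command is authorized against device ownership."""
    user = authenticate(token)
    # Unknown and unowned devices get the same answer, so IDs cannot be probed.
    if DEVICE_OWNER.get(device_id) != user:
        raise AuthError("forbidden")
    return _apply(device_id, brightness)

def is_denied(handler, token, device_id, brightness):
    """Return True if the handler rejects the request with AuthError."""
    try:
        handler(token, device_id, brightness)
    except AuthError:
        return True
    return False
```

With the weak handler, Bob's valid session can set Alice's bulb; the checked handler refuses the same request while still serving Alice.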

47 million and counting

In a three-month period through last September, “We found 47 million smart devices sitting on the Internet in this exploitable state,” Munro said, noting that all 47 million — including smart lights — were sitting on a cloud platform from one of two no-name Far Eastern providers.

“Where authorization checks aren’t correctly applied, one can usually compromise the complete account of the IoT device owner,” he explained, including “any data in the user’s account. That might include real-time location information, email addresses, home address, phone number, and device usage information. Obviously, that depends on the information the device collects and the data user inputs in to their account. One can also take control of the IoT device.”

Pen Test more recently found about 4 million Internet-connected solar inverters threatened in a similar manner.

Yet properly secured smart lights, to state a truism, should not be a problem. To that end, Signify’s Yianni noted the many steps his company takes to secure Hue bulbs, including separating the controls from Wi-Fi by deploying a hub, encrypting and authenticating all communications, and deploying time windows and proximity requirements for certain commands.

In fact, Signify scored high marks in an evaluation by SPRITELAB of the vulnerability of smart light systems, which is important because without proper protection, “any device, or any application on your network, could talk to these bulbs,” said Jadliwala.

In other words, there could be plenty of trouble even before the eavesdropper with the light reader shows up outside your window.

Mark Halper is a freelance journalist based near Bristol, England. He covers everything from media moguls to subatomic particles.
