Fast-spreading worm turns Philips smart bulbs into a blinking nightmare

Are connected light bulbs really a smart idea? Perhaps not, if the latest IoT scare is anything to go by: researchers have concocted a worm capable of spreading itself rapidly across Philips Hue bulbs.

The exploit was detailed in a research paper cheerily entitled ‘IoT Goes Nuclear: Creating a ZigBee Chain Reaction’. It abuses the ZigBee wireless networking tech itself: the Atmel ZigBee chip in the Hue light bulbs apparently has a major flaw in its proximity test.

This enabled the researchers to use a ZigBee transmitter to force a factory reset on a bulb, detaching it from its current controller, and then to push an over-the-air firmware update, using a ‘side channel attack’ to bypass the cryptographic protection measures and install their own firmware.

An infected bulb can then spread that modified firmware to other Hue bulbs in range, starting the dire chain reaction referred to in the paper’s title.

Apparently the exploit can be pulled off at a range of up to 400 metres, and the hardware required is small, low-power and cheap enough to buy and mount on a drone.

The researchers did just that, demonstrating that they could fly up to a building, take control of the smart bulbs inside, and use them to flash out SOS in Morse code.

Disco inferno

As well as potentially turning buildings into nightmarishly flashing disco-like environments – and, more seriously, raising the rate of flashing to a level that could endanger people with epilepsy – an attacker could also disable firmware updates and effectively brick the bulbs beyond recovery.

In a large city, where plenty of smart light bulbs sit in close proximity to one another, this sort of attack is obviously a worrying prospect indeed.

For its part, Philips has issued a patch to resolve this flaw, but as The Register points out, users must set up the app for the smart bulbs to receive automatic patches in order to benefit from the fix. Also, the patch is no help if a Hue bulb has already been infected, as the malware will simply block the update.

Doubtless it won’t be long before we hear more tales of potential terror from the realms of the Internet of Things, with the IoT already getting a rough ride over the number of compromised devices making up the Mirai botnet (which recently took down large chunks of the internet).

As the researchers put it: “This scenario might be alarming enough by itself, but this is only a small example of the large scale problems that can be caused by the poor security offered in many IoT devices.”

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).