It comes as no surprise to see yet another confirmation that the Internet of Things is a security nightmare. New research from white-hat hackers exposes security vulnerabilities in the Philips Hue smart light bulbs.
Philips Hue Smart Lights Past Hack
According to Engadget, the Philips Hue smart light bulbs have already been hacked in the past. At that time, Philips was quick to point out that in a real-world situation its smart light gadgets would be pretty difficult to hack. For this to happen, digital intruders would need to already be in your home network.
This new attack, however, shows that we should take Philips' assurance with a grain of salt. While the company claimed that it wouldn't be feasible to attack the light bulbs directly, a new study shows that, in fact, attacking the smart lights doesn't require direct access. All it takes to hack the light bulbs is tricking them into accepting a fake firmware update.
Philips Hue Smart Lights Latest Hack
The security researchers were able to bypass the built-in safeguards against remote access by exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system. From that point, the white hat hackers were able to extract the global AES-CCM key used by the manufacturer to encrypt and authenticate new firmware, according to the PDF document detailing the security research study.
As a result of gaining access, the hackers were able to turn lights on and off. They could achieve these results both from a drone flying outside an office building and from a van driving by a house. The office building was hacked from about a quarter of a mile away (1,148 feet or 350 meters), and once under control the lights were made to signal "S.O.S." in Morse code.
According to the security researchers, they used only cheap and readily available equipment costing a few hundred dollars. They also explained that it was easy to find the global AES-CCM key without seeing any actual updates. According to CNET, after being contacted earlier this year with all the details needed for a fix, Philips has confirmed the weaknesses.