A vulnerability found in code widely used for connected Internet of Things (IoT) devices allowed researchers to take control of the devices. Beyond being a routine vulnerability discovery, it has drawn attention for a number of reasons, including:
- The vulnerabilities are in a stack of code that is shared widely and used by a variety of devices and manufacturers.
- There is no additional layer of malware protection or cleaner available for these devices, and the only way to remove the vulnerability is by updating the firmware. This issue has been addressed quickly, and firmware updates have been deployed by many vendors, including Philips, whose Hue Light products were part of the original study.
- An attack can be initiated over the mesh network (in this case ZigBee) and bypasses traditional filtering or Intrusion Detection and Prevention technologies.
- Once implemented, the worm can propagate across the mesh network to any vulnerable devices that move into range, either when the infected device is moved or when a mobile device moves into a mesh network containing an infected device.
- The devices infected and used to propagate the infection are relatively low cost. As an example, a relatively cheap lightbulb could be infected and given to an unsuspecting target or carrier, who powers it up in their home or office and infects the devices in that network and any neighbouring networks.
The authors of the original paper outline a number of different attack methods as well as an array of disturbing potential outcomes including: disabling devices, causing seizures, and attacking public and private utilities and services.
Security is always tricky with complex systems and the massive scale of the IoT makes it extremely difficult to secure effectively. I believe Philips should be commended for their open approach and speedy resolution to issues. Additional information can be found at the links below. I recommend reading the original report as there are interesting details and anecdotes including videos of a drone ‘proof of concept attack’ at an Israeli Computer Emergency Response Team (CERT) installation. There are also technical details of the exploits and how the impacted parties have addressed or managed the issues.
The original paper by Eyal Ronen, Colin O’Flynn, Adi Shamir and Achi-Or Weingarten can be found here: http://iotworm.eyalro.net/
The ZigBee statement on security can be found here: http://www.zigbee.org/zigbee-alliance-statement-on-security/
Philips Product Security disclosure details can be found here: http://www.lighting.philips.com/main/company/about/product-security.html