Nov 8, 2016: In response to the recent media reports on potential cyber security vulnerabilities of Philips LED Hue bulbs, Philips has issued a statement claiming that its smart LED bulb Hue products are not infected by computer viruses.
Vulnerabilities of Philips LED Hue bulbs
A research team from Israel led by Professor Adi Shamir of the Weizmann Institute of Science revealed certain potential cyber security weaknesses in LED Hue bulbs and published the findings in a report. The researchers informed Philips about the findings, and industry insiders believe that Philips must have patched the LED Hue bulb firmware before the report was issued.
The research team had demonstrated the likelihood of conducting an attack on Philips Hue bulbs, and hence Philips could have developed the patch in order to upgrade the security of the Hue bulbs. Philips urged its customers to upgrade their software through the Philips Hue app, although the reported risk was low.
Possible city blackout
PhD researchers from the Weizmann Institute of Science showed how Hue bulbs may be hacked through their built-in ZigBee wireless connectivity. A hacker could attack via a single infected bulb, and the virus could then spread from lamp to neighbouring lamp over the ZigBee wireless link. Because the bulbs are physically close to one another, the virus could spread within a short period of time.
The hacker may then control the city lights by switching them on or off, and could permanently exploit the bulbs in a huge DDoS attack. The researchers projected that a city with an area of around 105 sq km would require about 15,000 smart LED bulbs for the chain reaction of infected bulbs to continue. However, the process would die down if the city had fewer lights than required.
The study revealed how a bricking attack can be used by attackers to black out cities and cause lights to flicker constantly. In case of an attack, the malicious firmware disables further firmware downloads, which would make the effects of the worm permanent, with no way to reverse them by reprogramming.
In addition, the research team demonstrated how the attack could be executed using a drone. Despite Philips' announcement and the research team's complete disclosure of the status of the LED Hue bulbs, a recent report revealed that Philips only fixed the bug that allowed the research team to remotely capture the bulbs, but malicious upgrades may still be created.