June 15, 2017: The LED lighting industry needs to be very careful, as smart LED lighting systems could easily open the gates to hackers, warned Ken Munro, founder of Buckingham, UK-based Pen Test Partners, who is a security consultant and an ethical hacker of the Internet of Things (IoT).
Munro demonstrated “ethical hacking” at the LuxLive 2016 exhibition. He showed that a hacker can easily gain access to Wi-Fi passwords and other private information.
What mistakes manufacturers make
Hackers can very easily gain access to IoT devices like kettles and coffee makers, and now possibly to smart LED lights, if LED lighting manufacturers do not take precautions and simply put communication chips into their smart lighting products without being aware of the security consequences, he warned.
Manufacturers are just putting in a module (Bluetooth, GSM, or Wi-Fi) and making their products Internet-enabled, thinking that the module will deliver security on its own, he pointed out.
Munro explained that smart LED lighting manufacturers should properly understand the pairing process. They need to think carefully about how a device is pushed into pairing mode.
He therefore advised manufacturers of any IoT device to digitally sign firmware code, validate the signature at boot time, and leave sensitive information out of the code.
How hackers can gain access
Munro said that hackers can easily crack the code of the mobile apps that control the devices. This code can then help them reach the IP address of the device and get all the important information.
Munro urged lighting manufacturers to be aware of the security guidelines and read them carefully before they attempt to make their devices IoT-enabled.
Munro mentioned how a set of Philips smart lighting products in an office building flashed emergency signals when a drone-borne virus attacked them via a ZigBee wireless link. Munro said that wireless technologies like ZigBee, Wi-Fi and Bluetooth can all be made secure.
Munro said that even IoT kids’ toys like the Anki Cozmo robot, and Christmas tree lights, are all open to attack.
At the show, Munro demonstrated how he got into the code of an Internet-connected electric kettle and could easily get its Internet IP address. The kettle used an old and common communications protocol called Telnet, which Munro said was not encrypted.
Munro warned that if manufacturers use Telnet, it would definitely lead to hacking disasters, as a hacker can easily tap the Telnet port, find out the user’s password, and access the device's web server.
“I can get your wireless network key,” said Munro. “It is very easy as now I am on your wireless network, and I can listen to every single piece of traffic that goes over your home Wi-Fi network. Every password you send, all your banking details, all your social network details, everything is in my control.”
He said that hackers can even find out from a database where your kettle is, point a wireless antenna at your kitchen, and steal your Wi-Fi key.
He pointed out how some poorly designed IoT door locks can respond to anyone shouting, “Unlock the door.”
The same disaster can happen with IoT LED lights as well, he said. Munro said the lighting industry’s main IoT security challenge would be ensuring that users know how to control their devices with security in mind.
He also advised users to be aware of the security guidelines and to choose an IoT device from a big brand.