Smart lighting security flaw illuminates risk of IoT

Credit to Author: Jonny Evans | Date: Fri, 07 Feb 2020 06:35:00 -0800

The latest smart home security nightmare sheds light on the risk you take each time you add another connected item to your home, office or industrial network – and even market leading brands make mistakes.

Philips Hue smart lighting systems are probably among the most widely installed smart home solutions in the world, so plenty of people deserve to learn about the latest Check Point research which warns of a major security flaw in them.

It seems it is possible to infiltrate home/office networks using a remote exploit against the ZigBee low-power wireless protocol, with the Philips Hue smart bulbs and bridge serving as the access point.

The report claims it was possible to subvert smart home security to the extent that hackers took control of the bulb and then tricked users into a series of actions that let hackers infiltrate the network itself.

Check Point alerted Philips to the problem and the manufacturer very quickly released a software patch to protect against it.

You can get that patch here, and if you happen to have a Hue system installed somewhere in your life you should install it as soon as you can.

That is particularly worth doing in view of Kaspersky research that tells us attacks against smart home devices climbed by around 700% in the last 12 months.

This strongly reminds me of the highly publicized 2014 attack when criminals used a vulnerability in a connected HVAC system to exfiltrate the details of millions of credit and debit cards from Target.

This is what can happen when attackers succeed in penetrating networks – a little packet-sniffing and your bank details could be purloined – as too might be the access codes for the power plant you work at.

What’s remarkable about this is that it has been six years since the Target hack, and yet it’s still possible to single out connected devices in order to subvert them.

This is a problem Apple has been working to try to solve ever since it created its Made for HomeKit system.

Now, I’m not about to focus my ire on Philips in this – the company took steps to remediate the situation once it heard about it.

Nor is it exactly Zigbee that is at fault — the truth is that every operating system holds its own set of vulnerabilities and identifying them is a big business.

But I will focus some anger at those manufacturers in the smart home space who don’t see security and privacy as important in an increasingly connected age.

Because the risk to your home and business represented by poorly secured devices on your connected networks reflects the weakest devices you have installed far more than the better ones.

You can have ten thousand well secured smart devices, but that ancient connected thermostat in the storeroom may be all the vulnerability a hacker needs to penetrate your entire network.

That’s also why you should diligently check how committed manufacturers are to regular software and security updates for the smart devices they want to sell you. It doesn’t matter whether those systems are aimed at business or consumer users: if the vendor doesn’t commit to regular security protection, you shouldn’t buy them.

I recommend consumer and enterprise users take inventory of their existing connected device deployments.

When they do, they should ask the following questions:

In some cases, I’ve heard of deployments in which connected devices are placed on a separate wireless network from any computers or data storage systems.

Apple has its own solution, HomeKit-enabled routers, which may go some way toward securing HomeKit-based smart homes. These let you protect smart devices across your office or home, but only a few routers supporting this are available right now.

Personally, I think every router should have smart device protection built in. Perhaps this is what Apple, Google, Amazon, the Zigbee Alliance and others hope to achieve with the Connected Home over IP project.

But the security vulnerabilities illuminated by this latest Hue problem should be proof positive that better security is mandatory, for your home, your office, factory or any other connected system.
