Security

Hacking Lightbulbs To Cause a Sustained Blackout

Posted by timothy
from the dark-as-a-particle-or-as-a-wave dept.
An anonymous reader writes "Researcher Nitesh Dhanjani just published an evaluation of the Philips Hue wireless lighting system that is available at Apple stores (and online). These lightbulbs come with a wireless bridge that you can control from your iPhone. Dhanjani has published a video demonstrating a vulnerability he found that can be exploited by malware to cause a sustained blackout. The video shows how the malware script can continuously turn the light bulbs off. Dhanjani also discusses other scenarios such as the system's tie-in with IFTTT (If This Then That) to cause a blackout by tagging a Facebook user on a completely black photo. Lots of interesting ideas on security vulnerabilities targeting future malware and smart devices. The paper can be downloaded here (PDF)."
  • Question (Score:5, Insightful)

    by djupedal (584558) on Tuesday August 13, 2013 @09:51AM (#44552785)
    Why do I feel like I'm standing in line at the supermarket reading the cover of some tabloid rag right now...
    • Re:Question (Score:4, Insightful)

      by Anonymous Coward on Tuesday August 13, 2013 @10:10AM (#44553035)

      Why do I feel like I'm standing in line at the supermarket reading the cover of some tabloid rag right now...

      Hard to say.

      Perhaps it's because you didn't recognize the extremely important but implicit message that unless we (the engineers) pay more attention to what we're doing, then our products can be susceptible to widespread mayhem.

      It's a pretty relevant topic as everything around us becomes more and more networked.

    • You're drunk with a box of Tampons in hand, for the girl who's leaving you next week?

      And a box of wine.

    • Re:Question (Score:5, Insightful)

      by Princeofcups (150855) <john@princeofcups.com> on Tuesday August 13, 2013 @10:52AM (#44553541) Homepage

      Why do I feel like I'm standing in line at the supermarket reading the cover of some tabloid rag right now...

      Maybe it's time to add a third level of moderation to slashdot. Have at least 5 high karma readers edit all article posts before they go up.
      - Spelling/grammar corrections
      - Weasel word removal
      - Check/supply links
      - Accurate titles/summaries

      God knows the current batch of mods aren't doing their job.

      • by larwe (858929)
        I have one mod point left and I read this reply and my finger doesn't know what to click ;)
      • When have the mods ever "done their job?"

        This is both the bane and the boon of Slashdot. Slashdot is not going downhill, it is the same as it ever was.

  • by schneidafunk (795759) on Tuesday August 13, 2013 @09:51AM (#44552791)
    It seems to me a bit frivolous to be connecting lights, toilets [inquisitr.com], refrigerators [engadget.com] and whatnot to wireless technology.
    • It doesn't have to be 802.11, but I can see some use in not having to go inside to turn on your outdoor lights.
      • Re: (Score:2, Insightful)

        by ebno-10db (1459097)

        Having to go inside to turn on your outdoor lights, eh? Next thing you know, telephony will revert to two tin cans and a string.

        Maybe I just suffer from a 20th century mentality, but I've never felt deprived having to actually open the door and go inside to turn on the outdoor lights. If I did, I would install a switch on the outside! (yes, waterproof obviously).

        This whole wireless control thing has degenerated into silly gimmicks. Admittedly this doesn't seem like some great security threat to me. There's

        • Admittedly this doesn't seem like some great security threat to me.

          It will be more and more of a threat, especially as we inevitably move toward autonomous robots for housekeeping chores. How 'bout I hack into your "Rosie Robot" and tell her to pick up a kitchen knife and wipe out your family in their sleep? (Not to mention the widespread speculation about Michael Hastings's car getting hacked...) Clearly we've got a long way to go in this regard.

          That got me thinking... would it be feasible to build a sort of "black box" recorder for your home? Have it scoop up all wired

          • by Gilmoure (18428)

            Sorta like a log, on a backup system?

            • Yes, but more robust and secure, completely impervious to network attack, and only vulnerable by physical force. Also with AI at a similar level to "Rosie Robot's" to allow it to recognize certain failure modes... such as when the nanny-cam sees Rosie entering the baby's room with a butcher knife in hand.

          • dump data? don't we have twitter and facebook for that

        • This whole wireless control thing has degenerated into silly gimmicks

          You're completely missing the point. This is about technology and how cool it is. It doesn't have to be useful or logical.

          Considering the sad state of software, you should already know this.
          • by PNutts (199112)

            This whole wireless control thing has degenerated into silly gimmicks

            You're completely missing the point. This is about technology and how cool it is. It doesn't have to be useful or logical.

            And bonus points if it is useful and logical. Instead of the fun and useful-to-me stuff I do with my Hue lights that nobody else cares about, I'll simply mention in a semi-technical forum that I use PowerShell and hook into Lync's APIs to turn a light outside the door of my home office on and red when I'm on the phone so my kids won't come knocking.

        • I've never felt particularly deprived either. I have had times where I left home intending to be back home prior to dark and not left a light on or carried a flashlight to be stuck wandering from the street light to my dark porch to identify the proper keys to open the door. It hasn't inconvenienced me enough to actually get a connected bulb, but I might consider it when I have to replace it.
      • by Hentes (2461350)

        Then put a PLC [wikipedia.org] interface on them, wireless is badly suited for this.

    • I certainly agree as regards wireless information, but for lights, wireless power [wikipedia.org] is another story (only wimps worry about receiving picowatts).

    • by HexaByte (817350)
      Agreed! We want to do everything without getting off of our butts, then complain that we're too fat.
    • by kheldan (1460303)
      That's because it's not only frivolous, it's flat-out stupid.
      Don't know about anyone else, but I don't need or want so-called "smart" appliances or lightbulbs. I don't want someone else deciding when I can dry my clothes, or run my air conditioner, or be able to make my lights go on and off, or maybe hack my refrigerator and ruin hundreds of dollars of food "for the lulz". If I can't maintain direct control over things in my living space, then they need to go.
      • It's one of the classic rules of security, just with a different twist - if you allow someone else to control your lightbulbs, they aren't your lightbulbs any more.
      • You are right. However, you are in the minority. Do you own a house? I don't mean mortgage, I mean actually hold the note on the building and land. If you do, then you should have no problems as long as you don't move. Otherwise, there will reach a point where you will be upgraded to this. This is why we are talking about it now. 5 yrs is too late.

    • by yabos (719499)
      I can't wait till everyone's toilet starts tweeting every time they take a shit.
    • by plover (150551)

      It may seem frivolous, but there are lots of valid reasons. Most pertain to home automation in general, not just wireless systems, but most home automation systems today use wireless communication. Here are a few off the top of my head.

      • Wiring costs. Today, you run an extra wire from light fixtures to wall switches, regardless of where the fixture is in relationship to the switch. That may route a heavy copper wire down a short wall into the floor, across the floor to a wall, up the wall to the ceiling,
  • On, controllable, off?
  • by Score Whore (32328) on Tuesday August 13, 2013 @10:05AM (#44552983)

    Turning off a single or set of light bulbs is not a "sustained blackout." Shutdown all electrical systems in a city (or at least a neighborhood) and maybe you can start talking blackout. But turning off a couple of light bulbs isn't even inconvenient. What kind of hyperbolic dipshittery headline writing is this?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Actually, the term blackout originally referred to everyone shutting off their lights during an air raid,

    • This is only the tip of the iceberg. You can cyber-computer-terrorist-hack a blindfold to PERMANENTLY MAKE EVERY LIGHT IN THE UNIVERSE BLACKOUT*!

      (*For one person. Provided they don't remove the blindfold from their eyes.)
    • by Ol Olsoc (1175323)

      Turning off a single or set of light bulbs is not a "sustained blackout." Shutdown all electrical systems in a city (or at least a neighborhood) and maybe you can start talking blackout. But turning off a couple of light bulbs isn't even inconvenient. What kind of hyperbolic dipshittery headline writing is this?

      Walking down a stairwell and having the lights go out is hardly hyperbolic dipshittery. But rather than just look at a situation and declaring people asshats if they are concerned, have a little imagination. If we are connecting our lights to the internet, it just shows that whatever is connected to the internet will suffer the same problems as anything else connected to it.

      Lights are only one thing. There are refrigerators, locks, furnaces, toilets, all manner of things that someone thought we needed to

      • by mlts (1038732) *

        A year or two ago, some company got mentioned on Slashdot which made electronically "lockable" bolts which fastened and unfastened via remote control, and were used for airline seats. They had an advantage since no tool paths for screwdrivers, wrenches, etc. were needed.

        It might be a small object, but if those go into common use, and someone manages to hack a "unfasten all right now" command, it might not be a funny prank when chairs and other items come loose.

        At the minimum, devices should use Bluetooth a

        • by plover (150551)

          Z-wave home automation devices use an out-of-band pairing step. You have to bring the controller and device to be controlled close together, then operate a manual switch on the controlled device to pair it to the controller. However, their security model appears to be almost entirely through patent-enforced obscurity, rather than any actual technical security. Z-wave door locks are supposed to be "encrypted", but nobody who knows is talking about how the protocols work, how the keys are stored and managed

          • Yes they do. You would be surprised and horrified what is available on the darknet. Nothing is completely secure. No encryption exists that can't be broken. If someone wants to they will. The question is will their prank injure one person or kill thousands.

      • > I'm looking forward to the "Norton Home Appliance Antivirus Suite".

        I don't like the idea of getting home to an empty fridge and seeing "we have quarantined your cheese" in the logs.
      • by cdrudge (68377)

        Walking down a stairwell and having the lights go out is hardly hyperbolic dipshittery. But rather than just look at a situation and declaring people asshats if they are concerned, have a little imagination.

        What did millions of people do when they were walking down a stairwell previously and the light bulb burned out? Or someone else flipped a switch. No one apparently knows as those people were never heard from again. Or they stopped. Realize they would have to figure out how to climb some stairs caref

        • by Ol Olsoc (1175323)

          What did millions of people do when they were walking down a stairwell previously and the light bulb burned out?

          Given the nature of light bulbs, they tend to burn out on turning them on, or turning them off. It's the nature of the filament, which is an inductor, and there is a current spike when turning them on and off. In addition, the filament's resistance is lower when it is cold, making it more likely they will do it when switched on. Point is, you don't have much of a point.

          Or someone else flipped a switch. No one apparently knows as those people were never heard from again

          Just feel like arguing tonight, eh?

    • As far as I can tell this isn't even a security hole in the lighting itself - they used a java exploit to gain control of the mac that was already controlling the lights. I'd be more interested if you could do a drive-by attack on the lighting system itself.

    • People thought the same about virii in the 90s. You are right, one light bulb is an annoyance. How about a malware that shuts them all off at once. Apple isn't virus free. It's yellow journalism. That's what kind of hyperbolic dipshittery headline writing it is.

  • by fatgraham (307614) on Tuesday August 13, 2013 @10:07AM (#44552999) Homepage

    Apologies in advance for the trolling but that section seems a bit unnecessary... it's basically saying "if something bad happens to the service you use, something bad can happen to you"?

    The light device has little to do with the hypothetical compromise of a cloud service IMO. As well as the feature of changing hue from another image. "Blackout" is a little alarmist when it's just doing what it's told to do...

    The hack/compromised access itself is neat though.

  • I guess I should maybe rethink my purchase of my Philips Wireless Beltbuckle.

  • "Which is precisely the sort of thing we need to know," insisted the girl. "Do people want fire that can be fitted nasally?"

    • I prefer the ideas generated around fiscal policy.....

      MANAGEMENT CONSULTANT:
      Um listen, if we could, er, for a moment move on to the subject of fiscal policy -

      FORD:
      "Fiscal Policy"?!

      MANAGEMENT CONSULTANT:
      Yes.

      FORD:
      How can you have money if none of you actually produce anything? It doesn’t grow on trees you know!

      MANAGEMENT CONSULTANT:
      You know, if you would allow me to continue!

      CAPTAIN:
      Yes, let him continue.

      MANAGEMENT CONSULTANT:
      Since we decided a few weeks ago to adopt leaves as legal tender,

  • Now that the mood lighting has been disabled I can proceed with my insidious plot.

  • by Covalent (1001277) on Tuesday August 13, 2013 @10:19AM (#44553131)
    Security issues aside, wireless connectivity uses some small amount of power. To me this is energy wasting of the highest order. My lightbulbs constantly listening for the one time per month that maybe I want to turn them on from my phone? Yes please and a side of mountain top removal coal mining please!
    • by Ol Olsoc (1175323)

      Security issues aside, wireless connectivity uses some small amount of power. To me this is energy wasting of the highest order. My lightbulbs constantly listening for the one time per month that maybe I want to turn them on from my phone? Yes please and a side of mountain top removal coal mining please!

      NO imagination dude!

      Just imagine, you'll be able to be on top of Mount Everest, and flush your toilet! ZOMG! All your Friends on Facebook will be able to flush it too. Imagine the celebrity aspect too. Kim Kardashian can charge people a hundred bucks to flush her toilet. This is the best thing to happen since People Magazine!

    • Security issues aside, wireless connectivity uses some small amount of power. To me this is energy wasting of the highest order. My lightbulbs constantly listening for the one time per month that maybe I want to turn them on from my phone? Yes please and a side of mountain top removal coal mining please!

      With a computer controllable lighting system you may well be able to save energy by exercising better (automated) control over the lights - for example, automatically tuning them to the most appropriate brightness based on the current environment rather than running them at full power all the time, tracking where people are in the house and automatically turning the lights off in unused rooms, etc. That said, with the power requirements of modern LED lights, this does seem like rather a small potential sav

  • by Anonymous Coward
    Well, I have a lot of these bulbs in my house. And since the protocol is open (zigbee protocol) anyone can script a "blackout". Or a disco. The only news in this article is that somehow the handshake token gets hijacked by the script. Well, anyone near the bridge can just create a new token, so there is no need to hijack one.
  • Hysteria Much? (Score:5, Informative)

    by s122604 (1018036) on Tuesday August 13, 2013 @10:23AM (#44553185)
    The hack described in the article is interesting from a technical perspective, but the use of the term "blackout" is hysterical and misleading.

    When I think of the term "blackout", I take that to mean no more 120/240 in any of my sockets.

    Yes, appliance hacks are something that we all should think about as more and more of the ubiquitous appliances, like lights, HVAC, water and sewer, that truly make the modern world function come online, but cmon....
    • by jasax (1728312)
      Imagine when a "blackout" will be done to Japanese-style automatic toilets...
      "...Malware.... Here goes a jet of boiling water right into your ba*ls!..."
      So, 1024-bit encryption (at least) to the hot water valve key has to be enforced! :-)
      • Imagine when a "blackout" will be done to Japanese-style automatic toilets... "...Malware.... Here goes a jet of boiling water right into your ba*ls!..." So, 1024-bit encryption (at least) to the hot water valve key has to be enforced! :-)

        Wouldn't that be "turns off the flushing noise it makes so nobody can hear you while you are on the toilet - so everybody can hear you on the toilet"? That would lead to mass suicides.

    • But how are you going to drive to Goodwill and buy a non-networked light bulb system aka a lamp for $1 if you can't find your keys cuz your house is dark because you're an Apple-tard? Didn't think of that, did you?
  • I need one of these for when my group has star parties. One that covers about 50 miles in all directions.
  • There is no reason for a light bulb to be connected to the internet, this proves it. If you are too stupid or lazy to be able to turn on/off your own lights using a mechanical switch you deserve getting the "blackout of shame".

  • Aye, I was rather dubious of this product for this reason and others. Another fundamental problem is they're taking something simple and cheap and adding a great deal of complexity and cost to it which increases the price, reduces the market and lowers reliability. I don't need lightbulbs that can think for themselves, talk to each other or talk to me. Just turn on and off. That's enough.

  • ... catching up with Lucas Electric

  • Power companies are putting in smart meters that will allow them to turn off your power at their command for unpaid bills but the kicker is that they also will be allowed to turn off your air conditioner when they think it's best for them to do so. Forget if you have an old person living with you that can't take the heat outside. http://tucsoncitizen.com/wryheat/2013/02/18/tep-wants-to-control-your-air-conditioner-this-summer/ [tucsoncitizen.com]
    • by Svenia (3001819)
      I understand completely in the instance of an unpaid bill, but it seems a bit excessive to turn off someone's AC purely for "cost savings" purposes. If the client opts into it (I.e. - "Why's my bill so high? Complain Complain. - "Well we have this cost savings program you could join..." /shuts-off-ac-remotely), but here in Florida I'd be damned pissed to find they remotely shut off my AC, when I've paid my bill in full, on time every month. It's my damned business if I want to keep my place 70 year round, s
    • by plover (150551)

      That's certainly not how the Smart Grid has to work.

      One way it could work is for you to establish the rate you're willing to pay. A Smart Meter can tell your household appliances "The price of electricity from 4-8PM will follow this schedule: first 2 kWh are $0.20 each. Next 1 kWh is $0.40. Additional kWh are $5.00 each." You can then tell your A/C to "run for no more than 40 minutes per hour whenever the price > $2.00 / kWh", or "run the A/C for no more than $1.00 each hour." Demand pricing would

  • Why do we consider multiple security vulnerabilities in control software a 'smart' device? More like a stupid device designed by a fool!
  • Everything wireless is less secure than its wired counterpart. Always prefer wired if given an option.

    The only question to ask yourself is how bad is the potential downside?

    Just think of the most basic aspects. Wireless by definition means *direct these signals through the air in all directions and receive signals from the air in all directions*

    What could possibly go right?

    Wireless communication between car components? No thanks!
    Wireless lights everywhere? No thanks!

  • Has network connection = can be hacked. That's a law of physics. If you don't want your [insert device here] to get hacked, make sure it doesn't have any form of networking capabilities. If you're still on the fence, go watch Ghost in the Shell: Standalone Complex.
  • ...sound a little bit like what we used to do with fax machines, Fax someone a black piece of paper. As the leading edge of the paper comes out of the machine, scotch tape it to the trailing edge. Recipient's machine runs until it's out of paper or toner.

    Everything old is new again...
  • Quite expensive, knowing a (remote) LED light controller costs only about 25$ and a LED (color)strip costs about 30$ ..

    This can be hacked -way cheaper- through a microcontroller like Arduino ..

  • So, what happens when your lights crash?

  • Toaster of 2113:

    Takes 2 minutes to boot, has 16 Yottabytes of memory and 2 Xenabytes of permanent storage.

    After you put your toast in it, it rejects it on the basis that you've had too much white bread this week and the company doesn't want to be held liable for serving you more unhealthy food. ...After putting some brown bread in the toaster, the toaster plays an ad for some other food you can't eat whilst analyzing the DNA of the bread and checking that the seeds that made the bread were correctly license
