Hacking Lightbulbs To Cause a Sustained Blackout
An anonymous reader writes "Researcher Nitesh Dhanjani just published an evaluation of the Philips Hue wireless lighting system that is available at Apple stores (and online). These lightbulbs come with a wireless bridge that you can control from your iPhone. Dhanjani has published a video demonstrating a vulnerability he found that can be exploited by malware to cause a sustained blackout. The video shows how the malware script can continuously turn the light bulbs off. Dhanjani also discusses other scenarios such as the system's tie-in with IFTTT (If This Then That) to cause a blackout by tagging a Facebook user on a completely black photo. Lots of interesting ideas on security vulnerabilities targeting future malware and smart devices. The paper can be downloaded here (PDF)."
Question (Score:5, Insightful)
Re:Question (Score:4, Insightful)
Hard to say.
Perhaps it's because you didn't recognize the extremely important but implicit message that unless we (the engineers) pay more attention to what we're doing, then our products can be susceptible to widespread mayhem.
It's a pretty relevant topic as everything around us becomes more and more networked.
Re: (Score:1)
It is if they are hackable. On Newsroom the HBO show, The Military liaison suggested the apocalypse would come when a hacker shuts down the grid, opens up the dams (causing widespread flooding and destruction) and alters pressures on pipelines causing them to explode. So while you think a hackable light isn't something important, it's one step away from your electricity being turned off by a hacker. That is mayhem.
Re: (Score:2)
You're drunk with a box of Tampons in hand, for the girl who's leaving you next week?
And a box of wine.
Re:Question (Score:5, Insightful)
Why do I feel like I'm standing in line at the supermarket reading the cover of some tabloid rag right now...
Maybe it's time to add a third level of moderation to slashdot. Have at least 5 high karma readers edit all article posts before they go up.
- Spelling/grammar corrections
- Weasel word removal
- Check/supply links
- Accurate titles/summaries
God knows the current batch of mods aren't doing their job.
Re: (Score:2)
Re: (Score:2)
When have the mods ever "done their job?"
This is both the bane and the boon of Slashdot. Slashdot is not going downhill, it is the same as it ever was.
wireless basic needs (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2, Insightful)
Having to go inside to turn on your outdoor lights, eh? Next thing you know, telephony will revert to two tin cans and a string.
Maybe I just suffer from a 20th century mentality, but I've never felt deprived having to actually open the door and go inside to turn on the outdoor lights. If I did, I would install a switch on the outside! (yes, waterproof obviously).
This whole wireless control thing has degenerated into silly gimmicks. Admittedly this doesn't seem like some great security threat to me. There's
Re: (Score:2)
Admittedly this doesn't seem like some great security threat to me.
It will be more and more of a threat, especially as we inevitably move toward autonomous robots for housekeeping chores. How 'bout I hack into your "Rosie Robot" and tell her to pick up a kitchen knife and wipe out your family in their sleep? (Not to mention the widespread speculation about Michael Hastings's car getting hacked...) Clearly we've got a long way to go in this regard.
That got me thinking... would it be feasible to build a sort of "black box" recorder for your home? Have it scoop up all wired
Re: (Score:2)
Sorta like a log, on a backup system?
Re: (Score:2)
Yes, but more robust and secure, completely impervious to network attack, and only vulnerable by physical force. Also with AI at a similar level to "Rosie Robot's" to allow it to recognize certain failure modes... such as when the nanny-cam sees Rosie entering the baby's room with a butcher knife in hand.
Re: (Score:2)
Re: (Score:1)
If I schedule them to off how long before you notice? NSA doesn't care about you until you try to disrupt the system. Then want all your tracking already available so they can discover it. It's like Person of Interest, only real.
Re: (Score:2)
Re: (Score:2)
dump data? don't we have twitter and facebook for that
Re: (Score:2)
You're completely missing the point. This is about technology and how cool it is. It doesn't have to be useful or logical.
Considering the sad state of software, you should already know this.
Re: (Score:2)
This whole wireless control thing has degenerated into silly gimmicks
You're completely missing the point. This is about technology and how cool it is. It doesn't have to be useful or logical.
And bonus points if it is useful and logical. Instead of the fun and useful-to-me stuff I do with my Hue lights that nobody else cares about, I'll simply mention in a semi-technical forum that I use PowerShell and hook into Lync's APIs to turn a light outside the door of my home office on and red when I'm on the phone so my kids won't come knocking.
Re: (Score:2)
Re: (Score:2)
Then put a PLC interface on them, wireless is badly suited for this.
Re: (Score:2)
I certainly agree as regards wireless information, but for lights, wireless power is another story (only wimps worry about receiving picowatts).
Re: (Score:2)
Re: (Score:3)
Don't know about anyone else, but I don't need or want so-called "smart" appliances or lightbulbs. I don't want someone else deciding when I can dry my clothes, or run my air conditioner, or be able to make my lights go on and off, or maybe hack my refrigerator and ruin hundreds of dollars of food "for the lulz". If I can't maintain direct control over things in my living space, then they need to go.
Re: (Score:1)
Re: (Score:1)
You are right. However you are in the minority. Do you own a house? I don't mean mortgage I mean actually hold the note on the building and land. If you do then, you should have no problems as long as you don't move. Otherwise, there will reach a point where you will be upgraded to this. This is why we are talking about it now. % yrs is too late.
Re: (Score:1)
How many people are smart enough to recognize this? I will quote from 'Men in Black' A person is smart. People are dumb stupid panicky animals and you know it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It may seem frivolous, but there are lots of valid reasons. Most pertain to home automation in general, not just wireless systems, but most home automation systems today use wireless communication. Here are a few off the top of my head.
Three-position switch? (Score:2)
Re: (Score:3)
Re: (Score:1)
http://www.theverge.com/2013/5/25/4365726/daniel-dennett-explains-how-to-reprogram-your-brain
http://youtu.be/4Q_mY54hjM0
Re: (Score:2)
I'd say we're making no progress because this is all that's required to break stuff. Again.
Companies are great at tacking needless wifi into things and not being able to protect them against the most basic of attacks. But hey, it's not like you need your lights to work reliably, right?
I can't wait for the toilet that won't flush unless you pay the guy in Russia that infected it with malware. That's going to make all our lives better.
Re: (Score:2)
Re: (Score:1)
I believe the darknet anons are already working on it.
SUSTAINED BLACKOUT!!! OH NOES!!!! (Score:5, Insightful)
Turning off a single or set of light bulbs is not a "sustained blackout." Shutdown all electrical systems in a city (or at least a neighborhood) and maybe you can start talking blackout. But turning off a couple of light bulbs isn't even inconvenient. What kind of hyperbolic dipshittery headline writing is this?
Re: (Score:2, Informative)
Actually, the term blackout originally referred to everyone shutting off their lights during an air raid,
Re: (Score:2)
(*For one person. Provided they don't remove the blindfold from their eyes.)
Re: (Score:2)
That's why the NSA stakes out every kids party where they're playing Pin The Tail On The Donkey.
Re: (Score:1)
There was a Dr. who episode of that. He fixed it. ;)
Re: (Score:3)
Turning off a single or set of light bulbs is not a "sustained blackout." Shutdown all electrical systems in a city (or at least a neighborhood) and maybe you can start talking blackout. But turning off a couple of light bulbs isn't even inconvenient. What kind of hyperbolic dipshittery headline writing is this?
Walking down a stairwell and having the lights go out is hardly hyperbolic dipshittery. But rather than just look at a situation and declaring people asshats if they are concerned, have a little imagination. If we are connecting our lights to the internet, it just shows that whatever is connected to the internet will suffer the same problems as anything else connected to it.
Lights are only one thing. There are refrigerators, locks, furnaces, toilets, all manner of things that someone thought we needed to
Re: (Score:2)
A year or two ago, some company got mentioned on Slashdot which made electronically "lockable" bolts which fastened and unfastened via remote control, and were used for airline seats. They had an advantage since no tool paths for screwdrivers, wrenches, etc. were needed.
It might be a small object, but if those go into common use, and someone manages to hack a "unfasten all right now" command, it might not be a funny prank when chairs and other items come loose.
At the minimum, devices should use Bluetooth a
Re: (Score:2)
Z-wave home automation devices use an out-of-band pairing step. You have to bring the controller and device to be controlled close together, then operate a manual switch on the controlled device to pair it to the controller. However, their security model appears to be almost entirely through patent-enforced obscurity, rather than any actual technical security. Z-wave door locks are supposed to be "encrypted", but nobody who knows is talking about how the protocols work, how the keys are stored and managed
Re: (Score:1)
Yes they do. You would be surprised and horrified what is available on the darknet. Nothing is completely secure. No encryption exists that can't be broken. If someone wants to they will. The question is will their prank injure one person or kill thousands.
Re: (Score:1)
I don't like the idea of getting home to an empty fridge and seeing "we have quarantined your cheese" in the logs.
Re: (Score:2)
What did millions of people do when they were walking down a stairwell previously and the light bulb burned out? Or someone else flipped a switch. No one apparently knows as those people were never heard from again. Or they stopped. Realize they would have to figure out how to climb some stairs caref
Re: (Score:2)
What did millions of people do when they were walking down a stairwell previously and the light bulb burned out?
Given the nature of light bulbs, they tend to burn out on turning them on, or turning them off. It's the nature of the filament, which is an inductor, and there is a current spike when turning them on and off. In addition, the filament's resistance is lower when it is cold, making it more likely they will do it when switched on. Point is, you don't have much of a point.
Or someone else flipped a switch. No one apparently knows as those people were never heard from again
Just feel like arguing tonight, eh?
Re: (Score:2)
As far as I can tell this isn't even a security hole in the lighting itself - they used a java exploit to gain control of the mac that was already controlling the lights. I'd be more interested if you could do a drive-by attack on the lighting system itself.
Re: (Score:1)
People thought the same about virii in the 90s. You are right, one light bulb is an annoyance. How about a malware that shuts them all off at once. Apple isn't virus free. It's yellow journalism. That's what kind of hyperbolic dipshittery headline writing it is.
IFTTT/facebook tie-in is a bit alarmist? (Score:3)
Apologies in advance for the trolling but that section seems a bit unnecessary... it's basically saying "if something bad happens to the service you use, something bad can happen to you"?
The light device has little to do with the hypothetical compromise of a cloud service IMO. As well as the feature of changing hue from another image. "Blackout" is a little alarmist when it's just doing what it's told to do...
The hack/compromised access itself is neat though.
Rightey-O (Score:2)
I guess I should maybe rethink my purchase of my Philips Wireless Beltbuckle.
who needs this?! (Score:1)
"Which is precisely the sort of thing we need to know," insisted the girl. "Do people want fire that can be fitted nasally?"
Re: (Score:3)
I prefer the ideas generated around fiscal policy.....
MANAGEMENT CONSULTANT:
Um listen, if we could, er, for a moment move on to the subject of fiscal policy -
FORD:
”Fiscal Policy”?!
MANAGEMENT CONSULTANT:
Yes.
FORD:
How can you have money if none of you actually produce anything? It doesn’t grow on trees you know!
MANAGEMENT CONSULTANT:
You know If you would allow me to continue!
CAPTAIN:
Yes let him to continue.
MANAGEMENT CONSULTANT:
Since we decided a few weeks ago to adopt leaves as legal tender,
*Evil Laugh* (Score:2)
Now that the mood lighting has been disabled I can proceed with my insidious plot.
Re: (Score:2)
To remotely turn them off. or on. or up. or down. or a different color/hue/warmth. or to synchronize them. or to remotely manage all of yours from one point.
Re: (Score:2)
Still not seeing why we need Internet connected lightbulbs. Personally, I wouldn't install them if they were given to me for me.
Re: (Score:2)
Re: (Score:1)
to download light bulb porn, why else? Rule 34 people!
multiple reasons not to include wireless (Score:3)
Re: (Score:2)
Security issues aside, wireless connectivity uses some small amount of power. To me this is energy wasting of the highest order. My lightbulbs constantly listening for the one time per month that maybe I want to turn them on from my phone? Yes please and a side of mountain top removal coal mining please!
NO imagination dude!
Just imagine, you'll be able to be on top of Mount Everest, and flush your toilet! ZOMG! All your Friends on Facebook will be able to flush it too. Imagine the celebrity aspect too. Kim Kardashian can charge people a hundred bucks to flush her toilet. This is the best thing to happen since People Magazine!
Re: (Score:2)
Security issues aside, wireless connectivity uses some small amount of power. To me this is energy wasting of the highest order. My lightbulbs constantly listening for the one time per month that maybe I want to turn them on from my phone? Yes please and a side of mountain top removal coal mining please!
With a computer controllable lighting system you may well be able to save energy by exercising better (automated) control over the lights - for example, automatically tuning them to the most appropriate brightness based on the current environment rather than running them at full power all the time, tracking where people are in the house and automatically turning the lights off in unused rooms, etc. That said, with the power requirements of modern LED lights, this does seem like rather a small potential sav
I have them too... (Score:1)
Hysteria Much? (Score:5, Informative)
When I think of the term "blackout", I take that to mean no more 120/240 in any of my sockets.
Yes, appliance hacks are something that we all should think about as more and more of the ubiquitous appliances, like lights, HVAC, water and sewer, that truly make the modern world function come online, but cmon....
Re: (Score:1)
"...Malware.... Here goes a jet of boiling water right into your ba*ls!..."
So, 1024-bit encryption (at least) to the hot water valve key has to be enforced!
Re: (Score:2)
Imagine when a "blackout" will be done to Japanese-style automatic toilets... "...Malware.... Here goes a jet of boiling water right into your ba*ls!..." So, 1024-bit encryption (at least) to the hot water valve key has to be enforced! :-)
Wouldn't that be "turns off the flushing noise it makes so nobody can hear you while you are on the toilet - so everybody can hear you on the toilet"? That would lead to mass suicides.
Re: (Score:2)
Kind of like TVBeGone... (Score:2)
Fail (Score:2)
There is no reason for a light bulb to be connected to the internet, this proves it. If you are too stupid or lazy to be able to turn on/off your own lights using a mechanical switch you deserve getting the "blackout of shame".
A dubious product (Score:2)
Aye, I was rather dubious of this product for this reason and others. Another fundamental problem is they're taking something simple and cheap and adding a great deal of complexity and cost to it which increases the price, reduces the market and lowers reliability. I don't need lightbulbs that can think for themselves, talk to each other or talk to me. Just turn on and off. That's enough.
Philips and Apple are finally ... (Score:2)
Power Companies (Score:1)
Re: (Score:1)
Re: (Score:1)
If you were offering something constructive, AC, like perhaps they could do a program where people who feel they may overu
Re: (Score:1)
Re: (Score:3)
That's certainly not how the Smart Grid has to work.
One way it could work is for you to establish the rate you're willing to pay. A Smart Meter can tell your household appliances "The price of electricity from 4-8PM will follow this schedule: first 2 kWh are $0.20 each. Next 1 kWh is $0.40. Additional kWh are $5.00 each." You can then tell your A/C to "run for no more than 40 minutes per hour whenever the price > $2.00 / kWh", or "run the A/C for no more than $1.00 each hour." Demand pricing would
Why do we call buggy control software smart? (Score:2)
Repeat after me Wireless is insecure (Score:2)
Everything wireless is less secure than its wired counterpart. Always prefer wired if given an option.
The only question to ask yourself is how bad is the potential downside?
Just think of the most basic aspects. Wireless by definition means *direct these signals through the air in all directions and receive signals from the air in all directions*
What could possibly go right?
Wireless communication between car components? No thanks!
Wireless lights everywhere? No thanks!
simple security rule (Score:2)
Re: (Score:1)
I'll make it easier because it is so awesome. http://www.youtube.com/watch?v=JTc_ZJ1Hpks
That tagging a black photo in Facebook... (Score:1)
Everything old is new again...
199$ for 3 lamps and a bridge ?! (Score:2)
Quite expensive, knowing a (remote) LED light controller costs only about 25$ and a LED (color)strip costs about 30$ ..
This can be hacked -way cheaper- through a microcontroller like Arduino ..
Sooo... (Score:2)
So, what happens when your lights crash?
Future (Score:2)
Toaster of 2113:
Takes 2 minutes to boot, has 16 Yottabytes of memory and 2 Xenabytes of permanent storage.
After you put your toast in it, it rejects it on the basis that you've had too much white bread this week and the company doesn't want to be held liable for serving you more unhealthy food. ...After putting some brown bread in the toaster, the toaster plays an ad for some other food you can't eat whilst analyzing the DNA of the bread and checking that the seeds that made the bread were correctly license
Re: (Score:1)
http://www.youtube.com/watch?v=2KyRCQp32p8 amityville toaster