Researchers at Canada's Dalhousie University and Israel's Weizmann Institute of Science recently published a paper describing a proof-of-concept worm that could spread between adjacent IoT devices in what they describe as "a city-wide bricking attack."
The researchers used Philips Hue smart bulbs as a platform to demonstrate the attack, which they successfully delivered from a moving car 70 meters away from the target, and from a flying drone 350 meters away.
"The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity," the researchers wrote. "The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack."
The researchers say they were easily able to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. "This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product," they wrote.
"The malicious firmware can disable additional firmware downloads, and thus any effect caused by the worm (blackout, constant flickering, etc.) will be permanent," the researchers noted. "There is no other method of reprogramming these devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied."
And because ZigBee uses the 2.4 GHz band, an attack could also block all communications over that band, including Wi-Fi.
The researchers have disclosed the vulnerability to Philips, which has already confirmed and fixed it. "OTA updates are available," they note.
AlienVault security advocate Javvad Malik told eSecurity Planet by email that there are three primary attack cases for Internet-connected devices: (1) using IoT devices to attack, (2) attacking IoT devices themselves, and (3) leveraging IoT devices to leak sensitive information. "The Mirai botnet attack that occurred in October was a prime example of No. 1," he said. "This research on the lightbulb worm is a prime example of attack case No. 2, whereby the devices themselves (the bulbs) are the target."
"In both cases, the viability and the impact of such attacks should not be underestimated," Malik added. "IoT devices are typically woefully inadequate to defend against direct attacks, and few companies actively monitor IoT device status or traffic. While there are many benefits to IoT devices, they need to be recognized as valuable assets, and the right level of security needs to be built around them."
A recent survey [PDF] of 1,527 U.S. adults found that more than 40 percent are "not confident at all" that IoT devices are safe, secure, and able to protect personal information, and 50 percent said concerns about the cyber security of an IoT device have discouraged them from purchasing one.
Still, the survey, conducted by ESET in collaboration with the National Cyber Security Alliance (NCSA), found that while almost 80 percent of respondents have seven or more devices connected to their home router, 29 percent haven't changed their home router password from its default setting.
A recent eSecurity Planet article looked at four essential IoT security best practices.