Granted, light bulbs aren’t as ominous as, say, nuclear weapons. But what could you do if you loaded malicious firmware onto a smart bulb? Could you unleash a worm that jumps from bulb to bulb? Could this be a conduit for hacking into the network?
Colin O’Flynn, founder of the ChipWhisperer open source project for hardware security, decided to poke around and see what was possible. He presented his results in a white paper and a Thursday morning talk here at Black Hat.
The good news is O’Flynn (on the right in the photo above) determined it wouldn’t be easy to create that worm, at least not right away. In fact, O’Flynn liked a lot of what he saw in the Hue design; its security weak spots are the results of trade-offs that were understandable, he said.
The bad news is that he’s certain the worm is possible. Even worse, the bulbs can indeed be hacked and controlled by someone who isn’t even in the building. That’s what Ph.D. student Eyal Ronen (pictured at left above) demonstrated during the talk.
Send in the Drones
O’Flynn likened Ronen’s talk to an opening act that’s so much better than the headliner — which sounded like Canadian modesty (O’Flynn is from Halifax, Nova Scotia) but turned out to be true. O’Flynn’s talk was good, but Ronen’s had cool video footage from a drone.
Ronen’s segment wasn’t originally part of the talk. He’d been researching the Hue as well, so he contacted O’Flynn after the Black Hat schedule had been published, noting that their work had some similarities.
Ronen couldn’t offer the level of technical detail that O’Flynn did, as Philips is still fixing the vulnerabilities he disclosed to them. But he did present a demo: a video of himself driving by a building at the Weizmann Institute of Science, where he’s doing his studies. From the car, while in motion, he was able to get Hue bulbs to flicker on and off.
With the drone, he did the same for an office building, one that houses the likes of RSA and Oracle. (One of Ronen’s professors happens to be Adi Shamir, the “S” in RSA.) From a distance of 350 meters, he got the lights to blink on and off in a Morse code S-O-S pattern.
The significant thing here is that the lights are supposed to be run only by a controller 10 to 20 centimeters away. Ronen’s hack showed that the distance limitation can be overcome.
Taking Hue Apart
The bulk of O’Flynn’s talk went into his dissection of the Hue bulbs and their bridges, the base stations the bulbs connect to. He started by recounting one known weakness in the way a bulb receives network keys.
The bulb has to be told what network to join and must receive a key for that network. And you want that key to be sent in encrypted form, especially since it’s getting delivered wirelessly, through a protocol called ZigBee Light Link (ZLL).
The problem is that Philips uses the same master key to encrypt that network key for every bulb. And, of course, that master key has been leaked.
While that might sound like a blunder on Philips’ part, O’Flynn was sympathetic to the idea of a shared master key. You don’t want a lot of number-crunching to go on inside a smart bulb, because the extra processing adds to the cost and eats up space. So Philips opted for what’s called a symmetric key scheme, a well-known concept.
Moreover, knowing the master key doesn’t necessarily buy you a lot. “It means you can only potentially take over a bulb or sniff the joining process,” O’Flynn said. “You’re not going to be able to get the network key.”
When O’Flynn dug into Hue’s memory, using hardware hacking techniques to discern how the bulb operates, he found some things he liked. Memory gets wiped right after being used, for example, which means certain hacks can only work within slim time windows.
“There are quite a few steps taken to stop you from hacking these devices,” he said.
And while the master key has been leaked, O’Flynn noted that it at least wasn’t obvious to find inside the bulb’s memory.
There’s another key, though, that could cause trouble. The bulbs seem to use the same encryption key for their firmware. This key hasn’t been leaked yet, and O’Flynn wasn’t able to spot it in memory either. Discovering this key would be a major step, because it would let a hacker overwrite the bulb with any desired programming. That’s how the theoretical light bulb worm could be inserted.
O’Flynn also described a way to get root access to the Linux operating system running on the Hue’s bridge. He made it sound easy — and cool, in that it involved using a paper clip to short out the memory chip.