This was on full display when a flaw was discovered that exposed the home networks of people using the very popular Philips Hue smart bulbs. Researchers from cyber security firm Check Point revealed how a bug enabled them to infiltrate the bulbs with a drone that hovers outside a building. They were able to gain access to the bulbs as well as the control bridge that leads to the users’ network, which means it is possible to compromise a person's home network or even that of a business or smart city using the bulbs.
To infiltrate the users’ network, the researchers exploited a previously discovered bug that Philips hadn’t fixed, which allowed them to control aspects of the bulb like brightness and color. The researchers lowered and raised the brightness or changed the color to trick the user into believing the bulb had a glitch. The user would then reset the product by deleting it from their app and attempting to rediscover it. However, once they rediscovered the compromised bulb, it was able to offload malware onto the control bridge. The users’ home network is linked to this central hub, which means the malware or spyware could infect the entire network.
Check Point Research Head of Cyber Research Yaniv Balmas said: “Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as light bulbs can be exploited by hackers and used to take over networks or plant malware.”
Although this vulnerability has now been fixed, it serves as a powerful reminder of how cautious we all need to be when it comes to the devices we allow to access our home networks. For example, the vulnerability behind the Philips Hue bulbs and hubs is in the Zigbee communications protocol that is used by many other smart home brands, including Honeywell thermostats, Belkin’s WeMo, Amazon Ring, Ikea Tradfri, Comcast’s Xfinity Home alarm system and Samsung SmartThings.
Recently, researchers from the cybersecurity firm Forescout Technologies released a report outlining how they identified vulnerabilities in the software used by millions of connected devices that could be exploited by hackers to disrupt home and business computer networks. In response, the U.S. Cybersecurity and Infrastructure Security Agency flagged the issue in an advisory.
The devices affected came from around 150 manufacturers and covered everything from smart thermometers and plugs to printers and industrial control systems. Most, however, were consumer devices that had remote-controlled cameras and temperature sensors.
In 2019, the personal information of thousands of users of the popular doorbell camera Ring was compromised, exposing login names, passwords and the names of cameras such as “front door” or “bedroom,” potentially allowing hackers to see inside people’s homes; there have also been incidents of hackers taking over cameras to communicate with and frighten children.
In many cases, poor programming by developers is behind the issue. Experts say that in the worst cases, we could see attacks on the control systems driving critical services like power and water. Any device that is connected to the internet is vulnerable, and although some might be willing to take certain risks in exchange for the convenience of having a cell phone, is being able to see inside your fridge while you’re away from home or having your lights turn on before you walk in the door really worth exposing your family and network to hackers?
Sources for this article include: