IoT lightbulb worm takes over all smart lights until entire city is infected

News by Danielle Correa

A research team has set up a chain reaction attack that would take over Philips Hue smart lightbulbs across entire cities

Researchers have developed a proof-of-concept attack on smart lightbulbs that allows them to wirelessly take control over the bulbs from up to 400m.


The attack involves writing a new operating system to one of the light bulbs. The infected bulb then uses its trusted status to spread the infection to all vulnerable bulbs in reach, until an entire city is infected, “enabling the attacker to turn all the city lights on or off permanently brick them, or exploit them in a massive DDoS attack”, according to the researchers.


The research team from Dalhousie University in Canada and the Weizman Institute of Science in Israel demonstrated attacking bulbs by drone or ground station. The researchers chose to work with Philips Hue lightbulbs, one of the market leaders in smart lighting systems in the market.


“If we want to look at worst case scenarios then the damages could be significant. Apart from the obvious cases of turning off lights in very dark areas that could cause the human occupants to lose their footing and injure themselves, we need to consider the dangers of strobing LED lighting that could cause epileptic seizures. It could also be used to cause disruption to other Wi-Fi networks using the 2.4 GHz spectrum. If enough lightbulbs are connected and compromised they could be used to form a DDoS attack,” said Mark James, security specialist at ESET, in commentary to


One of the flaws allowing for this can be found in the Zigbee wireless protocol implementation used in the Hue system. Researchers showed that they could hijack the bulbs from nearly half a kilometer away as it does not encrypt all traffic between devices.


Another flaw was found in the system the bulbs use for system updates. The updates are cryptographically signed using a very strong algorithm. However, the researchers were able to extract the keys from one lightbulb and, because the same key is used in every bulb, were able to use them to sign their own malicious updates.

The attack targets devices by Zigbee signals, making it almost impossible to defend against through traditional methods such as firewalls.


In their report, the researchers said “the worm can rapidly retake new bulbs which the user has attempted to associate with the legitimate base station, making it almost impossible for vulnerable bulbs in range of another infected bulb to receive an [over the air] patch before the worm has spread”.


Users must first set up the Philips Hue app in order to receive automatic patches before attacks take place since the worm can easily override update attempts.


“Philips have already issued a patch to resolve this particular issue but getting the patch is not as easy as it should be. These types of issues can often arise from using common technologies that may be flawed, it once again highlights the dangers of an interconnected world running to embrace technology with security taking a back seat,” James said.


“Fixing the malicious software update will require physical replacement of every affected lightbulb with a new one, and a waiting period for a software patch to be available before restoring light. This scenario might be alarming enough by itself, but this is only a small example of the large scale problems that can be caused by the poor security offered in many IoT devices,” the report stated.


In emailed commentary to SC, Alex Mathews, EMEA technical manager at Positive Technologies said: “This is a sign of a worrying bigger picture trend. As more and more IoT devices are connected to the internet, they bring with them countless vulnerabilities because they simply aren't created with security in mind. The creators of devices such as this typically prioritise consumer appeal, not potential threats from hacking, and this creates a potential risk. Even when a vulnerability is known or discovered, all too often manufacturers cannot fix them as they typically lie within third party components and/or the cost is too prohibitive.


“If we're to stem the deluge of IoT insecurities, there needs to be comprehensive, agreed-upon guidelines on how to secure such apparatus. Hardware manufacturers, service providers, security experts and everyone else in between needs to be aware of this, and cooperate with one another.”

Stephen Gates, chief research intelligence analyst at NSFOCUS IB commented: "Industrial IoT devices are a major concern for security researches worldwide.  The implications of these devices being hackable is very alarming. From widespread outages to takeover by botnet herders, soon we will likely have smart lights and a litany of other industrial IoT devices being used to wreak havoc on a scale never witnessed before. Manufacturers need to recognise that almost anything is hackable and put appropriate protects into place. Recommendation: hire the hackers to test your systems before making them publicly available. Whatever happened to 'due care'?"  

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews