Smart bulbs could be used by hackers to steal data from people and organisations.
According to a research paper, authored by Anindya Maiti and Murtuza Jadliwala from the University of Texas at San Antonio, it is possible for hackers to recover data and even video images from the way bulbs are programmed to respond to audio and video data.
The researchers studied how smart bulbs received commands for changing the brightness and colour of bulbs when music or a video was playing.
According to the paper, the first two attacks are designed to infer users’ audio and video playback by a systematic observation and analysis of the multimedia visualisation functionality of smart light bulbs.
"The third attack uses the infrared capabilities of such smart light bulbs to create a covert-channel, which can be used as a gateway to exfiltrate user’s private data out of their secured home or office network," said researchers.
The attacks rely on how the smart bulbs change colour and brightness when music or video is playing. With audio-visualisation, the brightness level mirrors the source sound, while in video visualisations, the lighting imitates the primary colour and brightness level in the current video frame.
The researchers said that an attacker could create a database of patterns that correspond to songs and videos and use this as a reference for the profile acquired from the victim. Exfiltration of data was possible using transmission techniques such as amplitude and/or wavelength shift keying, using both the visible and the infrared spectrum of the smart bulbs.
Using the techniques outlined in the paper, researchers showed that they were able to extract a video image from a smart bulb at a distance of up to 50 metres.
The third attack could exploit a smart light’s infrared lighting functionality to invisibly exfiltrate a user’s private data out of their secured personal device or network.
"With the help of a malicious agent on the user’s smartphone or computer, the adversary can encode private information residing on these devices and then later transmit it over the infrared covert-channel residing on the smart light," said researchers.
"Moreover, as several popular brands of smart lights do not require any form of authorisation for controlling lights (infrared or otherwise) on the local network, any application installed on the target user’s smartphone or computer can safely act as the malicious data exfiltration agent."
Researchers said that the threats could be mitigated by enforcing strong network rules such that computers and smartphones cannot control smart bulbs over an IP network. "However, such rules may harm the utility of smart bulbs," said researchers.
Javvad Malik, security advocate at AlienVault, told SC Media UK that the research is very interesting, and showcases how smart devices can be used to directly and indirectly attack users and enterprises or be used as spying tools to reveal information.
"With that being said, this type of attack seems unlikely to be seen in the real-world today outside of any specific, highly targeted attacks. There are other attack vectors which exist that bad actors would probably revert to before using such a niche attack," he said.