Watch a drone hack a room full of smart lightbulbs from outside the window


The Internet of Things is turning into a security nightmare. Following that massive DDoS attack that used an IoT botnet to interrupt major swaths of the internet a few weeks ago, The New York Times outlines a threat detailed in a new report pleasantly titled "IoT Goes Nuclear." In it, researchers detail a scenario whereby connected devices are infected by a worm that sets off a chain reaction, theoretically creating a doomsday-like scenario for smart cities containing millions of densely interconnected devices. The team demonstrated the threat by infecting a Hue lamp with a virus that then spread by jumping from one lamp to its neighbors, whether the lights were on the same private network or not. Worse yet, the researchers didn't need physical access to the lights: they were infected wirelessly by a drone or car while still a few hundred feet away. In the video above you can see the lights being hacked to signal SOS repeatedly in Morse code. As the drone draws closer you can see more lights starting to blink as the worm spreads across devices.

Researchers from the Weizmann Institute of Science and Dalhousie University were able to execute the chain-reaction attack by exploiting a vulnerability in the ZigBee wireless communications protocol, a widely used home automation protocol found at the core of millions of today’s most popular smart home devices — Philips Hue lighting is just one example. The infected payload was delivered by exploiting a weakness in Philips’ encryption to force an over-the-air firmware update using an "autonomous attack kit" built from "readily available equipment" costing just a few hundred dollars. In other words, anyone with the knowledge and motivation could execute a similar attack.

Philips was alerted to the vulnerability and a patch was issued last month. Nevertheless, the world is now flooded with insecure "smart" devices thanks to the simultaneous rise of dirt-cheap wireless modules, and the availability of free Kickstarter and Indiegogo money to fund even the most ridiculous ideas. So expect things to get worse before they get better.

Correction: The original version of this article identified Nest thermostats as ZigBee devices. While the original Nest shipped with ZigBee in 2011, all recent devices use Google's Thread and Weave protocols.