Self-Propagating Smart Light Bulb Worm

This is exactly the sort of Internet-of-Things attack that has me worried:

"IoT Goes Nuclear: Creating a ZigBee Chain Reaction" by Eyal Ronen, Colin OFlynn, Adi Shamir and Achi-Or Weingarten.

Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already).

To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.

EDITED TO ADD: BoingBoing post. Slashdot thread.

Posted on November 9, 2016 at 6:54 AM • 29 Comments

Comments

Rackham Le RougeNovember 9, 2016 7:59 AM

I couldn't load the PDF so I haven't read the full report, but immediately come to think of the risk such lamps being used as a covert channel to exfiltrate information from e.g. air gapped systems. Imagine a malicious code specially tailored to use a chain of lamps by altering color or brightness, or any other property of the light barely detectable to the human eye, but enough to carry a signal readable by a photo sensor. An attacker could then, after successfully inserting the code, receive information just by observing a building from outside its perimeter- even if the compromised system is not even in a room with windows.

And what if, in addition, the firmware was updated with malicious software for keystroke recognition from wi-fi distortion? (https://www.schneier.com/blog/archives/2016/08/keystroke_recog.html)

Clive RobinsonNovember 9, 2016 8:01 AM

@ Wiredog,

Try explaining that headline to yourself circa 20 years ago

Agreed, or in the future for that matter, when smart is nolonger smart in the lexicon. A couple of double quotes around "Smart Light Bulb" should --now-- make it about as clear as it's ever going to get ;-)

Which gives rise to a silly thought for you, back in the days of TV and Movie cartoons upto the 1970's a light bulb was shown in a "thought bubble" as a metaphor for a "bright idea" or "smart thinking" (some say due to Edison). What will future historians make of it and our current "Smart Light Bulb" usage...

Clive RobinsonNovember 9, 2016 8:09 AM

@ Rackham Le Rouge,

I haven't read the full report, but immediately come to think of the risk such lamps being used as a covert channel to exfiltrate information from e.g. air gapped systems.

Care to think a little further... Some "smart lights" have sensors as well, and due to cost reasons these tend to work as well at the top end of the IR band as they do at the bottom end of the visable light band, sometimes better. Think of what you could do with an IR laser diode etc...

hawkNovember 9, 2016 9:13 AM

--> "This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product."

CallMeLateForSupperNovember 9, 2016 11:35 AM

I cannot get my head around the apparent lure of using a phone to control a effing coffee maker, light or whatever. Must be the novelty: "ORDINARY lights make you un-ass your La-Z-boy lounger to control them; Miracle Lamp is controlled by your fart phone, which you already schlepp everywhere, like a pet rock."

TedNovember 9, 2016 11:37 AM

The DIGIT Act ('Developing Innovation and Growing the Internet of Things' Act) was introduced in the Senate in March 2016. Cory Booker is one of the four US Senators who proposed the legislation, and he provides a good summary here. Other good summaries are here and here.

Essentially, the bill would direct the Federal Communications Commission (FCC), in consultation with NTIA, to request public comment on the current and future spectrum needs of the IoT, including regulatory barriers and the development of the licensed and unlicensed spectrum.

“S.2607 - DIGIT Act”
https://www.congress.gov/bill/114th-congress/senate-bill/2607

“S. Rept. 114-364”
A report added to the legislation this September provides additional guidance.
https://www.congress.gov/congressional-report/114th-congress/senate-report/364

hawkNovember 9, 2016 11:51 AM

Expect IoT security to follow the same journalistic hype cycle as anything else.

The writer's oath;
1) if you don't know anything firsthand, just copy someone else. This ensures ideas propagate like viruses, whether good or bad. Cherry-pick events that seem to corroborate idea.
2) wait for the hype cycle to dwindle, then abruptly swing to contrarian position. This ensures you won't be ignored.

Something like this:
1) Armageddon is here because of IoT - you heard it from me first - the real source of investigative journalism.
2) Is IoT really that bad? Who told you that? What, me worry? See how cool I am? There's nothing to worry about. Just use a stronger password.
3) Rinse and Repeat

paulNovember 9, 2016 12:35 PM

@hawk:

Until someone develops a payload that can detect people writing about IoTmageddon (either from sensor analysis or by scanning their files) and selectively DDoSes them using local devices. Problem solved.

One of the things that amazes an old person like me about all these smart devices is how much power (CPU, memory) they need just to do the internet part of their job, with the result that they will almost always have the horsepower to accomplish whatever complex side task is set them.

hawkNovember 9, 2016 4:09 PM

@paul

And processing power, memory... incredible. The Samsung Gear 3 smart watch/fitness band hosts a dual-core 1GHz Exynos micro with 768 MB ram and 4 GB flash. It runs the Linux-based OS. It supports Bluetooth, WiFi and MST. Throw in GPS, mic + spkr, accelerometer + gyro, barometer, and more. On your wrist!

Computer Repair PhoenixNovember 9, 2016 5:07 PM

IoT will be problematic so long as they keep using 'password' as the default admin password on the devices! Why can't they make a random password and print it somewhere on the box of the items? Sure it makes it difficult, but at least it won't be added to the Mirai botnet!

Clive RobinsonNovember 9, 2016 11:15 PM

@ hawk, paul,

And processing power, memory... incredible. The Samsung Gear 3 smart watch/fitness band hosts ... and more. On your wrist!

Some time ago @Nick P and I had a little joke about the TV NCIS show and their "incredible" computers,

I joked that "that's nothing" and detailed a computer on my wrist that did everything... But needed an eighteen wheeler for the battery and a twenty four wheeler for the cryogenic unit to keep it cool.

So my "futureologists goggles" had predicted the rise of the "wrist bound data center" B-)

Unfortunately when I tried to "google" for it[1], I keep getting the,

    Some results may have been removed under data protection law in Europe.

Yet it did give me a link back to 2014 where I mentioned about the joke before,

https://www.schneier.com/blog/archives/2014/05/computer_forens_2.html#c6018237

[1] People have demanded I give "links" in the past for my predictions (why I don't know ;) and I've bumped into the same self message. And @Wael amongst others have found the links, so...

WaelNovember 9, 2016 11:39 PM

@Clive Robinson,

People have demanded I give "links" in the past for my predictions (why I don't know ;)

Put two and two together! This is a security site, we talk about cryptography and steganography. You drink tea and predict the future, so... They are wondering whether we should add Tasseography to the discussion list.

What do the leaves say today, huh?

Clive RobinsonNovember 10, 2016 1:15 AM

@ Wael,

Are you saying that my choice of "strong Brownian motion generator" has a Maxwell's Demon working for me?

WaelNovember 10, 2016 1:35 AM

@Clive Robinson,

has a Maxwell's Demon working for me?

Absolutely! And you should be happy about it. At least your thermodynamic Demon isn't like the Hiesenberg rat bastard genie that works for me. He isn't certain about anything.

Oox7aekiNovember 10, 2016 3:08 AM

> the global AES-CCM key that Philips uses to encrypt and authenticate new firmware

In 2016? Seriously?

lvps1000vmNovember 10, 2016 5:17 AM

Not sure about twenty, but fifteen years ago the preachers of the "Internet of things" were already chanting the marvels of it: 'Your Fridge and Toaster Will be *Sensible* Devices'

So yes, 15-20 years ago I would've absolutely believed this.

Tuna CanoeNovember 10, 2016 6:04 AM

why would it make sense to run mains voltage cables inside the ceiling and walls just to provide 10mA of electric to light a room? seems as sensible as gas powered streetlights.

we use stick on led lights in all our metal lined rooms, push button though, not mirai.

Phillip ReedNovember 10, 2016 8:06 AM

Why can't they make a random password and print it somewhere on the box of the items?

Makes it hard to reprogram the bulb in two years, after you've lost the box. I agree (tentatively) with the idea, but print it on the bulb.

Alpha NovemberNovember 10, 2016 6:30 PM

This is just bad science (I'll leave it up to the reader to decide if it was intentional to get the result the researchers wanted to hear or not). Assuming that lights are located randomly? Ignoring all topology and radio interference? There's also a number of unfounded statements (e.g. "which had almost certainly been surpassed already"). Given the "explosively" worded summary, it's no wonder it's popular. Fortunately (or unfortunately, depending on your perspective) that doesn't mean it's true.

albertNovember 11, 2016 11:36 AM

@Clive,

Many years ago a guy named Forest Mims discovered that an LED can function as a light detector. (This can be demonstrated with an LED and DMM). To say that LEDs are ubiquitous is an understatement. I wonder if a bicolor LED could work as a receiver, even when one color was active.

This might be a great way to monitor things. IIRC, UV-erasable EPROMs will also generate output when illuminated.

P.S. Programmable light bulbs are the height of foolishness. Until the next stupid fad comes along.

. .. . .. --- ....

Clive RobinsonNovember 12, 2016 2:14 AM

@ Albert,

Many years ago a guy named Forest Mims discovered that an LED can function as a light detector. (This can be demonstrated with an LED and DMM). To say that LEDs are ubiquitous is an understatement.

If you want a smile, look back on this blog a while to where I told @Figureitout about the bi-directionality of LEDs. His reaction was one that you could visualize the look on his face.

The simple fact is as I point out from time to time that most transducers are bi-directional so "speakers as microphones", "motors as generators" etc.

Which brings us to your question,

I wonder if a bicolor LED could work as a receiver, even when one color was active.

Yes, but more importantly the same is true of a single active LED, the laws of physics demand this.

Think of it like a water cistern filled from a watermain by a float switch, with a simple constricted flow outlet. If you have a preasure sensor in the watermain you can detect the shock wave of the float switch opening and closing and display it on an oscillograph etc. The graph would remain constant, unless you either restricted the outlet or added more water from another source to the cistern in which case the oscillograph would change proportionately to reflect these changes.

The use of this principle you are most likely to have to hand is the Back EMF motor speed control circuit, in your computer or cordless drill. You can find designs for "model railway" enthusiasts going back to the early days of transistors in the 1960's along with accompanying detailed explanations.

It's known that the Russian's amongst others used a similar technique in car radios in dipolomatic etc cars. And you can find circuits that will do the same thing in magnetic tape recorders where a bias signal is used to linearize the performance of the tape head and tape.

Less well known is the microgram weighing machines. These in effect use a "speaker coil" to lift the weighing plate. Any fractional increase in weight causes an increased current to flow to hold the weighing plate in the same position.

The problem with all of these systems is that of distinquishing the required signal from the undesired signal which can be thousands if not millions of times larger. Various tricks are used to "null out" the undesired signal. There are electronic circuits that can achive wanted signal recovery in the presence of unwanted signals 90-100dB larger (ie ten to the ten). You can look up the idea behind "Chopper Amplifiers" and "Parametric Amplifiers" to see some of the less obvious and more sensitive ways.

As for UV Erasable PROMs, the effect is actually the photovoltaic effect all semiconductors suffer from. I once got caught out with this with a very very low power single chip microprocessor development part. Working code developed un explainable software bugs when near a window during the day but not "after dark" when most of the best software debugging takes place ;)

albertNovember 12, 2016 3:42 PM

@Clive,

:)

Bright sunlight can also erase those EPROMS.
What I envisioned was a house full of those innocent little LEDs, babbling away like, well you know...

I've used those super thin piezo 'speakers' as mics. Again, innocent looking hardware.

@Alpha November,

OTOH, I'll bet Phillips would just love it if 'all the city lights' were Phillips Huetm smart lamps.

. .. . .. --- ....

Clive RobinsonNovember 12, 2016 5:33 PM

@ Albert,

What I envisioned was a house full of those innocent little LEDs, babbling away like, well you know...

You mean... "babbling away like," a little brook that one day to nearly everyones surprise becomes a raging torrent that sweeps aside all those places where privacy once dwelt?

FigureitoutNovember 12, 2016 10:46 PM

Clive Robinson
--Yeah that shocked me. I mean, of course any component won't be perfect, I just wasn't expecting something like 1.3V from a weak flashlight (using a crappy dmm too, could be a little more). Didn't do current measurement. Putting 1 diode (1n4007 or 1n4148) in series on anode line of LED nearly halved that voltage. I did 2 and went down to 0.3V IIRC. Did 3 and it stayed the same I think. Proper solution is probably a FET or BJT as a switch, if you want to turn on LED you switch on transistor and LED goes on. When off, there's an open. I know one MCU we use is suppose to tri-state all the other pins not in use by default (smart default), this makes it more ESD resistant, and I believe would fight some of hollywood remote injection attacks you've barely described.

Clive RobinsonNovember 13, 2016 9:51 AM

@ Figureitout, Albert,

... and I believe would fight some of hollywood remote injection attacks you've barely described.

Oh that they were just "Hollywood", you know @Bruce's mem about PhD to scriptkiddy in a year or so. Well the same applies to hardware only even more so currently. For a few reasons...

As you know I've talked occasionaly about some of the things I did with what are now called "EM Fault Injection Attacks" that are effectivly "TEMPEST in reverse" back in the 1980's with @RobertT amongst others. And how in effect there was a conspiracy of silence over them, due to a number of reasons (one being way overly broad pattents by the bod who tried to "own" DPA). In effect it turns out that quite a few engineers had independently discovered various asspects, but in effect "self censored" (something I was never any good at ;)

In effect it was the "don't kill the Goose that lays the Golden Eggs" syndrome. Which we know know the likes of the Five Eyes used to their own advantage for thirty years or so.

Even though mentioned here and on other blogs most were compleatly disbelieving. Have a look at the early days of BadBIOS discussions. Even here when RobertT and Myself chatted with Mike the Goat about the use of Ultrasound the general response could have been expressed as "Stop with the bad weed"...

Then a few "academics" said "Oh this is easy, and here's how", but even then few in ITSec were convinced. Then some bloke in Hawaii, went to Hong Kong, with a Rubics Cube and a laptop, and the brown stuff went flying. As a result the "catalog" of devices appeared, and the displeavers were effectivly saying still "not possible". But I amongst others pointed out that it was not just well within the laws of physics but previous leaked material that showed that such goings on had been happening from as early as WWII. But more importantly the stuff in the catalog was realy realy "old hat".

Move forward a year or so and the Corporate PII thieves started using ultrasound to track people etc, and still many "don't get it"...

The thing is I know as do others of a lot more tricks that would blow the socks off of Hollywood. I've mentioned some, but so far the academics and engineers appear to be self censoring more than ever, and I guess these days even I grok their concerns...

FigureitoutNovember 14, 2016 1:27 AM

Clive Robinson
--Yeah, making a clock drift, was the gist of your "fault injection" attack. The engineer in me knows there's probably a lot of problems w/ it, compared to avoiding RF. Certainly could do some damage, then again so could any oddball noise. Seemed more academic in nature (you needed a lot of energy very close), and never deployed. That would be mostly annoying and may lead to worthless bug chases (wasting time). Hope you didn't waste people's precious time too much or lead to false fixes to false problems.

Ultrasonic comms has been proven but can be defeated by sound proofing, making more noise, using fans, and removing any noticeable speakers/microphones. When there's all kinds of solid countermeasures, the attack isn't as scary.

I was referring to a hack you said, came in thru an LED attached to some GPIO line (maybe serial line), and you were able to write serial data to memory in the MCU; hinting at the possibility of injecting instructions into maybe von Neumann type MCU's where code and instructions aren't separated as much. Actually succeeding w/o crashing MCU or triggering a reset, very non-trivial.

I seem to be experiencing something like this occasionally, using ISP programming method for ATtiny's. A bit gets set, in what seems randomly, and the dirty workaround is to change the programming speed around. I'm not sure how to track this down just yet (and I've got too much other stuff to do, if it sets the bit it's setting everytime then I could justify looking into it further) but it irritates the hell out of me.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.