Weaknesses in a popular brand of light system controlled by computers and smartphones can be exploited by attackers to cause blackouts that are remedied only by removing the wireless device that receives the commands, a security researcher said.

The vulnerabilities in the Hue LED lighting system made by Philips are another example of the risks posed by connecting thermostats, door locks, and other everyday devices to the Internet so they can be controlled by someone in the next room or across town. While the so-called Internet of Things phenomenon brings convenience and new capabilities to gadgets, those benefits come at a cost. Namely, the devices are susceptible to the same kinds of hack attacks that have plagued computer users for decades. The ability to load a Web page that causes house or office lights to go black could pose risks that go well beyond the typical computer threat.

"Lighting is critical to physical security," Nitesh Dhanjani, the researcher who discovered the weaknesses and developed proof-of-concept attacks that exploit them, wrote in a blog post published Tuesday. "Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences."

The most serious vulnerability Dhanjani uncovered was the weak authentication system the Philips wireless controller uses to receive commands from trusted smartphones and computers. It consists of a security token containing the device's unique media access control (MAC) identifier that has been cryptographically hashed using a known algorithm. These hardware addresses are trivial to detect by anyone on the same network, and often by people within radio range of a device, making them unsuitable for authentication. It's tantamount to using a hashed street address as the combination to lock a front door.

Dhanjani's exploit arrives in Java code that can be delivered when browsing compromised websites or websites dedicated to serving attack pages. It combs through the address resolution protocol (ARP) cache of a local network to find all connected devices. The exploit then runs the MAC address of each discovered device through the MD5 hash algorithm and includes the output in a security token used to send commands to the light controller. If a command is successfully executed, the exploit repeats it over and over. If a command doesn't succeed, the malware registers a new token every second or so using a different MAC address until a valid one is found.
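To make concrete why a hashed hardware address cannot serve as an authentication secret, here is an added example written for this article; it is not Dhanjani's proof-of-concept code and not Philips' firmware. It models two bridge designs side by side: the MD5-of-MAC token scheme described above, and a variant that issues random tokens only during a pairing window opened by the bridge's physical button, the mechanism Philips' own update mentions later in this article. The bridge also counts rejected tokens, because a steady stream of failed registrations, one per second, is what trial-and-error looks like from the bridge's side. The sample MAC addresses, the 30-second window, the SHA-256 storage of issued tokens, and the failure-rate threshold are all assumptions of the example, not details from the product.

```python
import hashlib
import hmac
import secrets

# Constructed sample MAC addresses for the demonstration (not real devices).
SAMPLE_MACS = ["00:17:88:aa:bb:cc", "b8:27:eb:11:22:33", "3c:22:fb:44:55:66"]


def weak_token(mac: str) -> str:
    """Token scheme the article describes: the hex MD5 of the device's MAC.
    The input is public on the local network, so the token is derivable, not secret."""
    return hashlib.md5(mac.lower().encode()).hexdigest()


class WeakBridge:
    """Model of a bridge that trusts any MD5(MAC) token for a MAC it has seen before."""

    def __init__(self, known_macs):
        self.valid = {weak_token(m) for m in known_macs}
        self.failures = []  # timestamps of rejected tokens, used by the detection heuristic

    def authorize(self, token: str, now: float) -> bool:
        ok = token in self.valid
        if not ok:
            self.failures.append(now)
        return ok

    def enumeration_suspected(self, now: float, window: float = 10.0, limit: int = 5) -> bool:
        """Assumed heuristic: `limit` or more rejected tokens within `window` seconds."""
        recent = [t for t in self.failures if now - t <= window]
        return len(recent) >= limit


class HardenedBridge:
    """Bridge that issues random tokens only while a physical button press keeps pairing open."""

    PAIRING_WINDOW_S = 30.0  # assumed length of the pairing window after a button press

    def __init__(self):
        self.token_hashes = set()  # store SHA-256 of tokens so a storage dump does not leak them
        self.pairing_until = -1.0

    def press_button(self, now: float) -> None:
        self.pairing_until = now + self.PAIRING_WINDOW_S

    def register(self, now: float):
        """Return a fresh 128-bit random token, or None if nobody pressed the button recently."""
        if now > self.pairing_until:
            return None
        token = secrets.token_hex(16)
        self.token_hashes.add(hashlib.sha256(token.encode()).hexdigest())
        return token

    def authorize(self, token: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        return any(hmac.compare_digest(digest, h) for h in self.token_hashes)


def demonstrate() -> dict:
    """Run both bridge designs against the same constructed local network."""
    weak = WeakBridge(known_macs=SAMPLE_MACS[:1])  # only the first device was ever paired
    hardened = HardenedBridge()
    hardened.press_button(now=0.0)
    issued = hardened.register(now=5.0)    # inside the pairing window
    late = hardened.register(now=100.0)    # window closed: must be refused

    # Anyone who has learned a MAC can compute its weak token. Try one candidate per
    # second, the cadence the article describes, against both bridges.
    candidates = SAMPLE_MACS + [f"02:00:00:00:00:{i:02x}" for i in range(6)]  # constructed
    weak_hits, hardened_hits = [], []
    for second, mac in enumerate(candidates):
        if weak.authorize(weak_token(mac), now=float(second)):
            weak_hits.append(mac)
        if hardened.authorize(weak_token(mac)):
            hardened_hits.append(mac)

    return {
        "weak_accepts_derived_token": weak_hits,
        "hardened_accepts_derived_token": hardened_hits,
        "hardened_issued_token_works": issued is not None and hardened.authorize(issued),
        "hardened_refuses_outside_window": late is None,
        "weak_bridge_flags_enumeration": weak.enumeration_suspected(now=float(len(candidates))),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The weak bridge accepts the derived token for every MAC it has ever paired with, because nothing in the token is unknown to a bystander on the network. The hardened bridge rejects every derived token: its tokens come from a random number generator, exist only if someone pressed the button, and are stored hashed so that even reading the bridge's storage does not yield a usable credential. The failure counter is the detection side of the same story: a deterministic token scheme invites guessing, and guessing shows up as a burst of rejected registrations.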

The Philips system, which Ars has reviewed in detail before, allows people to use smartphones or computers connected to the Internet or local networks to turn lights on and off and control the color of ambient lighting. The video below demonstrates how the vulnerability can be exploited to create a blackout that lasts as long as the lights are connected to the wireless control bridge. Even disabling the smartphone or computer the exploit abuses to take control of the system may not be enough to turn the lights back on if there are other devices on the network that have already been authenticated.

While Dhanjani's proof-of-concept code is rudimentary, it's not outside the ability of a determined attacker to write more sophisticated code that could exploit the vulnerability in large numbers of light controllers all at once.

"Imagine the power of a remote botnet system being able to simultaneously cause a perpetual blackout of millions of consumer lightbulbs," Dhanjani wrote in a more detailed analysis. "As consumer [Internet of Things] devices permeate homes and offices, this scenario is increasingly likely in the near future."

The researcher said he attempted to contact Philips representatives privately to notify them of the vulnerabilities he found in their product, but the best he was able to do was exchange a few messages over Twitter. The inability of a white-hat hacker to report defects like these is the biggest concern consumers should have. If Philips or any other company wants to offer Internet-connected hardware or services, it should first establish the kind of secure development programs in place at Microsoft, Apple, and Google. That way, people who buy these new devices won't be subject to the kinds of attacks that targeted users of Windows XP a decade ago.

"It is important that Philips and other consumer [Internet of Things] organizations take issues like these seriously," Dhanjani wrote. "In the age of malware and powerful botnets, it is vital that people's homes be secure from vulnerabilities like these that can cause physical consequences."

Update:

In an interview on Wednesday, George Yianni, head of technology for connected lighting at Philips, told Ars the Hue lighting system was intentionally designed to grant access to any device connected to a user's home network. Company designers did this by using security tokens that are generated without requiring a user to press a special authentication button on the wireless bridge of the system.

"We've made the choice to make this token something which any app that runs on your phone can also generate," Yianni said. "People have 20 different Hue apps on their phone and we wanted to have these apps be able to share the same security tokens with each other so the user would not have to go and press the button on the bridge every single time he installs an app."

Yianni also said the company is going to make it easier for researchers to privately report security vulnerabilities.