Researchers have developed a proof-of-concept worm they say can rip through Philips Hue lightbulbs across entire cities – causing the insecure web-connected globes to flick on and off.

The software nasty, detailed in a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF], exploits symmetric encryption keys hardcoded into every bulb to push its own firmware to devices over ZigBee wireless networks. Because the takeover happens entirely over the air, the malware can compromise a single light globe from up to 400 metres away.

The worm can then spread from a single smart bulb to those nearby thanks to the use of these skeleton keys.

The attack is the handiwork of researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten of the Weizmann Institute of Science, Israel, along with Colin O'Flynn of Dalhousie University, Canada.

It prompted Philips to release a firmware patch for owners of its "Hue" connected bulbs. Getting it is not without some risk: the automatic patches only reach bulbs that have been paired with the Philips Hue app, and that has to happen before an attack, since the worm can easily beat a legitimate update to a bulb.

The researchers say "... the worm can rapidly retake new bulbs which the user has attempted to associate with the legitimate base station, making it almost impossible for vulnerable bulbs in range of another infected bulb to receive an [over the air] patch before the worm has spread."

The quartet found that the Philips Hue update mechanism does encrypt and authenticate firmware images, but does so with AES-CCM under a single key shared by every Hue lightbulb ever made, and that key could be recovered from one bulb using a side-channel attack.

(We note that, in general, a side-channel attack isn't needed to crack an embedded device that uses symmetric keys: if the firmware can be read out of the chip, the hardcoded secret can simply be lifted from it, and once one copy leaks, every device sharing that key is open.)
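The weakness described above, one symmetric key shared by every bulb and used both to check and to mint firmware updates, is easy to show in a few lines. The following is an added illustration, not Philips' update code and not the researchers' attack tooling. HMAC-SHA256 stands in for AES-CCM's authentication tag, since the lesson is about who holds the key rather than which cipher is used; the keys, device identifiers, fleet size and firmware bytes are all constructed.

```python
import hashlib
import hmac

# Added example, not Philips' or the researchers' code. HMAC-SHA256 stands in for
# AES-CCM's authentication tag: both are symmetric MACs, so anyone who can check a
# tag can also mint one. All keys and identifiers below are constructed stand-ins.

def tag(key: bytes, image: bytes) -> bytes:
    """Symmetric authentication tag over a firmware image."""
    return hmac.new(key, image, hashlib.sha256).digest()

def bulb_accepts(bulb_key: bytes, image: bytes, image_tag: bytes) -> bool:
    """What a bulb does on OTA: recompute the tag with its own key and compare."""
    return hmac.compare_digest(tag(bulb_key, image), image_tag)

# Scheme A: one key baked into every bulb in the fleet (the Hue-style design).
GLOBAL_KEY = hashlib.sha256(b"constructed global ota key").digest()

# Scheme B: each bulb gets its own key, derived by the vendor from a master secret
# and the bulb's identity; the master secret never leaves the vendor's signing host.
MASTER_SECRET = hashlib.sha256(b"constructed vendor master secret").digest()

def device_key(device_id: bytes) -> bytes:
    return hmac.new(MASTER_SECRET, b"ota-auth|" + device_id, hashlib.sha256).digest()

FLEET = [b"bulb-%04d" % i for i in range(200)]   # constructed fleet of 200 bulbs

def provision(scheme: str) -> dict:
    """Key each bulb according to the scheme; returns {device_id: key}."""
    if scheme == "global":
        return {dev: GLOBAL_KEY for dev in FLEET}
    return {dev: device_key(dev) for dev in FLEET}

def worm_spread(scheme: str, compromised: bytes = FLEET[0]) -> int:
    """Attacker extracts the key from one bulb (side channel or firmware dump),
    forges a tag over a malicious image with it and offers that image to every
    bulb in the fleet. Returns how many bulbs accept the forgery."""
    keys = provision(scheme)
    stolen_key = keys[compromised]            # the extraction step, abstracted away
    evil_image = b"\xde\xad firmware: flicker, brick, jam wifi"
    forged_tag = tag(stolen_key, evil_image)
    return sum(bulb_accepts(k, evil_image, forged_tag) for k in keys.values())

def legit_update_reaches(scheme: str) -> int:
    """Sanity check: the vendor, holding the right secrets, can still update everyone."""
    keys = provision(scheme)
    image = b"\x00\x01 legitimate firmware 1.2.3"
    if scheme == "global":
        accepted = [bulb_accepts(k, image, tag(GLOBAL_KEY, image)) for k in keys.values()]
    else:
        # per-device scheme: the vendor emits one tag per bulb (or a per-bulb wrapped key)
        accepted = [bulb_accepts(k, image, tag(device_key(dev), image))
                    for dev, k in keys.items()]
    return sum(accepted)

if __name__ == "__main__":
    print("global key : forged image accepted by", worm_spread("global"), "of", len(FLEET))
    print("per-device : forged image accepted by", worm_spread("per-device"), "of", len(FLEET))
```

Under the global scheme one extracted key lets the forged image walk onto every bulb, which is exactly what lets the worm hop from lamp to lamp; with per-device keys the same extraction buys the attacker only the bulb it was taken from. Per-device keys still leave a forgery capability inside each bulb, though; a public-key signature on the image, with bulbs holding only the verification key, removes it entirely. The example does not model the ZigBee Light Link commissioning step the worm uses to grab a neighbouring bulb in the first place.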

Here's how the team described their malware:

The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

Bulbs do not authenticate one another: any ZigBee node that speaks the Light Link commissioning protocol and holds the shared update key can reset a neighbouring bulb and hand it new firmware, so a compromised bulb is as good as a legitimate bridge, and the attack spreads.

Researchers employed percolation theory to simulate an attack on bulbs across Paris, and found the City of Lights holds enough pwnable bulbs for an attack to spread.


In their model the chain reaction fizzles out when the city contains fewer than roughly 15,000 of the globes, but will "spread everywhere" once there are more than that.
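To make the percolation argument concrete, here is an added simulation of the kind of model the researchers describe; it is ours, not the paper's model or its Paris numbers. Bulbs are dropped uniformly at random over a square city, two bulbs are "in range" if they sit within a fixed ZigBee radius, and the worm reaches exactly the connected cluster containing the first infected bulb. The 10 km by 10 km city and 100 m radius are assumed round numbers, and the 4.51-neighbour threshold is the standard two-dimensional continuum percolation constant, not a figure from the paper.

```python
import math
import random
from collections import deque

# Added example, not the paper's model. Standard 2-D continuum (disc) percolation
# threshold: a giant cluster appears once each node has on average about 4.51
# others within range. Assumed here; real cities are not uniformly sprinkled.
CRITICAL_MEAN_NEIGHBOURS = 4.51

def critical_bulbs(city_area_km2: float, range_km: float) -> float:
    """Roughly how many uniformly placed bulbs a city needs before the worm can
    'spread everywhere' rather than die out in a local cluster."""
    return CRITICAL_MEAN_NEIGHBOURS * city_area_km2 / (math.pi * range_km ** 2)

def simulate(n_bulbs: int, city_km: float = 10.0, range_km: float = 0.1,
             seed: int = 1) -> dict:
    """Drop n_bulbs at random in a city_km x city_km square and flood-fill the
    in-range graph. Returns the mean neighbour count, the fraction of bulbs in the
    largest cluster (what a well-placed seed bulb reaches) and the fraction reached
    from bulb 0 (a seed plugged in 'anywhere')."""
    rng = random.Random(seed)
    pts = [(rng.uniform(0, city_km), rng.uniform(0, city_km)) for _ in range(n_bulbs)]

    # Bucket bulbs into cells of side range_km so each bulb only compares itself
    # against the 3x3 block of cells around it instead of the whole city.
    cells: dict = {}
    for i, (x, y) in enumerate(pts):
        cells.setdefault((int(x / range_km), int(y / range_km)), []).append(i)
    r2 = range_km * range_km

    def neighbours(i: int):
        x, y = pts[i]
        cx, cy = int(x / range_km), int(y / range_km)
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for j in cells.get((cx + dx, cy + dy), ()):
                    if j != i and (pts[j][0] - x) ** 2 + (pts[j][1] - y) ** 2 <= r2:
                        yield j

    cluster = [-1] * n_bulbs   # cluster id per bulb, -1 = not yet visited
    sizes = []                 # cluster id -> number of bulbs in it
    total_links = 0            # sum of degrees, for the mean neighbour count
    for s in range(n_bulbs):
        if cluster[s] != -1:
            continue
        cid = len(sizes)
        cluster[s] = cid
        queue, size = deque([s]), 0
        while queue:           # breadth-first infection from the seed bulb s
            i = queue.popleft()
            size += 1
            for j in neighbours(i):
                total_links += 1
                if cluster[j] == -1:
                    cluster[j] = cid
                    queue.append(j)
        sizes.append(size)

    return {
        "mean_neighbours": total_links / n_bulbs,
        "largest_fraction": max(sizes) / n_bulbs,
        "from_first_bulb": sizes[cluster[0]] / n_bulbs,
    }

if __name__ == "__main__":
    print("critical bulbs for 100 km^2 at 100 m range: %.0f" % critical_bulbs(100, 0.1))
    for n in (5000, 15000, 40000):
        r = simulate(n)
        print("%6d bulbs: %.1f neighbours each, largest cluster %.1f%%, from bulb 0 %.1f%%"
              % (n, r["mean_neighbours"], 100 * r["largest_fraction"],
                 100 * r["from_first_bulb"]))
```

Run it and the behaviour the article describes falls out: well below the threshold the largest cluster is a handful of bulbs, so the infection dies where it starts; well above it a single bulb reaches almost the whole city. With the assumed city and radius the threshold lands near 14,000 bulbs, in the same ballpark as the researchers' figure, though that agreement depends entirely on the assumed radius.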

The off-the-shelf hardware required to pull off the attack would cost a few hundred dollars and is within the technical capabilities of many hackers.


Malicious attackers could also make the globes flicker on and off fast enough to trigger seizures in people with photosensitive epilepsy.

The researchers were not content merely to spread chaos over ZigBee, however. They found that a radio test mode in the bulbs, which transmits continuously in the 2.4GHz band that ZigBee shares with Wi-Fi, could "easily" be used to disrupt nearby wireless networks.

"This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product," the team says. ®