International researchers have demonstrated how simple it is to hack into internet-connected appliances, often called the ‘Internet of Things.’ As connected devices proliferate around the world, so does the risk of hacking attacks and disruptions.

Last month’s massive distributed denial-of-service (DDOS) attack crashed or slowed down scores of major internet providers and services across the US. No information was compromised, but the disruption affected popular services such as Twitter and Spotify. The hacking group that claimed responsibility says it was a demonstration of vulnerability.

A new paper from cyber-security researchers at Israel’s Weizmann Institute of Science and Canada’s Dalhousie University shows that malicious hackers could cause a “nuclear chain reaction” by hacking into ‘smart’ lightbulbs or other popular IoT household devices.

Read more

“The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack,” wrote Eyal Ronen, Colin O’Flynn, Adi Shamir and Achi-Or Weingarten in the paper, titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction.

The researchers exploited a flaw in the ZigBee wireless communication protocol to suborn Philips Hue lightbulbs. The protocol is also used by Nest thermostats and Logitech Harmony Ultimate home-control hubs, among other devices.

Using a flaw in Philips’ encryption to force a firmware update, the researchers delivered their worm to the lightbulbs and made them do their bidding.

“We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product,” the researchers wrote.

The first demonstration involved the researchers remotely activating lights inside a building, from a passing car some 70 meters (76 yards) away.

This was followed by a more ambitious hack, using a drone against a building hosting numerous security companies from a distance of 350 meters (380 yards).

The researchers noted several possible malicious applications of the hack, from ‘bricking’ the IoT devices and rendering them permanently disabled, to jamming the wireless networks across cities using test protocols to overwhelm the 2.4 GHz frequency commonly used by WiFi devices. Another possibility would be for hacked ‘smart lights’ in a city to simultaneously turn on and off multiple times, placing a strain on the electrical grid – or causing epileptic seizures among the vulnerable.