The Internet of Things is turning into a security nightmare. Following that massive DDoS attack that used an IoT botnet to interrupt major swaths of the internet a few weeks ago, The New York Times outlines a threat detailed in a new report pleasantly titled “IoT Goes Nuclear.” In it, researchers detail a scenario whereby connected devices are infected by a worm that sets off a chain reaction, theoretically creating a doomsday-like scenario for smart cities containing millions of densely interconnected devices. The team demonstrated the threat by infecting a Hue lamp with a virus that then spread by jumping from one lamp to its neighbors, whether the lights were on the same private network or not. Worse yet, the researchers didn’t need physical access to the lights: they were infected wirelessly by a drone or car while still a few hundred feet away. In the video above you can see the lights being hacked to signal SOS repeatedly in Morse code. As the drone draws closer you can see more lights starting to blink as the worm spreads across devices.
Researchers from the Weizmann Institute of Science and Dalhousie University were able to execute the chain-reaction attack by exploiting a vulnerability in the ZigBee wireless communications protocol, a widely used home automation protocol found at the core of millions of today’s most popular smart home devices. Philips Hue lighting is just one example; other notable ZigBee devices include the Nest thermostat and Logitech Harmony Ultimate home-control hub. The infected payload was delivered by exploiting a weakness in Philips’ encryption to force an over-the-air firmware update using an “autonomous attack kit” built from “readily available equipment” costing just a few hundred dollars. In other words, anyone with the knowledge and motivation could execute a similar attack.