Lightbulb Worm

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

What is a Lightbulb Worm?

The Lightbulb Worm is an attack on Philips Hue lamps discovered by the research team of Colin O'Flynn, Eyal Ronen, Adi Shamir, and Achi-Or Weingarten. Based on two main attacks in the Zigbee-based Philips Hue ecosystem they provide the ingredients for the first worm that affects smart lighting systems.

The worm has the power to spread only through physical proximity and opens the possibility of deploying malicious code via a firmware update. It only takes one infected lightbulb to be installed, and the worm can spread - through its ZigBee wireless connectivity - directly to the physical neighbors of this lamp. These newly infected lamps would again infect all their neighbor lamps. That can lead to a massive chain reaction that spreads in an epidemic fashion and attacks whole cities. The critical mass to infect all lightbulbs within an urban area like Paris was estimated to be around 15.000 lightbulbs. [1]

Philips Hue and Zigbee Light Link

The research and experiments of constructing the lightbulb worm have been done by using Philips Hue smart lighting systems and exploiting the implementation of their inbuilt ZigBee Light Link Protocol and firmware update mechanisms.

The Philips Hue smart lamp system works as follows: The lightbulbs are connected to a bridge device which creates a network the lightbulbs can join. The bridge controls all the lamps and also contains an IP link. Via the Router, it is connected to the Internet through which you can control your system with the Philips Hue Lightning App. [2]

Philips Hue and ZLL Architecture [2]

Philips Hue lamps communicate with their controllers through the Zigbee protocol and use the ZigBee Light Link protocol. [2]

The ZigBee Light Link protocol is standardized by the ZigBee Alliance and is a very popular standard in the lighting industry because it provides network flexibility and scalability. It also offers high interoperability between products from different vendors. To enable high interoperability, the Touchlink Commissioning protocol is used. It makes the installation of the light bulbs very easy and intuitive. [3]

The Touchlink commissioning protocol creates PANs (Personal Area Networks) and directs every new device placed in proximity to a specific bridge to join the PAN. The new device receives an encryption key that is used to encrypt and authenticate messages within the PAN. This encryption key is unique for every PAN and encrypted by a “Master key."

This “Master key" is a secret key, but it is used and stored on every ZLL-certified product. In the case of Philipps Hue products, the same AES-CCM key was used on every device. In 2015 the key was leaked online and could be found on various websites including Twitter (now X). This resulted in the fact that the team was able to interfere with the encrypted connection of the light bulb and the bridge opening the doors for various attacks.

The Touchlink protocol provides two message types with which the state of a lightbulb can be changed:

1. Reset to factory new request: If the target device receives this message With a valid Transaction ID, it is reset to a factory new state, and all Network information and keys are deleted.

2. Join (or start) network request: With this message, the device is instructed to join the PAN. [2]

Security Features of Philips Hue

Encryption Mechanisms – see Philips Hue and ZigBee Light Link

Proximity Check - prevents a takeover of lightbulbs in the nearest neighborhood.

The proximity check ensures that the initiator is physically very close to the target.
It must be passed successfully to connect lamps to the bridge.
Without the proximity check, any initiator that owns the ZLL master key could instruct lightbulbs to reset to a factory new state or join a new PAN. [2]

Ingredients of the Lightbulb Worm

Take over Attack - the worm moving laterally by spreading from one bulb to another
To perform a take over attack against a Philips Hue lightbulb two major attack vectors were used:
  • The leaked "Master Key" made it possible for the researchers to interfere with the encrypted communication of the bridge and the lightbulb. This enabled them to send the "Factory Reset" and "Join" messages to the targeted bulb.
  • By sending a transaction ID of all zeros, due to an implementation error in the code, the proximity check was bypassed enabling an attack over a greater distance.
So they just had to set the lightbulbs to a Factory New state and make the lightbulbs actively search for ZigBee networks and are open to connection.
Setting them to a Factory New state was possible due to a software bug that could have been found with negative testing during the Zigbee certification process. [2]


Firmware Update Attack - Persistence of code execution on the lamps to take over the control of the lamps
The researchers achieved the Persistence of Code Execution by exploiting the (OTA - Over the Air) update mechanisms of the Philips Hue. It is possible for any device in the network to send a firmware update to another device due to the interoperability approach ZigBee is using. The only limitation still in place was the signature check of the lightbulb. The researchers first found out that the same key is used for all Philips Hue lightbulbs signing the firmware and second what type of encryption mechanism is used (AES-CCM). By using a combination of Correlation Power Analysis (CPA) and Differential Power Analysis (DPA), both of which are side-channel attacks, the research team was able to extract the key used for signing software updates.
This enabled them to perform firmware updates over the air with their own manipulated code inside. The key was never released by the research team.[2]

Security Issues of the Philips Hue System

  • Use of a single symmetric encryption key shared across many devices to protect the firmware update process
  • The attacks were also possible because the hardware is vulnerable to side-channel analysis
  • And also, the bugs and errors in the implementation of protocols (designed to prevent long-range take-over attacks) [2]

Estimated Damage

To estimate the actual damage of such an attack, the researchers calculated how many smart lamps would have to be installed to launch the attack.

Result: Paris, the critical mass would be around 15,000 lamps (installed within a distance of about 100 meters). That is not an unrealistic amount of lamps concerning the popularity of Philips Hue. So the researchers assumed that cities might be already vulnerable to such attacks. [2]


This attack is even more remarkable because there is no internet communication used. The worm only spreads through physical proximity and is independent of established networking structures – so once created, the worm is probably impossible to stop.

System administrators usually try to stop such an attack by isolating subnetworks from each other, which in this case would not be possible because only ZigBee communication is used, which is not monitored or protected.

Also, locating the source of the attack and detecting the attack itself would be very difficult. [2]

Possible Attacks

Bricking Attacks
Unlike usual DoS irreversible, all devices would have to be replaced
Wireless Network Jamming
ZigBee runs over the IEEE 802.15.4 standard, which uses the 2.4 GHz, license-free band (continuous wave signal from 'test mode' could overlap other channels)
Data infiltration and exfiltration
Affect people's health
The light can be programmed at such a blinking rate that it causes epileptic seizures
The LEDs can also be driven at frequencies that are creating discomfort in humans [2]

Phillips reaction

Before releasing the found vulnerabilities the research team informed Philips Lighting (now Signify) with reasonable time to fix the issues. Philips then released an update shortly before the release and also later released a press release. In the information, Philips stated "Their research findings helped us to develop and roll out the software update.". No indication of an unfixed vulnerability.[4]


Unfixed vulnerabilities - Don't be silly - it's only a lightbulb

In 2020 the researcher Eyal Itkin revealed a new form of hack for the Philips Hue System.[5] In this article he describes the still working vulnerabilities including the Firmware Update Attack and also the Take over Attack still being possible. Only the proximity check is fixed, making the lightbulb worm impossible to spread but still leaves the door wide open for further attacks. Following up on this discovery the possibility of taking over a lightbulb and infecting it with self written code provided the basis for an attack against the Philips Hue Bridge. The attacker was able to find a vulnerability that leveraged a buffer overflow attack to escalate to root privileges. Following this an attack on devices in the LAN network was possible.


The buffer overflow vulnerability was then fixed but the other vulnerabilities seem to be unpatchable leaving attack vectors for threat actors.

To this day (last updated: 08.12.2024) the vulnerabilities are still as stated above are still not fixed.

Countermeasures

  • Unique keys per lightbulb
  • Asymmetric cryptography for software verification
  • Reducing the amount of damage a leaked key might be able to cause
  • Negative testing to avoid implementation bugs [2]

Zigbee Protocol Overview

  • ZigBee is a low-power, low-data-rate wireless communication protocol.
  • Used in smart homes, industrial automation, and sensor networks.
  • Operates in 2.4 GHz frequency band with mesh network communication.

Zigbee Architecture

  • Architecture includes Application, Application Interface, Security, Network, Medium Access Control, and Physical Layer.

Zigbee Addressing and Frames

  • Uses short (16-bit) and long (64-bit) addresses for device identification.
  • Packet-based communication with data frames, acknowledgment frames, and command frames.

Zigbee Security and Sniffing

  • Features encryption and authentication for secure device communication.
  • Tools like Wireshark and nRF52840 dongle mentioned for Zigbee sniffing.

Initial Steps for Experimentation


References

  1. Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi Or Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. In Proceedings – IEEE Symposium on Security and Privacy, 2017
  2. Jump up to: 2.00 2.01 2.02 2.03 2.04 2.05 2.06 2.07 2.08 2.09 2.10 2.11 Eyal Ronen, Adi Shamir, Achi Or Weingarten, and Colin O‘Flynn. IoT Goes Nuclear: Creating a Zigbee Chain Reaction. IEEE Security and Privacy, 2018
  3. Jianfeng Wang. Zigbee light link and its applications. IEEE Wireless Communications, 2013
  4. MEDIA ALERT: Reports of Philips Hue products being infected by a virus are inaccurate, 2016
  5. Don’t be silly – it’s only a lightbulb, 2020

Further Information

  • Colin O'Flynn. A LIGHTBULB WORM? Details of the Philips Hue Smart Lighting Design. In Black Hat USA, 2016
Retrieved from "https://wiki.elvis.science/index.php?title=Lightbulb_Worm&oldid=16894"