Difference between revisions of "Lightbulb Worm"
CRudlstorfer (talk | contribs) |
CRudlstorfer (talk | contribs) |
||
| Line 1: | Line 1: | ||
== What is a Lightbulb Worm? == | == What is a Lightbulb Worm? == | ||
The Lightbulb Worm is a construct that results from the research and attacks done by Colin O'Flynn, Eyal Ronen, Adi Shamir, and Achi-Or Weingarten. | |||
They provide the ingredients of the first worm that affects smart lighting systems. | They provide the ingredients of the first worm that affects smart lighting systems. | ||
The worm has the power to spread only through physical proximity and would also be able to destroy lightbulbs permanently. It only takes one infected lightbulb to be installed, and the worm can spread - through its ZigBee wireless connectivity - directly to the physical neighbors of this lamp. These newly infected lamps would again infect all their neighbor lamps. | The worm has the power to spread only through physical proximity and would also be able to destroy lightbulbs permanently. It only takes one infected lightbulb to be installed, and the worm can spread - through its ZigBee wireless connectivity - directly to the physical neighbors of this lamp. These newly infected lamps would again infect all their neighbor lamps. | ||
That leads to a massive chain reaction that spreads in an epidemic fashion and attacks whole cities. </ref> | That leads to a massive chain reaction that spreads in an epidemic fashion and attacks whole cities. <ref name="1"/> <ref name="2"/> <ref name="3"/> | ||
| Line 13: | Line 13: | ||
The Philips Hue smart lamp system works as follows: | The Philips Hue smart lamp system works as follows: | ||
The lightbulbs are connected to a bridge device which creates a network the lightbulbs can join. The bridge controls all the lamps and also contains an IP link. Via the Router, it is connected to the Internet through which you can control your system with the Philips Hue Lightning App. | The lightbulbs are connected to a bridge device which creates a network the lightbulbs can join. The bridge controls all the lamps and also contains an IP link. Via the Router, it is connected to the Internet through which you can control your system with the Philips Hue Lightning App. <ref name="1"/> <ref name="2"/> <ref name="3"/> | ||
[[File:PhilipsHue.jpg]] | [[File:PhilipsHue.jpg]] <ref name="3"> | ||
Philips Hue lamps communicate with their controllers through the Zigbee protocol and use the ZigBee Light Link protocol. | Philips Hue lamps communicate with their controllers through the Zigbee protocol and use the ZigBee Light Link protocol. | ||
| Line 29: | Line 29: | ||
This “Master key" is a secret key, but it is used and stored on every ZLL certifed | This “Master key" is a secret key, but it is used and stored on every ZLL certifed | ||
product. But it's only one key for all ZLL products, so it was only a matter of time for it to be leaked. That happened in 2015. | product. But it's only one key for all ZLL products, so it was only a matter of time for it to be leaked. That happened in 2015. <ref name="1"/> <ref name="2"/> <ref name="3"/> | ||
| Line 39: | Line 39: | ||
2. Join (or start) network request: With this message, the device is instructed to join | 2. Join (or start) network request: With this message, the device is instructed to join | ||
the PAN. | the PAN. | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
== Security Features of Philips Hue == | == Security Features of Philips Hue == | ||
| Line 47: | Line 49: | ||
:It must be passed successfully to connect lamps to the bridge. | :It must be passed successfully to connect lamps to the bridge. | ||
:Without the proximity check, any initiator that owns the ZLL master key could instruct lightbulbs to :reset to a factory new state or join a new PAN. | :Without the proximity check, any initiator that owns the ZLL master key could instruct lightbulbs to :reset to a factory new state or join a new PAN. | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
== Ingredients of the Lightbulb Worm == | == Ingredients of the Lightbulb Worm == | ||
| Line 63: | Line 67: | ||
:So they just had to set the lightbulbs to a Factory New state and make the lightbulbs actively :search for ZigBee networks and are open to connection. | :So they just had to set the lightbulbs to a Factory New state and make the lightbulbs actively :search for ZigBee networks and are open to connection. | ||
:Setting them to a Factory New state was possible due to a software bug. | :Setting them to a Factory New state was possible due to a software bug. | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
| Line 72: | Line 77: | ||
- And also, the Bugs and Errors in the implementation of protocols (designed to prevent long-range take-over attacks) | - And also, the Bugs and Errors in the implementation of protocols (designed to prevent long-range take-over attacks) | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
== Estimated Damage == | == Estimated Damage == | ||
| Line 88: | Line 95: | ||
Also, locating the source of the attack and also detecting the attack itself would be very difficult. | Also, locating the source of the attack and also detecting the attack itself would be very difficult. | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
== Possible Attacks == | == Possible Attacks == | ||
| Line 99: | Line 108: | ||
:The light can be programmed in such a blinking rate which causes epileptic seizures | :The light can be programmed in such a blinking rate which causes epileptic seizures | ||
:The LEDs can also be driven at frequencies that are creating discomfort in humans | :The LEDs can also be driven at frequencies that are creating discomfort in humans | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
== Countermeasures == | == Countermeasures == | ||
| Line 110: | Line 121: | ||
- Negative testing to avoid implementation bugs | - Negative testing to avoid implementation bugs | ||
<ref name="1"/> <ref name="2"/> <ref name="3"/> | |||
== References == | == References == | ||
<references> | <references> | ||
<ref name = " | <ref name="1> | ||
Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi Or Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. In Proceedings – IEEE Symposium on Security and Privacy, 2017 | Colin O'Flynn. A LIGHTBULB WORM? Details of the Philips Hue Smart Lighting Design. In Black Hat USA, 2016 | ||
Eyal Ronen, Adi Shamir, Achi Or Weingarten, and Colin O‘Flynn. IoT Goes Nuclear: Creating a Zigbee Chain Reaction. IEEE Security and Privacy, 2018 /> | |||
<ref name="2">Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi Or Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. In Proceedings – IEEE Symposium on Security and Privacy, 2017 </ref> | |||
<ref name="3"> Eyal Ronen, Adi Shamir, Achi Or Weingarten, and Colin O‘Flynn. IoT Goes Nuclear: Creating a Zigbee Chain Reaction. IEEE Security and Privacy, 2018 </ref> | |||
</references> | </references> | ||
Revision as of 16:32, 11 January 2022
What is a Lightbulb Worm?
The Lightbulb Worm is a construct that results from the research and attacks done by Colin O'Flynn, Eyal Ronen, Adi Shamir, and Achi-Or Weingarten. They provide the ingredients of the first worm that affects smart lighting systems.
The worm has the power to spread only through physical proximity and would also be able to destroy lightbulbs permanently. It only takes one infected lightbulb to be installed, and the worm can spread - through its ZigBee wireless connectivity - directly to the physical neighbors of this lamp. These newly infected lamps would again infect all their neighbor lamps.
That leads to a massive chain reaction that spreads in an epidemic fashion and attacks whole cities. Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title
Philips Hue and Zigbee Light Link
The research and experiments of constructing the lightbulb worm have been done by using Philips Hue smart lighting systems and exploiting the implementation of their inbuilt ZigBee Light Link Protocol and firmware update mechanisms.
The Philips Hue smart lamp system works as follows:
The lightbulbs are connected to a bridge device which creates a network the lightbulbs can join. The bridge controls all the lamps and also contains an IP link. Via the Router, it is connected to the Internet through which you can control your system with the Philips Hue Lightning App. Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title
Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title
Cite error: Invalid <ref> tag; name cannot be a simple integer. Use a descriptive title
</references>