The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP.
According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability arises from how Hue system authenticates devices. It uses a simple and irrevocable hash of a device's MAC address to create the authentication token.
“The secret whitelist token was not random but the MD53 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine)”, he notes.
If an attacker within wireless reach of the local network the Hue bridge is connected to (on the local network or, The Register supposes, a neighbouring apartment that can receive the WiFi signal), Dhanjani writes, it would be easy enough to cycle through those addresses to find the Hue bridge and issue it instructions.
For his demonstration (video below), Dhanjani uses the attack to issue sustained “lights off” commands to the test system.
And, in the kind of brain explosion that will probably characterise the emerging Internet of Things, Philips has made the whitelist tokens irrevocable to the ordinary user: “there is no administrative functionality to unauthorise the device,” Dhanjani writes. “Since the authorisation is performed using the MAC address, an authorised device will continued to enjoy access to the bridge (unless the user is technically savvy enough to use the http://<bridge ip address>/debug/clip.html debugger).”
Other attacks against Hue that Dhanjani documents are the weak passwords Philips permits for the Internet application that provides remote control over Hue; and “recipe poisoning”.
The Internet app will accept a six-character password, and as we all know, users have a distressing habit of re-using passwords for lots of different sites – meaning that if a password leaks, an attacker can remotely control the system.
And Hue also has a “feature” that probably had the marketing team in a spasm of hypegasm when it was devised: users can set up “recipes” that let the lights respond to the state of other apps. For example, the hue of the Hue can be made to respond to the user's Facebook activity for a service call “If This Then That” (IFTTT).
If the lights' colour was set to respond to a tagged photo on Facebook, for example, then simply sending a black photo would activate the recipe and turn the lights off. ®