Unshakeable Salt

Philips Hue lightbulbs are making the mainstream press once again. The Red Tops are spreading fear, uncertainty and doubt about how your home is at risk. The Internet of Things will destroy you and ‘won’t someone please think of the children’. Your Hue lightbulb is supposedly a way for hackers to get into your home network and then from there, own all your things.

Unshakeable Salt Ltd can speak with some authority on these devices, as we’ve been hacking them for some time. We have a full setup and lab of our own, so we are able to demonstrate how they can be used nefariously. Thankfully, it’s not as easy as the story describes.

Your Philips Hue light bulbs can still be hacked — and until recently, compromise your network

The Verge

The article is fairly alarmist, without ever talking about the impacts of the vulnerability.

  • What does it actually mean to you as a home user?
  • How about if you use these in a business environment?
  • What is the worst that could happen if you have Hue-ified your premises and have not patched your bulbs, hubs and associated devices?

Hue Impact

Assume the bad guys have ‘pwned’ your Hue bridge. Here are the most likely scenarios for monetising or weaponising their success.

Weaponisation of your home network to be part of a botnet.
This is the likely scenario. They will use any compromised devices on your network, and your network bandwidth, to take part in a DDoS attack against someone else. It’s been done before, and the more devices the better for them. It doesn’t matter how powerful each device is (and a lightbulb isn’t), it’s about how many there are. The bad guys will use them as part of their own weapons capability, or monetise them by selling DDoS-as-a-service to another group of bad guys.

Monetisation of your home network to hide other activity.
Also likely, where they will use your network as a proxy to hide their activity. The illegal sale of narcotics, guns or child pornography looks to hide behind someone else’s network. Being able to run their anonymising proxy has a value and would generate a good revenue stream. The first you could know about this could be a 4am knock on your door from local law enforcement – after all, it’s going to look like you.

Monetisation of you
This is plausible, but unlikely. There would be effort required for potentially little or no financial gain. In this scenario the bad guy sits on your network and intercepts your network traffic. They want to try and capture your authentication details for other systems – such as online banking or your Netflix / Amazon / online shopping accounts.

But how likely?

Just like when the original vulnerabilities in Hue were discovered 4 years ago, there has to be a reality check. Just how plausible is it that an attacker is going to come after you? Well in short, it’s very VERY unlikely. The alarmist article doesn’t really mention this. They say:

It’s also nice to know it might have taken a fairly clever, patient hacker to exploit this vulnerability in the first place.

They can’t exploit this vulnerability from the internet. If they can, then you have more serious security concerns than your light bulbs. They need to be within the short range of your Zigbee hub with a device pretending to be something you own. Not only in range, but also there for a long enough time. How many days of your lights and devices misbehaving would it take for you to think ‘I need to reset my device back to its default settings’? They need to be still in range when you walk up to the Hue bridge and press that central button.

I know they used a drone in the printed article and that’s not realistic. More likely this would be an attack from a device left within range. Unless they were really lucky, that device would have to be powered on and working for days/weeks/months on end before it could compromise your network. That means that device is also going to cost more than they are likely to make from you – as a person.

Business context

The money or capability the bad guys could gain from this vulnerability is different in a business context. The network capability and number of devices would be higher if they could pwn a corporate network. The potential to man-in-the-middle and steal corporate information or accounts would be so much better. In a business context, the cost of buying and losing a device to hang around long enough to hijack a Hue network is more negligible.

Running a separate VLAN or segregated network for all Internet-of-Things devices is always recommended. After all, that’s what we do with ours.
