Not So Smart Lights

Monday, August 19, 2013 @ 05:08 PM gHale

The Philips Hue “smart lighting” system uses a device authentication scheme that allows anyone with an iPhone control app to issue instructions to the controller via HTTP, a security researcher said.

The vulnerability arises from how the Hue system authenticates devices, said researcher Nitesh Dhanjani, who wrote a white paper on the subject. It uses a simple and irrevocable hash of a device’s MAC address to create the authentication token.

Ubuntu Forums Back Up after Hack
Simple Machines Hacked
Messaging App Hacked
Ubuntu Forums Password Breach

“The secret whitelist token was not random but the MD53 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine),” he said.

If an attacker within wireless reach of the local network the Hue bridge connects to (on the local network or a neighboring apartment that can receive the WiFi signal), Dhanjani said, it would be easy enough to cycle through those addresses to find the Hue bridge and issue it instructions.

Philips made the whitelist tokens irrevocable to the ordinary user: “there is no administrative functionality to unauthorize the device,” Dhanjani said. “Since the authorization is performed using the MAC address, an authorized device will continue to enjoy access to the bridge (unless the user is technically savvy enough to use the http:///debug/clip.html debugger).”

Other attacks against Hue Dhanjani documented are the weak passwords Philips permits for the Internet application that provides remote control over Hue; and “recipe poisoning.”

The Internet app will accept a six-character password, and users do have a habit of re-using passwords for different sites – meaning if a password leaks, an attacker could end up remotely controlling the system.

Hue also has a “feature” where users can set up “recipes” that let the lights respond to the state of other apps. For example, the hue of the Hue can respond to the user’s Facebook activity for a service call “If This Then That” (IFTTT).

If the lights’ color ended up set to respond to a tagged photo on Facebook, for example, then simply sending a black photo would activate the recipe and turn the lights off.

Click here to download the white paper.

Leave a Reply

You must be logged in to post a comment.