Smart lighting security flaw illuminates risk of IoT


The latest smart home security nightmare sheds light on the risk you take each time you add another connected item to your home, office or industrial network – and even market-leading brands make mistakes.

The story of Hue

Philips Hue smart lighting systems are probably among the most widely installed smart home solutions in the world, so plenty of people deserve to learn about the latest Check Point research which warns of a major security flaw in them.

It seems it is possible to infiltrate home and office networks through a remote exploit in the ZigBee low-power wireless protocol, using Philips Hue smart bulbs and the bridge as the access point.

The report claims it was possible to subvert smart home security to the extent that hackers took control of the bulb and then tricked users into a series of actions that let hackers infiltrate the network itself.

Check Point alerted Philips to the problem and the manufacturer very quickly released a software patch to protect against it.

You can get that patch here, and if you happen to have a Hue system installed somewhere in your life you should install it as soon as you can.

That is particularly true in view of Kaspersky research that tells us attacks against smart home devices climbed by around 700% in the last 12 months.

Why is this still happening?

This strongly reminds me of the highly publicized 2014 attack when criminals used a vulnerability in a connected HVAC system to exfiltrate the details of millions of credit and debit cards from Target.

This is what can happen when attackers succeed in penetrating networks – a little packet-sniffing and your bank details could be purloined, as might the access codes for the power plant you work at.

What’s remarkable about this is that it has been six years since the Target hack, and yet it’s still possible to isolate connected items in order to subvert them.

This is a problem Apple has been working to try to solve ever since it created its Made for HomeKit system.

Manufacturers have a responsibility

Now, I’m not about to focus my ire on Philips in this – the company took steps to remediate the situation once it heard about it.

Nor is it exactly Zigbee that is at fault – the truth is that every operating system holds its own set of vulnerabilities and identifying them is a big business.

But I will focus some anger at those manufacturers in the smart home space who don’t see security and privacy as important in an increasingly connected age.

Because the risk to your home and business represented by poorly secured devices on your connected networks reflects the weakest devices you have installed far more than the better ones.

You can have ten thousand well secured smart devices, but that ancient connected thermostat in the storeroom may be all the vulnerability a hacker needs to penetrate your entire network.

That’s also why you should diligently check how committed manufacturers are to regular software and security updates for the smart devices they want to sell you. It doesn’t matter if those systems are aimed at business or consumer users: if they don’t commit to regular security protection, you shouldn’t buy them.

What can you do?

I recommend consumer and enterprise users take inventory of their existing connected device deployments.

When they do, they should ask the following questions:

  • Has this device shown any unexpected instability recently?
  • Is it possible to update the firmware on this device?
  • Is the latest software patch installed?
  • How regularly do software patches ship?
  • Is it possible to change any default password/code on the device and has it been changed?
  • Is it possible to use an alphanumeric code?
  • Does the system support the latest edition of its operating system?
  • What is the device’s networking protocol? Is it still current?
  • Is it possible to identify the device from beyond the network using standard network monitoring tools?

If you can’t update the device, or change its password, or it uses an ancient networking protocol, stop using it.

If the device is visible to people outside your network, either secure it, or switch it off and send it to be recycled.

In some cases, I’ve heard of deployments in which connected devices are placed on a separate wireless network from any computers or data storage systems.

Apple has its own solution, which may go some way toward securing HomeKit-based smart homes: HomeKit-enabled routers. These let you protect smart devices across your office or home, but only a few routers supporting this are available right now.

Personally, I think every router should have smart device protection baked inside. Perhaps this is what Apple, Google, Amazon, the Zigbee Alliance and others hope to achieve with the Connected Homes over IP project.

But the security vulnerabilities illuminated by this latest Hue problem should be proof positive that better security is mandatory, for your home, your office, factory or any other connected system.

Copyright © 2020 IDG Communications, Inc.

