#23 Connected everything, hacked everything.
If you have not yet seen the infamous GE ‘Smart’ bulb resetting process video guide, just go and watch this video right now.
There is one more video that I would like you to watch. This is far less frustrating than the previous one. This describes an attack uncovered earlier this year on the Philips Hue bulbs that can be used for fun and profit.
I have been resisting the urge to ‘smartify’ my home lighting, add on smart plugs, and connect them to an Alexa-like device for the last couple of years. To be honest, I have seen too much stuff to trust a light bulb manufacturer to do a good enough job with security patches and updates over the lifetime of the bulb so that I can simply connect it to my home WiFi network.
A glance over at the Home accessories page on Apple or Mi gives you a plethora of options. You have devices ranging from lights, fans, ACs, switches, and faucets to door locks that can be smartly operated using a Siri- or Alexa-like interface. (Smart door locks that can be remote controlled sound scary.)
With every different IoT vendor you bring into your home, you are adding to the risk of vendor-specific implementation vulnerabilities. Sometimes the device vendors are too slow even to send a patch, and in some cases, to keep costs low, they do not build a way to apply a security patch once the device is out in the open, leaving the garbage bin as the only option for the device (or worse, you never know about the security issue). Sometimes the vendor itself shuts shop, with no option to update the device in case any security vulnerability is discovered later.
One of the most popular protocols for home IoT devices to talk to each other is Zigbee. Unfortunately, Zigbee, and particularly the way it is implemented by various organizations, has been marred by security vulnerabilities coming out almost every year. With Apple, Amazon, Samsung, Google, and Philips among others joining the Zigbee Alliance to develop a royalty-free connected home standard a few months ago, it looks like this would be the way forward for smart home networking. Some also see this as an attempt to prevent Chinese manufacturers from dominating the market with cheaper devices.
Zigbee is a mesh network intended for sensors and smart devices to work over short distances of 10-50 meters using intermediate nodes at a low speed (up to ~250 kbps) to enhance battery life. The main components in a Zigbee network are smart device nodes, routers responsible for routing traffic between devices, and a coordinator responsible for distributing security keys.
Zigbee uses symmetric key cryptography where a unique shared key is required to communicate between any two nodes in the network. The shared keys are transmitted securely using a different key which is preconfigured to the devices. Over-the-air (OTA) updates provided by device manufacturers are also encrypted using a similar mechanism.
A security vulnerability in Philips Hue light bulbs (again) was exploited back in 2016, when researchers flew a drone that kept finding Zigbee devices and hacking them by exploiting the pre-configured hardcoded key in the bulbs, turning them on and off to flash Morse code for 🆘. The Zigbee Alliance claimed that it was due to an error in the specific implementation by Philips and not a weakness in the protocol itself.
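To show why the preconfigured transport key matters, here is an added example (not from the original post, and not Zigbee or Philips code) that models key transport with one fleet-wide key versus a per-device key and reports which captured join frames a single leaked key opens. HMAC-SHA256 stands in for Zigbee's AES-based encryption so the sketch runs on the Python standard library; the device names, key values, and the per-device derivation are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    """HMAC-SHA256 counter-mode keystream (stand-in for Zigbee's AES-CCM*)."""
    blocks = (hmac.new(key, b"ks" + nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:8]

def wrap_key(transport_key, network_key):
    """Coordinator side: encrypt and authenticate the network key for a joining node."""
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(network_key, _stream(transport_key, nonce, len(network_key))))
    return nonce + ct + _tag(transport_key, nonce, ct)

def unwrap_key(transport_key, frame):
    """Node side: return the network key, or None if authentication fails."""
    nonce, ct, tag = frame[:8], frame[8:-8], frame[-8:]
    if not hmac.compare_digest(tag, _tag(transport_key, nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(transport_key, nonce, len(ct))))

def per_device_key(master, device_id):
    """Hypothetical hardening: a distinct transport key derived for each device."""
    return hmac.new(master, b"transport" + device_id, hashlib.sha256).digest()[:16]

def exposed(join_frames, known_key):
    """Device IDs whose captured join frame can be opened with known_key."""
    return sorted(d for d, f in join_frames.items() if unwrap_key(known_key, f) is not None)

def simulate():
    """Compare the blast radius of one leaked key under both provisioning schemes."""
    network_key = secrets.token_bytes(16)
    devices = [b"bulb-1", b"bulb-2", b"plug-1"]  # constructed device IDs
    fleet_key = b"CONSTRUCTED-KEY!"  # constructed constant baked into every unit
    weak = {d: wrap_key(fleet_key, network_key) for d in devices}
    master = secrets.token_bytes(32)  # assumed to stay with the manufacturer
    strong = {d: wrap_key(per_device_key(master, d), network_key) for d in devices}
    leaked = per_device_key(master, b"bulb-1")  # key extracted from one unit
    return exposed(weak, fleet_key), exposed(strong, leaked)

if __name__ == "__main__":
    print(simulate())
```

With the fleet-wide key, every join frame opens once that one constant is known; with per-device keys, a key pulled from one bulb opens only that bulb's frame.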
Like it or not, eventually every dumb household item is going to be smart. I like to compare the current time to the time back when the Internet was full of websites running on insecure HTTP, with sniffing being common, SQL injections and XSS present on every other website waiting to be exploited, and backups kept in directories with obfuscated names. Things will probably become better with time like they always do.