IOT failure - again

scottalanmiller

The blurry article?

I don't see anything that suggests anything other than a bulb is vulnerable because it's wide open. Nothing that suggests it gets past ZB security. Only that bulbs don't have any.

Dashrender

@scottalanmiller said in IOT failure - again:

@Dashrender said in IOT failure - again:

The attack starts by an attacker getting withing 400 meters of a bulb allows them to connect to it, and upload the virus, that bulb then attaches to anything within range, again 400 m, and passes the virus (worm) around to other devices.

ANY device? Are you sure? It's purely distance based and no security matters?

I don't know if the whole Zigbee protocol is broken, but definitely the implementation of the Hue Lights is poor and allows this take over, according to the researchers.

scottalanmiller

@Dashrender said in IOT failure - again:

@scottalanmiller said in IOT failure - again:

@Dashrender said in IOT failure - again:

The attack starts by an attacker getting withing 400 meters of a bulb allows them to connect to it, and upload the virus, that bulb then attaches to anything within range, again 400 m, and passes the virus (worm) around to other devices.

ANY device? Are you sure? It's purely distance based and no security matters?

I don't know if the whole Zigbee protocol is broken, but definitely the implementation of the Hue Lights is poor and allows this take over, according to the researchers.

I thought that the issue was that they were wide open, not secured at all.

Dashrender

https://boingboing.net/2016/11/09/a-lightbulb-worm-could-take-ov.html

Researchers from Dalhousie University (Canada) and the Weizmann Institute of Science (Israel) have published a working paper detailing a proof-of-concept attack on smart lightbulbs that allows them to wirelessly take over the bulbs from up to 400m, write a new operating system to them, and then cause the infected bulbs to spread the attack to all the vulnerable bulbs in reach, until an entire city is infected.

The researchers demonstrate attacking bulbs by drone or ground station. The demo attacks Philips Hue lightbulbs, the most popular smart lighting system in the market today.

Philips Hue use Zigbee for networking. Zigbee is a wireless protocol designed for low-powered Internet of Things devices, and it has many built-in security features. The most important of these is that once a device is initialized as part of a Zigbee network, it can't be hijacked onto a rival network unless you can bring a controller into close proximity to it (a couple centimeters away). However, there is a fatal flaw in the Zigbee implementation in the Hue system, and the researchers showed that they could hijack the bulbs from nearly half a kilometer away (this attack is only possible because Zigbee doesn't encrypt all traffic between devices).

scottalanmiller

http://betanews.com/2016/11/14/philips-hue-light-bulbs-worm-vulnerable/

Hard coded keys (passwords) and the threat is only to other bulbs all sharing the same password. Obviously not a flaw, just bad planning. Not a ZB issue.

scottalanmiller

@Dashrender said in IOT failure - again:

https://boingboing.net/2016/11/09/a-lightbulb-worm-could-take-ov.html

Researchers from Dalhousie University (Canada) and the Weizmann Institute of Science (Israel) have published a working paper detailing a proof-of-concept attack on smart lightbulbs that allows them to wirelessly take over the bulbs from up to 400m, write a new operating system to them, and then cause the infected bulbs to spread the attack to all the vulnerable bulbs in reach, until an entire city is infected.

Right.... only bulbs that are ALREADY vulnerable by having a publicly known shared password are at risk. Nothing here about a ZB vulnerability at all.

scottalanmiller

It's like saying that Windows security doesn't work because people shared passwords at one company. Or that SSH isn't secure because you CAN hard code passwords and let them get compromised.

Those are end user issues, not protocol issues.

Dashrender

@scottalanmiller said in IOT failure - again:

http://betanews.com/2016/11/14/philips-hue-light-bulbs-worm-vulnerable/

Hard coded keys (passwords) and the threat is only to other bulbs all sharing the same password. Obviously not a flaw, just bad planning. Not a ZB issue.

Sorry if you thought I was implying that ZB was broken.. (it's not great by any means, but not as broken as this implementation by Philips).

scottalanmiller

@Dashrender said in IOT failure - again:

Sorry if you thought I was implying that ZB was broken.. (it's not great by any means, but not as broken as this implementation by Philips).

THIS implementation isn't broken at all, either!! Nothing whatsoever wrong with ZB here at all. Where are you getting that? The articles aren't saying that at all.

scottalanmiller

The article does get the recap of what they write originally wrong and call it the implementation. It's not, whatever intern recapped obviously couldn't read the original. It's a shared password only.

Dashrender

With further offline discussion - we found that something called touchlink is where the implementation (or advancement in technology) failure took place in ZB.

I found this black hat article, https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly-wp.pdf

... ZLL devices support a feature called “Touchlink Commissioning” that allows devices to be paired with controllers. As the default and publicly known TC link key is used, devices can be “stolen”. Tests showed that amateur radio hardware using normal dipole (Rasperry Pi extension board) antennas already
allowed Touchlink Commission from several meters away whereas for security reasons this should only work in close proximity. Usage of professional radio equipment would allow an even higher distance for such a successful device
takeover.

This tells me (though I haven't found it yet) that there is some type of spec that is suppose to prevent pairing of devices outside of a certain range.

Dashrender

https://www1.informatik.uni-erlangen.de/filepool/publications/zina/ZLLsec-SmartBuildingSec16.pdf

Nice read about touchlink, ZLL.

Dashrender

https://eprint.iacr.org/2016/1047.pdf

We focus in this paper on the popular Philips Hue smart
lights which had been sold (especially in the European
market) in large numbers since 2012. The communication
between the lamps and their controllers is carried out by the
Zigbee protocol, which is the radio link of choice between
many IoT devices due to its simplicity, wide availability, low
cost, low power consumption, robustness, and long range (its
main disadvantage compared to WiFi radio communication
is its limited bandwidth, which is not a real problem in most
IoT applications). The Hue lamps contain a ZigBee chip
made by Atmel, which uses multiple layers of cryptographic
and non-cryptographic protection to prevent hackers from
misusing the lamps once they are securely connected with
their controllers. In particular, they will ignore any request
to reset or to change their affiliation unless it is sent from
a ZigBee transmitter which is only a few centimeters away
from the lamp. Even though the attacker can try to spoof
such a proximity test by using very high power transmitters,
the fact that the received power decreases quadratically with
the distance makes such brute force attacks very hard (even
at ranges of a hundred meters). This requires high power
dedicated equipment and cannot be done with the standard
ZigBee off the shelf equipment.
Our initial discovery was that the Atmel stack has a
major bug in its proximity test, which enables any standard
ZigBee transmitter (which can be bought for a few dol-
lars in the form of an tiny evaluation board) to initiate a
factory reset procedure which will dissociate lamps from
their current controllers, up to a range of 400 meters.
Once this is achieved, the transmitter can issue additional
instructions which will take full control of all those lamps.
We demonstrated this with a real war-driving experiment
in which we drove around our university campus and took
full control of all the Hue smart lights installed in buildings
along the car’s path. Due to the small size, low weight, and
minimal power consumption of the required equipment, and
the fact that the attack can be automated, we managed to
tie a fully autonomous attack kit below a standard drone,
and performed war-flying in which we flew hundreds of
meters away from office buildings, forcing all the Hue lights
installed in them to disconnect from their current controllers
and to blink SOS in morse code.
By flying such a drone in a zig-zag pattern high over a
city, an attacker can disable all the Philips Hue smart lights
in city centers within a few minutes. Even though such an
attack can have very unpleasant consequences, its effects are
only temporary since they can be reversed by the tedious
process of bringing each lamp to within a few centimeters
from its legitimate controller and reassociating them.

interesting, seems that the implementation error (still haven't found how the distance is supposed to be ensured) is in the ZigBee chip from Atmel, not something Philips did wrong.

Dashrender

It's likely that this attack was only possible because a master key, one that's distributed to all certified ZigBee manufacturers under a secrecy clause and used on every ZigBee device, was in fact leaked in 2015. With this master key along with the flaw in the Atmel chip, probably is what allowed this situation to exist.

haven't they learned yet that a master key doesn't work? DVD's anyone? BluRay?

Dashrender

https://arxiv.org/pdf/1608.03732.pdf

Because our implementation failed to
send the acknowledgment within the demanded time frame
of 864 microseconds, we spoof another ZigBee device in
the network that acknowledges the reception of the scan
response, even if this device did not send the
scan request, as shown in Figure 6

In contrast, the Hue bulb responses to any arbitrary
originator because apparently no acknowledgment on MAC-layer is required.

hubtechagain

@dafyre Yeah, i've got a set of 3. they're awesome I'm gonna pick up some of the light strips soon too! Deck, outdoor kitchen, and mood lighting needs to happen

dafyre

@hubtechagain Better make sure your bulbs don't get hacked, ha ha.

Jason

I'll stick with my Old School Lutron Caseta switches and dimmers, and using a local apple tv as a bridge for homekit. These vendors doing their own standards are the problem.

Dashrender

@Jason said in IOT failure - again:

I'll stick with my Old School Lutron Caseta switches and dimmers, and using a local apple tv as a bridge for homekit. These vendors doing their own standards are the problem.

What own standards would those be?

The bulbs in question use ZB a widely used standard.

Jason

@Dashrender said in IOT failure - again:

The bulbs in question use ZB a widely used standard.

Zigbee is a randomly developed standard by a new alliance that doesn't have much experience. It's had many security concerns since day one. Anyone using it just plain didn't care about security.