Errors that prompt smart light hacks exposed at LuxLive

'Hackers can easily figure out the code of mobile apps that control devices, which in turn can provide them with the device's IP address,' Munro claimed at LuxLive.  Image: Mark Halper

A security consultant who makes a living from hacking the Internet of Things (IoT) warned the UK lighting industry that if it's not careful, its smart LED lighting systems could be extremely vulnerable to attack, LEDs Magazine reports.

In an 'ethical hacking' demonstration to an overflow crowd at the LuxLive 2016 exhibition last week, Ken Munro, founder of Buckingham-based Pen Test Partners, showed just how effortless it can be for ne'er-do-wells to gain access to Wi-Fi passwords and other key private information.

Hackers can often waltz into IoT devices such as kettles, coffee makers, and possibly lights, if the products' manufacturers simply add communications chips into their products without really thinking through the consequences.

'You can't just bolt in a module and expect it to deliver security,' said Munro. 'This is how many organizations are Internet-enabling their devices. They're bolting in a Bluetooth, a GSM, or a Wi-Fi module, a few dollars’ worth. What could possibly go wrong?'

Hackers can easily figure out the code of mobile apps that control devices, which in turn can provide them with the device's IP address, Munro claimed. From there, all hell can break loose.

'Please, if you're going to IoT-enable one of your devices, read the security guidelines, so you don't inadvertently end up making a lightbulb vulnerable to an Internet worm, like we saw last week,' said Munro, in an apparent reference to a set of Philips smart lighting products that flashed emergency signals after a drone-borne virus attacked them in an office building via a ZigBee wireless link. Munro said wireless technologies such as ZigBee, Wi-Fi and Bluetooth can all be secured.

On stage at LuxLive, co-located with the Strategies in Light Europe 2016 conference, Munro broke into the code of an Internet-connected electric kettle to easily figure out its IP address (for American readers, electric kettles are as common as toasters in British kitchens). The kettle's manufacturer had used an old and still common communications protocol called Telnet, which Munro said is not encrypted.

'That's a disaster,' warned Munro. 'You shouldn't be using Telnet for stuff like this. That's really, really not a good idea.'

Once he tapped the Telnet port, he was able to figure out the user's password and access its embedded web server.

'I can retrieve your wireless network key in plain text,' said Munro. 'It's nuts because now I'm on your wireless network and I can now man the middle and listen to every single piece of traffic that goes over your home Wi-Fi network. Every password you send, all your banking traffic, all your social network traffic, everything is mine.'

Hackers can even find a database of where all the smart kettles are in London, 'so I know how to go find your kettle, stand outside your house, point a wireless antenna at your kitchen, and steal your Wi-Fi key,' he said.


Munro demonstrated the same sort of penetration (Pen Test stands for 'penetration testing') on coffee machines, and noted that IoT chicanery could include making weak espressos or causing the system to overflow. He described how some poorly designed IoT door locks can stupidly respond to verbal commands from anyone shouting, 'Unlock the door.'

The same sort of havoc could ensue with IoT LED lights, said Munro. He diplomatically declined to single out any manufacturers as good or bad examples. He said the lighting industry's main issue with IoT security will be in how to allow users to initially couple their control device, say, a phone, with a specific lamp, a set-up process known as pairing.

'The biggest challenge for me is you have to go through the pairing process,' said Munro. 'You need to think really carefully about how do I push a device into pairing mode. Is it maybe turning a switch on three or four times? Is there some other way where I can say, ‘You know what, I'm going to reduce my security to allow pairing for 60 seconds but that's the only time I'm doing it, and after 60 seconds has elapsed, that's it.’ ... But think really carefully about what you do, because you're reducing the security of your device when you start that pairing.'
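The time-boxed pairing mode Munro describes, sketched as device-side logic. This is an added example, not code from the article or from any manufacturer; the three-toggle trigger, the 5-second toggle span, the one-pairing-per-window policy and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAIR_WINDOW_MS 60000u /* the 60-second window from the quote */
#define TOGGLES_NEEDED 3      /* assumed: three physical switch toggles */
#define TOGGLE_SPAN_MS 5000u  /* assumed: all toggles within 5 seconds */

typedef struct {
    uint32_t t[TOGGLES_NEEDED]; /* times of the most recent toggles */
    int      count;             /* toggles recorded, capped at TOGGLES_NEEDED */
    bool     open;              /* pairing window currently open? */
    uint32_t opened_ms;         /* monotonic tick when it opened */
} pairing_t;

/* Call on each physical switch toggle; nothing on the network can open the window. */
void pairing_on_toggle(pairing_t *p, uint32_t now_ms) {
    for (int i = 0; i + 1 < TOGGLES_NEEDED; i++) p->t[i] = p->t[i + 1];
    p->t[TOGGLES_NEEDED - 1] = now_ms;
    if (p->count < TOGGLES_NEEDED) p->count++;
    if (p->count == TOGGLES_NEEDED && (uint32_t)(now_ms - p->t[0]) <= TOGGLE_SPAN_MS) {
        p->open = true;
        p->opened_ms = now_ms;
        p->count = 0; /* a new window needs a fresh toggle sequence */
    }
}

/* Call from the main loop so an unused window closes on time even if no
 * request arrives; this also stops a 32-bit tick wrap from reviving it. */
void pairing_tick(pairing_t *p, uint32_t now_ms) {
    if (p->open && (uint32_t)(now_ms - p->opened_ms) >= PAIR_WINDOW_MS)
        p->open = false;
}

/* Gate every pairing request, whatever transport it arrived on. Fails closed. */
bool pairing_request_allowed(pairing_t *p, uint32_t now_ms) {
    pairing_tick(p, now_ms);
    if (!p->open) return false;
    p->open = false; /* assumed policy: one pairing per window */
    return true;
}

int main(void) {
    pairing_t p = {0};
    pairing_on_toggle(&p, 1000); pairing_on_toggle(&p, 2000); pairing_on_toggle(&p, 3000);
    printf("inside window: %d\n", pairing_request_allowed(&p, 30000));
    printf("second request: %d\n", pairing_request_allowed(&p, 31000));
    return 0;
}
```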

Rattling off general advice for manufacturers of any IoT device, he recommended digitally signing firmware code, validating the signing at boot time, and leaving sensitive information out of the code.

'With the Internet of Things, you're putting your hardware in the hands of a hacker,' Munro said. 'In those lightbulbs, in those things, in those controllers, you're putting your hardware and your firmware in the hands of your consumer, in the hand of the hacker. So if your firmware isn't good, the hacker will find out fast.'

Noting that 'it's very rare' to find a well-secured home IoT device, he praised Google's Nest smart home thermostat as an exception.

'If I was going to choose an IoT device, I'd probably go for a big name brand that's had some security issues in the past and has fixed them,' Munro said. 'So I actually quite like Nest [the smart thermostat maker], because they have the backing of Google, so there's a big reputation at stake if they get it wrong. But also, they've had three or four big security flaws, in the early versions of Nest, and they've fixed them, which means they're taking it seriously.'

Munro developed his own hacking skills in on-the-job training, when he coaxed a cash register to print out mortgage amortizations while he was working a job in the hospitality industry over 15 years ago.

Pen Test describes itself as 'ethical hackers' who reveal security flaws and advise companies on how to avoid them. In one claim to fame, it duped the talking doll My Friend Cayla into swearing. It is currently investigating possible IoT breaches on the robotic toy Anki Cozmo, although it has not yet found anything of note.


Editor's note: An earlier version of this story stated that Pen Test has made Anki Cozmo swear. It has not. Pen Test is currently testing Anki Cozmo for possible flaws and has so far not found any of note. It made My Friend Cayla swear last year.