I had an interesting exchange with a spokeswoman from the manufacturing giant Philips earlier this week. I reached out to that company because one of their newer, and cooler consumer products, the HUE “smart” light bulbs were the subject of an impromptu security audit that revealed some troubling security flaws.
As I reported on The Security Ledger (one among several such reports), HUE light bulbs contain vulnerabilities that make them susceptible to attacks in which a remote attacker could use a compromised system on a home network to manipulate the HUE light bulbs.
Writing on his blog (http://www.dhanjani.com), independent security researcher Nitesh Dhanjani revealed that the Philips wireless bridge that relays commands to the deployed HUE bulbs relies on a list of allowed “tokens” to validate the HTTP-format requests from authorized administrators. However, in the case of the iOS app that is used with HUE devices, those tokens are merely an MD5 hash of the whitelisted mobile device’s Machine Access Code (or MAC) – a publicly broadcast and easily retrievable bit of identifying information.
Mind you – this isn’t earth shattering, call-the-FEDS stuff. The most serious flaw discovered by Dhanjani would let a remote attacker turn bulbs on or off, or cause them to change color (one of the cool features of the HUE bulbs). That’s irritating and perhaps nerve-wracking, especially in the hands of a mean spirited Internet troll of the kind that already hijack webcams and other household gear to torment their unsuspecting owners.
But Dhanjani was making a larger point with his demonstration hack of the HUE bulbs, namely: that Philips “and other consumer IoT (Internet of Things) organizations take issues like these seriously,” he wrote. “In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences."
That wasn’t an opinion shared by Philips. In an e-mail response to my request for comment, spokeswoman Silvie Casanova (great name, btw) repeated what has become something of a boilerplate statement for consumer device makers who wind up on the wrong side of security researchers.
Philips, she told me, “used industry standard encryption and authentication techniques to ensure that unauthorized persons cannot gain access to the lighting system.” Besides, any attack on a HUE bulb would need to come from the same network on which the bulb was deployed.
“An attack of the nature described really points to home wi-fi security as it requires that someone get past the security on your home computer or your private local area network to send commands within your home network,” she wrote. “This would mean any device on that network would be compromised, including your personal data such as passwords, financial information, and traffic passing between any of your devices in your home (tablets, etc.)”
In other words: with access to your brokerage account, who really cares about the light bulbs in your living room? That’s a valid point, to be sure. The problem is that Philips doesn’t just make light bulbs. It’s also one of the world’s leading manufacturers of medical devices and industrial control equipment. And research suggests that for many large firms that operate horizontally, across verticals, security flaws tend to run in the family. In other words, the kinds of problems that Dhanjani identified in its HUE bulbs – weak encryption schemes, a lack of strong password enforcement – are likely to crop up in its other products.
As I said, the security problems discussed here aren’t all that serious. But the security myopia of the product development organization that produced the HUE bulbs is. Critically: Philips has failed to learn the lesson that PC software makers like Microsoft and Adobe long ago absorbed: that adversaries exist, that vulnerable platforms will be exploited, and that the consequences of those attacks – measured by monetary damages and the damage to a company’s reputation – can be hard to predict.
Philips was presented with evidence that the method they chose for creating secure tokens that allow mobile devices to authenticate to the wireless base station that manages HUE bulbs was trivially exploitable. Specifically: it relied on creating a “secure” cryptographic signature using two pieces of more or less public information: the MD5 algorithm and the MAC (machine address code) of the mobile device seeking access to the HUE base station. One writer likened that to using “a hashed street address as the combination to lock a front door.”
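To make the token weakness described above (and in the Dhanjani summary earlier) concrete from the defender's side, here is an added example that is not from the original post or from Philips: a small audit helper that flags whitelist entries derivable from a device's broadcast MAC, next to the hardened alternative of a random token checked in constant time. The whitelist layout and the MAC value are constructed for illustration; the real bridge's storage format is not shown on the page.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Set

# Constructed sample: a bridge whitelist holding, as the post describes,
# the MD5 hex digest of the paired phone's MAC address (assumed format).
PAIRED_PHONE_MAC = "00:11:22:33:44:55"  # constructed, not a real device
WEAK_WHITELIST = {hashlib.md5(PAIRED_PHONE_MAC.encode()).hexdigest()}


def weak_token_for(mac: str) -> str:
    """The scheme the post criticises: token = md5(MAC).
    The MAC is broadcast on the local network, so the token carries
    no secret entropy at all; it is a fixed function of public data."""
    return hashlib.md5(mac.encode()).hexdigest()


def derivable_tokens(whitelist: Set[str], known_macs: Iterable[str]) -> List[str]:
    """Audit check: which of the devices whose MACs a defender already
    knows have a whitelist entry that is just md5(MAC)? Any hit means the
    'secret' token adds nothing beyond knowledge of a public identifier."""
    return [mac for mac in known_macs if weak_token_for(mac) in whitelist]


def issue_random_token() -> str:
    """Hardened replacement: a 256-bit token from the OS CSPRNG, generated
    at pairing time and unrelated to any device identifier. It can only
    be learned by the bridge and the device it was handed to."""
    return secrets.token_hex(32)


def is_authorized(whitelist: Set[str], presented: str) -> bool:
    """Membership check using a constant-time compare so that the
    comparison does not leak how much of a guessed token matched."""
    return any(hmac.compare_digest(presented, tok) for tok in whitelist)


if __name__ == "__main__":
    print("derivable from MAC:", derivable_tokens(WEAK_WHITELIST, [PAIRED_PHONE_MAC]))
    strong = {issue_random_token()}
    print("derivable from MAC:", derivable_tokens(strong, [PAIRED_PHONE_MAC]))
```

Run against the constructed whitelist, the audit reports the paired phone's entry as derivable; against a whitelist of random tokens it reports nothing, which is the property a fix needs to restore.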
The proper response would be for Philips to take the news of a trivial hack of the company’s core method for authenticating mobile devices seriously. That would entail:
- Respond to the security researcher who disclosed the vulnerabilities – something that Philips hadn’t done as of Wednesday, more than a month after Dhanjani first reported the problems.
- Promise a fix that, while not unbreakable (because nothing is), drastically raises the bar for would-be hackers.
- Re-assess the overall security of the HUE system and others like it. Among the questions to consider: how might the elements of a benign system like HUE be used maliciously, beyond the nuisance hacks this researcher has demonstrated? Could HUE, deployed in a commercial environment, be a stepping-stone to larger and more serious attacks?
Instead, Philips reminded its customers to “take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including HUE.”
Caveat emptor, indeed.