ANYONE WITH THE KNOWLEDGE AND MOTIVATION COULD EXECUTE A SIMILAR ATTACK
Researchers from the Weizmann Institute of Science and Dalhousie University were able to execute the chain-reaction attack by exploiting a vulnerability in the ZigBee wireless communications protocol, a widely used home automation protocol found at the core of millions of today’s most popular smart home devices. Philips Hue lighting is just one example; other notable ZigBee devices include the Nest thermostat and Logitech Harmony Ultimate home-control hub. The infected payload was delivered by exploiting a weakness in Philips’ encryption to force an over-the-air firmware update using an “autonomous attack kit” built from “readily available equipment” costing just a few hundred dollars. In other words, anyone with the knowledge and motivation could execute a similar attack.
Philips was alerted to the vulnerability and a patch was issued last month. Nevertheless, the world is now flooded with insecure “smart” devices thanks to the simultaneous rise of dirt-cheap wireless modules and the availability of free Kickstarter and Indiegogo money to fund even the most ridiculous ideas. So expect things to get worse before they get better.