The early IoT gets the worm

Five days after the start of World War I, Sir Edward Grey, British Foreign Secretary, remarked to a close friend, “The lights are going out all over Europe, we shall not see them lit again in our lifetime.”

Recently a team of researchers from the Weizmann Institute of Science and Dalhousie University released a paper that described exactly how you might do just that – turn all the lights out.

The paper is called (rather provocatively) “IoT Goes Nuclear: Creating a ZigBee Chain Reaction” and describes how the researchers were able to successfully attack, with no prior information, smart lightbulbs from a considerable distance, using both traditional war-driving and war-flying (remotely attacking from an off-the-shelf drone).

Even with what would appear to be good security built into the devices, the attackers were able to utilize a bug in the over-the-air update mechanism to switch the bulbs back to factory reset mode, and then take them over from a distance of 100 meters or more.

But that’s just the start.

Once they have control of a bulb, they can cause the bulb to repeat the process independently. Infect one bulb, and if there’s another bulb in range, it will pass along the worm, and so on. With sufficient density (they calculated around 15,000 bulbs installed across a city the size of Paris) the worm could own them all. Replacing any infected bulb would simply cause nearby bulbs to re-infect it, possibly more rapidly than you could patch it.
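The density argument and the patch race described above can be made concrete with a small percolation model. What follows is an added example written for this post, not code from the paper or its authors: the 100 m reach is the figure quoted above, while the approximate Paris area, the scaled-down 3 km square, the grid and uniform layouts, and the defender's patch rate are assumptions of the model.

```python
# Added example, not from the paper or this post: a toy model of device-to-device
# worm spread, used to see how install density and patch speed interact.
import random
from collections import deque


def build_links(positions, radius):
    """Adjacency lists: bulb i is linked to bulb j when they are within `radius`
    metres. Plain O(n^2) pair check, fine for the few thousand nodes used here."""
    n = len(positions)
    r2 = radius * radius
    adj = [[] for _ in range(n)]
    for i in range(n):
        xi, yi = positions[i]
        for j in range(i + 1, n):
            dx, dy = xi - positions[j][0], yi - positions[j][1]
            if dx * dx + dy * dy <= r2:
                adj[i].append(j)
                adj[j].append(i)
    return adj


def mean_neighbours(adj):
    """Average number of in-range peers. For a random layout, continuum
    percolation theory puts the connect-almost-everything threshold near 4.5."""
    return sum(len(peers) for peers in adj) / len(adj)


def reachable_fraction(adj, start=0):
    """Share of bulbs a worm seeded at `start` can ever reach if nobody patches."""
    seen = {start}
    queue = deque([start])
    while queue:
        i = queue.popleft()
        for j in adj[i]:
            if j not in seen:
                seen.add(j)
                queue.append(j)
    return len(seen) / len(adj)


def simulate(adj, steps, patched_per_step, seed=0, start=0):
    """Discrete-time spread against a defender who resets `patched_per_step`
    infected bulbs each round. A reset bulb is clean but still vulnerable, so an
    infected neighbour can take it again (the replace-and-reinfect race above).
    Returns how many bulbs are infected after `steps` rounds."""
    rng = random.Random(seed)
    infected = {start}
    for _ in range(steps):
        spread = set()
        for i in infected:
            spread.update(adj[i])
        infected |= spread
        victims = rng.sample(sorted(infected), min(patched_per_step, len(infected)))
        infected.difference_update(victims)
    return len(infected)


def grid_positions(per_side, spacing):
    """Constructed layout: bulbs on a square grid, `spacing` metres apart."""
    return [(x * spacing, y * spacing) for x in range(per_side) for y in range(per_side)]


def uniform_positions(count, side, seed=0):
    """Constructed layout: `count` bulbs scattered uniformly over a side x side metre square."""
    rng = random.Random(seed)
    return [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(count)]


if __name__ == "__main__":
    # Assumptions: a 100 m radio reach (the distance quoted above) and a city
    # area of roughly 105 km^2 for Paris. To keep the pair check quick we model
    # a 3 km x 3 km patch and scale the bulb counts to the same density per km^2.
    reach, side = 100.0, 3000.0
    city_km2, patch_km2 = 105.0, (side / 1000) ** 2
    for city_bulbs in (5_000, 15_000, 30_000):
        count = round(city_bulbs * patch_km2 / city_km2)
        adj = build_links(uniform_positions(count, side, seed=1), reach)
        print(f"{city_bulbs:>6} bulbs city-wide -> {count:>5} in patch, "
              f"mean peers {mean_neighbours(adj):.2f}, "
              f"reachable {reachable_fraction(adj):.0%}, "
              f"infected after 50 rounds with 2 resets/round: "
              f"{simulate(adj, 50, 2, seed=1)}")
```

Under these assumptions 15,000 bulbs over 105 km² gives each bulb about 4.5 peers inside a 100 m radius, which is right where a random layout starts to connect into one large component, while a third of that density leaves the worm stuck in small islands. The `simulate` run is the other half of the story: once the network percolates, a defender who can only reset a couple of bulbs per round never catches up, because each reset bulb sits next to infected neighbours that take it straight back.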

Infected bulbs could do any number of annoying things, including flashing fast enough to potentially cause epileptic seizures or exfiltrating data from air-gapped networks. Alternatively, attackers could simply turn them off – and keep them off, permanently.

Here we see the real challenges of IoT security. Something as simple as a lightbulb can be subverted and used to perform any number of anti-social activities, or downright dangerous things. Worse, the capability to spread rapidly across a wide geographic area is facilitated by the ad-hoc nature of the machine-to-machine connection – not reliant on physical infrastructure to support communications.

The issues boil down to:

  • Simple devices can be subverted to achieve complex, or significantly damaging, attacks
  • The ability for devices to communicate with one another will enable worm-like attacks to propagate, given sufficient density of devices
  • The very update capability that would be used to patch devices can potentially be used to attack them
  • Even manufacturers who have attempted to employ industry standards and good security can still build vulnerable devices
  • As the density of devices increases, so does the vulnerability of the resultant infrastructure
  • Traditional, internet-aware security may be useless, as the devices bypass the internet entirely and attack each other directly.

It’s a mess. We need a better way to identify and mitigate these types of attacks, which we may only become aware of once they are already in progress. Hoping we can build in enough security to prevent these attacks seems more and more like a pipe dream. We need a way to intercept communications, quarantine devices, and eliminate infections, in real time, if we’re to keep control of the IoT. That’s something that, as far as I know, doesn’t exist yet.

Anyone want to build one? I mean, while the lights are still on.