Nova Scotia

Why hackers might be drawn to your smart light bulbs

Smart-bulb lights in a household, or even an apartment building, could be taken over by hackers, with one device being used to get into next, research by Dalhousie University PhD student Colin O'Flynn and colleagues in Israel has found.

Consumers need to pressure manufacturers for security features, says Halifax PhD student

Dalhousie University PhD student Colin O'Flynn was part of a research group that looked at smart light bulbs. (Zak Markan/CBC)

The technology that can turn on the lights in your home with a simple swipe on your smartphone may seem really cool. Thing is, hackers could have their eye on the same thing.

New research by Dalhousie University PhD student Colin O'Flynn and colleagues in Israel has found smart bulbs could be susceptible to infiltration — so much so that lights in a household, or even an apartment building outfitted with the technology, could be taken over by hackers.

The researchers have released a draft paper, which hasn't yet been published in a journal or peer-reviewed, that details a study of Philips Hue lamps, which use LED light bulbs operated through apps. 

O'Flynn, who studies in the department of electrical and computer engineering at Dalhousie, said the study looked at two things: "Can you reprogram it? Can you make it do bad things?"

The answers were yes and yes, according to the research.

Lights out

The researchers drove around their campus, the Weizmann Institute of Science in Israel, and controlled lights along the route, making them blink SOS in Morse code. They also flew a drone, with an attached device, over office buildings.

O'Flynn and his colleagues were able to make the bulbs talk to each other, which means it was possible to create a widespread viral infection.

Someone could program their light bulb to turn off their neighbour's, for instance. The range of a virus could be from 30 to about 400 metres, O'Flynn said.

"What happens if it's a big city and these are really popular?" O'Flynn said on CBC's Information Morning. "Maybe somewhere like San Francisco that might have a whole apartment building where a lot of people have these bulbs. Could you turn off a whole building? Could you do other stuff with them?"

No virus, company says

In a statement, Philips said its bulbs have not been infected by any virus and that it moved to patch a potential vulnerability when notified of it by the researchers last summer.

"The academics with whom we co-operated via our responsible disclosure process merely demonstrated the possibility of an attack," the statement said.

"They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us to develop and roll out the software update."

The company recommends customers install the update using the Philips Hue app.

The internet of things

There are many devices, from thermostats to security cameras, that are now part of "the internet of things," which means they connect to the web and can be accessed through a smartphone.

One little device can be used to get into another, O'Flynn said.

Recently, hackers crippled Dyn Inc., a major U.S. internet firm, which disrupted the availability of popular websites including Twitter, Netflix and PayPal.

A group claiming to be responsible for the attack said it organized networks of connected devices to create a massive botnet that threw 1.2 trillion bits of data every second at Dyn's servers, overwhelming the targeted machines.

Consumer pressure

Items like smartphones or even a fridge have the potential to be affected, O'Flynn said.

"Maybe from this smart bulb you could get into a wireless thermostat. From that you can get onto some other network," O'Flynn said.

He said there are solutions, but they cost companies money and time.

"It's really up to consumers to push the manufacturers," O'Flynn said. "The only reason they won't put good money into security is people don't ask for it."

With files from CBC's Information Morning, Associated Press