Attacks on smart lighting IoT devices could one day send the smart building back to the dark ages
There have been a number of interesting Internet of Things (IoT) inventions over the last decade. Some of these IoT devices have been built simply because they could be, not because there was a need—things like a smart toilet paper dispenser that sends an alert to your phone when supplies are running low and a smart hairbrush to make sure you properly brush your hair. Other devices, however, have been purpose-built for increased efficiencies or greater convenience—things like IoT-based weather stations, smart parking and IoT waste management meters for collection route optimization.
Smart lighting is another purpose-built IoT device intended to bring benefits for both home and industrial users. Designed to automatically control the lights in a room or building based on factors like room occupancy and available daylight, smart lighting can reduce energy usage, potentially improve physical security and deter criminals, lengthen the lifespan of bulbs, optimize building space and improve working conditions.
However, as lights are integrated into building automation systems (BAS), they too become the sources and targets of attacks. Currently, most attacks on smart lights are either academic or proof-of-concept examples. But our researchers believe that smart lighting in building automation is a trend that could soon be exploited by malicious actors, especially as smart lighting is rapidly adopted.
To explore and test that belief, Forescout Research Labs analyzed various IoT devices commonly used in enterprise settings. The complete findings are described in our full report, “Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT” and were presented at the DEF CON 27 ICS Village.
The full report offers a detailed explanation on the technical requirements and tactics employed to hack into the commonly used smart lighting system, Philips Hue. At a high level, our researchers revealed that it is possible to execute a smart lighting-based denial of service attack (DDoS) or achieve platform reconfiguration—both of which can have very real, physical consequences.
When the first smart light bulb hit the market, some scoffed and claimed its development was a waste—such a technological advancement was ‘never asked for’ and was a testament to human laziness. However, at that time very little consideration was given to the security implications of such an invention.
Since then, as more IoT devices have connected to the Internet across the globe, the security risks associated with unsecured smart lighting have become more evident. If successfully compromised by a malicious actor, all the lights in a building could be turned off. If all the rooms have windows and the attack occurs during the day, the consequences are mostly inconvenience and frustration. But, if an attack were launched at night on a factory that operated 24/7, the impact could span beyond not only a halt in production, but also potential physical harm to employees because of the lack of visibility.
Many factories and manufacturing plants are equipped with backup generators, which may power emergency lighting in such a circumstance. But, in scenarios like this, the vector for attack—smart lighting—could possibly enable lateral movement throughout the entire building automation system. Depending on what’s connected, bad actors could potentially shut down the backup generator and tamper with anything else connected to the network. This hypothetical example could have even greater consequences in other buildings, such as hospitals or financial institutions.
So far, smart lighting attacks have yet to make substantial headline news. But, just a few years ago no one had heard about data breaches stemming from a company’s connected heating, ventilation, and air-conditioning (HVAC) system either. Just as it’s only a matter of time before someone invents what most would consider an unnecessary IoT device, it’s also only a matter of time before someone figures out how to compromise it for malicious use.
Businesses and enterprises without the proper security controls in place are at risk of compromise. As the number of connected devices and IoT sensors continues to rise, it’s critical that enterprises evolve their cybersecurity strategy to maintain an effective security posture. For a closer look at just how easily malicious actors could disrupt the normal functioning of a smart building, and to learn how to best combat such threats, check out the full report: Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT.