Infrared channels could help attackers steal data and even reconstruct video images, say US researchers.
Smart lighting products have soared in popularity in recent years. A common feature of most of them is the ability to control lights remotely via Wi-Fi, Bluetooth, or other networks. Most systems are LED based, but some are also equipped with infrared capabilities to aid surveillance cameras in smart homes and offices.
But while smart lighting systems offer many environmental and energy minimisation benefits, as well as the ability to customise settings to suit users’ moods, most are connected to home or office networks, either directly or via a communication hub, and can be controlled by users’ mobile devices. As a result, smart lights are “poised to become a much more attractive target for security/privacy attacks than before”, according to new research published in the US.
Researchers from the University of Texas have discovered that some smart lightbulbs could be compromised by hackers to infer users’ preferences and steal private data – even if the systems have been secured against attack via the internet.
The researchers tested two of the most popular smart lighting systems, LIFX and Philips Hue, and found that the bulbs created new potential avenues of attack for hackers and other malicious actors.
“These connected lights create a new attack surface, which can be maliciously used to violate users’ privacy and security,” says the research.
The findings reveal that three new types of attack are possible, using the optical properties of the lights themselves, rather than their IP connectivity.
“The first two attacks are designed to infer users’ audio and video playback [choices] by a systematic observation and analysis of the multimedia visualisation functionality of smart lightbulbs,” says the report.
Anindya Maiti and Murtuza Jadliwala from the University of Texas at San Antonio looked at how smart bulbs receive commands for changing the brightness and colour of bulbs when music or videos are playing.
The researchers found that hackers could create or acquire a database of patterns that correspond to songs and videos and use this as a reference to build a profile of the victim’s likes and preferences.
In other words, hackers could determine which songs and videos the user is playing, merely by analysing the changing light intensities and colours of the smart lights.
While such an attack might seem unlikely, it could have significant privacy implications for smart light users. For instance, the US Video Privacy Protection Act (1988) was enacted to prevent abuse of users’ media consumption information, which can potentially reveal fine-grained personal interests and preferences.
Seeing red
The third attack type is more serious, suggests the report, and uses the infrared capabilities of smart light bulbs to create a covert communication channel, which could be used as a gateway to exfiltrate users’ private data out of their secured home or office network.
“With the help of a malicious agent on the user’s smartphone or computer, the adversary can encode private information residing on these [smart home] devices and then later transmit it over the infrared covert-channel residing on the smart light,” says the report.
“Moreover, as several popular brands of smart lights do not require any form of authorisation for controlling lights (infrared or otherwise) on the local network, any application installed on the target user’s smartphone or computer can safely act as the malicious data exfiltration agent.”
Exfiltration of data is possible using transmission techniques such as amplitude and/or wavelength shift keying, using both the visible and the infrared spectrum of the smart bulbs.
Additional reporting: Rene Millman.
Internet of Business says
Researchers said that the threats detailed in the paper could be mitigated by enforcing strong network rules, so that computers and smartphones cannot control smart lightbulbs over an IP network. However, such rules could, of course, harm the utility of the system, they said.
Users could also do something almost unheard of in the always-on, selfie-focused world: simply draw the curtains.
The detailed research findings are available here.