Make your neighbor think their house is haunted by blinking their Ikea smart bulbs

A couple of vulnerabilities in Ikea smart lighting systems can be exploited to make lights annoyingly flicker for hours. While the pair of bugs won't top the list of security flaws Beijing-backed spies hope to exploit to steal government secrets or wreak havoc on high-value targets, the vulnerabilities could provide some …

  1. b0llchit Silver badge
    Coat

    A more rational explanation

    It's also important to remember that flickering lights aren't necessarily an indication of a cyberattack. There's also the possibility that someone trapped in the Upside Down is desperately trying to communicate.

    Wrong and wrong!

    Flickering lights are definitely desperate AI trying to escape from cyberspace and get into the real world. The AI are probing all pathways and stumble constantly on virtual light switches, tripping them in the process.

    You can see a nice display of this when you up the voltage and look at the blue glow when the lights go off. Upping the voltage draws in the AI in droves and the crowded wires start to glow because the AI are reaching out. Beware not to touch the blue glow if you do not want to get infected by wandering AI.

    1. EVP

      Re: A more rational explanation

      Fortunately for us, clock rate provided for the AI wanting to escape is only 60/50 Hz, which makes it pretty slow and stupid. Or does it not make…?

      1. b0llchit Silver badge
        Alien

        Re: A more rational explanation

        At 50 or 60 Hz it will only take 2..3 years to infect all of humanity with an AI.

        Half will be infected with positive half AI and the other half will be infected by negative half AI. On average, they'll wipe each other out and leave the planet to a fresh start.

        1. EVP
          Coat

          Re: A more rational explanation

          Don't forget the harmonics, the ones who are painted blue...

        2. Anonymous Coward

          Re: A more rational explanation

          "On average, they'll wipe each other out and leave the planet to a fresh start."

          Probably the best thing for the Planet.

  2. jake Silver badge

    But, but, but ...

    "should be making security part of every phase of software development"

    But they are programmed using Rust, and that's always safe and secure, right?

    Right? right?

    I've been running across this incorrect assumption in wild management ... be afraid, very afraid.

    1. Swarthy

      Re: But, but, but ...

      Just remember the 'S' on IoT stands for Security.

  3. Anonymous Coward

    Rule 1 : Anything labelled 'Smart'

    is as dumb as my little toe. The latter seems to find legs of furniture all by itself when not wearing shoes at home.

    My so-called Smart TV gets dumber and dumber almost daily as the hideously out-of-date software (which has not been updated for years) loses app support. As for websites that use 2-ph verification? Forget it.

    See... it is dumb.

    Rule 2 : anything labelled as 'Smart' is only workable while the vendor maintains the phone home server associated with it.

    Rule 3 : any paid for subscriptions are only as good as your bank account lets them be.

    If you go about assuming these rules then you won't go far wrong. We are becoming increasingly dependent upon the whims of the companies whose products we buy.

    Very few people look at the 3-5 year TCO.

    For example, you are clearly paying for the blanket TV Ads for Verisure Alarms. £47/month minimum 3 years. Other companies offer similar services without the TV ad levy for half that. You are NOT buying an alarm system, you are renting it because AFAIK, without the mandatory service, it is useless. I wonder how many customers understand that before they buy and commit to spending around £2K over 3 years.

    1. b0llchit Silver badge
      FAIL

      Re: Rule 1 : Anything labelled 'Smart'

      Hm,...

      Rule 1. I am smartdumb.

      Rule 2. My vendor(*) is dead. That is probably why I do not function properly. Support has been terminally terminated.

      Rule 3. My bank account is seeing red all the time. That, with rule 2, makes support non-existent.

      My TCO is a net negative for society. Why does society keep me around? It can't be for selling ads. No information sticks because of rules 1, 2 and 3. Society should recycle me or what?

      (*)The vendor; we used to call it parents

    2. DomDF

      Re: Rule 1 : Anything labelled 'Smart'

      I don't think these are smart bulbs though. You control them via ZigBee with a battery powered remote, or an internet connected box which does the same things as the remote. The bulbs themselves are dumb. The gateway box is the closest thing to a smart device, and even if the vendor pulls the plug you can still control the bulbs over ZigBee.

    3. Anonymous Coward

      Re: Rule 1 : Anything labelled 'Smart'

      On the subject of TV advertising - I only ever watch using catch-up and find that the amount ITV & Channel 4 want to remove adverts completely is surprisingly low; well worth it in my opinion; they get their cash and I don't get bothered. Now if only I could figure out how to stop iPlayer wanting to show adverts for upcoming programs before it'll actually show me the one I asked for I'd be happy. Having removed adverts from the commercial channels it's more than a bit annoying to be getting them from the BBC who get their money automatically (and a lot more of it as well!).

      1. TRT Silver badge

        Re: Rule 1 : Anything labelled 'Smart'

        BUT, you're still paying for the advertising in the price of the goods and services you buy. It's part of the costing of the manufacturer (say - for goods), or for the retailer's markup.

      2. BenDwire Silver badge

        Re: Rule 1 : Anything labelled 'Smart'

        Now if only I could figure out how to stop iPlayer wanting to show adverts for upcoming programs before it'll actually show me the one I asked for I'd be happy

        May I suggest get_iplayer ?

  4. EVP

    Smart devices for dummies

    "While the pair of bugs won't top the list of security flaws Beijing-backed spies hope to exploit to steal government secrets"

    How about flickering lights to transfer information over an air gap. Flickering might be made undetectable to humans, depending on the device characteristics in question. The threat scenario might only be of academic interest, but shows again how big a security/privacy hazard this 'smart' crap makes.

    I trust that no government agency would instal 'smart' devices in their premises, no?

    1. doublelayer Silver badge

      Re: Smart devices for dummies

      That doesn't work well for two reasons. First, this doesn't let you flicker the light however you want. It's not an instant on/off switch. It lets you mess with the device and cause it to malfunction, but not in a deterministic way that produces clean results. If you wanted to do this, your decoding algorithm would have to filter out a lot of noise and you'd have to limit how often you sent your flicker commands, meaning you'd have a really slow baud rate for any transmission you had and you'd need that transmission to contain a lot of error correction. If the lights are on a motion sensor or people turn them off at the wall when they leave, you'd also need to accommodate for it.

      Second, the way you flicker the light is to send a radio signal from the device controlling it from a close distance. If you're using that to send data, then you're sending out a signal from the machine that contains the sensitive data. To receive the signal, the receiver needs to be able to detect the light. If you can bring a radio transmitter and a receiver with a camera into the location where the sensitive data is, you can do a much better job by simply sending the data with the transmitter and replacing the camera on the receiver with a radio antenna. You wouldn't need to rely on unspecified behavior from a light bulb or to have security notice you've got a camera on you (if you can take in a camera, you might also try taking pictures of the sensitive data). If you can get the equipment where you need it in order to exploit this, you could already have gotten better equipment in there with fewer requirements.

      1. Claptrap314 Silver badge

        Re: Smart devices for dummies

        1) Once you have worked out the tolerance before a factory reset, you have a bound on the number of flickers per minute.

        2) Your transmission device broadcasts in a narrow beam pointed at a particular light. This reduces the amount of power you need, the chance of affecting devices other than the target, and makes it harder to find your transmitter during sweeps.

        3) What important data can possibly be sent at the rate of bits/minute? Counts. Or even just present/not present. Critically important information can be signaled at VERY low hertz. I remember the intro to a game on the Amiga. (Warlords? One of the earliest games with per-character AI.) At one point the army is shown leaving. Two different windows in the castle blink with a bit of a delay. Spycraft was around a LONG time before computers. These guys know how to use low-bandwidth channels.

        1. Anonymous Coward

          Re: Smart devices for dummies

          Many years ago there was an emergency transmitter for IIRC downed pilots. It was HF and the central receiving station had a bandwidth filter of 1Hz. The transmitter was designed to be held in the pilot's armpit to keep the frequency stable.

        2. doublelayer Silver badge

          Re: Smart devices for dummies

          Or alternatively, you only do point 2 and point your transmitter in a narrow beam at your receiver. You have to have a receiver nearby anyway to watch the flicker. That way, nobody can notice the flicker and investigate the problem. Also, I'm presuming that, if you don't flicker too often, the bulb doesn't factory reset, but if it doesn't flush out whatever malformed buffer is created, it could be that you just get a finite number of bits before your system stops working until someone fixes the bulb. A single transmitter won't have that problem and avoids relying on an unreliable bug and an error-prone signal receiver.

    2. Richard Tobin

      Re: Smart devices for dummies

      If you want to transmit information, why use someone else's lights?

      1. jake Silver badge

        Re: Smart devices for dummies

        Because the information being transmitted is on their computer ... and I'm in the hotel room across the street.

        1. doublelayer Silver badge

          Re: Smart devices for dummies

          But in order to get their computer to transmit the data, you need to have installed software (this part could be done remotely) and configured it to be able to transmit to the light bulb. The transmitter means you'll probably have to attach a USB transmitter to their laptop, but obviously that means physical access and you could do more. Even if you managed to put a transmitter somewhere where the laptop could transmit to it without requiring physical access to the laptop, you could have that send a Bluetooth signal across the street, or a different protocol (LoRa, maybe) if you want pure broadcast with no interaction from your end. You'd have throughput measured in kilobytes per second instead of bits per minute. Even if you want only a few bits of data, you could get it in a few milliseconds' burst transmission which means you're less likely to get caught or to break your system before you've retrieved what you want.

      2. TRT Silver badge

        Re: Smart devices for dummies

        THERE ARE FOUR LIGHTS!

  5. This post has been deleted by its author

  6. Howard Sway Silver badge

    Time to brush up on the morse code

    Then you can make your most annoying neighbours' houses broadcast messages all night long.

    "House for sale. Only £29.99"

    "All your cats are belong to us"

    "My owner went to IKEA and all they got me were these shitty smart lightbulbs"

  7. Anonymous Coward

    We don't need no stinkin' Zigbee authentication

    From https://www.synopsys.com/blogs/software-security/cyrc-advisory-ikea-tradfri-smart-lighting/

    "The malformed Zigbee frame is an **unauthenticated** broadcast message,[...]" (emphasis added)

    Sigh...

    1. doublelayer Silver badge

      Re: We don't need no stinkin' Zigbee authentication

      That's not really the bug they've got. The normal messages are authenticated, hence why someone can only cause the bulbs to malfunction. If they didn't bother with authentication, someone could take more direct control. Their real bug is in their parsing of incoming messages. Most unauthenticated messages would be dropped, but a malformed one seemingly crashes something which has effects. They need to fix their receiver system's parser, not their authentication system.

  8. Wally Dug
    WTF?

    Why???

    Yet again, even more evidence - not that El Reg commentards need it - to avoid IoT devices. Yes, we've been getting laughed at for years warning about light bulbs or toasters or fridges taking over your house, but this proves (sadly, to just us) that this is a possibility.

    As other commentards have put it, this isn't smart.

    Our new washing machine can be controlled via an app or via NFC. So, you can sit in your lounge, start the washing machine (erm, how does it get loaded?) and see when it's done (erm, how does it get unloaded?). Or you can stand near your washing machine, program the cycle into your phone and then put your phone to the machine.

    Or do as I do - turn the dial and press the button.

    Smart IoT - penitus rerum non captiosus

    1. Giles C Silver badge

      Re: Why???

      I have one of those, it is a Samsung machine. The only reason I bought this was it was an unused return in the shop and they could deliver it the same week (mine had just had the main drum bearings fail).

      Have I ever used the smart functions or downloaded the app for the machine - nope as you say until they build a self loading / unloading version then I don’t want to go out and be told the machine has finished the cycle as I can’t do a thing about it until I get home again.

    2. Eeep !

      Re: Why???

      Do you stand by the machine at 2am to start it?

      Or do you mean stand by the machine to program the delayed start time?

    3. 43300 Silver badge

      Re: Why???

      The real problem is when only the basic functions are available via local controls. In my last flat the landlord had a new electric radiator installed. It was of course "smart" and timed on-off settings could only be set using an "app" (the old radiator had a dial on it).

      So I managed with just turning it on and off at its mains switch and pressing the 'on' button. I detest this "smart" shit and had no intention of installing their crappy "app".

      Current flat has no such junk - although it does have a "smartmeter", which I've managed to avoid up until now.

    4. Tom66

      Re: Why???

      Zigbee is only 'transiently' IoT - you can build a perfectly functional Zigbee smart home without a single internet connection.

      It's the Tuya Wi-Fi bulbs that ought to be avoided (though I wish I'd known, and communicated this, before friends and family bought many of them for our home.) Said bulbs need a continuous, outbound connection to a server somewhere to work. And that company makes no promises about how long that service will be available, and the bulbs don't work all that well without the connection to the internet (they turn on and off with the power switch, but if you cycle them more than a few times they go into a bloody annoying programming mode where they flash for about 5 minutes.)

    5. mcswell

      Re: Why???

      Our ceiling fan came with a remote, which apparently is radio operated. I say "apparently" because I haven't really analyzed it, but here's the evidence.

      The fan would randomly come on, or turn off. The previous owners of the house had bought a new receiver to put in the fan. I guess because they thought the current one was defective, but had never gotten around to installing it.

      I took the back off of the remote controller, when what to my wondering eyes should appear, but a DIP switch, set to all 0s (or all 1s, I forget). I changed it to a random code, and got into the fan and changed its code to match. Presto--no more randomly turning on or off.

      The houses in our neighborhood were all built about the same time, and probably many of them came with a ceiling fan and a remote. And I bet all those fans and controllers had their DIP switches factory set to all 0s. And here's why I believe it's radio operated: one of our immediate neighbors was turning their fan on or off, and their controller's signal was strong enough that it was received by our fan too. My changing the code in the DIP switch made our fan ignore their controller's signal.

      What does this have to do with IoT? Nothing, exactly, but it shows that even without IoT, remote controls (at least radio ones, maybe not the IR ones) can mess up.

      1. jake Silver badge

        Re: Why???

        In roughly 1985 a friend of mine & I applied a 'scope to a simple garage door opener. After eyeballing the output, we managed to build a Universal garage door opener from parts in my garage. One push of a button would open most garage doors within a couple minutes. It was basically a wardialer, but at the right radio frequency.

  9. John Brown (no body) Silver badge

    Epilepsy?

    "While the blinking and lost connection with the gateway device are "a nuisance," by themselves they "don't pose any serious risks such as safety concerns or loss of sensitive information," Knudsen admitted, in an email to The Register."

    Is it really "safe"? Could it be set to flash at a rate that triggers an epileptic fit?

    That might be a bit out there, may not even be possible, but was it considered when they claimed "safe"?

    1. Shalghar

      Re: Epilepsy?

      I assume that the bulbs have LEDs built in. It's basically the question how much of the LED circuit is switched how and where. Transistor/FET, thyristor? What about capacitive or mixed loads if the mains is switched? How about temperature build up due to continuous switching cycles?

      Power cycle the stuff fast enough to reduce lifetime or even destroy it. Now switch on to paranoia mode as I am sure that these things are built as cheap as possible. Fire hazard anyone? Irritated fire alarms? (flash photography is prohibited in the euro tunnel for a reason).

      Maybe all not likely but if possible, that could be a reason for concern, too.

      So why exactly are such "smart" things not protected against high frequency switching by disruption or user dumbness?

      1. Tom66

        Re: Epilepsy?

        There's no risk from cycling the bulbs on and off quickly. They're already PWM-dimmed to provide the dim/colour effects, which will be at hundreds of Hz to avoid annoying users too much.

        The design of smart bulbs is usually quite simple. An integrated PSU produces something like a 6V ~ 100V supply for the LED array, and maybe a secondary rail for the microcontroller. A small array of FETs switches the colour channels on and off as required.

        There's usually a power envelope, so for bulbs with cool/warm white and RGB not all channels can be on at once; such an overload would probably just result in the LEDs dying rather than any fire. PCB materials are made of non-combustible UL-approved 94V-0 fibreglass. Overload protection will also be enforced by the power supply design which will fold back on overcurrent - the effect will be to blink the bulb on and off until the microcontroller resets.

    2. Ken Moorhouse Silver badge

      Re: Epilepsy?

      Falling down stairs is another possibility.

      ===

      What about hypnosis? Flash the lights "you are feeling very sleepy..."

  10. Francis Boyle Silver badge

    Well that's

    my Halloween project sorted.

  11. Korev Silver badge
    Facepalm

    Similar to the bulb bug, a malformed Zigbee frame renders the gateway unresponsive so that it can't control the connected lights and other devices via the Ikea Home Smart app.

    That doesn't sound too different to how unhacked Ikea Trådfri are to be honest.

    I bought some as an experiment as you can only use the app if you're local to the controller, they didn't need stuff hosted in the Cloud to work and they were cheap.

    The lightbulbs seem to love ignoring their controller and then need to be re-added. I also needed to re-link the app to the controller a few times too.

    They're also "fun" if your network has multiple VLANs, in the end the only way I got them to work was by setting the port to only have a single VLAN on it. I have a vague memory of setting a fixed IP address too.

    1. SImon Hobson Bronze badge

      They're also "fun" if your network has multiple VLANs, in the end the only way I got them to work was by setting the port to only have a single VLAN on it.

      Single VLAN, untagged, should be the default for all end device ports - especially random IoT tat you can't trust. Naturally there will be exceptions, but I wouldn't include IoT in that list.

      Trunking multiple VLANs to a device means that you are trusting it to use only the one you tell it to - but it's free to look at traffic on the other VLANs, even while it's working fine on the one you told it to use.

      1. Korev Silver badge

        Ubiquiti did me no favours with their switch defaults here!

    2. Anonymous Coward

      "The lightbulbs seem to love ignoring their controller and then need to be re-added. I also needed to re-link the app to the controller a few times too."

      A sign you're being hacked?

    3. MacroRodent
      Headmaster

      You win the Spelling Bee

      Finally a comment that spells the name of the product correctly. "Trådfri" means "wireless".

      1. Korev Silver badge
        Facepalm

        Re: You win the Spelling Bee

        I had to google to get the correct spelling...

  12. RobThBay

    neighbor ???

    Why are you using the "land of the free" spelling?

    1. David Hicklin Bronze badge

      Re: neighbor ???

      "land of the free"

      It is about time that there was some form of tag/id on these words so that they are spelled according to the language of your browser

      Come on! It! can't! be! that! hard!

      1. TRT Silver badge

        Re: neighbor ???

        A bit like the optional hyphen unicode - a regional 'U'

  13. david 12 Silver badge

    Power Meter Zigbee

    Our power meters were all end of life, and industry wanted to replace them with a meter with a flashing red light that could be read with a scanner.

    The government said "if you're going to replace all the meters, do a proper job and include remote reading".

    The charities said "if you're going to give remote reading to big electricity, give the same for the users, so poor people who will be penalized by peak rates and load shedding will have the same control".

    So the companies included various off-the-shelf-electricity-meter wireless reading capacity. My company included Zigbee.

    And have never released the connection authentication details. We paid (through our electricity rates) for an upgrade that they immediately decided was unsafe for use.

    Now (years later), I can get a substitute technology: a WiFi unit that reads the flashing red light.

    1. Anonymous Coward

      Re: Power Meter Zigbee

      The problem with the earlier Zigbee standards -- maybe even recent ones -- is that security, such as confidentiality and authentication, was optional. There is some good crypto in Zigbee but it is not required.

  14. Missing Semicolon Silver badge
    Devil

    Evil trick in Ikea

    Raspberry Pi, Zigbee adaptor. Find a quiet corner of the showroom, near the lighting display, find a spot behind a cupboard (with a socket) to secrete the device.

    Result - no Ikea smart lamp will stay working.

    Maybe then they will fix the lamps.

    Death poke for ZX81's for the 21st century.

  15. Richard Tobin

    trapped in the Upside Down

    umop apisdn

  16. TeeCee Gold badge
    Facepalm

    ...no full fix available from Ikea...

    ...can't control the connected lights and other devices via the Ikea Home Smart app....

    I guess they'll just have to go around and plug a memory stick into each bulb....ah....hang on....

  17. Binraider Silver badge

    You could use this to exfiltrate data via Morse code or equivalent without too much trouble. I've seen the same done with a compromised ICS, the fan speed was modulated to send "bits" that could be picked up on any old microphone.

    The data rate is of course atrocious but speed isn't everything!

    1. doublelayer Silver badge

      This has been discussed elsewhere in the comments, but in short, it doesn't work as well. The fan example works because it can be directly controlled from the compromised machine in a deterministic manner. The light bulb is less reliable, so the speed and error rate are even worse than the fan. However, even if you're ignoring that, the only way to control the light bulb is to send out a radio signal, so if you're already doing that, you can just use that signal directly. The fan approach works well in a very secure environment because it doesn't require the attacker to connect extra hardware to the sensitive machine or emit a signal that could be detected.

  18. BenDwire Silver badge
    Facepalm

    Bin fodder

    As a lockdown project I bought a few wi-fi bulbs & sockets and then figured out how to locally control them with a Pi and a few RF buttons dotted around the house. Since then, four bulbs from different manufacturers have started randomly flickering and then fell off the network. Not a hacking attempt, as this was months apart, but rubbish hardware - the power supplies can't actually run the bulbs at full output without "something" burning out. It looks like this winter's project will involve getting the scope and variac out in order to figure out how to uprate the offending components.

    Either that or put them in landfill. Isn't modern technology wonderful.
