A Drone may hack a {#IoT} Smart City

Within the next few years, billions of IoT devices will densely populate our cities to transform them into so called “Smart Cities”.

Serious security concerns regarding the Internet of Things (IoT) are continuing to mount in the wake of the massive DDoS attacks like the one that used a massive IoT botnet to take down a portion of the Internet last month. The Friday October 21, 2016 attack has been analysed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53.

This month, researchers were able to hack into the Philips Hue Light Link Touch System from an aerial drone more than a thousand feet away from the light source to remotely control the Hue lights and cause them to blink S-O-S in Morse code.

Researchers were able to flicker the lights at range of over ~50 meters while driving.

For those not familiar with the Philips Hue, it’s a popular personal wireless LED light bulb that allows users to choose white light or over 16 million colors (they say that the possibilities are up to your imagination!) from a smartphone app.

According to the technical paper titled, "IoT goes nuclear: Creating a ZigBee Chain Reaction", researchers discovered that they were able to exploit a weakness in the common wireless radio protocol called ZigBee (aka IEEE802.15.4) that is often used in #IoT smart home devices.

This paper describes a new type of threat in which the adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction.

I know, all this sounds like a typical sci-fi movie, but take a look at the videos to understand the enormity of the threat.

The worm spreads by jumping directly from one light bulb to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes. It enables the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

This video starts with an external footage of the drone taking off at a range of approx 350 meters. As the drone gets closer to the building, the ZigBee channel gets more reliable, and they are able to affect more lights, and the flickering becomes more regular. When the drone hovers in front of the building, the second phase of their attack can be seen. The lights have been “kidnapped” from their controller and are crying for help, signalling S-O-S repeatedly in Morse code.

“Drones can potentially take over an entire #IoT smart city and the worst part is that they could be half a mile away from ground zero!”

This scenario might be alarming enough by itself, but this is only a small example of the large scale problems that can be caused by the poor security offered in many IoT devices. So think twice before you go out and purchase IoT gadgets this Black Friday!

Thanks for reading my blog, please do share in your network. Your likes, comments and suggestions would be greatly appreciated.

- Prashant Jhingran @MyCoolVentures / [email protected]

 Disclaimer: The views expressed in the article are those of the author, and they do not reflect in any way those of the institutions to which he is affiliated. All product and company names are trademarks? or registered? trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.