How to launch a citywide bricking attack? Too easy, thanks to the proliferation of IoT devices that have blanketed the landscape in recent times. The Mirai botnet has demonstrated how easy it is to turn innocent smart devices into mindless zombies used to launch massive DDoS attacks against selected targets.

Variations of that malware have already been used to bring down several high-traffic websites, effectively disrupting access for millions of people. Other variations of the infamous Mirai were also responsible for last week’s attack that virtually cut off Liberia from access to the internet.

Ever since the source code for Mirai found its way into the wilds of the internet, numerous malicious hacker groups have dissected it with the aim of using it to seek out vulnerable devices they can hijack and use to launch DDoS attacks.

As can be expected, the botnets come in various capacities, depending on the level of skill of their creators. While some of those operators are low-skilled, quite a number of them really know what they are doing.

The hackers behind the attacks on Dyn and Liberia fall into the upper echelons of the skill range. Suddenly, we are looking at Mirai operators with enough firepower to adversely affect systems in a nation state.

Researchers from Israel’s Weizmann Institute of Science and Dalhousie University in Canada have demonstrated how a flaw in ZigBee, a wireless protocol used in many internet of things devices, can be exploited to take control of certain smart devices.

In a research paper titled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction”, they described a new type of threat in which adjacent IoT devices infect each other with a worm that spreads explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass.

They developed and verified such an infection using the popular Philips Hue smart lamps as a platform.

The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity.

The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.
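To illustrate the density threshold the researchers describe, here is an added example (not code from the paper or from this article) that models the spread as percolation on a random geometric graph: devices are placed at random, linked when within an assumed radio range, and a breadth-first search from one seeded device shows how far the infection reaches. The device count, radio range and unit-square area are constructed assumptions; the point is that reach stays local until the mean number of in-range neighbours passes a critical value.

```python
"""Risk model for the density-dependent chain reaction (added example).
Devices sit at random in a unit square and relay only within radio_range;
one seeded device is infected and we count how many others it reaches."""
import math
import random
from collections import deque

def build_adjacency(positions, radio_range):
    """Undirected adjacency list: i-j linked if within radio_range (O(n^2))."""
    n, r2 = len(positions), radio_range * radio_range
    adj = [[] for _ in range(n)]
    for i in range(n):
        xi, yi = positions[i]
        for j in range(i + 1, n):
            dx, dy = xi - positions[j][0], yi - positions[j][1]
            if dx * dx + dy * dy <= r2:
                adj[i].append(j)
                adj[j].append(i)
    return adj

def spread_from(adj, seed):
    """BFS from one infected device; returns the set of devices reached."""
    reached, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached

def mean_degree(n_devices, radio_range):
    """Expected in-range neighbours per device (ignoring borders): n * pi * r^2."""
    return n_devices * math.pi * radio_range ** 2

def infected_fraction(n_devices, radio_range, rng_seed=1):
    """Fraction of n_devices reached from device 0 for a fixed random placement.
    Counts and ranges are constructed assumptions, not values from the paper."""
    rng = random.Random(rng_seed)
    positions = [(rng.random(), rng.random()) for _ in range(n_devices)]
    return len(spread_from(build_adjacency(positions, radio_range), 0)) / n_devices

if __name__ == "__main__":
    # Sweep the range: reach stays local until mean degree passes roughly 4-5
    for r in (0.015, 0.03, 0.05, 0.08):
        print(f"range={r:.3f} mean_degree={mean_degree(1000, r):5.1f} "
              f"reached={infected_fraction(1000, r):.3f}")
```

A defender can plug in an estimated device count per area and radio range to judge whether a deployment is above or below the percolation threshold before worrying about the worm itself.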

To make such an attack possible, the researchers had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates.

They overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test.

To solve the second problem, they developed a new version of a side-channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. They used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates.

By extracting the global keys Philips uses to encrypt and authenticate new firmware, the researchers were able to load a malicious over-the-air firmware update.

This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.

Grave Implications

Attacking the electric grid

All the city’s smart lamps can be scheduled to simultaneously turn on and off multiple times. The sudden changes in power consumption can have a detrimental effect on the electric grid.

Causing epileptic seizures

By repeatedly flashing the lights at the right frequency, it is possible to induce epileptic seizures in photosensitive people on a large scale.

The researchers said they have made a full disclosure to Philips Lighting, including all the technical details and suggestions for a fix. Philips has already confirmed and fixed the takeover vulnerability.