Smart lightbulbs can be used to steal secure data, finds report
Smart lights could be most popular IoT device in the next decade
Smart lights could be most popular IoT device in the next decade

Smart lightbulbs can be used to steal secure data, finds report

Infrared channels could help attackers steal data and even reconstruct video images, say US researchers.

Smart lighting products have soared in popularity in recent years. A common feature of most of them is the ability to control lights remotely via Wi-Fi, Bluetooth, or other networks. Most systems are LED based, but some are also equipped with infrared capabilities to aid surveillance cameras in smart homes and offices.

But while smart lighting systems offer many environmental and energy minimisation benefits – as well as the ability to customise settings to suit users’ moods – most are connected to home or office networks – either directly or via a communication hub – and can be controlled by users’ mobile devices. As a result, smart lights are “poised to become a much more attractive target for security/privacy attacks than before”, according to new research published in the US.

Researchers from the University of Texas have discovered that some smart lightbulbs could be compromised by hackers to infer users’ preferences and steal private data – even if the systems have been secured against attack via the internet.

The researchers tested two of the most popular smart lighting systems from LIFX and Phillips Hue and found that the bulbs created new potential avenues of attack for hackers and other malicious actors.

“These connected lights create a new attack surface, which can be maliciously used to violate users’ privacy and security,” says the research.

The findings reveal that three new types of attack are possible, using the optical properties of the lights themselves, rather than their IP connectivity.

“The first two attacks are designed to infer users’ audio and video playback [choices] by a systematic observation and analysis of the multimedia visualisation functionality of smart lightbulbs,” says the report.

Anindya Maiti and Murtuza Jadliwala from the University of Texas at San Antonio looked at how smart bulbs receive commands for changing the brightness and colour of bulbs when music or videos are playing.

The researchers found that hackers could create or acquire a database of patterns that correspond to songs and videos and use this as a reference to build a profile of the victim’s likes and preferences.

In other words, hackers could determine which songs and videos the user is playing, merely by analysing the changing light intensities and colours of the smart lights.

While such an attack might seem unlikely, it could have significant privacy implications for smart light users. For instance, the US Video Privacy Protection Act (1988) was enacted to prevent abuse of users’ media consumption information, which can potentially reveal fine-grained personal interests and preferences.

Seeing red

The third attack type is more serious, suggests the report, and uses the infrared capabilities of smart light bulbs to create a covert communication channel, which could be used as a gateway to exfiltrate users’ private data out of their secured home or office network.

“With the help of a malicious agent on the user’s smartphone or computer, the adversary can encode private information residing on these [smart home] devices and then later transmit it over the infrared covert-channel residing on the smart light,” says the report.

“Moreover, as several popular brands of smart lights do not require any form of authorisation for controlling lights (infrared or otherwise) on the local network, any application installed on the target user’s smartphone or computer can safely act as the malicious data exfiltration agent.”

Exfiltration of data is possible using transmission techniques such as amplitude and/or wavelength shift keying, using both the visible and the infrared spectrum of the smart bulbs.

Additional reporting: Rene Millman.

Internet of Business says

Researchers said that the threats detailed in the paper could be mitigated by enforcing strong network rules, so that computers and smartphones cannot control smart lightbulbs over an IP network. However, such rules could, of course, harm the utility of the system, they said.

Users could also do something almost unheard of in the always-on, selfie-focused world: simply draw the curtains.

The detailed research findings are available here.

Chris Middleton
Chris Middleton is former editor of Internet of Business, and now a key contributor to the title. He specialises in robotics, AI, the IoT, blockchain, and technology strategy. He is also former editor of Computing, Computer Business Review, and Professional Outsourcing, among others, and is a contributing editor to Diginomica, Computing, and Hack & Craft News. Over the years, he has also written for Computer Weekly, The Guardian, The Times, PC World, I-CIO, V3, The Inquirer, and Blockchain News, among many others. He is an acknowledged robotics expert who has appeared on BBC TV and radio, ITN, and Talk Radio, and is probably the only tech journalist in the UK to own a number of humanoid robots, which he hires out to events, exhibitions, universities, and schools. Chris has also chaired conferences on robotics, AI, IoT investment, digital marketing, blockchain, and space technologies, and has spoken at numerous other events.