Security of Things (Episode 2)

The Internet Of Things seems to be very immature in terms of security, similar to what the Internet Of Humans was back in 1995. This week I have been following an interesting discussion on the Philips Hue connected light bulbs. It appears that a small homemade device, capable of sending the Hues into oblivion, can be built. All that is needed is a simple micro-controller (like the Arduino) and a ZigBee radio (like the XBee).

According to the discussions at the http://www.everyhue.com community site, here is what happened:
  1. A Hue lightbulb can be remotely reset (a standard Philips remote can do this trick).
  2. After the reset, the bulb starts looking for a ZigBee network coordinator.
  3. A rogue coordinator may give the bulb a random network key and send it over to a randomly selected ZigBee channel. Once this happens, there is no way to recover the bulb. It sticks to the random network key obtained from the evil coordinator. Since nobody knows the key anymore, there is no way to reset the bulb back to the factory settings.
To quote the ZigBee expert on the discussion thread:
It is possible to send the bulb to another channel via remote ZDP command but for this you need to know its current working channel and the network key.
But the key was randomly generated and is lost...
Tried every reset/steal known in the book (). Nothing works.
The flaw seems to be in the assumption that the bulbs should trust any ZigBee network coordinator they find. Silly bulbs. Why would they?

What seems to be missing in the conceptual design of the Philips Hue lighting system is some kind of second-factor authentication. The bulbs trust something in the air. They cannot verify what exactly it is that they trust. The human owner cannot help them either. It will be interesting to watch how the story unfolds. Security, or the lack of it, may turn the connected lighting into connected darkness, especially when the system is widely adopted. And this by no means is Philips' fault. Most of the connected things share this behavior. But at least many of them have a mechanical reset switch, which the Hue lacks...

The problem goes deeper. In the Internet Of Humans, we can independently judge the environment we are in. Is the network trusted or not? Is the certificate trusted or not? Does the site look legitimate? Is the DNS server behaving correctly? In the Internet Of Things, a light bulb is a very simple device, not capable of applying fuzzy logic AI to judge the environment it is in. It is programmed to trust whatever meets the simple criteria. Are you a ZigBee coordinator? Yes! Then give me the key and channel, thank you!

I think the IoT devices should never attempt to automatically commission themselves. They should ask humans for assistance, for example by matching QR codes or using a secondary identification factor, possibly NFC or a similar technique. Otherwise we are asking for a disaster...
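
To make the difference concrete, here is an added example (not code from Philips, the ZigBee specification or the discussion thread) that models a reset bulb's join decision twice: once trusting any coordinator, once requiring proof that the coordinator was given a per-device install code out of band, such as from a QR code. The install code, the HMAC-SHA256 proof and all names are assumptions made for the illustration, not the real ZigBee key transport.

```python
import hashlib
import hmac
import os

def offer_tag(install_code: bytes, nonce: bytes, channel: int, network_key: bytes) -> bytes:
    """Proof that the sender of this offer holds the bulb's install code."""
    msg = nonce + bytes([channel]) + network_key
    return hmac.new(install_code, msg, hashlib.sha256).digest()

class Bulb:
    """Model of a freshly reset bulb looking for a coordinator."""
    def __init__(self, install_code: bytes, require_proof: bool):
        self.install_code = install_code    # assumed: per-device secret printed as a QR code
        self.require_proof = require_proof  # False models the trust-anything behaviour
        self.nonce = self.channel = self.network_key = None

    def begin_join(self) -> bytes:
        """Start a join attempt; the fresh nonce stops an old offer being replayed."""
        self.nonce = os.urandom(16)
        return self.nonce

    def accept_offer(self, channel: int, network_key: bytes, tag: bytes = b"") -> bool:
        """Commit to a network only if the offer passes the bulb's policy."""
        if self.require_proof:
            nonce, self.nonce = self.nonce, None  # each nonce is usable once
            if nonce is None:
                return False
            expected = offer_tag(self.install_code, nonce, channel, network_key)
            if not hmac.compare_digest(expected, tag):
                return False  # stay unjoined and keep searching
        self.channel, self.network_key = channel, network_key
        return True

def demo() -> dict:
    code = os.urandom(16)  # constructed sample install code
    trusting, strict = Bulb(code, False), Bulb(code, True)
    trusting.begin_join()
    strict.begin_join()
    # A coordinator that never saw the QR code can only guess at the proof.
    unknown = (15, os.urandom(16), os.urandom(32))
    out = {"trusting_unknown": trusting.accept_offer(*unknown),
           "strict_unknown": strict.accept_offer(*unknown)}
    # The owner's coordinator was given the install code out of band.
    nonce, key = strict.begin_join(), os.urandom(16)
    tag = offer_tag(code, nonce, 20, key)
    out["strict_owner"] = strict.accept_offer(20, key, tag)
    strict.begin_join()
    out["strict_replay"] = strict.accept_offer(20, key, tag)  # stale nonce
    return out
```

Calling demo() shows the trusting bulb committing to the unknown coordinator's key, while the strict bulb rejects it, joins the owner's network, and refuses a replayed offer.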

