A couple of weeks ago, a massive cyber attack temporarily took down some of the most popular sites on the web – including Twitter, Reddit, and Amazon – by co-opting millions of vulnerable 'smart home' devices.
And now security researchers have shown just how easy it is to pull off these kinds of 'Internet of Things' (IoT) attacks, in a brazen hacking demonstration using a drone to create a chain reaction of remotely infected smart light bulbs from hundreds of metres away.
The exploit, pulled off by Canadian and Israeli researchers, wasn't intended maliciously, but to reveal how vulnerable small networked devices like webcams, baby monitors, and smart appliances are to attacks by hackers.
These kinds of devices don't run security or antivirus software like PCs do, and the built-in security features they come with are often lacking or out of date, as the video of the hack shows.
The light bulb in question is a successful brand name too – Philips Hue light bulbs, one of the most popular smart lighting systems you can buy, which lets you remotely control things like the bulbs' brightness and colour via smartphone apps.
But the system seems to have a major vulnerability in its wireless protocol – called ZigBee – which the researchers exploited to pull off this attack.
Triggering the hack with an 'attack kit' that the researchers installed on a drone (in the video above) or on a ground station (the video below), the malware spreads contagiously from one light to another, and the attackers can start the domino effect from up to 400 metres (1,312 feet) away.
"[A]djacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass," the researchers explain in their paper.
In a dense city like Paris covering about 105 square kilometres (41 square miles), the researchers say the attack would spread over the whole metropolis, provided a critical mass of 15,000 devices is infected.
"The worm spreads by jumping directly from one lamp to its neighbours, using only their built-in ZigBee wireless connectivity and their physical proximity.
The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack."
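To see why the researchers talk about a "critical mass", the following added simulation (not from the article or the paper) scatters bulbs over an area the size of Paris and lets an infection hop only between bulbs within radio range of each other, the proximity-only spread the quote describes. The 150 m bulb-to-bulb range and the uniform placement are constructed assumptions, so the model shows the threshold effect itself, not the paper's exact 15,000 figure.

```python
import math
import random
from collections import defaultdict, deque

def place_devices(n_devices, area_km2, seed):
    """Scatter n_devices uniformly over a square of the given area (km^2)."""
    side = math.sqrt(area_km2)
    rng = random.Random(seed)
    return [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n_devices)]

def build_proximity_links(points, link_range_km):
    """Adjacency list: two bulbs are linked only if they sit within radio range.
    A grid hash keeps this near-linear instead of comparing every pair."""
    cell = link_range_km
    grid = defaultdict(list)
    for i, (x, y) in enumerate(points):
        grid[(int(x // cell), int(y // cell))].append(i)
    links = [[] for _ in points]
    r2 = link_range_km ** 2
    for i, (x, y) in enumerate(points):
        cx, cy = int(x // cell), int(y // cell)
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for j in grid.get((cx + dx, cy + dy), ()):
                    if j > i and (points[j][0] - x) ** 2 + (points[j][1] - y) ** 2 <= r2:
                        links[i].append(j)
                        links[j].append(i)
    return links

def infected_fraction(n_devices, area_km2, link_range_m, seed=1):
    """Fraction of bulbs reached from one seed bulb by hopping to in-range neighbours.
    link_range_m is an assumed bulb-to-bulb radio range, not a measured value."""
    points = place_devices(n_devices, area_km2, seed)
    links = build_proximity_links(points, link_range_m / 1000.0)
    start = random.Random(seed).randrange(n_devices)  # the single plugged-in bulb
    seen = {start}
    queue = deque([start])
    while queue:  # breadth-first spread over the proximity graph
        node = queue.popleft()
        for nb in links[node]:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return len(seen) / n_devices

if __name__ == "__main__":
    # Paris-sized area (105 km^2) at increasing device counts: the reached fraction
    # stays tiny until the density crosses a threshold, then jumps to nearly everything.
    for n in (2000, 5000, 10000, 15000):
        print(n, round(infected_fraction(n, 105, 150), 3))
```

Because each bulb only needs a neighbour within range, the risk for a given deployment is set by the density of compatible devices rather than by how many an attacker can reach directly, which is what makes the one-bulb starting point in the quote plausible.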
In case you've got any Philips Hue light bulbs running at home, you'll be pleased to know that the company promptly patched the security hole after the researchers informed them of the vulnerability.
But just make sure that your devices are running the latest software, otherwise hackers could host an impromptu strobe party in your living room.
For its part, Philips says the amount of know-how and equipment necessary to pull this hack off does not make it a serious risk for customers.
"We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack," a company spokesperson told John Markoff at The New York Times.
While that might be the case, the attack is just the latest demonstration of how exposed these kinds of relatively unprotected devices are.
The researchers only had good intentions here, but if they'd wanted to, they could have easily caused a lot of damage – whether rendering thousands of infected bulbs useless, or co-opting them all into a dangerous botnet like we saw in the large-scale attack a fortnight ago.
What's the solution? It's hard to say at this stage, given there are millions of networked smart devices connected to the internet from potentially thousands of different manufacturers.
But from the researchers' point of view, software and hardware makers need to step up their game quickly, before everybody's smart devices morph into potentially very dangerous liabilities.
"We can learn from history about the importance of good design practices for security protocols and how to implement them," the researchers write.
"We should work together to use the knowledge we gained to protect IoT devices or we might face in the near future large scale attacks that will affect every part of our lives."
The details of the attack have been described in a working paper available online.