Hackers may could use internet-connected bulbs as a gateway to access data, videos or photos stored on devices connected to the same network

Wednesday, 23rd October 2019, 11:44 am

Updated Wednesday, 23rd October 2019, 11:45 am
UTSA researchers reviewed the security gaps on smart bulbs exposing consumers to hacks (Photo: UTSA)

Security vulnerabilities in smart lightbulbs could leave your home open to hacking by tech-savvy thieves, experts have warned.

Researchers from the University of Texas at San Antonio (UTSA) have discovered how hackers can use internet-connected bulbs as a gateway to access data, videos or pictures stored on devices connected to the same secured wireless network.

Sign up to our daily newsletter

The i newsletter cut through the noise

As the attacks’ commands are conducted within the home Wi-Fi network, the homeowner may be unaware it ever happened.

Smart bulbs, including Philips Hue, Lifx and Ikea’s Trådfri, are marketed as energy-efficient alternatives to traditional lamps, allowing owners to adjust their light intensity or colour through smartphones or other connected devices.

Exploiting systems

A Rainbow7 Bluetooth smart-enabled lightbulb is illuminated at CES 2016 (Photo: Getty)

Many bulbs connect to a wireless home network without the need for a smart home hub (hardware or software designed to oversee communications between smart devices), and are often equipped with infra-red technology to help surveillance cameras in low-light conditions.

Hackers can exploit a smart light’s infrared lighting to extract private information from devices connected to the same network by creating a “covert channel” between the bulb and an infrared-sensing device.

The study, published in the journal Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, urges smart bulb manufacturers to take security concerns seriously and add new measures to restrict their access to other smart home appliances.

Hacking the home

Remotely installing malicious software on the target’s smartphone or computer could give the hacker access to sensitive data, which they could encode and later transmit over the infrared covert channel created by the bulb, the researchers suggested.

Many smart bulbs do not require user authorisation to control them, meaning any smart device app granted permission to communicate with the smart bulb could be co-opted to extract and transmit the personal information.

“Your smart bulb could come equipped with infrared capabilities, and most users don’t know that the invisible wave spectrum can be controlled. You can misuse those lights,” said Murtuza Jadliwala, professor and director of the Security, Privacy, Trust and Ethics in Computing Research Lab in UTSA’s Department of Computer Science.

“Any data can be stolen: texts or images. Anything that is stored in a computer.”