SAN ANTONIO, Texas, Oct. 28, 2019 — A study performed at the University of Texas at San Antonio (UTSA) revealed that some smart light bulbs purchased for home use could become a target for hackers foraging for personal information.
Some smart bulbs can connect to a home network directly, without needing a smart home hub (a centralized hardware or software device that enables IoT products to communicate with each other). If these bulbs are IR-enabled, a hacker could send commands via the IR light emitted by the bulb to either steal data or spoof other IoT devices connected to the home network. The owner might not know about the hack because the hacking commands would be communicated within the owner’s home Wi-Fi network, without using the internet.
UTSA researchers review the security gaps in smart bulbs that could expose consumers to hacks. Courtesy of UTSA.
To test smart bulb security, the researchers staged and evaluated hack attacks that took advantage of light emitted by these bulbs to infer private data and preferences. The first two attacks were designed to infer users’ audio and video playback through a systematic observation and analysis of the multimedia-visualization functionality of smart light bulbs. The third attack used the IR capabilities of smart light bulbs to create a covert channel, which could be used as a gateway to exfiltrate a user’s private data from a secured home or office network. A comprehensive evaluation of these attacks in various real-life settings confirmed their feasibility.
“Most users don’t know that the invisible wave spectrum can be controlled. You can misuse those lights,” professor Murtuza Jadliwala said. “Any data can be stolen: texts or images. Anything that is stored in a computer.”
Smart bulbs are no longer a novelty item; last year consumers spent close to $8 billion on them, and that amount is expected to more than triple to $28 billion in less than a decade.
“Think of the bulb as another computer,” Jadliwala said. “These bulbs are now poised to become a much more attractive target for exploitation even though they have very simple chips.”
Jadliwala recommends that consumers opt for bulbs that come with a smart home hub rather than those that connect directly to other devices. He also recommends that manufacturers improve security measures to limit the level of access these bulbs have to other smart home appliances or electronics within a home.
The research was published in the Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (http://dx.doi.org/10.1145/3351256).