Drone used to hijack smart lights inside the building on the left

Security researchers have created an experimental IoT worm that can spread on its own to nearby compatible smart devices. In a modern smart city, it could cause havoc by allowing an attacker to jam WiFi connections, disturb the electric grid, or brick devices, making entire critical systems inoperable.

Researchers tested this concept by putting together an IoT worm that targets Philips Hue smart lamps, which are used in smart buildings and for intelligent street lighting. These smart lightbulbs are programmed to talk to their controller and each other via the ZigBee wireless protocol.

Some attack scenarios can look like pranks, while others can be catastrophic

The IoT worm leverages this protocol to infect a device and update its firmware in order to carry out malicious operations. Potential attack scenarios include:

  • Flash the lightbulbs at a high frequency in order to trigger epileptic seizures.
  • Schedule smart lamps to repeatedly turn on and off, causing sudden changes in the power consumption of an electric grid.
  • Alter the device firmware in a catastrophic way to cause mass street lighting outages.
  • Modify the device firmware to cause constant flickering, forcing authorities to shut down or replace hacked lightbulbs.
  • Use the smart lamp's internal "test mode" to emit radio waves that can jam local WiFi signals.

To prove the effectiveness of their attack and how easy it would be for someone to carry one out, researchers recorded two videos.

One shows an attack rig mounted on a car that can drive around a city and spread the worm. The second shows the same attack rig mounted on a drone that can do the same thing.

In the videos, the attacks are only temporary, but they can be made permanent. Researchers say that the IoT worm can alter the device firmware in order to disable future updates, keeping the device in a hijacked state until operators replace the devices or manually reflash the firmware using physical access to the device.

Entire cities can be shut down

The research team also speculated on a possible attack against the city of Paris, also known as the City of Light.

"The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already)."
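The percolation estimate in the passage above can be checked with a small density model. This is an added example, not code from the article or the research paper: the function names are hypothetical, the 100 m radio range is an assumption (the page states none), and 1.128 is the standard continuum-percolation threshold for overlapping disks in the plane.

```python
import math
import random

ETA_C = 1.128  # known 2D continuum-percolation threshold (critical filling factor of overlapping disks)

def critical_mass(area_m2, radio_range_m):
    """Device count above which randomly placed devices form one area-spanning cluster."""
    # Two devices are linked when disks of radius range/2 around them overlap.
    return ETA_C * area_m2 / (math.pi * (radio_range_m / 2) ** 2)

def largest_cluster_fraction(n, area_m2, radio_range_m, seed=0):
    """Scatter n devices uniformly over a square; return the share held by the largest cluster."""
    rng = random.Random(seed)
    side, r2 = math.sqrt(area_m2), radio_range_m ** 2
    parent = list(range(n))

    def find(i):  # union-find root lookup with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    pts, grid = [], {}  # grid cell edge = radio range, so neighbours sit in the 3x3 block
    for i in range(n):
        x, y = rng.uniform(0, side), rng.uniform(0, side)
        cx, cy = int(x // radio_range_m), int(y // radio_range_m)
        for gx in (cx - 1, cx, cx + 1):
            for gy in (cy - 1, cy, cy + 1):
                for j in grid.get((gx, gy), ()):
                    if (pts[j][0] - x) ** 2 + (pts[j][1] - y) ** 2 <= r2:
                        parent[find(i)] = find(j)
        pts.append((x, y))
        grid.setdefault((cx, cy), []).append(i)
    sizes = {}
    for i in range(n):
        root = find(i)
        sizes[root] = sizes.get(root, 0) + 1
    return max(sizes.values()) / n

if __name__ == "__main__":
    PARIS_AREA_M2 = 105e6  # 105 km^2, from the article
    RANGE_M = 100.0        # assumed radio range; not stated on the page
    n_c = critical_mass(PARIS_AREA_M2, RANGE_M)
    print(f"critical mass: about {n_c:,.0f} devices")
    for factor in (0.5, 1.0, 2.0):
        n = int(n_c * factor)
        share = largest_cluster_fraction(n, PARIS_AREA_M2, RANGE_M)
        print(f"{n:6d} devices -> largest cluster holds {share:.1%}")
```

For an operator, the same calculation run with the deployment's own area and measured radio range shows whether the installed base sits on the isolated or the connected side of the threshold.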

While their work focused on Philips Hue smart lightbulbs, the attack can be ported to any other device or collection of devices.

For their part, researchers reported the issues they discovered to Philips, who promptly issued firmware updates.

There's already an IoT worm going around

The team of four researchers from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada, published their work in a research paper titled "IoT Goes Nuclear: Creating a ZigBee Chain Reaction."

The Mirai IoT malware, which is behind the huge botnets used to launch catastrophic DDoS attacks against Dyn, OVH, and KrebsOnSecurity, also includes worm-like features: it contains code to spread to random Linux-based systems that have left their Telnet ports open.

Similarly, there's also a self-replicating worm that targets industrial equipment. The worm is named PLC-Blaster and was also created as an experiment by security researchers.