Security researchers have created an experimental IoT worm that can spread on its own to nearby compatible smart devices, causing havoc inside a modern smart city by allowing an attacker to jam WiFi connections, disturb the electric grid, or brick devices, making entire critical systems inoperable.
Researchers tested out this concept by putting together an IoT worm that targets Philips Hue smart lamps, used in smart buildings, but also for intelligent street lighting. These smart lightbulbs are programmed to talk to their controller and each other via the ZigBee wireless protocol.
The IoT worm leverages this protocol to infect the device and install firmware updates in order to carry out malicious operations. Potential attack vectors include:
To prove the effectiveness of their attack and how easy it would be for someone to carry one out, researchers recorded two videos.
One shows an attack rig mounted on a car that can drive around a city and spread the worm. The second shows the same attack rig mounted on a drone that can do the same thing.
In the videos, the attacks are only temporary, but they can be made permanent. Researchers say that the IoT worm can alter the device firmware in order to disable future updates, keeping the device in a hijacked state until operators replace the devices or manually reflash the firmware using physical access to the device.
The research team also speculated on a possible attack against the city of Paris, also known as the City of Light.
While their work focused on Philips Hue smart lightbulbs, the attack can be ported to any other device or collection of devices.
For their part, researchers reported the issues they discovered to Philips, which promptly issued firmware updates.
The team of four researchers from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada, published their work in a research paper titled "IoT Goes Nuclear: Creating a ZigBee Chain Reaction".
The Mirai IoT malware, which is behind the huge botnets used to launch catastrophic DDoS attacks against Dyn, OVH, and KrebsOnSecurity, also includes worm-like features, containing code to spread to random Linux-based systems that have left their Telnet ports open.
Similarly, there's also a self-replicating worm that targets industrial equipment. The worm is named PLC-Blaster and was also created as an experiment by security researchers.