Smart lights vulnerable to “blink and you’ll miss it” attack

Over the last couple of years, key parts of our daily lives have been sliding into some form of Internet connectivity. Smartphones and other devices have become necessities. Paying bills? Those systems have moved online. Tax? Online. Wage slips and bank statements? It’s paperless time. Welfare assistance? There’s a login portal for that. In short, people need web access.

However, there’s a lot of non-critical systems and services which are making this leap too. And if it’s got a computer in it and it’s connected to the Internet, you know that sooner or later somebody will find a way to compromise it. Internet-connected light bulbs, now is your time to shine.

Shining a light on vulnerabilities

Back in 2021, researchers discovered two potential flaws in a popular smart lighting system. The vulnerability allowed them to make the light bulbs blink. In a worst case scenario, the system would “forget” its configuration and all bulbs would be set to maximum. These issues are outlined in CVE-2022-39064 and CVE-2022-39065. It’s the old “Blink once for yes, blink twice for no” except in this case it’s “Blink once to assume control, blink a few more times to perform a factory reset”.

Victims of these potential attacks could power cycle their gateway, but the attackers would be free to come back at any time without a fix in place. Now, some folks may wonder what the big deal is as it’s “just” making a light bulb blink. Well, if nothing else, ramping someone’s household to maximum lightbulb brightness over a sustained period of time isn’t great at a time of spiralling energy bill costs.

But there’s more too it than that. Whether the computer in question is a server or a light bulb, unauthorised users are not supposed to be able to make it do things without your permission. When they do, the only thing you know for sure is that your security has been breached.

The first CVE has been addressed with all software versions from 1.19.26 onward. According to The Record, CVE-2022-39064 “has not been fully dealt with” and there’s no ETA on when a full fix will arrive.

The winding road of IoT issues

The Internet of Things (IoT) is here to stay, and a lot of folks simply like the idea of managing every aspect of their home life via one app or service. Unfortunately, some services or devices are cheaply made and insecure by default.

IoT devices can introduce new risks too. Some devices inadvertently provide abusive people with new ways to harass and abuse their partner or ex-partner, for example.

And making devices “smart” often means making them dependent on an Internet connection or cloud service—which is fine until they aren’t there. In 2020, an Amazon cloud service outage managed to knock out all kinds of things that would previously have been unaffected, from doorbells to hoovers.

Realistically, the genie is out of the bottle and manufacturers are going to continue to include “smart” functionality in everything from TVs to refrigerators. As a result, it’s essential that researchers and device tinkerers are able to explore, find, and report on potential security concerns, because IoT failures can be far more serious than a bit of unauthorised light blinking. On a recent Lock and Code podcast, hacker Sick Codes explained how they broke open a John Deere tractor and installed a version of Doom.

So, what can you do about all this?

First of all, treat anything you own that’s “smart” as if it’s just another computer. Understand how you’ll learn about security updates, and how you download and apply them. If you can’t, or if there are known problems with no apparent fix, fire up a support conversation with the manufacturer.