Cleantech Market Intelligence
Are Your Light Bulbs Hackable?
Just as autumn follows summer, the introduction of new networked devices for smart homes and buildings – embodiments of the Internet of Things (IoT) – are followed by reports of diabolical hacks of these smart devices. Recent plots have involved hacked toilets and light bulbs, and even columnist/humorist Joe Queenan has warned of hackers replacing your car’s music playlist with “Rod Stewart Chants the Gregorian chant Songbook, Volume 19.” Personally, I avoided purchasing a Wi-Fi enabled bed this summer, though it had more to do with my wallet than fears of hackers turning my slumber into a chiropractic nightmare.
The public imagination is informed by movies such as 2003’s The Italian Job, where city traffic control and transit systems are hacked from an airport luggage cart, or the security system hacks shown in Ocean’s Eleven. While these might be dismissed as sensationalized scenes (come on, a stable Wi-Fi signal in an airport baggage claim area?), there are legitimate cases of life imitating art. So should we fear a world of smart, networked devices?
The recent hoopla over the hack of Philip’s Hue Smart LED light bulbs, which offer efficient and programmable home lighting from your smart phone, is an interesting case. Apparently the bridge device connecting Hue’s ZigBee-based bulbs to the consumer’s Wi-Fi network was hacked via the Wi-Fi link, yielding control of the lighting system. Of course, this is a legitimate concern: lighting is critical to safety and security in homes, in commercial buildings, and outdoors. However, as Philips has noted, the apparent weakness originates in the customer’s Wi-Fi network, not the Hue’s control network. It doesn’t take much wardriving to understand how many unsecured home Wi-Fi networks exist. There are likely more high-value hacker targets in these homes (bank records, user passwords, etc.) than the lighting system, but clearly consumer education on proper Wi-Fi security and how this might ultimately impact physical security seems a prudent first line of defense.
The larger issue is that the risks posed by not understanding how security of the underlying network for ‘things’ influences physical security goes well beyond smart bulbs for the home. Commercial building control systems and smart city systems (lighting, parking, traffic control, etc.) are increasingly based on standard networking technologies. I recently toured a state-of-the-art smart building where the facility manager was very knowledgeable and justifiably proud of the building’s systems and energy performance. However, when asked to show us the control network components (such as Ethernet switches, etc.), we received a blank stare. He not only didn’t know where the network was located but didn’t really understand that it even existed, seeing it as just part of “the Honeywell system” that was installed. On one hand, this level of transparency indicates good reliability (I wish my home Wi-Fi network was this transparent), but you can’t secure something you don’t know exists. And this “invisible” network likely was handling all of the climate, lighting, security, access, elevators, and other systems in the building, making life easier for would-be hackers.Slowly awakening to these concerns, the building controls vendor community will need to find ways of engaging the hacker community, following the lead of IT technology suppliers. Interestingly, there is a growing hacker community for Philip’s Hue system, driven less by malicious intent and more by wanting to do cool things. Security concerns aside, this is a marketer’s dream come true.
While it may be fun to joke about the consequences of hacked light bulbs, toilets, and beds, the reality is the Internet of Things, as embodied in smart buildings, cities, and homes, increasingly needs to be viewed as part of the critical infrastructure begging for greater cyber-security awareness – as my colleague, Bob Lockhart, has been writing about for years.