Canadian and Israeli researchers have uncovered a flaw in the wireless technology used for “smart homes" that, for a time, made at least one brand of Internet-connected light bulbs susceptible to hackers.

Colin O'Flynn, a PhD student in Dalhousie University's Department of Electrical and Computer Engineering, uncovered the flaw following research he carried out on re-purposing low-cost Phillips Hue bulbs by re-programming them with new code. Using the Philips Hue smart light bulb as a platform, O'Flynn, together with researchers from the Weizmann Institute including Eyal Ronen, subsequently developed a computer worm that could be easily spread from one lamp to another using only the built-in ZigBee wireless connectivity and the lights' physical proximity.

Philips Hue light bulbs—the devices that the researchers hacked. The security vulnerability has since been patched. Image credit: Sho Hashimoto, used under a Creative Commons license. The researchers managed to take over lamps in two different “attack” scenarios. In the first, conducted at the Weizmann Institute, the researchers did a “drive-by” hack in a vehicle and found they were able to manipulate the lights from up to 70 meters away.

The second was significantly more elaborate. The target was an office building in the city of Be’er Sheva, in Israel, which hosts several well-known security companies as well as the Israeli Computer Emergency Response Team. Several Philips Hue lights were installed on one floor of the building and an “attack kit” was installed on a drone. As the drone drew closer to the building, lights were able to be manipulated to spell out "S.O.S." in Morse code.

While flickering lights may not initially seem like something to be concerned about, the technology has the potential to be dangerous if placed into the wrong hands. According to the researchers, compromised devices could be used to jam wireless networks, attack the electrical grid or steal information. (The researchers notified Philips of the potential problem, and the company has since issued a patch.)

“Hopefully, we'll start to take the security of all 'connected' devices seriously and not just those connected to the Internet,” says O’Flynn. “A big part of our research was showing how such a worm could spread between the light bulbs themselves wirelessly, independent of any Internet or network connection."