Network connected lighting may not seem like much of a security risk, but it can open the door for big problems.

A year ago, most people’s image of a light bulb hack was a teenage prankster randomly turning lights on and off while they watched the family run from room to room to figure out what is wrong with their system. This would certainly be perceived as annoying but not a real threat to personal security or property. However, people are now beginning to realize the real danger; networked lighting can be an entry point to the entire smart home or building automation system.

It is common sense that connected safety and security devices such as door locks and security cameras require a high level of protection against hacking. But because hackers want access to the home network any device connected to a smart home or building automation network can serve as a gateway to this network. A seemingly innocuous device like a connected light bulb or a connected appliance can be tricked into trusting a malicious device, offering a hacker access to the system. It is the electronic equivalent of having a strong door and leaving the key under the mat. And when the hacker does access the network, the potential damage to privacy, personal property and identity can be devastating.

Researchers have demonstrated this type of attack across multiple brands of lighting products utilizing both WiFi and mesh protocols like Zigbee. In mesh networks, light fixtures are very convenient communication nodes since they are distributed throughout the building and are generally connected to a power line. This enables them to extend a network efficiently and keep communications active without the power constraints that a battery powered device would have. This also means that they are in a position to issue and relay commands to other types of devices within the network. Once an attacker is able to gain the trust of a connected light and get the network keys, then the WPA2 protocols for WiFi or the AES authentication protocols used in many Zigbee systems are rendered useless, leaving the hacker in control of the network.

This weakness is becoming more widely recognized and the desire for higher security standards for connected devices is rising. Network-level security protocols alone are no longer effective at protecting the integrity of a system; security must be addressed with each individual device.

What is the best way to protect connected devices?

Connected light bulbs are available in retail, which makes it very easy for attackers to physically analyze their construction and identify security weaknesses (e.g. if the encryption keys and security software are stored in the unprotected memory of a standard MCU, then finding a way into the system may be very easy). Effective security needs to rely on a dedicated tamper-resistant security device, such as a secure microcontroller. This type of controller enables secure storage of network passwords and authentication keys, as well as an isolated environment for security functions. A properly designed security chip, protects the connected device against both remote and physical attacks, making each node of the network an effective barrier against hacking attempts.

As a part of the rapidly evolving IoT market, both smart home and commercial/industrial building automation present tremendous opportunities for innovative engineering that makes our lives easier and safer. Of course, there are two sides of the story. The convenience of a connected world enables homeowners to watch their home from hundreds of miles away and, by the same token, provides an attack surface to thieves and hackers.

The good news is that trusted, proven and affordable security ICs are available. For instance, more than three billion secure controllers are embedded into payment cards every year. The systematic use of hardware security in even the simplest smart lighting system will facilitate mechanisms to build protection against easy entry for attackers to access a network, with potentially devastating consequences

Michael Armentrout is currently Regional Marketing and Business Development Manager for embedded security products at Infineon Technologies. He has 17 years of experience in the semiconductor industry and has led applications engineering and product marketing teams for wireless and security products serving the mobile, home automation & security, and embedded security markets. He has a BS in Electrical Engineering from Virginia Tech and an MBA from Portland State University.

 

Copyright © 2015 UBM Canon All Rights Reserved

http://www.eetimes.com/author.asp?section_id=36&doc_id=1327843