Extended functionality attacks on IoT devices: The case of smart lights

Eyal Ronen, Adi Shamir

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

In this paper we consider the security aspects of Internet of Things (IoT) devices, which bridge the physical and virtual worlds. We propose a new taxonomy of attacks, which classifies them into four broad categories. The most interesting category (which we call functionality extension attacks) uses the designed functionality of the IoT device to achieve a totally different effect. To demonstrate this type of attack, we consider the case of smart lights (whose original functionality is just to control the color and intensity of the lights in a particular room) and show how to use them to achieve unrelated effects. In the first attack, we use smart lights as a covert LIFI communication system to exfiltrate data from a highly secure (or even fully airgapped) office building. We implemented the attack and were able to read the leaked data from a distance of over 100 meters using only cheap and readily available equipment. In another attack, we showed that an attacker can strobe the lights at a frequency which may trigger seizures in people suffering from photosensitive epilepsy (in the same way that rapidly flashing video games can cause such seizures). In our experiments, we have tested both high-end and lower-end smart light systems, ranging from an expensive Philips HUE system to a cheap system manufactured by LimitlessLED. In addition, we consider other weaknesses of the systems we tested, and propose feasible remedies for the problems we found.

Original languageEnglish
Title of host publicationProceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages3-12
Number of pages10
ISBN (Electronic)9781509017515
DOIs
StatePublished - 9 May 2016
Externally publishedYes
Event1st IEEE European Symposium on Security and Privacy, EURO S and P 2016 - Saarbruecken, Germany
Duration: 21 Mar 201624 Mar 2016

Publication series

NameProceedings - 2016 IEEE European Symposium on Security and Privacy, EURO S and P 2016

Conference

Conference1st IEEE European Symposium on Security and Privacy, EURO S and P 2016
Country/TerritoryGermany
CitySaarbruecken
Period21/03/1624/03/16

Fingerprint

Dive into the research topics of 'Extended functionality attacks on IoT devices: The case of smart lights'. Together they form a unique fingerprint.

Cite this