Interoperability is the goal for many Internet of Things devices. However, one issue that is often overlooked in the installation of Internet-connected devices, including lighting, is the security of such systems. The multi-protocol compatibility that allows interoperability can open up such devices to the security issues of each of those protocols. The cost of using such convenient lighting controls should not be the security of computer networks and clouds.
A relatively recent New York Times article revealed that a luxury hotel in Austria that used key cards was hacked. Guests could not get into their rooms, and new key cards would not work. The hackers demanded $2000 to give the hotel back control of the key card system. The owner of the hotel, which has rooms averaging about $550 per night, decided to pay the ransom and has gone back to using old-fashioned keys to prevent hacking.
Ransomware Has Become the Modern Form of Piracy
Hackers asking for ransom has become a modern version of piracy. Unfortunately, the hotel hack is not an isolated incident. In a much more malicious and potentially dangerous incident, a hospital in Los Angeles was hacked, and the hackers took control of the medical records system. The hackers demanded $17,000 before they would allow the hospital employees to access the critical medical records. In a hospital setting, medical records can mean life or death for patients.
Experts warn that paying such ransoms just encourages and likely funds similar schemes. Many times hackers do not even have to have physical access to systems to gain control. For example, hackers in a nearby parking garage have taken control of systems.
Testing for Security Vulnerabilities is Not a One-time Thing
A recent study by IBM Security and the Ponemon Institute found that 80% of respondents do not routinely test their IoT apps for security vulnerabilities. That makes it much easier for criminals to exploit IoT security vulnerabilities to steal, spy, or even cause physical harm.
While lighting in and of itself in an office or business is not a life-or-death issue like healthcare records, having lights go out can disrupt business and make customers want to leave. I could envision a somewhat less malicious hacker controlling the lighting and keeping it off until a ransom is paid to disrupt productivity. Such hacking could be costly for business, and it can be mostly preventable with security built into the lighting system.
Osram found that its Lightify bulbs had been hacked. Osram has since worked to correct the issue.
ZigBee, a lighting control standard that was meant to be secure, was also found to have some security flaws that could be exploited. For this reason, as of at least two years ago, Philips Hue bulbs, which use the ZigBee protocol, could be hacked, according to experts. The experts showed that compromising a single bulb could infect nearby bulbs within minutes even if the bulbs were not part of the same. Philips has worked to correct the issue since then.
According to Tobias Zillner and Sebastian Strobl, security experts at Cognosec, what allowed them to overcome the security of ZigBee was that no physical access was required, no knowledge of the secret key was necessary, and, with ZigBee (at least according to them as of 2015), usability overrides security.
These two security experts warned that many connected lighting systems use security that is equivalent to passing plain-text passwords. This is unacceptable. The industry should learn that, ideally, IoT-connected lighting products should not have to compromise on security to obtain their usability.