Usability and Security Should not be Mutually Exclusive in IoT-Connected Lighting

Interoperability is the goal for many Internet of Things devices. However, one issue that is often overlooked in the installation of Internet-connected devices, including lighting, is the security of such systems. The multi-protocol compatibility that allows interoperability can open up such devices to the security issues of each of those protocols. The cost of using such convenient lighting controls should not be the security of computer networks and clouds.

A relatively recent New York Times article revealed that a luxury hotel in Austria that used key cards was hacked. Guests could not get into their rooms, and new key cards would not work. The hackers demanded $2000 to give the hotel back control of the keycard system. The owner of the hotel, which has rooms averaging about $550 per night, decided to pay the ransom and has gone back to using old-fashioned keys to prevent hacking.

Ransomware Has Become the Modern Form of Piracy

Hackers asking for ransom has become a modern version of piracy. Unfortunately, this is not an isolated incident. In a much more malicious and potentially dangerous incident, a hospital in Los Angeles was hacked, and the hackers took control of the medical records system. The hackers demanded $17,000 before they would allow the hospital employees to access the critical medical records. In a hospital setting, medical records can mean life or death for patients.

Experts warn that paying such ransoms just encourages and likely funds similar schemes. Many times hackers do not even need physical access to systems to gain control. For example, hackers in a nearby parking garage have taken control of systems.

Testing for Security Vulnerabilities is Not a One-time Thing

A recent study by IBM Security and the Ponemon Institute found that 80% of respondents do not routinely test their IoT apps for security vulnerabilities. That makes it much easier for criminals to exploit IoT security vulnerabilities to steal, spy, or even cause physical harm.

While lighting in and of itself in an office or business is not a life-or-death issue like healthcare records, having lights go out can disrupt business and make customers want to leave. I could envision a somewhat less malicious hacker controlling the lighting and keeping it off until a ransom is paid to disrupt productivity. Such hacking could be costly for business, and it can be mostly preventable with security built into the lighting system.

Osram found that its Lightify bulbs had been hacked. Osram has since worked to correct the issue.

ZigBee lighting controls, built on a standard that was meant to be secure, were also found to have some security flaws that could be exploited. For this reason, as of at least two years ago, Philips Hue bulbs, which use the ZigBee protocol, could be hacked, according to experts. The experts showed that compromising a single bulb could infect nearby bulbs within minutes even if the bulbs were not part of the same. Philips has worked to correct the issue since then.

According to Tobias Zillner and Sebastian Strobl, security experts at Cognosec, what allowed them to overcome the security of ZigBee was the fact that no physical access was required, no knowledge of the secret key was necessary, and with ZigBee (at least according to them as of 2015) usability overrides security issues.

These two security experts warned that many connected lighting systems use security that is equivalent to passing plain text passwords. This is unacceptable. The industry should learn that ideally, IoT-connected lighting products should not have to compromise on security to obtain their usability.
