Smart lighting has skyrocketed in popularity in the last few years, thanks to slick hardware like the Philips Hue and falling prices. It’s a fast, easy way to make your home or workplace feel a little more futuristic. Also futuristic: they way that hackers can hijack control of those bulbs simply by flying a drone close enough to transmit a radio signal.

A team of researchers from Dalhousie University explain how they can do it in a paper they titled IoT Goes Nuclear. All it required — apart from their collective knowledge and skills, of course — was a couple hundred dollars’ worth of off-the-shelf electronics. They shared a video of their drone doing a bit of “war flying” on YouTube:

Looks harmless enough in the video, right? Lights flicker on and off, even signaling S.O.S. in Morse code. Remember that it’s just a proof of concept. They’ve put a lighthearted spin on what they’re demonstrating, but what they’ve accomplished is alarming. They’ve taken complete control of a lighting system without having to gain physical access.

It gets worse, though. The Dalhousie team didn’t just figure out how to turn the lights off an on at will. They managed to completely overwrite the firmware and inject code that can actually spread their malware to other smart lightbulbs that are within range. Had they wanted to, they could have also permanently crippled the bulbs’ update mechanism and made restoring the factory firmware impossible.

There’s also a second way to perform the initial attack. Instead of flying by with a drone, a smart bulb that’s already infected can be installed near other bulbs. Once it starts broadcasting the team’s malicious signal, any vulnerable bulbs nearby can be co-opted.

Recommended by Forbes

Why would anyone want to gain control over a connected lightbulb? You only have to look for a headline about the havoc wreaked by the Mirai botnet to learn why.

Page 1 / 2 Continue

Continued from page 1

A large chunk of the army of zombies controlled by Mirai is made up of Internet-connected security cameras. Once infected, those cameras added a considerable amount of firepower to the Mirai DDoS attacks. Connected lightbulbs could be exploited in the same way, perhaps helping to cripple connectivity in an entire geographic region. An attacker may have more in mind than service disruptions, however.

Eyal Ronen and Adi Shamir, who worked on the project, also devised a way to stealthily steal data from sensitive networks using compromised bulbs. It’s not a fast process by any means, but it’s an effective one.

There’s even one possibility that sounds like it’s straight out of science fiction: that the lights could be made to flicker in such a way as to induce seizures. It sounds farfetched, but then so did the idea of a malicious hacker tampering with someone’s medical implant… and we know that’s possible now, too.

Page 2 / 2