Abstract
The rapid evolution of the Internet-of-Things (IoT) introduces innovative services that span across various application domains. As a result, smart automation systems primarily designed for non-critical environments may also be installed in premises of critical sectors, without proper risk assessment. In this paper we focus on IoT-enabled attacks, that utilize components of the smart lighting ecosystem in popular installation domains. In particular, we present a holistic security evaluation on a popular smart lighting device (The specific model is not referred in this paper, since we are currently in the process of a responsible disclosure procedure with the vendor.), that is focused on vulnerabilities and misconfigurations found on hardware, embedded software, cloud services and mobile applications. In addition, we construct a Common Vulnerability Scoring System (CVSS) like vector for each attack scenario, in order to define the required capabilities and potential impact of these attack scenarios and examine their potential exploitability and impact.
This research has been co-financed by the European Union and Greek national funds through the Operational Program Competitiveness, Entrepreneurship and Innovation, under the call RESEARCH - CREATE - INNOVATE (project code: T1EDK-01958).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
References
Apthorpe, N., Reisman, D., Feamster, N.: A smart home is no castle: Privacy vulnerabilities of encrypted iot traffic. arXiv preprint arXiv:1705.06805 (2017)
Bakhshi, Z., Balador, A., Mustafa, J.: Industrial IoT security threats and concerns by considering cisco and microsoft IoT reference models. In: 2018 IEEE Wireless Communications and Networking Conference Workshops (WCNCW), pp. 173–178. IEEE (2018)
Herzberg, B., Igal Zeifman, D.B.: Breaking down Mirai: an IoT DDoS botnet analysis. https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/
Cerrudo, C.: An emerging us (and world) threat: cities wide open to cyber attacks. Secur. Smart Cities 17, 137–151 (2015)
Colin, O.: A lightbulb worm? Details of the Philips Hue smart lighting design (Black Hat USA 2016 White Paper) (2016)
Costin, A.: Security of CCTV and video surveillance systems: threats. vulnerabilities, attacks, and mitigations. In: TrustED, vol. 16, pp. 45–54
Dhanjani, N.: Hacking lightbulbs: security evaluation of the Philips hue personal wireless lighting system. In: Internet of Things Security Evaluation Series (2013)
Do, Q., Martini, B., Choo, K.K.R.: Cyber-physical systems information gathering: a smart home case study. Comput. Netw. 138, 1–12 (2018)
Dubrova, E.: Anti-tamper Techniques. KTH Royal Institute of Technology, Sweden (2018)
ENISA: Baseline security recommendations for IoT in the context of critical information infrastructures, November 2017
Fagan, M., Fagan, M., Megas, K.N., Scarfone, K., Smith, M.: Foundational cybersecurity activities for IoT device manufacturers. US Department of Commerce, National Institute of Standards and Technology (2020)
Fagan, M., Fagan, M., Megas, K.N., Scarfone, K., Smith, M.: IoT Device Cybersecurity Capability Core Baseline. US Department of Commerce, National Institute of Standards and Technology (2020)
Fagan, M., Marron, J., Brady, K., Cuthill, B., Megas, K., Herold, R.: IoT device cybersecurity guidance for the federal government: Establishing IoT device cybersecurity requirements. Technical report, National Institute of Standards and Technology (2020)
Fakhri, D., Mutijarsa, K.: Secure IoT communication using blockchain technology. In: 2018 International Symposium on Electronics and Smart Devices (ISESD), pp. 1–6. IEEE (2018)
Ferrigno, J., Hlaváč, M.: When AES blinks: introducing optical side channel. IET Inf. Secur. 2(3), 94–98 (2008)
Goodin, D.: Hackers trigger yet another power outage in Ukraine (2017). https://arstechnica.com/security/2017/01/the-new-normal-yet-another-hacker-caused-power-outage-hits-ukraine/
Guri, M., Bykhovsky, D.: aIR-jumper: covert air-gap exfiltration/infiltration via security cameras & infrared (IR). Comput. Secur. 82, 15–29 (2019)
Guri, M., Hasson, O., Kedma, G., Elovici, Y.: An optical covert-channel to leak data through an air-gap. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 642–649. IEEE (2016)
Kayas, G., Hossain, M., Payton, J., Islam, S.R.: An overview of UPnP-based IoT security: threats, vulnerabilities, and prospective solutions. In: 2020 11th IEEE Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), pp. 0452–0460. IEEE (2020)
Lee, R.M., Assante, M.J., Conway, T.: Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (2016)
Liu, H., Spink, T., Patras, P.: Uncovering security vulnerabilities in the Belkin Wemo home automation ecosystem. In: 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), pp. 894–899. IEEE (2019)
Maiti, A., Jadliwala, M.: Light ears: information leakage via smart lights. Proc. ACM Interact. Mob. Wearable Ubiquit. Technol. 3(3), 1–27 (2019)
Maiti, A., Jadliwala, M.: Smart light-based information leakage attacks. GetMobile Mob. Comput. Commun. 24(1), 28–32 (2020)
Mi, X., Qian, F., Zhang, Y., Wang, X.: An empirical characterization of IFTTT: ecosystem, usage, and performance. In: Proceedings of the 2017 Internet Measurement Conference, pp. 398–404 (2017)
Morgner, P., Mattejat, S., Benenson, Z.: All your bulbs are belong to us: Investigating the current state of security in connected lighting systems. arXiv preprint arXiv:1608.03732 (2016)
Notra, S., Siddiqi, M., Gharakheili, H.H., Sivaraman, V., Boreli, R.: An experimental study of security and privacy risks with emerging household appliances. In: 2014 IEEE Conference On Communications and Network Security, pp. 79–84. IEEE (2014)
Rathee, G., Balasaraswathi, M., Chandran, K.P., Gupta, S.D., Boopathi, C.: A secure IoT sensors communication in industry 4.0 using blockchain technology. J. Ambient Intell. Humaniz. Comput. 12(1), 533–545 (2021)
Ronen, E., O’Flynn, C., Shamir, A., Weingarten, A.O.: IoT goes nuclear: Creating a ZigBee chain reaction. IACR Cryptology ePrint Archive 2016, 1047 (2016)
Ronen, E., Shamir, A.: Extended functionality attacks on IoT devices: the case of smart lights. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 3–12. IEEE (2016)
Samaila, M.G., Sequeiros, J.B., Simões, T., Freire, M.M., Inácio, P.R.: IoT-HarPSecA: a framework and roadmap for secure design and development of devices and applications in the IoT space. IEEE Access 8, 16462–16494 (2020)
Schwittmann, L., Boelmann, C., Matkovic, V., Wander, M., Weis, T.: Identifying tv channels and on-demand videos using ambient light sensors. Pervasive Mob. Comput. 38, 363–380 (2017)
Schwittmann, L., Matkovic, V., Weis, T., et al.: Video recognition using ambient light sensors. In: 2016 IEEE International Conference on Pervasive Computing and Communications (PerCom), pp. 1–9. IEEE (2016)
Shah, T., Venkatesan, S.: A method to secure IoT devices against botnet attacks. In: Issarny, V., Palanisamy, B., Zhang, L.-J. (eds.) ICIOT 2019. LNCS, vol. 11519, pp. 28–42. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23357-0_3
Sikder, A.K., Babun, L., Aksu, H., Uluagac, A.S.: Aegis: a context-aware security framework for smart home systems. In: Proceedings of the 35th Annual Computer Security Applications Conference, pp. 28–41 (2019)
Stellios, I., Kotzanikolaou, P., Grigoriadis, C.: Assessing IoT enabled cyber-physical attack paths against critical systems. Comput. Secur. 107, 102316 (2021)
Stellios, I., Kotzanikolaou, P., Psarakis, M., Alcaraz, C., Lopez, J.: A survey of IoT-enabled cyberattacks: assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. 20(4), 3453–3495 (2018)
Tanen, J.: Breaking bhad: Getting local root on the Belkin Wemo switch (2016)
Tsiknas, K., Taketzis, D., Demertzis, K., Skianis, C.: Cyber threats to industrial IoT: a survey on attacks and countermeasures. IoT 2(1), 163–188 (2021)
Xiao, L., Wan, X., Lu, X., Zhang, Y., Wu, D.: IoT security techniques based on machine learning: how do IoT devices use AI to enhance security? IEEE Signal Process. Mag. 35(5), 41–49 (2018)
Xu, Y., Frahm, J.M., Monrose, F.: Watching the watchers: automatically inferring tv content from outdoor light effusions. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 418–428 (2014)
Zandberg, K., Schleiser, K., Acosta, F., Tschofenig, H., Baccelli, E.: Secure firmware updates for constrained IoT devices using open standards: a reality check. IEEE Access 7, 71907–71920 (2019)
Zhou, Z., Zhang, W., Yu, N.: IREXF: data exfiltration from air-gapped networks by infrared remote control signals. arXiv preprint arXiv:1801.03218 (2018)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Stellios, I., Mokos, K., Kotzanikolaou, P. (2022). Assessing Vulnerabilities and IoT-Enabled Attacks on Smart Lighting Systems. In: Katsikas, S., et al. Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science(), vol 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_13
Download citation
DOI: https://doi.org/10.1007/978-3-030-95484-0_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95483-3
Online ISBN: 978-3-030-95484-0
eBook Packages: Computer ScienceComputer Science (R0)