Canadian security researchers uploaded a video demonstration of how they were able to hack Philips Hue LED lights using a drone. By exploiting a bug in the ZigBee Light Link Touchlink system, the hackers were able to remotely control the smart bulbs and made them blink SOS in Morse code.
The attack was performed via the drone, which was able to bypass all security measures of the networked light bulbs from more than a thousand feet away. Furthermore, the security researchers were able to install malicious firmware that blocks further wireless updates, making an infection as good as irreversible without a costly recall:
“There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,” according to the researchers.
PC World suggests this isn't entirely harmless as it could be used to trigger epileptic seizures in vulnerable people, or another nefarious use could be to plunge buildings into darkness.
The researchers informed Philips of the vulnerability, which plugged the bug in October. This is once again a reminder that a lot of these new Internet of Things devices are in desperate need of better security.