Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass.
In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
MPG: The idea of internet-connected anything (except computers and equivalents) has struck me as an incredibly ignorant and short-sighted idea for more than a decade. This case confirms that suspicion. I won’t be buying any Philips LED bulbs!
How about another really, really Bad Idea: the forced conversion (including my home) of electricity meters to ones that communicate wirelessly and related cruft, all on the internet. How about shutting down an entire state’s electricity grid for even a few days? That’s the future of warfare, if nothing else. And already probes are in progress using the IoT: witness the very recent massive DDOS attack that took out key internet services like Netflix by attacking DNS provider Dyn.
The IoT is a massive national security risk, because it puts every kind of infrastructure at risk. Imagine a few billion IoT devices put to work hitting all major internet service providers, along with electrical power stations, banks, dams and so on. Not a pretty thing to contemplate.
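The "critical mass" claim in the abstract above can be illustrated with a small density model. This is an added example, not code from the paper or from this post. It assumes devices scattered uniformly at random over a unit square and a fixed circular radio range, and every number in it is constructed for illustration.

```python
import math
import random

def largest_cluster_fraction(n_devices, mean_neighbors, seed=1):
    """Fraction of devices in the largest radio-connected cluster.

    Assumed model: devices are placed uniformly at random in a unit square,
    and two devices are linked when they lie within radio range r of each
    other. r is chosen so that a device has `mean_neighbors` devices in
    range on average (n * pi * r^2 = mean_neighbors).
    """
    rng = random.Random(seed)
    r = math.sqrt(mean_neighbors / (math.pi * n_devices))
    pts = [(rng.random(), rng.random()) for _ in range(n_devices)]

    parent = list(range(n_devices))  # union-find forest over devices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    # Bucket devices into cells of side r so only adjacent cells are compared.
    cells = {}
    for i, (x, y) in enumerate(pts):
        cells.setdefault((int(x / r), int(y / r)), []).append(i)
    for (cx, cy), members in cells.items():
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for j in cells.get((cx + dx, cy + dy), ()):
                    for i in members:
                        if i < j and math.dist(pts[i], pts[j]) <= r:
                            parent[find(i)] = find(j)

    sizes = {}
    for i in range(n_devices):
        root = find(i)
        sizes[root] = sizes.get(root, 0) + 1
    return max(sizes.values()) / n_devices

if __name__ == "__main__":
    # Constructed sweep: same device count, increasing density per radio range.
    for k in (1, 2, 4, 5, 6, 8, 10):
        frac = largest_cluster_fraction(3000, k)
        print(f"mean neighbours in range = {k:>2}: largest cluster = {frac:.1%}")
```

Below the threshold the largest cluster stays a tiny fraction of the deployment, so anything that depends on physical proximity stays confined to small pockets. Above it, a single cluster spans nearly every device.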