Smart light bulbs, the Wi-Fi-enabled fixtures that can be controlled from your phone and emit different colors or pulse with the beat of the song you’re listening to, are increasingly becoming a weak link that cyber attackers can target, researchers at the University of Texas at San Antonio have found.

UTSA researchers at the Sprite Lab, which stands for security, privacy, trust, and ethics in computing, published a study this fall that raises concerns about the security of the devices, popular among holiday shoppers, and called for improvements to the products.

“Think of the bulb as another computer,” said co-author Murtuza Jadliwala, professor and director of the Sprite Lab in UTSA’s Department of Computer Science. “These bulbs are now poised to become a much more attractive target for exploitation even though they have very simple chips.”

The scientific inquiry was prompted by co-author Anindya Maiti’s own purchase of smart bulbs. The postdoctoral fellow at UTSA said he soon found that the bulbs’ infrared capabilities can be exploited by sending invisible, infrared signals to the lights to steal data or spoof other internet-based devices in the household.

He decided to connect his smart lights to the multimedia features in his smart home, synching the bulbs to change brightness and flash to match the rhythms of a song. The multimedia visualization feature in smart lighting systems can be controlled using the system’s mobile app.

“After a while, I realized that it might be possible that an attacker or one of my neighbors might be able to infer what I’m watching or listening to,” he said.

The Sprite Lab team created a library of the top 400 songs and was able to correctly identify what the user of a smart bulb was listening to just by capturing the pulsating of the lights.

The smart lighting industry is expected to grow more than 20 percent during the next five years, according to recent market studies. In 2025, it is slated to become a $23 billion market.

With the use of smart lighting becoming increasingly pervasive, Maiti said it is incumbent on product manufacturers and their regulators to introduce new measures, such as access controls that restrict unauthorized access to the bulbs. With the exception of the Philips Hue smart bulb – whose maker, Maiti said, is one of only a few manufacturers to have an access-control feature, and which does not connect directly to a Wi-Fi network – most smart bulbs on the market are vulnerable to attacks.

The Philips bulbs connect to a smart home hub, a central dashboard for controlling and accessing smart home devices. The Sprite Lab team is recommending manufacturers introduce such access controls to the next generations of their models. Because the researchers demonstrated users’ media consumption can be easily inferred using a lens to monitor the infrared waves, Maiti also said that manufacturers should lower the wattage emitted. This would help reduce the amount of light that leaks out from a home and help protect consumers’ privacy, he said.

By manipulating a smart bulb, an attacker might be able to gain access to any device connected to the home’s Wi-Fi network and steal data from it, Maiti said.

JJ Velasquez

JJ Velasquez is the Rivard Report's audience engagement editor.