Cyber security organization researchers have reported that some smart bulbs are suitable for data exfiltration from personal devices, and can leak information about multimedia preferences from the affected user, recording the smart bulb’s luminescence patterns. For these lighting sources to become an attack vector, they must first meet some requirements, such as support for multimedia content visualization, and infrared capabilities.
The attacker does not need to compromise the victim’s internal network to extract the information. They only need a direct connection between the selected device and the illumination sources, and a sufficiently wide point of view during the information extraction process.
An attacker can infer the victim’s multimedia preferences
The cyber security organization specialists who conducted the research studied how LIFX and Philips Hue smart bulbs receive commands to reproduce visualizations in a room and they developed a model to interpret the brightness and color modulations that occur when listening to music or playing a video.
During audio playing, the brightness level reflects the sound of the light source, while in the case of video displaying, the modifications reflect the dominant color and brightness level in the current video frame. The apps associated to smart bulbs control the oscillations by sending them specially formatted packets. The model created by the two researchers requires that the potential hacker creates a database of light patterns that can be used to define the profile of the attack victim.
Data leaking from personal devices
For the potential attack, the extraction of information from a personal device is possible only under certain conditions, because the simple observation of light patterns is not enough in this case.
Smart bulbs must be compatible with infrared lighting and should not require authorization to control them over the local network. In addition, the hacker would need to install malware that encodes private data from the selected device and sends it to the smart bulbs. The researchers used two observation points to capture the data: interior and exterior, with the internal observation recording the most accurate results, while a longer exposure will grant better results.
Out of a set of 100 samples, 51 songs were correctly inferred, while the genres of 82 songs were inferred too, commented researchers on audio inference tests.
Data extraction was possible through transmission techniques such as amplitude and/or wave-length shift modulation, using both the visible waves and infrared spectrum of smart bulbs.
To test the infrared data extraction method, the cyber security organization experts encoded an image in the light source and then decoded it at different distances (between 1 and 50 meters). At 5 meters, the image extracted from the source is highly intelligible and its visibility is degraded as data capture occurs over longer distances. However, even at 50 meters you can get an intelligible image.
The work of the two researchers is in the experimental phase, but it is a sample of a new possible attack vector. According to cyber security organization experts from the International Institute of Cyber Security, limiting the amount of light coming out of our homes is a basic protection measure against the potential proliferation of this attack in the future, to prevent the attackers of getting the slightest information about us.