Nowadays, there’s hardly anything that cannot be hacked. Our lives are more vulnerable than they have ever been, and this is mostly due to the smart devices we are using. We won’t be going further into detail about the paradox of the choices we are making, and how choosing comfort over privacy is a two-edged knife.
Instead, we will tell you about a brand new discovery which reveals how some smart light bulbs (or smart lights) can be used for covert data exfiltration processes from personal devices. These light bulbs can also leak multimedia preferences by recording their luminance patterns from distance.
How Are Connected Lights Creating a New Attack Surface?
According to Anindya Maiti and Murtuza Jadliwala, researchers from University of Texas at San Antonio, certain connected lights create a new attack surface, which can be maliciously used to violate users’ privacy and security.
These novel attacks take advantage of light emitted by modern smart bulbs in order to infer users’ private data and preferences, the researchers said in their paper.
To prove their point that there is indeed the need for efficient privacy protection, the researchers carried out three attacks in different scenarios:
The first two attacks are designed to infer users’ audio and video playback by a systematic observation and analysis of the multimediavisualization functionality of smart light bulbs. The third attack utilizes the infrared capabilities of such smart light bulbs to create a covert-channel, which can be used as a gateway to exfiltrate user’s private data out of their secured home or office network.
Why Did the Researchers Focus on Smart Lights?
Lighting products have traditionally not been an attractive target of security and privacy-related threats, the team pointed out, because conventional lamps typically do not have access to sensitive user information. Needless to say, that is not the case with modern smart lights which are typically connected to the user’s home or office network. As all IoT devices, lights can be controlled via mobile phones. And as it turns out, there is indeed a way to exploit them to derive users’ personal information.
During their investigation, the researchers focused on a new feature available in modern smart lights, known as multimedia-visualization:
Multimedia-visualization is intended for use in conjunction with a song or video playing on a nearby media player, which results in a vibrant lighting effect that is synchronized with the tones present in the audio or the dominant colors in the video stream, respectively. While such immersive audio-visual or ambient lighting effects can be entertaining and relaxing, we speculate that it can also lead to loss of privacy if not properly safeguarded.
The Infrared Light Can Create a Covert Channel Between Smart Lights and Attackers
The third attack is exploiting a smart light’s infrared lighting functionality to invisibly exfiltrate a user’s private data out of their secured personal device or network. The investigation reveals that “an attack can be accomplished by carefully manipulating and controlling (possible on modern smart lights) the infrared light to create a “covert channel” between the smart light and an adversary with infrared sensing capability”.
Furthermore, if a malicious agent (such as a piece of malware) is dropped onto the user’s smartphone or computer, the attacker can encode private information found on the device. The data can later be transmitted over the infrared covert-channel residing on the smart light. This is the place to note that a number of popular smart light brands don’t require any form of authorization for controlling the lights on the local network. This means that any application on the user’s smartphone or computer can act as a malicious exfiltration agent.
All in all, the main goal of the groundbreaking paper is “to highlight the vulnerable state of personal information of smart light users, outline system design parameters that lead to these vulnerabilities and discuss potential protection strategies against such threats”. For full technical disclosure, you can refer to the paper itself.