Is smart lighting a security risk?

Wi-fi connected smart lights in the home could be the next battleground for malware, viruses and other malicious intrusion. Although the control element in such devices is a relatively simple chip, it is still effectively a computer – and therefore potentially open to exploitation by criminals and others.

So says a recent academic paper on the subject, which concludes that “modern Internet-enabled smart lights promise energy efficiency and many additional capabilities over traditional lamps. However, these connected lights also create a new attack surface, which can be maliciously used to violate users’ privacy and security”.

Says the report: “Lighting products have traditionally not been an attractive target of security/privacy-related threats because conventional lamps typically do not have access to sensitive user information.

“However, as modern smart lights are usually connected to users’ home or office network (either directly or via a communication hub) and can be controlled using users’ mobile devices, they are poised to become a much more attractive target for security/privacy attacks than before”.

The paper – entitled Light Ears: Information Leakage via Smart Lights and authored by Anindya Maiti and Murtuza Jadliwala of the University of Texas at San Antonio – looked at a number of possible avenues of attack that take advantage of light emitted by modern smart bulbs. The conclusion: “We conducted a comprehensive evaluation of these attacks in various real-life settings which confirmed the feasibility of proposed privacy threats”.

It’s not just the high-bandwidth wireless connectivity that is an issue; some smart bulbs are infrared-enabled, and hackers could use the infrared wavelength to directly access data on a home digital network – text messages, emails, photos and videos, documents. The owners may not even be aware of the hack since it would come from within their home’s own network.

Is there a solution? In the short term, the researchers advise shoppers to use smart bulbs that require a smart home hub, where internet-connected devices can communicate directly with each other instead of via wi-fi. It’s not a perfect solution, but it can make it more difficult for the hacker to access a home.

More important, though, is the need for built-in security: the report’s last words are a plea for “mandatory access control in smart light management protocols”.

The report is available for free download here.