
Don't Be Silly - It's Only a Lightbulb

Conference:  Defcon 28

2020-08-01

Summary

Smart light bulbs pose a serious security risk to our network, as attackers can remotely take over and control them, and use them to infiltrate the IP network through vulnerabilities in the bridge that connects the ZigBee network to the IP network.
  • Smart light bulbs can be remotely controlled and taken over by attackers
  • Attackers can use vulnerabilities in the bridge that connects the ZigBee network to the IP network to infiltrate the IP network
  • Even regular light bulbs can be used to steal other light bulbs
  • ZigBee has a maximal message size of less than 128 bytes, which poses a challenge for exploiting vulnerabilities remotely

The speaker recounts how he initially dismissed the idea of smart light bulbs as a trend that would die out, but was proven wrong by the increasing number of households using them. He also mentions the research by Colin Flynn and Elon M, who demonstrated how a drone could take over all the smart light bulbs on a campus, and how he and his colleagues decided to continue the research and take it one step further.

Abstract

A few years ago, a team of academic researchers showed how they can take over and control smart lightbulbs, and how this in turn allows them to create a chain reaction that can spread throughout a modern city. Their research brought up an interesting question: aside from triggering a blackout (and maybe a few epilepsy seizures), could these lightbulbs pose a serious risk to our network security? Could attackers somehow bridge the gap between the physical IoT network (the lightbulbs) and even more appealing targets, such as the computer network in our homes, offices or even our smart cities? We’re here to tell you the answer is: Yes. Join us as we take a deep dive into the world of ZigBee IoT devices. Continuing from where the previous research left off, we go right to the core: the smart hub that acts as a bridge between the IP network and the ZigBee network. And let me tell you this, this harsh embedded environment is surely not on our side. With a maximal message size of less than 128 bytes, complex state machines and various strict timing constraints, this challenge is going to be tough. After a long journey, we finally made it. By masquerading as a legitimate ZigBee lightbulb, we were able to exploit vulnerabilities we found in the bridge, which enabled us to infiltrate the lucrative IP network using a remote over-the-air ZigBee exploit.
