
Researchers at the University of Texas, San Antonio, suggest that so-called smart LED bulbs, gaining in popularity, contain security holes that could make users vulnerable to privacy violations and data hacks. [Image: UTSA]

In the mixed history of Internet of Things (IoT) hardware and applications for the home, one seemingly unequivocal success is the so-called smart light bulb. These LED-driven bulbs can be wirelessly accessed, through a mobile app, to control color and luminous output and even to provide infrared illumination to aid night-vision surveillance cameras.

But according to Anindya Maiti and Murtuza Jadliwala, a pair of cybersecurity experts at the University of Texas, San Antonio (UTSA), USA, the bulbs could embed another, less welcome functionality: they create “a new attack surface” for invading the privacy of their users (Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., doi: 10.1145/3351256). In several recent experiments, the two researchers showed how nefarious third parties could potentially use the output of the lights to snoop on the music being listened to or the videos being viewed by residents of smart-light-enabled homes—or even to tap the bulbs’ infrared capabilities to create a back door into home data networks.

Expanding functions

The research firm Markets and Markets estimates that worldwide smart-lighting revenues will grow from an estimated US$7.9 billion in 2018 to some US$28.0 billion in 2025, a compound annual growth rate of 19.1%. Much of that growth, driven in part by pressures to reduce overall energy consumption, is apt to be in the domain of smart LED bulbs, whose luminous output (and thus energy appetite) can in principle be remotely controlled by the user.

Smart LED bulbs can be controlled in a variety of ways. Some smart-lighting installations are tied to a smart-home hub, a wirelessly enabled routing station that controls the home’s entire suite of IoT features. But a number of smart LED bulbs can also connect directly to a home or office network without an intermediate hub, and can be controlled via a downloadable app—a convenience factor underlying some of the bulbs’ increasing popularity.

As with many technology platforms, companies producing smart bulbs are finding ways to pack other functionalities into them beyond basic illumination control. Some bulbs, for example, include “multimedia visualization,” in which lighting intensity and color change in sync with the music or video track being played. And the smart-light company LIFX has marketed smart LED bulbs capable of delivering invisible, 950-nm infrared light at user-controllable levels—a handy aid to night-vision security cameras that some consumers are using to protect residences.

Watching the music

In their work, Maiti and Jadliwala focused on hidden security threats behind these latter two applications. To explore the privacy threat posed by multimedia visualization, they placed a telephoto lens tied to a photosensor inside a room, 5 m away from a visualization-enabled smart bulb, and a telescope, tied to another photosensor, 50 m away in an exterior location. The two sensor setups then captured the intensity and color response of the smart bulb to music from a library of popular songs, and compared the luminance signal with a library of “luminance profiles” built for those songs.

The team found that a remote observer, using this simple system, could infer the song being played only a bit more than half the time—but that the system was considerably better at inferring the genre of music from the light signal alone. The accuracy of the selections, as might be expected, also markedly increased with increases in observation time. The team found similar results with the system’s ability to infer video choices from the smart-light visualization.

As threats go, having a third party spy on what pop song you’re listening to may seem relatively benign. But Maiti and Jadliwala point out that such snooping could potentially harvest information on “fine-grained personal interests and preferences” that could be abused in various ways.

Data hack, courtesy of IR

A far more significant potential security threat, according to Maiti and Jadliwala, lies in the second functionality they explored: the infrared capabilities of smart bulbs like the one from LIFX. In this case, the exploit begins with the planting of a malicious fragment of software on the user’s home network.

The UTSA pair showed that once such a program (a simple script written in the language Python) had gained a foothold, it could create a covert free-space information channel through the smart bulb’s infrared capability, shunting private information from the homeowner’s network to the outside world via the bulb. The information could be remotely picked up by a 950-nm infrared sensor and decoded by the remote observer.

What makes this particular exploit possible, Maiti and Jadliwala note, is that the LIFX bulbs are tied directly to the home network, rather than through a secure communications hub. What makes it especially dangerous is that, because the infrared signal is invisible, the security breach could potentially be maintained for a long time without detection.

Computer in a light bulb

In a press release accompanying the research, Jadliwala suggested that the advent of these smart-illumination devices may require a change of perspective on the ordinary light bulb. “Think of the bulb as another computer,” he said. “These bulbs are now poised to become a much more attractive target for exploitation, even though they have very simple chips.”

To fend off that threat, he and Maiti recommend that manufacturers begin implementing some form of secure, user-configurable access control for bulbs directly connected to home networks. Only one out of the ten most popular manufacturers of internet-enabled smart lighting, they observe, implements such controls at present. And the UTSA researchers suggest that consumers opt for systems involving smart-home hubs, rather than using insecure bulbs that connect directly to the home network.

Of course, there’s one other security-enhancing measure that users of smart bulbs might take. “A simple mitigation,” the two scientists write, “would be to cover the windows with opaque curtains and block light leakage to the outside.” When in doubt, draw the shades.